Privacy Policy

Service Sheep
Last updated: June 25, 2026

1. Overview

Service Sheep is a field ministry territory management platform developed by Jar Labs (Johannen Gabriel Robles & Jazielle Mavis Robles), offered as a two-app service: a mobile app for iOS and Android, and a web-based admin console. This privacy policy covers the mobile app only. The mobile app is designed to be privacy-first: it collects no personal accounts, no user identity, and no analytics about how users interact with the mobile app. All ministry records are stored on your device and leave it only when you explicitly initiate an export.

The Service Sheep web console (admin portal) is a separate product governed by its own privacy policy. This policy explains what data is collected by the mobile app, how it is used, and your rights under the Data Privacy Act of 2012 (Republic Act No. 10173) of the Philippines.

2. Definitions

• "We," "us," "our" — Jar Labs (Johannen Gabriel Robles & Jazielle Mavis Robles), the developers of Service Sheep.
• "You," "your," "user" — any person using the Service Sheep mobile app.
• "The mobile app" — the Service Sheep iOS/Android application this policy covers.
• "The web console" — the Service Sheep admin portal at console.servicesheep.com, governed by a separate privacy policy.
• "Congregation" — the local group your device is enrolled into.

3. Who This Policy Applies To

This policy applies to users of the Service Sheep mobile app. It does not apply to the Service Sheep web console, which is governed by a separate privacy policy. Service Sheep is intended for use in the Philippines only. Users outside the Philippines are not the intended audience of this service, and this policy is written in accordance with Philippine law. The mobile app requires no account and collects no information that identifies you personally.

4. Roles and Responsibilities

Under RA 10173, Service Sheep acts as a Data Processor — it provides tools for recording and managing ministry activity but does not determine what information is entered or how it is used.

Users are the Data Controllers. They decide what is recorded and are responsible for ensuring that records do not contain personally identifiable information (PII) about householders.

The mobile app is designed to capture publicly observable details about locations — landmarks, GPS coordinates — and ministry activity such as visit dates and discussion topics. Users determine how specifically they describe a location. It does not prompt for or require householder names, nationality, or personal details. However, free-text fields (visit notes, landmarks, personal notes) cannot technically prevent a user from entering such information.

It is the user's responsibility to ensure that no personally identifiable information about householders is entered into the mobile app. Service Sheep provides the technical tools; it does not control or review what users type.

The only data excluded from exports by the mobile app is personal notes — visit log content and landmarks are exported exactly as entered. There is no automatic PII detection or filtering on export. It is entirely the user's responsibility to ensure no personally identifiable information is recorded in the first place.

All congregation, territory, and ministry data entered into the mobile app is owned by you and your congregation. Service Sheep is not responsible for any congregation or ministry data stored in the mobile application. Where required by law, you are personally responsible for obtaining the necessary permissions to collect and store such data, and for using it in accordance with relevant laws and regulations.

5. Data Stored on Your Device

All ministry data is stored locally on your device in a local database. Ministry records are never automatically transmitted to any server. The only data the mobile app sends automatically is crash diagnostics to Sentry in the event of an error (see Section 8).

Users are responsible for protecting the device on which the mobile app is installed and the data stored on it. Service Sheep does not control device-level security.

Ministry records stored on-device include:

• Territory boundaries and map files
• GPS coordinates of visited locations (pins)
• Location statuses (e.g., Initial Call, Return Visit, Not Interested)
• Visit logs: date, time, landmarks, and discussion notes
• Personal notes on pins and visit logs

Users may optionally set a 4-digit lock PIN and a master PIN to restrict access to the mobile app. These are created on demand and are not required. Only the bcrypt hash of each PIN is stored on-device — the raw PIN is never stored anywhere. PINs are never transmitted or included in any export.

Personal notes are strictly private. They are stored in isolated tables, are never included in any export, and never leave your device under any circumstance.

The mobile app does not store:

• Your name, identity, or any account credentials
• Householder names, nationality, or family information
• Your device's location (the mobile app records visited locations, not the user's own GPS position)
• User's behavioral data or usage analytics of any kind

6. Data Exported via Report Packages (.ssrep)

When you tap Export on a territory, the mobile app packages that territory's ministry data into an encrypted .ssrep report file and presents the system share sheet. You choose where to send it — for example, via WhatsApp, email, or AirDrop — to your Field Service Group Overseer, who forwards it to the territory servant for consolidation in the congregation's web console.

What an export contains:

• GPS coordinates of pins
• Location statuses
• Visit logs (dates, landmarks, discussion notes)
• Territory boundary geometry (inside the encrypted body)

What an export is designed never to contain:

• Householder names, nationality, or family information
• Your personal notes
• Any information that identifies you as the user

Personal notes are the only item above that is technically enforced — the mobile app excludes them automatically. The remaining items depend entirely on users not entering such information into free-text fields. The mobile app does not scan or filter visit log content or landmarks before export.

Exports are AES-256-GCM encrypted using your congregation's data key. Only an enrolled device or the congregation's web console can decrypt them.

The mobile app's responsibility ends at the share sheet. Once you share the file, it travels through the channel you selected and is ultimately imported into your congregation's web console, also built and operated by Jar Labs. Once imported, that data is governed by the Service Sheep web console's privacy policy, not this one.

Export is always user-initiated. Exporting a territory does not remove it from your device — territory data remains stored locally until you explicitly delete it. The mobile app will warn you before allowing deletion if a territory has not yet been exported.

7. Device Enrollment

Before the mobile app can import territory maps or export reports, your device must be enrolled into a congregation by scanning an enrollment QR code and entering an activation passphrase provided by your congregation's service overseer. Enrollment requires access to your device's camera to scan the QR code, or access to your photo library if you choose to import the QR code from a saved image. These permissions are used solely for enrollment and are not used for any other purpose.

• The activation passphrase is never stored on your device or transmitted anywhere.
• Enrollment stores only your congregation's ID, display name, key version, and encrypted data key in your device's secure storage (iOS Keychain / Android EncryptedSharedPreferences).
• Switching to a different congregation wipes all local territory data (territories, pins, visit logs) from your device. Personal notes are not affected by a congregation switch — they remain on your device and are only removed when the mobile app is uninstalled.

8. Crash and Error Diagnostics (Sentry)

The mobile app uses Sentry (Sentry.io, Inc.) to collect crash reports and error diagnostics in release builds only. Diagnostic builds (debug and profile) send nothing.

Before any event leaves your device, a scrubber unconditionally removes or redacts:

• Your identity and any user context
• Network request data
• Breadcrumb activity logs
• GPS coordinates and coordinate-like numbers
• File paths and territory file names
• All frame-level local variables

Only the exception type and a scrubbed stack trace are transmitted. No personal information, no ministry content, and no location data are ever sent to Sentry.

Sentry may receive your device's IP address as part of the HTTPS connection. This is a standard characteristic of any internet communication and is not combined with any identifying information on our end.

Sentry's own privacy policy is available at https://sentry.io/privacy/.

9. Basemap Tile Downloads (Protomaps)

Territory maps are rendered using MapLibre GL with vector tile data from Protomaps (Protomaps Inc.). Basemap tiles are not bundled in the mobile app. The first time you open a territory, the mobile app downloads only the tiles covering that territory from Protomaps' public tile server (build.protomaps.com). Once downloaded, tiles are cached on your device and the map works fully offline.

During a tile download, Protomaps' servers receive your device's IP address as part of the HTTP request. No API key is used and no account is required. After the initial download, no further requests are made to Protomaps for that territory.

Protomaps does not publish a separate privacy policy. For questions about their data practices, contact support@protomaps.com.

10. Data We Do Not Collect

To be explicit, Service Sheep does not:

• Create or require user accounts
• Collect your name, email address, or any identifying information
• Track your location or movements
• Share data with advertisers or third-party marketing services
• Sell or monetize any data
• Transmit ministry records automatically or in the background
• Use cookies or web trackers

11. Data Security

• All .ssmap and .ssrep package files are encrypted with AES-256-GCM using a per-congregation key.
• Enrollment credentials are stored in platform-grade secure storage (iOS Keychain; Android EncryptedSharedPreferences).
• The activation passphrase used during enrollment is derived using scrypt and is never stored anywhere.
• On-device ministry data is stored in a local database. Switching congregations wipes all local territory data.
• If set, lock PINs and master PINs are hashed with bcrypt (cost factor 12) before storage. The raw PIN is never stored or transmitted.

12. Data Retention

Ministry data (territories, pins, visit logs) remains on your device until you delete a territory or re-enroll into a different congregation. Personal notes remain on your device across congregation switches and are only removed when the mobile app is uninstalled or app data is cleared through your device's settings. The mobile app does not impose any automatic expiration on any data.

On iOS, enrollment credentials stored in the Keychain survive app uninstallation. The mobile app detects a re-installation and clears stale enrollment data automatically on first launch.

13. Your Rights

Under the Data Privacy Act of 2012 (RA 10173), you have the right to:

• Access — request information about what data is held about you
• Correction — request correction of inaccurate data
• Erasure — request deletion of your data
• Restriction — request that processing be limited
• Data portability — receive your data in a portable format
• Object — object to processing in certain circumstances

Because Service Sheep acts as a Data Processor, requests relating to ministry records held in the congregation's web console should be directed to your congregation's service overseer, who acts as the Data Controller for that data. That data is governed by the Service Sheep web console's privacy policy. For questions about the mobile app or this privacy policy, contact: support@servicesheep.com

14. Children

The mobile app is intended for users aged 16 and older. The mobile app does not knowingly collect personal information from any user regardless of age.

15. Changes to This Policy

We may update this policy from time to time. The current version is always available at https://servicesheep.com/app/legal/privacy-policy. The "Last updated" date at the top of this document indicates when it was last revised.

16. Contact

Jar Labs
Johannen Gabriel Robles & Jazielle Mavis Robles
support@servicesheep.com

Service Sheep is an independent project by Jar Labs and is not affiliated with JW.ORG or the Watchtower Bible and Tract Society. This is not an official application of Jehovah's Witnesses.