Privacy Policy

Learn what data we collect from our users, how we use it and what your rights are.

About this policy

My Church is a project built for God's glory and is based on Christian values. Therefore, your privacy is very important to us. This policy is designed to let you know what data we collect from our users, how we use it and why we use it. This notice is applicable to our website and the software and service we provide.
We urge you to read this privacy notice so you are fully aware of how we collect and process personal data. Equally, if after reading this policy you have any questions, please do not hesitate to contact us. We will be more than happy to answer any queries.

Please also be aware that this privacy notice is a brief summary of our data protection practices. Please read our data protection policy if you're looking for a more in-depth explanation of our data protection policies and procedures.

Who are we?

The author behind the My Church project is Edan Joseph Brooke. Edan works as an IT support technician but is also experienced as a web developer.

My Church is a registered as a data controller with the ICO (registration reference ZA349020).
The project was founded out of a passion to see youth ministry develop and to make lives easier for youth and for leaders in the church.

You can contact the My Church team by sending an e-mail to hello@my-church.org, or by calling 0161 738 1165. If you would like to contact our data protection compliance manager or if you have a data protection enquiry, you can send an e-mail to data@my-church.org. You may also phone the data protection compliance manager on 0161 738 1165 or write to them at the following address:

Data Protection Compliance Manager
My Church
Armadillo MUMB #10232
Parkway Avenue
Sheffield
West Yorkshire
S9 4WA
GB

What information do we collect? How is it used?

We collect several pieces of personal information from users. As the My Church system is very complex and has a lot of functionality, we collect data in many ways.

Registration of interest in the service

When a user registers their interest in the platform, we collect, store and process the following pieces of information about them. This information is collected and processed to allow us to follow up on enquiries about the service and to deliver requested information.

Full name
E-mail address
Telephone number
Place of worship (name, location and figures relating to attendees)

Registration as a volunteer with My Church

If a user registers as a volunteer with us or expresses that they may be interested in doing so, we collect and process the following pieces of information. This is done so that we have sufficient information to enter into a contract with the individual.

Full name
E-mail address
Telephone number

Acceptance of an invite to register on the My Church platform

If a user generates an invite to another individual and the individual chooses to accept the invite, the following information will be requested, stored and processed in order to allow the individual to use the service.

Full name
Nickname
E-mail address
Chosen password
Date of birth

This personal information is used to:

Provide access to the My Church service
Provide a customised user experience
Enable us to protect all data inputted into the system with user authentication
Provide marketing information to users where the user has opted in to receive marketing communications
Communicate with users to fulfil provision of our service (e.g. session reminder e-mails)
Allow generation of session registration sheets
Carry out polls and / or surveys where a user has opted in to the development program
Aid internal research and product development
Enable us to meet internal audit requirements
Allow us to fulfil our legal obligations, such as fraud prevention or co-operation with law enforcement agencies
Notify you of an update to our privacy policy

This information will be shared with 3rd parties in some situations.

Other users who attend the same church(es) as you will be able to see your forename if you take a quiz on the system.

Measures in place to protect sensitive personal information

The My Church project uses multiple levels of security to protect the information our users entrust us with. We recognise that some information we store is sensitive and have procedures in place to deal with this.

We have a strict data protection policy that we strive to follow at all times.
All sensitive data in our database is secured using bank-grade encryption.
A high level of digital security is in place on our network infrastructure and on the third-party services we use.
All data transmissions to and from our website are conducted via a secure connection with HSTS headers to prevent cyber attacks. We cannot guarantee the security of these network technologies but once we receive your data in our infrastructure, we use our internal policies and procedures to store and process your data securely and legally.
Any paper based record we receive that we do not need a physical copy of is scanned in to an encrypted digital file store and the original is destroyed. If we need to keep the original, it will be kept in a locked filing cabinet.
We constantly audit our internal policies and procedures to ensure that they are fair and in line with legislation.

Our legal basis for processing your personal data

For the most part, the service uses consent as a legal basis for processing personal data as it is registration based, though we do process personal data under other basis.

Please see the table below for an explanation of the basis we may process personal data under. We endeavour to process your personal data under the most appropriate basis at all times.

	Explanation	Right to erasure	Right to object
Consent	The data subject has given clear and explicit consent for their personal data to be processed.		but right to withdraw consent
Contract	Processing is necessary to fulfil a contract between My Church and the data subject, or to take steps to enter into a contract.
Legal obligation	We are required to process personal data to fulfil a legal obligation.
Vital interests	Processing is mandatory to protect the vital interests of either the data subject, or another person, in a life or death situation.
Public tasks	Processing is necessary to perform a task carried out in the public interest that is set out in law, or in the exercise of official authority.
Legitimate interests	Processing is necessary for purposes of legitimate interests pursued by My Church or by a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.	Dependant on circumstance

The basis on which we hold and process personal data differs. The My Church system and project is very extensive so we cannot process under just one basis for everything.

Data collected when a user registers their interest in the platform is held on the basis of consent.
Data collected when a user registers as a volunteer with us is held on the basis of legitimate interests.
Data that is collected from a user when they accept an invite to register for a My Church account is held on the basis of consent, unless the data subject accepts an invite for a leadership role in a church. In this instance, data is held and processed under the basis of legitimate interests. This includes maintaining historic data and representing historic records appropriately.

To learn how we process data relating to children please read §5.4 of our full data protection policy.

For more information about our legal basis for processing data, please contact our data protection compliance officer by sending an e-mail to data@my-church.org or by calling 0161 738 1165.

How long do we retain your personal data for? How can I stop my data from being processed?

The length of time for which we hold personal data depends on the purpose it was collected for.

Data that is collected solely on the basis of consent is kept only for as long as we have your consent to process your personal data.

If you have registered your interest in the My Church platform and now wish to withdraw your consent for us to process this data, you can unsubscribe by following the link in the e-mail that was sent to you when you registered your interest. If you no longer have this e-mail, please contact the data protection compliance officer. Opting out will withdraw the consent that you gave to us to store and process your personal data. Your personal information will be permanently deleted from our records.

If you registered as a volunteer with us but never undertook any responsibilities or work with us, you can have us delete your personal data by following the link in the e-mail that was sent to you when you registered as a volunteer. If you no longer have this e-mail, please contact the data protection compliance officer to be removed from our records.

Volunteers who have undertaken work on the project have their information held on the basis of legitimate interests.

If you have an account with us, you can close your account permanently and withdraw your consent to data processing by logging into your account online. This only applies if legitimate interests conditions do not apply. If you wish to object to processing under the basis of legitimate interests, please contact our data protection compliance officer.

If you have any questions regarding data retention, such as additional data retention periods information, please contact our data protection compliance officer using the aforementioned contact details.

What are my rights?

My Church does its best to be compliant with General Data Protection Regulation 2018 and Data Protection Act 2018. This legislation gives you as a data subject several rights in regards to collection and processing of your personal data.

You can:

Ask us to provide you with all the data we hold about you by initiating a subject access request.
Request that we delete the personal data we have stored about you unless we are required to process the personal data to fulfil a legal obligation (see the legal basis explanation table) or otherwise required to hold the data by law.
Have any inaccurate or incorrect data stored about you corrected.
Restrict the processing of your personal data in some situations.
Withdraw your consent to data processing by contacting our data protection compliance officer, or, where possible, by withdrawing your consent on our website.

Cookies

A "cookie" is a small file that is stored on your computer. Cookies are regulated by your web browser and will not intentionally cause harm to your computer or device. My Church uses cookies to provide a customised user experience, to ensure correct operation of our service, and to collect data to produce reports that allow us to monitor website traffic and to improve our website by getting an overview of how users interact with it.

If you do not wish for us to store cookies on your computer, you can object to this by changing cookie settings in your web browser. Please be aware that by doing this your experience on our website will be suboptimal as the website is designed with cookies playing a key part in enabling full functionality.

Cookies are used to identify your device so we can provide a tailored experience even when you leave the website and come back later. Cookies do not contain any personal information about you.

External organisations

The My Church system integrates with and links to third party websites and services. These external entities are not operating under our policies or procedures and may be operating under a different legal jurisdiction. Therefore, please consider this before providing any personal data to these third party websites or services as they are not affiliated with us.

We also work with other organisations that allow us to provide our service. Some of these organisations are responsible for storing our databases or backups and will therefore hold your personal information.

Online SAS

Online SAS are responsible for hosting our service including our database servers and therefore hold data that is protected under the Data Protection Act.
We have reviewed their privacy policy and they are headquartered in Europe so they operate under the same strict General Data Protecton Regulation legislation that My Church does.

Online SAS holds all our customer information in a manner that is compliant with GDPR.

Amazon UK Services LTD.

Our backup data and any user uploads to the service are stored with Amazon in their Amazon Web Services (AWS) S3 service. Our allocated storage with AWS, referred to as a "bucket", is located in the EU so falls under GDPR legislation.
Amazon's privacy policy is compliant so we trust Amazon to store this data.

Amazon holds all our customer data in a way that is GDPR compliant, and allows us to comply by offering a backup solution to us.
As per our published backups procedure, backups exceeding 6 months in age are removed from Amazon's systems.

Unlimited Web Hosting UK Limited

Unlimited Web Hosting provides staff e-mail accounts at My Church. Therefore, any personal data you e-mail to a My Church domain will reach Unlimited Web Hosting. They don't read the content of your e-mails, though they could access it if they wanted or needed to.
This company is based in the United Kingdom and is compliant with data protection laws.

Unlimited Web Hosting allows the My Church team to communicate with you by e-mail. All e-mails are treated with confidentiality both by our team and by Unlimited Web Hosting's team.

Freshworks Inc

Freshworks powers the My Church support centre. The majority of support requests are routed through Freshworks' system to allow us to provide a high quality of support. Freshworks is committed to complying with GDPR.

Freshdesk provides our helpdesk and is well-versed in data protection compliance. They are GDPR compliant to the best of our knowledge.

Updates to our privacy policy

When our privacy policy is updated, it will be published on our website. If you have an account with My Church and have not opted out for privacy policy update notifications, you will be notified of any updates to our privacy policy by e-mail if the changes to the policy are anything other than correctional modifications that do not change the principles of the policy in any way.

Questions or concerns?

If you have any questions or concerns you'd like to raise in regards to any of our policies or procedures or anything on this page, please contact our data protection compliance officer by e-mail at data@my-church.org. Alternatively, you can reach the data protection compliance officer by phone (0161 738 1165).

This policy was last updated Mon 4 June 2018 by Edan Brooke.