Welcome to Churchy Church Management System. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our church management platform.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the Data Protection Act, 2012 (Act 843) of Ghana, and other applicable data protection laws. By using our Service, you consent to the collection and use of your information as described in this Privacy Policy.
This Privacy Policy applies to all users of our Service, including users in the European Economic Area (EEA), the United Kingdom, Ghana, and other jurisdictions worldwide.
1. Information We Collect
Personal Information: We collect personal information that you voluntarily provide to us when you register for an account, use our services, or communicate with us. This includes:
- Account Information: Name, email address, phone number, church name, position/role
- Church Member Data: Names, contact information, addresses, dates of birth, family relationships, photos, attendance records, giving history, and other information you choose to input into the system
- Payment Information: Billing name, address, payment card information (processed by third-party payment processors)
- Communication Data: Email correspondence, SMS messages, and other communications you send through our platform
Automatically Collected Information: We automatically collect certain information when you access our Service:
- Usage Data: IP address, browser type, device information, pages visited, time spent on pages, referring website
- Cookies and Similar Technologies: We use cookies, web beacons, and similar tracking technologies to track activity on our Service
- Log Data: Server logs including your IP address, browser type, pages visited, time and date of visit, and other statistics
2. How We Use Your Information
In accordance with the Data Protection Act, 2012 (Act 843) of Ghana, we process your personal information for specific, explicit, and legitimate purposes:
- Service Provision: To provide, operate, and maintain our church management platform
- Account Management: To create and manage your account, authenticate your identity, and process subscriptions
- Customer Support: To respond to your inquiries, provide technical support, and communicate with you about the Service
- Service Improvement: To understand how you use our Service, identify usage trends, and improve our features and functionality
- Communication: To send you administrative information, updates, security alerts, and support messages
- Marketing: With your consent, to send you promotional communications about new features, events, or offers (you may opt out at any time)
- Security and Fraud Prevention: To detect, prevent, and address technical issues, security breaches, and fraudulent activity
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or government requests
3. Legal Basis for Processing (GDPR & Data Protection Act, 2012)
Under the GDPR (for EEA and UK users) and Ghana's Data Protection Act, 2012 (Act 843), we process your personal information based on the following legal grounds:
- Consent (GDPR Art. 6(1)(a)): You have given explicit, freely given, specific, informed, and unambiguous consent for us to process your personal data for specific purposes. You may withdraw your consent at any time.
- Contract Performance (GDPR Art. 6(1)(b)): Processing is necessary for the performance of our contract with you (providing the Service), or to take steps at your request prior to entering into a contract
- Legal Obligation (GDPR Art. 6(1)(c)): Processing is necessary to comply with applicable legal or regulatory requirements, including tax laws, anti-money laundering regulations, and other legal obligations
- Legitimate Interests (GDPR Art. 6(1)(f)): Processing is necessary for our legitimate business interests or those of a third party, such as:
  - Improving and developing our services
  - Preventing fraud and ensuring security
  - Network and information security
  - Internal administrative purposes
  - Reporting possible criminal acts or threats to public security

  We will always balance our legitimate interests against your rights and freedoms.
- Vital Interests (GDPR Art. 6(1)(d)): Processing is necessary to protect your vital interests or those of another natural person
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share your information with the following third parties:
- Service Providers: Third-party vendors who provide services on our behalf (hosting, payment processing, email delivery, SMS services, analytics). These providers have access to your information only to perform specific tasks and are obligated to protect your data
- Payment Processors: When you make a payment, your payment information is processed by secure third-party payment processors (e.g., Stripe, PayPal, Paystack)
- Legal Requirements: We may disclose your information if required by law, court order, or government regulation, or if we believe such action is necessary to:
  - Comply with legal obligations
  - Protect and defend our rights or property
  - Prevent fraud or illegal activity
  - Protect the safety of users or the public
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the acquiring entity
- With Your Consent: We may share your information with other third parties when you explicitly consent to such sharing
5. Data Security
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction, in compliance with the Data Protection Act, 2012 (Act 843):
- Encryption of data in transit using SSL/TLS protocols
- Encryption of sensitive data at rest
- Regular security assessments and vulnerability testing
- Access controls and authentication mechanisms
- Regular data backups and disaster recovery procedures
- Employee training on data protection and security practices
However, no system is completely secure, and we cannot guarantee the absolute security of your information. You are responsible for maintaining the confidentiality of your account credentials.
6. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law:
- Active Accounts: We retain your data while your account remains active
- Terminated Accounts: After account termination, we retain your data for 30 days to allow for data export, after which we will delete or anonymize your personal information
- Legal Retention: We may retain certain information for longer periods if required by law, for tax purposes, to resolve disputes, or to enforce our agreements
- Backup Systems: Data may remain in backup systems for a limited period after deletion from active systems
7. Your Rights Under GDPR and the Data Protection Act, 2012
Under the GDPR (for EEA and UK users) and Ghana's Data Protection Act, 2012 (Act 843), you have the following rights regarding your personal information:
- Right of Access (GDPR Art. 15): You have the right to request access to the personal information we hold about you, including the purposes of processing, categories of data, recipients, retention periods, and your other rights
- Right to Rectification (GDPR Art. 16): You can request that we correct inaccurate or incomplete personal information without undue delay
- Right to Erasure / "Right to be Forgotten" (GDPR Art. 17): You can request that we delete your personal information when:
  - The data is no longer necessary for the purposes for which it was collected
  - You withdraw consent and there is no other legal basis for processing
  - You object to processing and there are no overriding legitimate grounds
  - The data has been unlawfully processed
  - Erasure is required to comply with a legal obligation
- Right to Restriction of Processing (GDPR Art. 18): You can request that we restrict processing of your personal information when:
  - You contest the accuracy of the data
  - Processing is unlawful and you oppose erasure
  - We no longer need the data but you need it for legal claims
  - You have objected to processing pending verification of legitimate grounds
- Right to Object (GDPR Art. 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests
- Right to Data Portability (GDPR Art. 20): You can request a copy of your personal information in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and have it transmitted to another controller. You can exercise this right through our "I Want My Data" feature in your profile settings, which allows you to export all your data as a ZIP file containing JSON-formatted data
- Right to Withdraw Consent (GDPR Art. 7(3)): Where we process your data based on consent, you can withdraw your consent at any time. This will not affect the lawfulness of processing before withdrawal
- Right Not to be Subject to Automated Decision-Making (GDPR Art. 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or significantly affects you
- Right to Lodge a Complaint: You have the right to lodge a complaint with:
  - For EEA/UK users: Your local supervisory authority (e.g., Information Commissioner's Office in the UK)
  - For Ghana users: The Data Protection Commission of Ghana
Exercising Your Rights: To exercise any of these rights, please contact us using the contact information provided below. We will respond to your request within:
- GDPR: 1 month (extendable by 2 further months for complex requests)
- Ghana Data Protection Act: As specified by law
We may need to verify your identity before processing your request. We will not charge a fee unless your request is clearly unfounded, repetitive, or excessive.
8. Account Deletion and Data Export
We provide you with tools to exercise your data rights directly through our platform:
Data Export ("I Want My Data"):
- You can request an export of all your data through your profile settings
- Data exports are processed in the background and delivered to your registered email address
- Your data is provided as a ZIP file containing JSON-formatted information
- Exports include: your profile information, church data, member records, giving history, attendance sessions, events, groups, first timers, and expenses
- We recommend exporting your data before deleting your account
Account Deletion:
- You have the right to permanently delete your account through your profile settings
- Account deletion is a permanent and irreversible action
- When you delete your account, all personal data and church data associated with your account will be permanently removed from our active systems
- Some data may remain in backup systems for a limited period as described in our Data Retention section
- We cannot recover your data after deletion
Impact on Active Subscriptions:
- If you delete your account while you have an active paid subscription, your subscription will be immediately forfeited
- No refunds, credits, or prorated amounts will be provided for any unused portion of your subscription
- This forfeiture applies to all subscription types (monthly, annual, promotional)
- We strongly recommend canceling your subscription separately if you wish to avoid automatic renewal, rather than deleting your account
Important: Before exercising your right to deletion, please ensure you have exported all data you wish to retain. Once your account is deleted, we cannot restore your data or provide additional exports.
9. International Data Transfers (GDPR Chapter V)
Your personal information may be transferred to and processed in countries outside the European Economic Area (EEA), the United Kingdom, or Ghana. When we transfer personal data internationally, we ensure appropriate safeguards are in place to protect your information in accordance with GDPR and the Data Protection Act, 2012 (Act 843).
GDPR Safeguards for International Transfers:
- Adequacy Decisions (GDPR Art. 45): Transfers to countries recognized by the European Commission as providing adequate data protection (e.g., UK, Switzerland, Japan)
- Standard Contractual Clauses (GDPR Art. 46(2)(c)): We use EU Standard Contractual Clauses (SCCs) approved by the European Commission to ensure appropriate safeguards when transferring data to countries without adequacy decisions
- Binding Corporate Rules (GDPR Art. 47): Where applicable, we may rely on approved binding corporate rules
- Data Processing Agreements: We enter into data processing agreements with all service providers that comply with GDPR Article 28 requirements
- Encryption and Pseudonymization: We implement technical measures such as encryption and pseudonymization to protect data during international transfers
Transfer Impact Assessments: In accordance with the Schrems II ruling, we conduct Transfer Impact Assessments (TIAs) to evaluate the data protection laws and practices in destination countries and implement supplementary measures where necessary.
Your Rights Regarding International Transfers: You have the right to obtain information about the safeguards we use for international data transfers and to obtain a copy of the Standard Contractual Clauses we use.
10. Children's Privacy
Our Service is not directed to children under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us so we can delete such information.
While churches may use our platform to manage children's ministry programs, the responsibility for obtaining parental consent and managing children's data lies with the church organization using our Service.
11. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to track activity on our Service and hold certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
Types of Cookies We Use:
- Essential Cookies: Required for the operation of our Service (authentication, security)
- Performance Cookies: Help us understand how visitors interact with our Service
- Functional Cookies: Enable enhanced functionality and personalization
- Marketing Cookies: Used to track visitors across websites to display relevant advertisements
12. Third-Party Links and Services
Our Service may contain links to third-party websites, applications, or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of any third-party sites you visit.
13. Changes to This Privacy Policy
We may update our Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:
- Posting the updated Privacy Policy on this page with a new "Last Updated" date
- Sending you an email notification (if you have provided your email address)
- Displaying a prominent notice on our Service
Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of such changes.
14. Data Breach Notification (GDPR Art. 33 & 34)
In the unlikely event of a personal data breach, we are committed to transparent communication and swift action:
- Supervisory Authority Notification: We will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms
- Individual Notification: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, providing:
  - The nature of the personal data breach
  - The likely consequences of the breach
  - The measures taken or proposed to address the breach
  - Contact information for our Data Protection Officer
- Breach Documentation: We maintain internal records of all data breaches, including their effects and the remedial action taken
- Security Measures: We continuously monitor and improve our security measures to prevent data breaches
15. Data Protection Officer (GDPR Art. 37-39)
In accordance with GDPR Article 37, we have appointed a Data Protection Officer (DPO) to oversee our compliance with data protection laws and serve as the point of contact for data subjects and supervisory authorities.
Contact our DPO:
Email: dpo@churchychms.com
Subject line: "Data Protection Inquiry - [Your Name]"
Our DPO's responsibilities include:
- Monitoring compliance with GDPR and Ghana Data Protection Act
- Advising on data protection impact assessments
- Cooperating with supervisory authorities
- Serving as the contact point for data subjects and supervisory authorities
16. Contact Us
If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us at:
Churchy Church Management System
Email: privacy@churchychms.com
Support Email: churchychms@gmail.com
Website: Contact Us
We will respond to your inquiry within 48 business hours.
17. Supervisory Authorities and Complaints
If you are not satisfied with our response to your data protection concerns, you have the right to lodge a complaint with the relevant supervisory authority:
For Users in Ghana:
Data Protection Commission of Ghana
Email: info@dataprotection.org.gh
Website: www.dataprotection.org.gh
Phone: +233 (0)302 971 40
Address: No. 6 Agostinho Neto Road, Airport Residential Area, Accra, Ghana
For Users in the European Economic Area (EEA):
You have the right to lodge a complaint with your local supervisory authority. Find your local authority at: https://edpb.europa.eu/about-edpb/board/members_en
For Users in the United Kingdom:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
You also have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.