Privacy Policy
Last updated: May 11, 2025
This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of
Your information when You use the Service and tells You about Your privacy rights and how the law
protects You.
We use Your Personal data to provide and improve the Service. By using the Service, You agree to
the collection and use of information in accordance with this Privacy Policy.
Interpretation and Definitions
Interpretation
The words of which the initial letter is capitalized have meanings defined under the following
conditions. The following definitions shall have the same meaning regardless of whether they
appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
Account means a unique account created for You to access our Service or parts of
our Service.
Affiliate means an entity that controls, is controlled by or is under common control
with a party, where "control" means ownership of 50% or more of the shares, equity
interest or other securities entitled to vote for election of directors or other
managing authority.
Application means the software program provided by the Company downloaded by
You on any electronic device, named ChurchPlan®.
Business, for the purpose of the CCPA (California Consumer Privacy Act), refers to
the Company as the legal entity that collects Consumers' personal information and
determines the purposes and means of the processing of Consumers' personal
information, or on behalf of which such information is collected and that alone, or
jointly with others, determines the purposes and means of the processing of
consumers' personal information, that does business in the State of California.
Charity: The organization (Client Charity) that subscribes to ChurchPlan® services
(may act as a Data Controller for certain data under GDPR).
Church: The organization (Client Church) that subscribes to ChurchPlan® services
(may act as a Data Controller for certain data under GDPR).
Company (referred to as either "the Company", "We", "Us" or "Our" in this
Agreement) refers to ChurchPlan:
- Acts as a Data Controller for End User account data (directly provided).
- Acts as a Data Processor for any data processed on behalf of Client Churches &
Charities.
For the purpose of the GDPR, the Company is the Data Controller.
Consumer, for the purpose of the CCPA (California Consumer Privacy Act), means a
natural person who is a California resident. A resident, as defined in the law,
includes (1) every individual who is in the USA for other than a temporary or
transitory purpose, and (2) every individual who is domiciled in the USA who is
outside the USA for a temporary or transitory purpose.
Country refers to: Ontario, Canada.
Data Controller, for the purposes of the GDPR (General Data Protection
Regulation), refers to the Company as the legal entity which alone or jointly with
others determines the purposes and means of the processing of Personal Data.
Data Processor: The entity that processes personal data on behalf of the Data
Controller.
Device means any device that can access the Service such as a computer, a
cellphone or a digital tablet.
Do Not Track (DNT) is a concept that has been promoted by US regulatory
authorities, in particular the U.S. Federal Trade Commission (FTC), for the Internet
industry to develop and implement a mechanism for allowing internet users to
control the tracking of their online activities across websites.
End User: Individuals who create personal accounts directly in ChurchPlan® (e.g.,
congregants, volunteers). They are Data Subjects under GDPR and control their
own data.
Personal Data is any information that relates to an identified or identifiable
individual.
For the purposes of GDPR, Personal Data means any information relating to You
such as a name, an identification number, location data, online identifier or to one or
more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity.
For the purposes of the CCPA, Personal Data means any information that identifies,
relates to, describes or is capable of being associated with, or could reasonably be
linked, directly or indirectly, with You.
Privacy Officer (or Data Protection Officer) is the designated individual responsible
for overseeing the Company's data protection strategy and compliance with privacy
laws and regulations (such as PIPEDA, GDPR, CCPA or CPRA).
Sale: For the purpose of the CCPA (California Consumer Privacy Act), means selling,
renting, releasing, disclosing, disseminating, making available, transferring, or
otherwise communicating orally, in writing, or by electronic or other means, a
Consumer's personal information to another business or a third party for monetary
or other valuable consideration.
Service refers to the Application.
Service Provider means any natural or legal person who processes the data on
behalf of the Company. It refers to third-party companies or individuals employed
by the Company to facilitate the Service, to provide the Service on behalf of the
Company, to perform services related to the Service or to assist the Company in
analyzing how the Service is used. For the purpose of the GDPR, Service Providers
are considered Data Processors.
Third-party Social Media Service refers to any website or any social network
website through which a User can log in or create an account to use the Service.
Usage Data refers to data collected automatically, either generated by the use of the
Service or from the Service infrastructure itself (for example, the duration of a page
visit).
You means the individual accessing or using the Service, or the company, or other
legal entity on behalf of which such individual is accessing or using the Service, as
applicable.
Under GDPR (General Data Protection Regulation), You can be referred to as the
Data Subject or as the User as you are the individual using the Service.
Collecting and Using Your Personal Data
Types of Data Collected:
A. Data Provided Directly by End Users:
Types of Data: First & Last Name, Date of Birth, Gender, Marital Status, email address,
phone number, address, payment details (if applicable), profile pictures, and other account
information.
Purpose: To provide and personalize ChurchPlan® services, facilitate logins, and enable
features (e.g., event sign-ups, donations).
Legal Basis (GDPR):
Consent (for account creation).
Contractual necessity (to maintain user accounts).
CCPA/CPRA: No "sale" of personal data.
B. Data Processed for Client Churches/Charities:
Types of Data: Attendance records, Services subscription, group memberships, or other
data managed by the Church (if applicable).
Purpose: To fulfill the Client Church’s administrative needs (e.g., member tracking, event
management, pastoral care).
Legal Basis (GDPR):
Legitimate interest (for operational use by the Church/Charity).
Consent (if required by the Church’s policies).
C. Automatically Collected Data:
Types: Cookies, device info, IP addresses, usage analytics (Google Analytics).
Purpose: Security, fraud prevention, and service improvement.
Opt-Out: Available via browser settings or our cookie policy.
Usage Data
Usage Data is collected automatically when using the Service.
Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP
address), browser type, browser version, the pages of our Service that You visit, the time and date
of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When You access the Service by or through a mobile device, We may collect certain information
automatically, including, but not limited to, the type of mobile device You use, Your mobile device
unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile
Internet browser You use, unique device identifiers and other diagnostic data.
We may also collect information that Your browser sends whenever You visit our Service or when
You access the Service by or through a mobile device.
Information from Third-Party Social Media Services
The Company allows You to create an account and log in to use the Service through the following
Third-party Social Media Services:
Apple
Google
Facebook
If You decide to register through or otherwise grant us access to a Third-Party Social Media Service,
We may collect Personal data that is already associated with Your Third-Party Social Media
Service's account, such as Your name, Your email address, Your activities or Your contact list
associated with that account.
You may also have the option of sharing additional information with the Company through Your
Third-Party Social Media Service's account. If You choose to provide such information and Personal
Data, during registration or otherwise, You are giving the Company permission to use, share, and
store it in a manner consistent with this Privacy Policy.
Information Collected while Using the Application
While using Our Application, in order to provide features of Our Application, We may collect, with
Your prior permission:
Information regarding your location
Pictures and other information from your Device's camera and photo library
We use this information to provide features of Our Service, to improve and customize Our Service.
The information may be uploaded to the Company's servers and/or a Service Provider's server or it
may be simply stored on Your device.
You can enable or disable access to this information at any time, through Your Device settings.
Use of Your Personal Data
The Company may use Personal Data for the following purposes:
To provide and maintain our Service:
Your personal information is collected and processed solely to support the operational and/or
religious mission of the Client Church/Charity including but not limited to:
- Administration of membership records: Maintaining an updated directory of
congregation members.
- Pastoral Care & Spiritual Support: Providing counseling, prayer requests, and
spiritual guidance.
- Donation Management: Processing donations, offerings, and issuing tax receipts.
- Event Coordination: Facilitating registration, attendance tracking, and logistical
planning for Church/Charity events.
- Church Communications: Sharing updates about services, sermons, liturgies,
ministries, and community outreach.
- Volunteer & Ministry Operations: Screening, scheduling, and supporting volunteers
and ministry programs.
- Child & Youth Safety: Administering programs with appropriate safeguards for minors.
- Sacramental Recordkeeping: Preserving historical records of baptisms, marriages,
and other rites.
All data is handled in accordance with our Privacy Policy and applicable data protection laws.
To manage Your Account: to manage Your registration as a user of the Service. The Personal Data
You provide can give You access to different functionalities of the Service that are available to You
as a registered user.
For the performance of a contract: the development, compliance and undertaking of the purchase
contract for the products, items or services You have purchased or of any other contract with Us
through the Service.
To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of
electronic communication, such as a mobile application's push notifications regarding updates or
informative communications related to the functionalities, products or contracted services,
including the security updates, when necessary or reasonable for their implementation.
To provide You with news, special offers and general information about other goods, services and
events which we offer that are similar to those that you have already purchased or enquired about
unless You have opted not to receive such information.
To manage Your requests: To attend and manage Your requests to Us.
For business transfers: We may use Your information to evaluate or conduct a merger,
divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our
assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in
which Personal Data held by Us about our Service users is among the assets transferred.
For other purposes: We may use Your information for other purposes, such as data analysis,
identifying usage trends, determining the effectiveness of our promotional campaigns and to
evaluate and improve our Service, products, services, marketing and your experience.
We may share Your personal information in the following situations:
With Service Providers: We may share Your personal information with Service Providers to
monitor and analyze the use of our Service, for payment processing, to contact You.
For business transfers: We may share or transfer Your personal information in connection
with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of
all or a portion of Our business to another company.
With Affiliates: We may share Your information with Our affiliates, in which case we will
require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and
any other subsidiaries, joint venture partners or other companies that We control or that are
under common control with Us.
With other users: when You share personal information or otherwise interact in the public
areas with other users, such information may be viewed by all users and may be publicly
distributed outside. If You interact with other users or register through a Third-Party Social
Media Service, Your contacts on the Third-Party Social Media Service may see Your name,
profile, pictures and description of Your activity. Similarly, other users will be able to view
descriptions of Your activity, communicate with You and view Your profile.
With Your consent: We may disclose Your personal information for any other purpose with
Your consent.
Retention of Your Personal Data
The Company will retain Your Personal Data only for as long as is necessary for the purposes set
out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to
comply with our legal obligations (for example, if we are required to retain your data to comply
with applicable laws), resolve disputes, and enforce our legal agreements and policies.
The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally
retained for a shorter period of time, except when this data is used to strengthen the security or to
improve the functionality of Our Service, or We are legally obligated to retain this data for longer
time periods.
Transfer of Your Personal Data
Your information, including Personal Data, is processed at the Company's operating offices and in
any other places where the parties involved in the processing are located. It means that this
information may be transferred to — and maintained on — computers located outside of Your
state, province, country or other governmental jurisdiction where the data protection laws may
differ from those of Your jurisdiction.
Your consent to this Privacy Policy followed by Your submission of such information represents
Your agreement to that transfer.
The Company will take all steps reasonably necessary to ensure that Your data is treated securely
and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to
an organization or a country unless there are adequate controls in place including the security of
Your data and other personal information.
Data Retention & Transfer After Contract Termination
WE WILL NOT TRANSFER, MIGRATE, OR DISCLOSE End User's personal data to any other service
provider without the explicit, documented consent of each affected End User.
1. Client Church/Charity Contract Termination
When a Client Church/Charity ends its agreement with ChurchPlan®:
All End User personal data remains under the control of the individual End Users (data
subjects).
2. End User Rights Post-Termination
Access & Deletion:
- Users may access their data anytime in the app’s "Profile" section.
- Users can delete their data permanently via the app’s "Delete Account" feature, or by
visiting: Delete account
Consent-Based Transfers:
If a Client Church/Charity organizes a migration to a new provider, every End User must provide
explicit consent through a verified method (such as email confirmation or in-app authorization) to
proceed with the transfer. Without this individual opt-in, ChurchPlan will not be involved in the
migration process.
Sale of Personal Information
We do NOT and will NOT sell your personal information.
Disclosure of Your Personal Data
Business Transactions
If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be
transferred. We will provide notice before Your Personal Data is transferred and becomes subject
to a different Privacy Policy.
Law enforcement
Under certain circumstances, the Company may be required to disclose Your Personal Data if
required to do so by law or in response to valid requests by public authorities (e.g. a court or a
government agency).
Other legal requirements
The Company may disclose Your Personal Data in the good faith belief that such action is necessary
to:
Comply with a legal obligation
Protect and defend the rights or property of the Company
Prevent or investigate possible wrongdoing in connection with the Service
Protect the personal safety of Users of the Service or the public
Protect against legal liability
Security of Your Personal Data
The security of Your Personal Data is important to Us, but remember that no method of
transmission over the Internet, or method of electronic storage is 100% secure. While We strive to
use commercially acceptable means to protect Your Personal Data, We cannot guarantee its
absolute security.
Detailed Information on the Processing of Your Personal Data
The Service Providers We use may have access to Your Personal Data. These third-party vendors
collect, store, use, process and transfer information about Your activity on Our Service in
accordance with their Privacy Policies.
Analytics
We may use third-party Service providers to monitor and analyze the use of our Service.
Google Analytics
Google Analytics is a web analytics service offered by Google that tracks and reports
website traffic. Google uses the data collected to track and monitor the use of our Service.
This data is shared with other Google services. Google may use the collected data to
contextualize and personalize the ads of its own advertising network.
You may opt-out of certain Google Analytics features through your mobile device settings,
such as your device advertising settings or by following the instructions provided by Google
in their Privacy Policy: https://policies.google.com/privacy
For more information on the privacy practices of Google, please visit the Google Privacy &
Terms web page: https://policies.google.com/privacy
Firebase
Firebase is an analytics service provided by Google Inc.
You may opt-out of certain Firebase features through your mobile device settings, such as
your device advertising settings or by following the instructions provided by Google in their
Privacy Policy: https://policies.google.com/privacy
We also encourage you to review Google's policy for safeguarding your data:
https://support.google.com/analytics/answer/6004245
For more information on what type of information Firebase collects, please visit the How
Google uses data when you use our partners' sites or apps webpage:
https://policies.google.com/technologies/partner-sites
Email Marketing
We may use Your Personal Data to contact You with newsletters, marketing or promotional
materials and other information that may be of interest to You. You may opt-out of receiving any, or
all, of these communications from Us by following the unsubscribe link or instructions provided in
any email We send or by contacting Us.
Payments
We may provide paid products and/or services within the Service. In that case, we may use
third-party services for payment processing (e.g. payment processors).
We will not store or collect Your payment card details. That information is provided directly to Our
third-party payment processors whose use of Your personal information is governed by their
Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by
the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American
Express and Discover. PCI-DSS requirements help ensure the secure handling of payment
information.
Usage, Performance and Miscellaneous
We may use third-party Service Providers to improve our Service.
Google Places
Google Places is a service that returns information about places using HTTP requests. It is
operated by Google.
Google Places service may collect information from You and from Your Device for security
purposes.
The information gathered by Google Places is held in accordance with the Privacy Policy of
Google: https://www.google.com/intl/en/policies/privacy/
Children's Privacy
The Service may contain content appropriate for children under the age of 13. As a parent, you
should know that through the Service children under the age of 13 may participate in activities that
involve the collection or use of personal information. We use reasonable efforts to ensure that
before we collect any personal information from a child, the child's parent receives notice of and
consents to our personal information practices.
We also may limit how We collect, use, and store some of the information of Users between 13 and
18 years old. In some cases, this means We will be unable to provide certain functionality of the
Service to these Users. If We need to rely on consent as a legal basis for processing Your
information and Your country requires consent from a parent, We may require Your parent's
consent before We collect and use that information.
We may ask a User to verify its date of birth before collecting any personal information from them.
If the User is under the age of 13, the Service will be either blocked or redirected to a parental
consent process.
Information Collected from Children Under the Age of 13
The Company may collect and store persistent identifiers such as cookies or IP addresses from
Children without parental consent for the purpose of supporting the internal operation of the
Service.
We may collect and store other personal information about children if this information is submitted
by a child with prior parent consent or by the parent or guardian of the child.
The Company may collect and store the following types of personal information about a child when
submitted by a child with prior parental consent or by the parent or guardian of the child:
First and Last name
Date of birth
Gender
Grade level
Email address
Telephone number
Picture
Parent's or guardian's name & contact
Health Insurance
Doctor’s name & contact
Allergies
Special Accommodation
For further details on the information We might collect, You can refer to the "Types of Data
Collected" section of this Privacy Policy. We follow our standard Privacy Policy for the disclosure of
personal information collected from and about children.
Parental Access
A parent who has already given the Company permission to collect and use his child's personal
information can, at any time:
Review, correct or delete the child's personal information
Discontinue further collection or use of the child's personal information
To make such a request, You can write to Us using the contact information provided in this Privacy
Policy.
Links to Other Websites
Our Service may contain links to other websites that are not operated by Us. If You click on a
third-party link, You will be directed to that third party's site. ChurchPlan is not responsible for any
personal information shared on third-party websites and cannot guarantee its security.
We strongly advise You to review the Privacy Policy of every site You visit. We have no control over
and assume no responsibility for the content, privacy policies or practices of any third-party sites or
services.
International Privacy Laws Compliance
United States Privacy Laws Compliance
The Company, ChurchPlan, adheres to applicable U.S. federal and state privacy laws, including but
not limited to:
California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
Virginia Consumer Data Protection Act (VCDPA)
Colorado Privacy Act (CPA)
Connecticut Data Privacy Act (CTDPA)
Utah Consumer Privacy Act (UCPA)
Other state laws (as they come into effect)
This section outlines the rights of U.S. residents and our compliance obligations.
1. Categories of Personal Data Collected
We collect the following categories of personal data (as defined by applicable laws):
Identifiers (e.g., name, email, IP address)
Commercial information (e.g., purchase history)
Internet/network activity (e.g., browsing behavior)
Geolocation data (if enabled by the user)
Inferences (e.g., user preferences)
For a full list, see the "Types of Data Collected" section of this Privacy Policy.
2. Consumer Rights Under U.S. State Laws
Depending on your state of residence, you may have the following rights:
a) Right to Know & Access
Users may access & edit their data anytime in the app’s "Profile" section.
Request confirmation of whether we process your personal data.
Obtain a copy of your data in a portable format (up to twice per year).
b) Right to Delete
Request deletion of personal data, subject to legal exceptions (e.g., fraud prevention,
compliance).
Users can delete their data permanently via the app’s "Delete Account" feature, or by visiting:
https://web.churchplan.com/delete-account
c) Right to Correct
Users may access & edit their data anytime in the app’s "Profile" section.
Request correction of inaccurate personal data (under CPRA, VCDPA, CPA, and CTDPA).
d) Right to Opt Out of:
Sales of personal data (as defined by CCPA/CPRA) – We do not and will not sell Your personal
data. No opt-out action is required.
Targeted advertising (under VCDPA, CPA, CTDPA, UCPA).
Profiling for automated decision-making (under some state laws).
e) Right to Non-Discrimination
We will not deny services, charge different prices, or provide a lower quality of service for
exercising privacy rights.
f) Right to Appeal (Under VCDPA, CPA, CTDPA)
If we deny a request, you may appeal within a reasonable period.
3. How to Exercise Your Rights
Submit a verifiable request via:
Email: privacyofficer@churchplan.com
We may require authentication to prevent fraud. Authorized agents must provide proof of
authorization.
We aim to respond within 45 days (may extend once by an additional 45 days with notice).
4. "Do Not Sell or Share My Personal Information"
Under CCPA/CPRA, California residents may opt out of:
Sales of data (if applicable).
Sharing for cross-context behavioral advertising.
To opt out:
We do not sell your personal information, so no opt-out action is needed.
5. Sensitive Personal Information (Under CPRA)
We do not use or disclose sensitive personal information (e.g., racial origin, biometrics) for
purposes beyond what is necessary under law unless we obtain explicit consent.
6. Data Retention & Security
We retain personal data only as long as necessary for business or legal purposes.
We implement reasonable security measures, including encryption and access controls.
7. Children’s Privacy (COPPA Compliance)
We do not knowingly collect data from children under 13 without parental consent.
Parents may review, delete, or restrict data collection by contacting us.
8. Updates & Contact
We will update this section as new state laws take effect. For questions:
Email: privacyofficer@churchplan.com
PIPEDA Compliance (Canada)
Personal Information Protection and Electronic Documents Act (PIPEDA)
The Company, ChurchPlan, is committed to complying with the Personal Information Protection
and Electronic Documents Act (PIPEDA) of Canada. This section outlines our practices regarding
the collection, use, and disclosure of personal information in accordance with PIPEDA's principles.
1. Accountability
We are responsible for the personal information under our control and have designated a Privacy
Officer to ensure compliance with PIPEDA. The Privacy Officer can be contacted at:
Email: privacyofficer@churchplan.com
2. Identifying Purposes
We collect personal information for the following purposes:
To provide and maintain the Service.
To manage user accounts and authenticate identities.
To communicate with users regarding updates, security alerts, and support.
To improve and customize the Service.
To comply with legal and regulatory requirements.
The purposes for collection are communicated at or before the time of collection.
3. Consent
We obtain meaningful consent before collecting, using, or disclosing personal information, except
where otherwise permitted or required by law. Consent may be express (e.g., through a checkbox)
or implied (e.g., by using the Service after being informed of this Privacy Policy).
Users may withdraw consent at any time, subject to legal or contractual restrictions, by contacting
us. However, withdrawing consent may limit access to certain features of the Service.
4. Limiting Collection
We collect only the personal information necessary for the identified purposes. The types of data
collected are outlined in the "Types of Data Collected" section of this Privacy Policy.
5. Limiting Use, Disclosure, and Retention
Personal information is used or disclosed only for the purposes for which it was collected, unless
the user provides additional consent or as required by law.
We retain personal information only as long as necessary to fulfill the identified purposes or as
required by law. After this period, the information is securely destroyed or anonymized.
6. Accuracy
ChurchPlan® relies on users to provide and maintain their own personal information within our
system. As such, all user-entered data is presumed to be accurate and current at the time of
submission.
For manually processed information, we make reasonable efforts to verify its accuracy,
completeness, and timeliness for its intended use. Should users identify any discrepancies in their
personal data, they may submit correction requests by contacting our support team.
7. Safeguards
We implement physical, organizational, and technical safeguards to protect personal
information against loss, theft, unauthorized access, disclosure, or modification. These measures
include:
Encryption of sensitive data.
Restricted access to personal information on a need-to-know basis.
Regular security audits and training for employees.
8. Openness
This Privacy Policy, along with any additional documentation, is made readily available to users to
explain our practices regarding personal information.
9. Individual Access
- Users may access & edit their data anytime in the app’s "Profile" section.
- Users can delete their data permanently via the app’s "Delete Account" feature, or by
visiting: https://web.churchplan.org/delete-account
Upon request, users have the right to:
Access their personal information held by us.
Challenge the accuracy or completeness of the information and request corrections.
Be informed of any third parties to whom their information has been disclosed.
Requests for access or corrections must be made in writing to the Privacy Officer and may require
verification of identity.
10. Challenging Compliance
Users may address any concerns, complaints, or questions about our compliance with PIPEDA to
the Privacy Officer. We will investigate and respond to all inquiries promptly.
General Data Protection Regulation (GDPR) Compliance (EU & UK)
The Company, ChurchPlan, is committed to complying with the General Data Protection
Regulation (GDPR) (EU) 2016/679 when processing the personal data of individuals in the
European Union (EU) and European Economic Area (EEA). This section outlines the rights of data
subjects and our obligations under GDPR.
1. Lawful Basis for Processing Personal Data
We process personal data only when we have a valid legal basis, including:
Consent – The data subject has given clear, informed, and revocable consent.
Contractual necessity – Processing is necessary to fulfill a contract (e.g., providing the
Service).
Legal obligation – Processing is required to comply with EU or member state law.
Legitimate interests – Processing is necessary for our legitimate business interests,
provided they do not override individual rights.
2. Rights of Data Subjects Under GDPR
Individuals in the EU/EEA have the following rights regarding their personal data:
a) Right to Access (Article 15 GDPR)
You may request a copy of your personal data, including:
The purposes of processing.
Categories of data held.
Recipients of the data.
Retention periods.
b) Right to Rectification (Article 16 GDPR)
Users may access & edit their data anytime in the app’s "Profile" section.
You may request corrections to inaccurate or incomplete data.
c) Right to Erasure ("Right to Be Forgotten") (Article 17 GDPR)
Users can delete their data permanently via the app’s "Delete Account" feature, or by
visiting: https://web.churchplan.org/delete-account
You may request deletion of your data when:
It is no longer necessary for the original purpose.
You withdraw consent (and no other legal basis applies).
It was unlawfully processed.
Exceptions apply (e.g., legal compliance, public interest, or defense of legal claims).
d) Right to Restriction of Processing (Article 18 GDPR)
You may request temporary restriction of processing if:
You contest the data’s accuracy.
Processing is unlawful, but you oppose erasure.
We no longer need the data, but you require it for legal claims.
e) Right to Data Portability (Article 20 GDPR)
You may request a structured, machine-readable copy of your data for transfer to another service
provider (where processing is based on consent or contractual necessity).
f) Right to Object (Article 21 GDPR)
You may object to processing based on:
Legitimate interests (unless we demonstrate compelling grounds).
Direct marketing (absolute right to opt out).
g) Rights Related to Automated Decision-Making (Article 22 GDPR)
You have the right not to be subject to decisions based solely on automated processing (e.g.,
profiling) that significantly affect you, unless:
Necessary for a contract.
Authorized by EU/member state law.
Based on explicit consent.
3. Data Protection Measures
We implement technical and organizational measures to ensure GDPR compliance, including:
Data minimization – Collecting only necessary data.
Encryption & pseudonymization – Protecting data in transit and at rest.
Access controls – Limiting employee access to personal data.
Data Protection Impact Assessments (DPIAs) – Conducted for high-risk processing.
4. International Data Transfers
If personal data is transferred outside the EU/EEA, we ensure safeguards such as:
Adequacy decisions (e.g., transfers to Canada under the EU adequacy ruling).
Standard Contractual Clauses (SCCs) with third parties.
Binding Corporate Rules (BCRs) for intra-group transfers.
5. Data Breach Notification
In the event of a personal data breach likely to result in a risk to rights and freedoms, we will:
Notify the relevant EU supervisory authority within 72 hours.
Inform affected individuals without undue delay if the breach poses a high risk.
6. Data Protection Officer (DPO)
While not legally required for our operations, we have appointed a Privacy Officer to oversee
GDPR compliance. Contact:
Email: privacyofficer@churchplan.com
7. Complaints
If you believe we have violated GDPR terms, you may address your concern to our Privacy Officer.
We will investigate and respond to all inquiries promptly.
Australian Privacy Rights (APP Compliance)
The Company, ChurchPlan, is committed to complying with the Australian Privacy Principles
(APPs) under the Privacy Act 1988 (Cth) when handling the personal information of Australian
users. This section outlines our practices in accordance with Australian privacy laws.
1. Open and Transparent Management of Personal Information
We maintain this Privacy Policy to clearly explain how we collect, use, disclose, and protect
personal information. Users may request a copy of this policy at any time.
2. Anonymity and Pseudonymity
Where possible, users may interact with our Service anonymously or using a pseudonym. However,
certain features (e.g., account registration, payments) may require personal information to function
properly.
3. Collection of Solicited Personal Information
We only collect personal information that is:
Reasonably necessary for our functions or activities.
Directly related to providing and improving the Service.
Collected with the user’s consent (unless an exception applies under Australian law).
4. Dealing with Unsolicited Personal Information
If we receive unsolicited personal information that we could not have lawfully collected, we will:
Destroy or de-identify the information (if lawful and reasonable).
If the information could have been collected under APP 3, we will treat it in accordance with
this Privacy Policy.
5. Notification of Collection
At or before the time of collection (or as soon as practicable afterward), we will notify users of:
Our identity and contact details.
The purposes for which we collect the information.
Any third parties to whom the information may be disclosed.
How users can access and correct their information.
Whether the collection is required or authorized by law.
6. Use and Disclosure of Personal Information
We will only use or disclose personal information for the primary purpose for which it was
collected, or for a secondary purpose if:
The user has consented.
The user would reasonably expect the use/disclosure.
It is required or authorized by law.
It is necessary to prevent a serious threat to life, health, or safety.
7. Direct Marketing
We may use personal information for direct marketing only if:
The user has consented (or would reasonably expect us to do so).
We provide a simple opt-out mechanism in every marketing communication.
The user has not previously opted out.
8. Cross-Border Disclosure of Personal Information
If we disclose personal information to overseas recipients (e.g., service providers), we will take
reasonable steps to ensure they comply with the APPs or similar privacy protections.
9. Adoption, Use, or Disclosure of Government Identifiers
We will not:
Use government-related identifiers (e.g., Medicare numbers) as account identifiers.
Disclose such identifiers unless required or authorized by law.
10. Data Quality
We take reasonable steps to ensure personal information is accurate, complete, and up-to-date.
Users may request corrections if their information is incorrect.
11. Data Security
We implement reasonable safeguards to protect personal information from misuse, interference,
loss, unauthorized access, modification, or disclosure. This includes:
Encryption and secure storage.
Access controls and staff training.
Regular security assessments.
If a data breach occurs that is likely to cause harm, we will notify affected individuals and the Office
of the Australian Information Commissioner (OAIC) as required.
12. Access to Personal Information
Australian users have the right to:
Request access to their personal information (with some exceptions under law).
Request corrections if the information is inaccurate, outdated, or incomplete.
Requests must be made in writing and may require identity verification. We will respond within a
reasonable time (usually 30 days).
13. Correction of Personal Information
If we refuse a correction request, we will provide written reasons and note the dispute on the user’s
record.
Complaints and Enforcement
If an Australian user believes we have breached the APPs, they may lodge a complaint with us via:
Email: privacyofficer@churchplan.org
We will investigate and respond within 30 days.
Changes to this Privacy Policy
We may update Our Privacy Policy from time to time. We will notify You of any changes by posting
the new Privacy Policy on this page.
We will let You know via email and/or a prominent notice on Our Service, prior to the change
becoming effective and update the "Last updated" date at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy
Policy are effective when they are posted on this page.
Contact Us
If you have any questions about this Privacy Policy, You can contact us:
By email:
privacyofficer@churchplan.com
support@churchplan.com
By visiting this page on our website:
All rights reserved. 2025 ChurchPlan®