LAST UPDATED: MARCH 2025
Introduction
ChurchSuite Ltd. is committed to the protection of the privacy of everyone who engages with our user research programme. Your privacy is really important to us and we understand how important it is to you. Our aim is to be as clear and open as possible about what we do with your personal data and why we do it.
Definitions we use in this privacy notice
"Data Protection Law" means all data protection laws and regulations applicable to the UK including (i) the UK Data Protection Act 2018; (ii) UK General Data Protection Regulation ("UK GDPR"); (iii) the Privacy & Electronic Communications Regulations 2003 ("the PECR") relating to electronic communications; (iv) In the event that the EU GDPR (as defined in the Data Protection Act 2018) applies to activities, we will comply with the EU GDPR; and applicable national implementations of (iii) and (iv).
"The Service" means our proprietary ChurchSuite software (including where the software is made available through a CharitySuite brand), which is accessed online through a web browser, or by using our mobile applications (Apps).
“The Programme” means our user research programme which includes user surveys, questionnaires and interviews.
"you", or "your Organisation" means you as an individual or the organisation you belong to as you interact with ChurchSuite. More specifically we define you as a data subject, as defined within the context of Data Protection Law, under the ‘Whose data do we collect?’ section.
"us", "we" and "our" refer to ChurchSuite Ltd. In the relationship between us as you use The Service, our marketing website, and our customer support services, ChurchSuite Ltd should be considered the Data Controller (the Service Provider) as defined within the context of General Data Protection Regulation Data Protection Law. This means we decide how your personal data is processed and for what purposes (explained below).
Scope of this Privacy Notice
This Privacy Notice only applies to data we process relating to or as part of The Programme. For data that we process elsewhere (e.g. for support or for using the service) please view our main privacy notice available on the website. This Privacy Notice also does not cover data that ChurchSuite processes on behalf of its customers. For data held by our customers please refer to their individual privacy notices.
Whose data do we collect?
Research participants, those who consent to engage with us in user research, including those who complete user surveys and interviews.
What data do we collect?
Participants
We only hold data that is provided to us for the purposes of The Programme and will vary depending on the context of the research that the participant is involved with. Data collected may include:
Full name
Email address
Organisational affiliation (e.g. church, denomination, or other religious affiliation)
Telephone number
Job title within the organisation
Video and audio recordings of interviews
What does ChurchSuite do with the data collected?
Participants
We collect data from participants necessary to carry out research about how users of The Service interact with it.
We collect and process the following personal data:
Your contact details - we use this information to communicate with you about previous, current and/or future research opportunities as part of The Programme.
Your role and organisational affiliation - we use this information to determine suitability for research projects within The Programme.
Audio/video recordings - if you participate in an interview as part of The Programme we may store the audio/video recordings, with your consent, for further analysis. Personally identifiable information will be redacted from the recordings where possible.
Other personal information may be divulged during surveys and/or interviews. Where possible we redact or remove this data from surveys and interviews before we process them any further. We do not intend to process any personal data as part of The Programme’s research projects.
Interview and survey data is identified using a pseudoanonymised identifier. This identifier will be the only link back to your contact details (so that we can communicate with you regarding your responses). If you revoke consent for us to communicate with you then this identifier will be removed and the research data will be anonymised.
What is our lawful basis for using your information?
We only collect and use personal data as the law allows us to. We do so under three different lawful bases of processing which are:
You have provided us with consent to process your data for a specific purpose.
Necessary for our compliance with legal obligations.
Necessary due to our, or a third party’s, legitimate interest which does not contradict your rights or freedoms.
Where legitimate interest is identified as a lawful basis, we will undertake a legitimate interest assessment which is a three part test covering:
The purpose test – to identify the legitimate interest
Necessity test – to consider if the processing is necessary for the purpose identified
Balancing test – considering the individual’s interests, rights or freedoms and whether these override the legitimate interests identified.
Some of our legitimate interests for processing your personal data include:
Scheduling and communication regarding research interviews.
How long do we keep your data?
We keep data in accordance with the guidance set out by the UK Data Protection Law and retain it for as long as it is relevant, or need to in accordance with laws, regulations and professional obligations.
We have internal processes to periodically review the data we hold and delete data that is no longer relevant to our purposes for processing.
Where you revoke consent for the processing of your data we will cease the processing of your data and remove or anonymise it as soon as is reasonably practicable.
What data does ChurchSuite share with third parties?
To support the management and analysis of the data provided from participant interviews and surveys we engage a small number of data processors who may have access to the personal data of individuals. Each of these is a “Sub-processor” who will only process data in accordance with our instructions inline with the GDPR. A list of our third-party sub-processors can be found on our website here.
Beyond those sub-processors we use to process data in accordance with this Privacy Notice, the information we hold about you and your Organisation will be treated as strictly confidential. Should we need to, we will only share your/your Organisation’s contact details with another party outside of our sub-processors with your prior consent, or unless required to do so by law.
How secure is your information?
We take security very seriously and will do everything within our power to keep your information safe in accordance with our obligations under Data Protection laws. We have in place technical and organisational measures to ensure your data is secured - preventing it from being accessed in an unauthorised way, altered or disclosed.
We have policies and procedures to handle any potential security breaches and will notify data subjects, third parties and any applicable regulators where we are legally required to do so.
We will never sell, rent, distribute or otherwise make your personal information commercially available to any third party, but information may be shared as outlined under the section ‘What data does ChurchSuite share with third parties?’ and we will process it as outlined in this privacy notice.
Details on the technical measures we take to manage your data securely can be found on our security page.
Does your information ever leave the UK/EEA?
While the research data will primarily be accessed and managed within the UK, we will share personal information to third parties outside of the UK or European Economic Area (EEA) but will only do so with our sub-processors, a list of which can be found on our website here.
Where personal data is transferred outside of the UK we will only do so with that data which is absolutely necessary. If there is no suitable adequacy decision for the country to which the data is being transferred then we will carry out a transfer risk assessment and ensure other safeguards are implemented prior to transferring data. These can include:
Standard Data Protection Clauses such as the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum (Addendum)
Binding Corporate Rules in accordance with Article 47 of the GDPR (UK & EU)
An exemption as defined in Article 49 of the GDPR (UK & EU)
Does ChurchSuite use any automated decision making with your data?
While we may use automated and ‘AI’ based tools to manage, analyse and process the research data, we do not make any automated decisions or profiles relating to you as an individual.
What happens if ChurchSuite changes how it processes data?
If we ever need to use your personal information for a new purpose, not covered by this Privacy Notice, we will provide you with a new notice explaining the new use prior to starting that processing and setting out the relevant purposes and legal basis for processing. Where and whenever necessary, we will seek your prior consent to the new processing.
Your rights and your information
Unless subject to an exemption under the UK Data Protection Law, you have the following rights with respect to your personal data: -
Access to your information: You have the right to request a copy of the personal information that we hold about you.
Correcting your information: We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
Deletion of your information: You have the right to ask us to delete personal information about you where:
you consider that we no longer require the information for the purposes for which it was obtained or that we no longer need to retain it in accordance with our statutory obligations under UK Data Protection Law;
you have previously consented to us processing your data but you have now withdrawn that consent;
you object to the processing of your data that we are doing so under legitimate interest and there is no overriding legitimate interest to continue;
your data is being used for direct marketing purposes and you object to your data being used for that purpose;
our use of your personal information is contrary to law or our other legal obligations.
Restricting how we may use your information: In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, when we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information but you do not want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
Portability of your data: you have the right to transfer the personal data you have provided us to another provider or service by retrieving your data in a machine readable format.
Withdrawing consent using your information: Where we use your personal information with your consent you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given. Please contact us in any of the ways set out in the ‘Who do you contact if you have any privacy concerns?’ section if you wish to exercise any of these rights.
Automated decision making and profiling: we do not perform any profiling of individuals, and the only automated decision making is made when you register for a trial which is required as part of registering for The Service. Details for the automated decision making can be found under the section ‘Does ChurchSuite use any automated decision making with your data?’
Lodging a complaint: If you feel we have used your information incorrectly or without a lawful basis, or you dispute our lawful basis, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) - details found under the section ‘Who do you contact if you have any privacy concerns?’.
Who do you contact if you have any privacy concerns?
We can provide you with access to the personal data we hold about you at any time. We ask that requests be made in writing to ChurchSuite Ltd, 2nd Floor, The Courtyard, 35-37 St. Marys Gate, Nottingham, England, NG1 1PU, UK, or by email to support@churchsuite.com.
If you have a data protection, security or privacy-related question or complaint, please contact ChurchSuite by email in the first instance, where we will do our best to assist you or resolve an issue.
Alternatively you can contact our data protection officer who is Bulletproof Cyber Ltd, Unit 13, Gateway 1000, Arlington Business Park, Whittle Way, Stevenage, Hertfordshire, SG1 2FP (dposupport@bulletproof.co.uk)
Or you can contact the Information Commissioner's Office via post Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or using the contact details on their complaint portal.
European Union (EU) Representative
If you are based within the European Union, as per Article 27 of the EU GDPR, we have appointed European Data Protection Office (EDPO) as our EU representative and you can contact them using their online request form or alternatively by writing to EDPO at Regus Block 1, Blanchardstown Corporate Park, Ballycoolen Road, Blanchardstown, Dublin D15 AKK1, Ireland.