UK GDPR & Data Protection
Built privacy-first for UK churches
Special-category data. Religious belief, health, safeguarding, ethnic origin. Sits at the heart of church life. ChurchLinker is engineered around UK GDPR from day one, with practical controls church admins can verify themselves.
The documents
Everything you might need to read or hand to your church's data protection lead.
Privacy Policy
How we collect, use and protect personal data. Written in plain English.
Sub-processors
Every third-party service that processes your data, with their certifications and DPA links.
Data Processing Agreement
Customer-facing DPA template. Required if your church is a Data Controller using ChurchLinker.
Built-in technical controls
Concrete things that exist in the product. Not promises.
Per-church encryption at rest
Sensitive free text. Prayer requests, visitor prayer needs, pastoral notes, allergies, medical notes. Is encrypted with a per-church AES-256-GCM key derived via HKDF. A breach of one church's encrypted data is useless against another's.
Role-based access + audit log
Granular permission gates with two per-user flags (Treasurer, People). Every grant, revoke, role change and member record edit is recorded in an audit log retained indefinitely.
Automated retention
Visitor cards (12 months), resolved prayers (12), SMS conversations (6), inactive members (24, anonymised). Daily sweep. UK GDPR Art. 5(1)(e).
One-click data subject access
Members can self-serve a complete data export from their profile. Admins can export for any record. Both flows write to the audit log.
Right to erasure (Art. 17)
Admin-triggered, requires a documented reason. Anonymises in place to preserve HMRC's 6-year donation retention; hard-deletes wholly-personal records.
Documented international transfers
UK IDTA + SCCs in place for every sub-processor outside the UK / EEA, including OpenAI for AI features.
Understanding the Data Controller / Data Processor split
Your church = Data Controller
Your church decides what personal data to collect, why, how long to keep it and who can access it. You are responsible for having a lawful basis for processing (e.g. legitimate interests for pastoral care, consent for marketing). ChurchLinker provides the tools; the decisions are yours.
ChurchLinker = Data Processor
We process your congregation's data only on your documented instructions and only to provide the service. We have no independent interest in members' data, do not share it with advertisers and do not use it to train AI models.
Your rights
UK GDPR gives every individual a set of rights over their personal data. ChurchLinker honours all of them.
- Right of access (Art. 15) . Members: download from your profile. Customers: email us.
- Right to rectification (Art. 16) . Edit your profile, or ask your church admin.
- Right to erasure (Art. 17) . Contact your church (Data Controller). HMRC retention applies to donation records (anonymised in place rather than deleted).
- Right to restrict processing (Art. 18)
- Right to data portability (Art. 20) . The data export is JSON, machine-readable.
- Right to object (Art. 21)
- Right to withdraw consent at any time.
You also have the right to complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint. We'd appreciate the chance to address your concern first.
Talk to our data protection lead
Ben Sonoiki, ChurchLinker's data protection contact, responds personally to every privacy enquiry. Most replies inside one working day; always within the 30-day GDPR window.
dataprotection@churchlinker.com