
Who we are

ChurchLinker is a church management software service provided by Limelai Limited, a company registered in England and Wales (Company number: 16486216). Registered office: 86-90 Paul Street, London, EC2A 4NE. We are registered with the Information Commissioner's Office (ICO) as a UK data controller.

When this policy refers to "ChurchLinker", "we", "us" or "our", it means Limelai Limited trading as ChurchLinker. When it refers to "you", it means the individual reading this policy: whether you're a church administrator, a church member or a visitor to our marketing website.

Data protection contact

Our data protection lead is Ben Sonoiki. For any privacy-related queries, to exercise your rights, to request a Data Processing Agreement or to report a security concern, contact us at: dataprotection@churchlinker.com.

Are we a data controller or a data processor?

It depends what data we're talking about. This matters because different rules apply.

For ChurchLinker customer accounts (the church administrators who sign up to ChurchLinker, pay the subscription and configure the platform), we are the Data Controller. We decide how and why your account data is processed.

For church member data (the people whose names, contact details, giving records and so on are entered into ChurchLinker by church staff), the church is the Data Controller and we are the Data Processor. The church decides what to collect and why; we process it on their instructions to provide the service.

We sign a Data Processing Agreement with every paying customer setting out this relationship in writing. The current template is published at churchlinker.com/dpa. If your church needs a signed DPA, email dataprotection@churchlinker.com.

What information we collect and why

Information you give us as a customer

When you sign up for ChurchLinker, we collect: your name, email address, the name of your church and your role. If you subscribe to a paid plan, payment information is processed by Stripe. We do not store your card details, only a Stripe customer reference and the last four digits of the card for receipts.

Information your church enters about its members

When church administrators use ChurchLinker to manage their congregation, they enter personal data about members. The categories typically include:

- Identity: name, date of birth, photo, gender, marital status
- Contact: email, phone numbers, address, household
- Membership: join date, baptism date, membership status, group memberships
- Financial: donations, Gift Aid declarations, payment references
- Pastoral (special category data under UK GDPR Art. 9): religious belief, prayer requests, pastoral notes, allergies, medical notes, safeguarding/DBS records
- Demographic (special category data): ethnic origin (optional, used for ministry context)

This data belongs to the church. We hold it as a Processor under their instructions. We never use it for any purpose other than providing the service.

Information collected automatically

When you visit churchlinker.com, we collect standard web analytics data: pages visited, time on site, browser type and country-level location. We use privacy-friendly analytics that do not build cross-site profiles.

When you use the platform (app.churchlinker.com or your church's subdomain), we collect security and operational logs: timestamps, IP addresses, user-agent strings and the API endpoints accessed. These are retained for 90 days and used solely for security monitoring, debugging and audit-trail purposes.

Sign-in activity. Each time you sign in we record the timestamp of that sign-in against your account (throttled to one write per hour) and which calendar day you were active on. This powers an aggregate "active users by month / by year" report that helps your church measure platform engagement. By default only the aggregate counts are visible to admins; per-member detail ("when did Mary last sign in?") is off by default and only available to a church's admin if they have explicitly opted into it at Settings → Member usage analytics. Every time an admin views the per-member detail we audit-log it, so if you ever want to know which admin saw your sign-in activity you can ask your church for the answer and they can give you a precise list.

How we use your information

We use the information we collect to:

- Provide and operate the ChurchLinker service
- Send service-related emails (account setup, invoices, important updates)
- Respond to your support requests
- Detect and prevent fraud or abuse
- Improve the platform based on aggregate usage patterns (never individual profiling)
- Comply with our legal obligations (e.g. HMRC's six-year retention rule for Gift Aid records)

We do not use your church's member data for any purpose other than providing the ChurchLinker service. We do not sell, rent or share personal data with third parties for marketing purposes. Ever.

Legal basis for processing (UK GDPR Article 6)

For our customers (church administrators): we process your personal data under Contract (to fulfil our agreement with you) and Legitimate Interests (to keep the service secure and improve it).

For your members' data that we process on your behalf: the legal basis is determined by you as the Data Controller. We act only on your documented instructions.

Special category data (UK GDPR Article 9)

Religious belief, health data (allergies, medical notes) and ethnic origin are special-category data needing extra protection. Where we hold this on a church's behalf, the lawful basis under Article 9 is typically explicit consent (Art. 9(2)(a)) or, for safeguarding records, substantial public interest (Art. 9(2)(g)).

We collect explicit consent at the point of capture (visitor cards, member registration) and record it in our GdprConsent audit table.

AI features and how we handle data

Some optional ChurchLinker features use artificial intelligence: sermon transcription and Q&A, pastoral summaries, message drafting and duplicate-detection. These are powered by OpenAI.

When AI is invoked:

- The minimum necessary text is sent to OpenAI for processing
- Our agreement with OpenAI prohibits them from using your data to train their models
- OpenAI processes the request in the United States; we rely on the UK International Data Transfer Addendum (UK IDTA) and OpenAI's Standard Contractual Clauses for that transfer
- Each AI use is logged in our internal AI Usage Log, visible to your church's admin
- Churches can disable AI features entirely from Settings → Integrations

We do not send special-category data (health, ethnic origin, religious belief details) to OpenAI unless the feature explicitly requires it (e.g. pastoral summary), in which case the church configures it knowingly and the user has consented.

Full sub-processor list and international-transfer detail: churchlinker.com/sub-processors.

Sub-processors (who we share data with)

We share data only with vetted third-party services and only as necessary to provide ChurchLinker. Each one has signed our Data Processing Agreement and meets UK GDPR standards.

A complete and current list, including each one's role, location, certifications and DPA link, is published at churchlinker.com/sub-processors. The headlines:

- Hosting + serverless: Vercel (UK/EU regions where configurable)
- Database + file storage: Supabase, hosted on AWS in the EU
- Authentication: Clerk (SOC 2 Type II)
- Payments: Stripe (PCI DSS Level 1)
- Transactional email: Resend
- SMS / WhatsApp: Twilio
- AI features: OpenAI (US; see the "AI features" section above)
- Bot protection: Cloudflare Turnstile
- UK address lookup: Ideal Postcodes
- Audio generation (optional): ElevenLabs

We do not use advertising networks, profiling analytics or data brokers. ChurchLinker contains no third-party tracking pixels.

We will give 30 days' notice on the sub-processors page before adding any new sub-processor. You can subscribe to that page (RSS) to be notified of changes.

Your rights under UK GDPR

You have the following rights over your personal data:

Right of access (Art. 15): Get a copy of everything we hold on you. If you're a member of a church using ChurchLinker, you can self-serve this from your member portal: open your profile and click "Download my data". You'll receive a ZIP of JSON files covering every record we hold on you.

Right to rectification (Art. 16): Correct inaccurate data. Edit your profile in the member portal, or ask your church admin to update what they hold about you.

Right to erasure ("right to be forgotten", Art. 17): Ask us to delete your data. Contact your church admin (the Data Controller). Some records (Gift Aid donation records) must be retained for six years under HMRC rules; in that case we anonymise them so they no longer identify you.

Right to restrict processing (Art. 18): Ask us to pause certain uses of your data while we investigate a query.

Right to data portability (Art. 20): Request your data in a machine-readable format. The DSAR export above provides this.

Right to object (Art. 21): Object to processing based on legitimate interests; opt out of marketing.

Right to withdraw consent: Where the legal basis is consent (e.g. marketing emails, photo consent), withdraw it at any time from your member profile.

How to exercise these rights

- If you're a customer of ChurchLinker (a church admin): email dataprotection@churchlinker.com.
- If you're a member of a church using ChurchLinker: contact your church first (they're the Data Controller). If they don't respond, or if you're unhappy with their response, you can also email us. We will help where we can.

We respond to valid requests within one calendar month, as required by UK GDPR.

You can complain to the ICO at any time, at ico.org.uk or 0303 123 1113. We'd appreciate the chance to address your concern first.

How long we keep your data

We follow the UK GDPR storage-limitation principle (Art. 5(1)(e)): personal data is kept only as long as we need it for the purpose it was collected for.

Customer (church admin) account data: retained while your subscription is active. After cancellation, retained for 90 days to allow reinstatement, then permanently deleted (subject to records we must keep for tax / legal reasons).

Operational logs: 90 days, then automatically purged.

Aggregated analytics (totals and counts; no individual data): retained indefinitely.

Church member data: automated retention sweeps

These run daily on every tenant:

| Data | Retention | Action |
|---|---|---|
| Visitor cards (un-converted to a Person) | 12 months from creation | Hard-delete |
| Resolved or archived prayer requests | 12 months from resolution | Hard-delete |
| SMS conversations (no activity) | 6 months from last message | Hard-delete |
| Inactive Person records | 24 months after deactivation | Anonymise in place |

Inactive members are anonymised rather than deleted because UK and HMRC rules require donation and Gift Aid records to be retained for six years. Anonymising redacts identifying fields (name, address, contact) while preserving the financial-record audit chain.

The church can override these defaults in their settings; we publish the default values for transparency.

How we protect your data

Security underpins every part of the product. Our key measures:

In transit. All connections use TLS 1.2 or higher.

At rest. Database storage uses AES-256 disk-level encryption (provided by Supabase / AWS). On top of that, we apply application-level field encryption to the most sensitive free-text fields: prayer request titles and bodies, visitor prayer needs, and pastoral notes / safeguarding / medical notes on Person records. The encryption is AES-256-GCM with a per-tenant key derived from a master key via HKDF, meaning a breach of one church's encrypted data is useless against another's.

Access control inside the product. Every page and API endpoint enforces role-based authorisation. Two granular per-user flags ("Treasurer access" and "People access") let admins grant minimum-necessary privileges. Every grant or revocation writes to a tamper-evident audit log.

Audit log. Every permission change, member edit and GDPR action (DSAR export, erasure) is recorded. Admins can view the audit log at /dashboard/settings/audit-log; entries are retained indefinitely.

Authentication. Handled by Clerk (SOC 2 Type II). Supports MFA, passkeys and SSO.

Backups. Daily full + point-in-time recovery on the database. Backups are encrypted at rest and stored in the same region as the primary.

Personnel. Access to production systems is restricted to a small number of senior engineers, each using MFA. Every access is logged.

Reviews. We conduct an annual security review and update controls accordingly.

Disclosure

No system is 100% secure. If we discover a security breach affecting your personal data, we will notify the ICO within 72 hours of becoming aware (as required by UK GDPR), and we will notify affected customers without undue delay. Our internal breach-notification runbook is published in our public docs.

International data transfers

Your data is hosted in the UK / EU. Some of our sub-processors operate in other jurisdictions, primarily the United States. The relevant transfers are:

- OpenAI (US): used for optional AI features. We rely on the UK IDTA and OpenAI's published Standard Contractual Clauses.
- ElevenLabs (US): optional, only used if your plan enables Communication Pack audio. Same transfer mechanism.
- Stripe (US/UK): payments. Stripe is certified under the UK Adequacy Regulations.
- Twilio (US): SMS/WhatsApp delivery. UK IDTA + SCCs.
- Cloudflare (global): bot protection. UK IDTA + SCCs.
- Clerk (US): authentication. UK IDTA + SCCs.

Where personal data leaves the UK or EEA, we use a transfer mechanism approved by UK GDPR, typically the UK International Data Transfer Addendum (UK IDTA) appended to the European Commission's Standard Contractual Clauses. Copies of executed transfer agreements are available on request to dataprotection@churchlinker.com.

Children's data

Churches sometimes register children (minors under 13) as members. Under UK GDPR, parental or guardian consent is required for processing children's data when consent is the legal basis.

ChurchLinker provides a Guardian field on every Person record so a child's record is explicitly linked to a consenting adult. Children's data is treated with the same encryption and retention controls as adult data, with the additional restriction that medical notes / allergies are encrypted at rest as standard.

Churches are responsible (as Data Controller) for obtaining and recording parental consent. We provide a consent-capture UI; the church operates it.

Cookies

Our marketing website (churchlinker.com) uses a small number of cookies:

Strictly necessary: required for the website to function (e.g. session management). Set without consent.

Analytics: Google Analytics 4 (G-DCBXV2KEKE), used to understand how the marketing site and the product are used so we can improve them. We run GA in Consent Mode v2 with IP anonymisation; storage cookies are set only after you accept on the consent banner. If you reject, GA still runs but in cookieless mode (no identifiers persisted).

We do not use advertising cookies, retargeting pixels or Facebook Pixel.

The platform itself (app.churchlinker.com / your church subdomain) uses cookies only for authentication (Clerk session) and for remembering your preferences (e.g. selected language). No tracking cookies.

You can withdraw consent for analytics cookies at any time using the Manage cookie preferences button below.

ChurchLinker Assistant on the marketing site

The public ChurchLinker website offers an in-page assistant where visitors can ask questions about the product, pricing and how things work. Two things happen behind the scenes that you should know about.

The chat itself. Messages you send to the assistant are sent to our AI provider (OpenAI) to generate a reply. We don't store chat transcripts unless you choose to share your details with us through the lead-capture card described below. Cloudflare Turnstile checks that you're a human, and per-IP rate limits protect the service from abuse; neither stores a long-term identifier for you.

The lead-capture card. If you tick the consent box and submit your first name and email through the assistant, we store the following: first name, email, the exact consent text you agreed to, the date and time of consent, your IP address, your browser's user-agent string and a short snippet of the conversation that led to the form. The lawful basis is your explicit consent under Article 6(1)(a) of UK GDPR.

We use this only to follow up with you about ChurchLinker and to send occasional product updates and how-to guides, as set out in the consent text. We do not share these details with third parties for advertising. We do not enrich them, profile them, or use them for automated decisions.

Withdrawing consent. Every email we send includes a one-click unsubscribe link. You can also email dataprotection@churchlinker.com at any time and we'll honour the request promptly.

Retention. We keep marketing-lead records for 12 months from your last interaction, after which we erase the personal data and keep only an anonymised audit row showing that lawful processing took place. If you become a paying ChurchLinker customer, the record converts into a customer record under separate retention rules.

Changes to this policy

We may update this policy as the service evolves or as the law changes. The "last updated" date below indicates the most recent version.

For material changes (new sub-processors, changes to retention periods, new uses of data), we will give customers 30 days' notice by email and on our changelog before the change takes effect.

Previous versions of this policy are kept in our git history and are available on request.

This privacy policy was last updated on 10 May 2026.

Contact & complaints

For any privacy-related queries, to exercise your rights, to request a Data Processing Agreement or to report a suspected security incident:

Email: dataprotection@churchlinker.com

Data protection lead: Ben Sonoiki

Post: Limelai Limited (trading as ChurchLinker), 86-90 Paul Street, London, EC2A 4NE

We respond to all privacy enquiries within 30 days, usually much sooner.

If you have a complaint about how we handle your personal data, please contact us first. We take all complaints seriously and will investigate promptly. You also have the right to complain to the Information Commissioner's Office (ICO):

- Online: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Cookie preferences

Change your analytics cookie choice. We respect your decision and store it locally so we don't prompt you again on this device.
