Privacy Policy

Last updated: May 2026 · Applies to: churchcloud.online

0. Scope of this policy

This policy covers the ChurchCloud marketing website at churchcloud.online — the public site where prospective church administrators learn about the service and submit enquiries.

If you are using the ChurchCloud file-sharing service at a church-specific subdomain (e.g. yourchurch.churchcloud.online), a separate privacy policy applies, available on that subdomain. On those subdomains, your church is the data controller and ChurchCloud acts as a processor on its behalf.

1. Who we are

This website is operated by ChurchCloud. For the purposes of this policy, ChurchCloud is the data controller for personal data you provide when interacting with the marketing site.

You can contact us at [email protected].

2. Data we collect

  • Enquiry form data — when you submit the contact form on this site we collect the name, church name, email address, and message you provide. This information is delivered to our enquiries inbox so we can reply to you.
  • Server access metadata — when you visit the site, our infrastructure providers record standard technical information such as IP address, user-agent string, requested URL, response status code, and timestamp. This is used for security, abuse prevention, and operational troubleshooting.

We do not use Google Analytics, Plausible, Fathom, or any other website analytics tool. We do not run advertising pixels, retargeting tags, or behavioural tracking scripts.

3. Why we process it

Our lawful basis is legitimate interest (Article 6(1)(f) UK/EU GDPR):

  • Enquiry form data — responding to your enquiry and, where appropriate, providing follow-up information about the service. Submitting the form is itself a request for contact.
  • Server access metadata — keeping the website secure, identifying abuse, and diagnosing operational issues.

4. Sub-processors & infrastructure providers

The following third parties process or receive personal data in the course of providing this website to you:

  • Hetzner Online GmbH (Germany) — virtual server hosting. Server logs, including IP addresses of visitors, are stored in Hetzner data centres in Finland. (privacy policy)
  • Resend (United States) — transactional email delivery for enquiry-form submissions. Your name, church name, email address, and message are transmitted to Resend solely so that the enquiry email can be delivered to our inbox. (data processing agreement)
  • Cloudflare, Inc. (United States, with EU operations) — DNS, TLS termination, DDoS protection, and content delivery at the network edge. Cloudflare processes IP addresses and request metadata, and may set a strictly necessary bot management cookie (see the Cookies section below). (privacy policy)
  • Google Fonts (Google LLC, United States) — webfonts loaded from fonts.googleapis.com and fonts.gstatic.com. Loading these fonts transmits your IP address to Google. Google does not, to our knowledge, use this information for advertising profiling in the fonts context, but you should be aware of the transfer. (privacy policy)
  • unpkg (operated by Cloudflare in the United States) and cdn.tailwindcss.com — public content delivery networks from which the browser loads JavaScript and CSS libraries (HTMX, Alpine.js, Tailwind CSS). These providers see your IP address but do not receive any of the data you submit on this site.

No other third parties receive your personal data. We do not sell, rent, or share your personal data for marketing or advertising purposes.

5. Where your data is processed

Our primary hosting is in the European Union (Hetzner data centres in Finland). Several of the sub-processors and CDN providers listed above are headquartered in the United States. Transfers to those providers rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum (IDTA), or an equivalent adequacy mechanism where available.

6. How we protect your data

  • Transport encryption — all traffic uses HTTPS (TLS 1.2 or higher), with TLS terminated at Cloudflare and re-encrypted to our origin server.
  • Security headers — we set Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers to mitigate common browser-side attacks.
  • Minimal data surface — the marketing site does not hold a user database, does not store credentials, and does not retain enquiry submissions on the web server beyond what is needed to send them by email.
  • Rate limiting and abuse protection — provided at the Cloudflare edge.

No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and inform affected users without undue delay (UK GDPR Articles 33 & 34).

7. Data retention

  • Enquiry emails — retained in our enquiries inbox for up to 24 months from the date of receipt to allow for follow-up correspondence, then deleted.
  • Server access logs — typically retained for up to 30 days for security and operational purposes, then rotated out.
  • Cloudflare edge logs — retained by Cloudflare in accordance with their privacy policy (typically a small number of days).

8. Your rights

Under UK/EU GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — ask us to delete your enquiry data from our inbox.
  • Data portability — receive your personal data in a structured, machine-readable format (Article 20 UK GDPR).
  • Restriction / objection — ask us to stop or limit how we process your data, including the right to object to processing based on legitimate interests.
  • Complaint — lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email [email protected].

9. Cookies

ChurchCloud does not set any first-party cookies on this marketing site. We do not run advertising, analytics, or tracking cookies of any kind.

Our edge provider Cloudflare may set a strictly necessary cookie named __cf_bm for bot management and DDoS mitigation. This cookie is essential to protect the site from automated abuse and expires after 30 minutes of inactivity. It contains no personal information about you.

10. Automated decisions and AI

We do not use your personal data for automated decision-making, profiling, or to train artificial intelligence or machine-learning models. Submissions to the enquiry form are read and responded to by a person.

11. Marketing

We do not send unsolicited marketing emails. If you submit an enquiry, we will reply to it and may follow up with directly relevant information about the service. We will not add your email address to any marketing list or share it with third parties for marketing purposes. You can ask us at any time to stop further correspondence by replying to any email we send you.

12. Children and young people

This website is intended for adults — typically church administrators or trustees evaluating the service. It is not designed for or directed at children, and we do not knowingly collect personal data from anyone under the age of 18 through this site.

13. Law-enforcement and government requests

We may disclose personal data to a public authority where we are compelled to do so by valid UK legal process. Where we receive such a request we will:

  • Verify that the request is lawful and proportionate before responding.
  • Push back on overly broad or non-specific requests.
  • Disclose only the minimum data necessary to comply.
  • Notify you of the request where we are lawfully permitted to do so.

14. Business transfers

If ChurchCloud is involved in a merger, acquisition, restructuring, or sale of all or part of its assets, your personal data may be transferred to a successor organisation as part of that transaction. We will notify you by email before any such transfer takes effect and outline any choices you have.

15. Changes to this policy

We may update this policy from time to time. When we do, we will update the "last updated" date at the top of this page. Where changes are material, we will note them prominently on this page for a reasonable period and, where we hold your email address, notify you directly.

16. Contact

For any privacy-related questions or requests, please email us at [email protected].