🔒 In brief: MyEcclesia only collects data necessary to run the platform. Your data belongs to your church. It is never sold or shared for commercial purposes. It is hosted within the European Union.
1 Data controller
The data controller for personal data collected via the MyEcclesia platform is MyEcclesia SAS, publisher of the service available at https://myecclesia.org.
Contact: [email protected]
2 Data collected
MyEcclesia collects different categories of data depending on the context of use.
2.1 Administrators and platform users
- First and last name
- Professional or personal email address
- Password (hashed, never stored in plain text)
- Role within the church (pastor, secretary, ministry leader, etc.)
- Connection data (IP address, browser, timestamp) for security purposes
2.2 Church data
- Church name, denomination, location
- Approximate number of members
- Logo and presentation information
2.3 Church members' data (managed by the church)
This data is entered and controlled by the Church User (data controller for its members). MyEcclesia acts as a data processor under Article 28 of the GDPR:
- First name, last name, date of birth
- Contact details: email, phone, postal address
- Member type (adult, child)
- Family information (household structure, relationships)
- Attendance history at events and services
- Financial data: donation and tithe amounts (no full bank details ever stored)
- Pastoral notes (confidential, restricted access)
2.4 Browsing data
- Essential technical cookies (session, preferences)
- Anonymised analytics data (pages visited, session duration)
3 Purposes of processing
Your data is used exclusively for the following purposes:
- Providing and improving the MyEcclesia service
- Managing your account and secure authentication
- Sending service-related communications (confirmations, security alerts, important updates)
- Customer support and technical assistance
- Billing and subscription management
- Improving the platform through aggregated and anonymised statistical analysis
- Complying with our legal and regulatory obligations
MyEcclesia does not engage in advertising profiling and never sells your data to third parties.
4 Legal basis for processing
In accordance with the GDPR (EU Regulation 2016/679), processing is based on the following legal grounds:
- Performance of a contract — for delivering the subscribed service
- Legitimate interests — for service security, fraud detection and platform improvement
- Consent — for non-essential cookies and optional marketing communications
- Legal obligation — for retaining certain accounting and tax records
For special category data (data of a religious nature concerning church members), MyEcclesia relies on Article 9.2(d) of the GDPR, which permits processing carried out in the context of legitimate activities of a non-profit body or association of a religious character.
5 Hosting and data transfers
🇪🇺 100% EU hosting. All user and church member data is stored on servers located within the European Union (EU-West zone). No data is transferred to third countries without appropriate contractual safeguards.
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Backups are performed daily and stored in separate data centres within the EU.
Where a sub-processor outside the EU is used (e.g. an emailing tool), Standard Contractual Clauses (SCCs) approved by the European Commission are systematically put in place.
6 Retention periods
- Active account data: retained for the duration of the active subscription
- Cancelled account data: permanently deleted within 90 days of cancellation, unless legally required otherwise
- Billing data: retained for 10 years in accordance with French accounting obligations
- Connection and security logs: 12 months
- Data exported by the church before cancellation: under the exclusive responsibility of the church
Before any deletion, you will receive a notification allowing you to export your data.
7 Your GDPR rights
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Obtain a copy of your personal data being processed
- Correct inaccurate or incomplete data
- Request deletion of your data ("right to be forgotten")
- Object to certain processing based on legitimate interests
- Request restriction of processing in certain circumstances
- Receive your data in a structured, machine-readable format
To exercise these rights, contact our Data Protection Officer (DPO) at [email protected]. We commit to responding within one month.
If you believe your rights have not been respected, you may lodge a complaint with your national data protection authority (e.g. the ICO in the UK: ico.org.uk, or the CNIL in France: cnil.fr).
8 Cookies and trackers
MyEcclesia uses cookies to ensure the platform works correctly and to improve the user experience.
8.1 Strictly necessary cookies
These cookies are essential to the functioning of the service and cannot be disabled: session management (authentication), security preferences, CSRF protection.
8.2 Analytical cookies (with consent)
We use analytics tools to measure audience in an aggregated and anonymised way to improve the platform. These cookies are only placed after your explicit consent.
8.3 Cookie management
You may withdraw your consent to non-essential cookies at any time via our cookie management banner at the bottom of each public page. You can also manage cookies through your browser settings.
9 Third-party processors
MyEcclesia uses carefully selected sub-processors to deliver certain services. Each is subject to a data processing agreement compliant with Article 28 of the GDPR:
- Hosting: EU-based cloud provider (ISO 27001 certified infrastructure)
- Payment: PCI-DSS certified payment processor — full card details never pass through our servers
- Transactional email: delivery of confirmation and notification emails
- SMS: delivery of SMS notifications (pseudonymised data)
The full and up-to-date list of our sub-processors is available on request at [email protected].
10 Minors
The MyEcclesia service is intended for adult administrators (18 or over). However, the platform allows churches to manage profiles for minor members (children, youth) as part of their ministries.
For minor members registered on the platform, the church is the data controller and must ensure that appropriate parental consent has been obtained in accordance with applicable law.
MyEcclesia provides a "Member type — Child" field to clearly identify minor profiles and apply specific access restrictions.
11 Changes to this policy
MyEcclesia reserves the right to amend this Privacy Policy at any time, in particular to comply with legislative and regulatory changes.
In the event of a material change, you will be informed by email at least 30 days before the new provisions take effect. The current version is always accessible at https://myecclesia.org/en/privacy.
The date of the last update appears at the top of this document.
12 Contact and Data Protection Officer
Data Protection Officer (DPO)
MyEcclesia SAS
Email: [email protected]
Subject line: "GDPR Request — [your name]"
Response time: maximum 30 days
For any question about the processing of your personal data or to exercise your rights, you may contact us by email at the address above. We commit to acknowledging your request within 5 business days and responding within the statutory one-month deadline.