This current policy came into effect at 25 May 2018. We may need to update it over time but if we do, we'll post the updated version on our website.
Elvanto provides church management software to help Churches manage their congregations. As part of providing that service, we collect information from people who make enquiries of us, trial our software, or set up and operate an account on behalf of a Church. This might include:
We call this information "Church Information".
When people complete forms, make enquiries or contact us online, or otherwise provide us with Church Information, we confirm that they consent to that collection and proposed use of the information. That consent is the lawful basis for our processing of Church Information.
When dealing with Church Information, Elvanto acts as a data controller.
Our service aims to give Churches the right tools and flexibility to help stay connected with their congregations and other people. As part of this, Churches can include lots of information about their members in their account by adding new fields to the standard data categories which we set up.
Churches themselves upload or support the uploading of Individual Information into the Church Account. That Individual Information is usually not disclosed to us nor do we have any right to use that Individual Information.
The information that our Church clients enter and store about their congregations and other people in our software is called "Individual Information".
When dealing with Individual Information, Elvanto acts as a data processor, and regards the Church which has uploaded that information as the data controller. Where Elvanto is acting as a data processor, we will only process information in accordance with the lawful instructions of the data controller. More detail about the terms on which we process information are included in the Elvanto Terms of Service.
Your Church has the flexibility to determine how it uses Individual Information. We assume that your Church has collected your personal information lawfully and has lawful basis for that way it uses your Individual Information.
If you are concerned or have any questions about the use of your Individual Information, you should contact your Church directly.
We only collect Church Information directly from you unless you authorise another person to provide the information.
We collect Personal Data from you when you interact with us online or over the phone in order to assist with your on-line query, email or call.
Because we offer church management software, the Church Information we collect includes information about your religious opinions, beliefs, associations or affiliations. This type of information is regarded as deserving special treatment and is defined as "sensitive information" by privacy laws.
We need your consent to the collection of sensitive information. To support this requirement, we have included places for you to indicate your consent in our on-line forms and on our website. If you do not provide this information, we may not be able to provide our Services.
You have the right to withdraw your consent at any time. This is discussed further below.
Member Information is also sensitive information, but this information has been collected by the Church. If you are concerned about the Member Information that has been included in the Elvanto service, we recommend you contact your Church directly.
We use social networking services such as Twitter, Facebook and YouTube to communicate with Churches and the public about our Services. When you communicate with us using these services we may collect your Personal Data, but we only use it to help us to communicate with you and the public. The social networking service will also handle your personal information for its own purposes. These sites have their own privacy policies and we recommend that you review them.
We will only use Personal Data for purposes related to providing our Services.
Examples of this use by us include:
We will not use your Personal Data for purposes other than described in this Section unless we have your consent or there are specified law enforcement or public health and safety reasons or other uses required by law.
In most cases, Elvanto will interact only with the nominated Super Admins for a Church Account, and not directly with Individual Users. We are happy to interact with Individual Users but in most cases will direct them back to the Super Admin for their Church Account. In later sections of this Policy we describe how we respond to requests for access to, correction and deletion of Individual Information.
Generally, we do not collect Individual Information (other than in special cases, such as when we help with onboarding). However, if Churches do provide us with Individual Information (for example, for onboarding) we will only use this information for the specific reason for which it is provided.
If you contact Elvanto with a general question you can interact with us anonymously or through the use of pseudonym.
Elvanto may use Church Information for marketing purposes, or to send you promotional material, if you have consented to receiving marketing material.
We may also conduct surveys or market research or seek other information from you on a periodic basis. These surveys will provide us with information that allows improvement in the types and quality of Services offered to you, and the way those Services are offered to you.
To opt-out of receiving marketing materials through the Elvanto system either:
- contact Elvanto by email firstname.lastname@example.org; or
- select the 'unsubscribe' link provided in a marketing email.
Your Church has the flexibility to determine how it might use Individual Information. If you are concerned or have questions about that use, you should contact your Church directly.
Your Church may use Elvanto to send you marketing or promotional material. To opt-out of receiving certain marketing materials through the Elvanto system if you are a Church member, you may contact your Church or select the 'unsubscribe' link provided in the email.
Unless you consent, we will not disclose any Church Information or Individual Information to third parties, other than Sub-processors we use as part of delivering the Service.
The Sub-processors used by us include Amazon Web Services, Inc., SendGrid, Inc., and Pusher Ltd. These Sub-processors are located in the US, the UK and the EU.
Use of their services may involve the transfer of personal information to them.
For all our Sub-processors:
We also give our Churches the option to use services that may involve third parties. This may be done via a link to another service or website and may include, as an example, links to PayPal or Stripe for on-line payment.
The decision to use these services is at the discretion of each Church.
Although we try to only partner with reputable and trustworthy suppliers, we cannot control or be responsible for the policies of other sites we may link to, or the use of any Personal Data you may share with them.
Please note that this Policy does not cover these other websites, and we recommend that you review the privacy policies attached to the use of those services and websites before deciding whether to proceed.
If you do not want your Individual Information to be shared with third parties for example for the purposes of emailing or texting you or supporting event registration, please let your Church know and they can disable these services for you.
We store your personal information using secure servers provided by Amazon Web Services, which servers are protected from unauthorised access, modification or disclosure.
The location of the server on which your information is stored is dependent on your Church's location:
Australia, New Zealand, the Pacific and Asia
All other locations
Republic of Ireland
We take steps to protect the security of the Personal Data we hold from both internal and external threats by:
However, we also note that no data transmission over the Internet or information system or storage technology can be guaranteed to be 100% secure.
If a data breach occurs, we will:
This website uses Google Analytics, a web analytics service provided by Google, Inc. ('Google'). Google Analytics uses 'cookies', which are text files placed on your computer, to help the website analyse how you use the site.
Cookies are used to store information, such as the time that the current visit occurred, whether you have been to the site before and what site referred you to our web page.
The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.
Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.
Generally, we will keep Personal Information for the period during which any legal claim may be made in regard to the provision of Services, in accordance with legal requirements or to meet our legal obligations. For example, we hold billing records, and any information associated with those records (such as the number of members a Church had) for 7 years.
This is in accordance with our Data Retention and Deletion Policy. Please let us know if you would like to see a copy of this policy.
If we hold personal information about you, and we do not need that information for any purpose, we will take reasonable steps to securely destroy or de-identify that information unless we are prevented from doing so by law.
The basis on which we delete information is included in our Data Retention and Deletion Policy.
An Authorised User can ask us to delete Church Information at any time, and we will delete it from all live systems and make sure we do not process it further in any way (other than as we may need to support your account or for other reasonable administrative or legal purposes, such as billing).
We do not delete Church Information or Individual Information from back-ups. However, we only keep back-ups for 30 days at the most. All our back-ups are encrypted and stored securely. If any back up is used to restore data, we will check and ensure that all deletion requests are actioned before restoring the data. Generally, we only restore data from the last 24 hours.
We apply the following rules to the permanent deletion of information:
More detailed information on when we delete information is included in our Data Retention and Deletion Policy. Please let us know if you would like to see a copy of this policy.
An Authorised User can object to or ask us to stop processing Church Information at any time. We will comply with such request, if the request is on legitimate grounds and subject to any specified exemptions in the GDPR. Where we have been requested to stop processing or there has been an objection to processing, we will only process Church Information needed for our legitimate purposes such as satisfaction of legal obligations or for our own records.
We rely on the consent of Authorised Users to collect and process their Personal Data, as the data may include Sensitive Data. Authorised Users may withdraw their consent to the collection or processing of their Personal Data at any time by contacting us via any of the contact details included below. We will immediately cease processing and, if requested, will also delete Personal Data in accordance with Section 9.2. We note however that this may impact usage of the Church Account.
If a Member wishes to withdraw consent to the use of their Personal Data by their Church, that Member should in the first instance contact their Church.
Churches can delete or disable access to Individual Information at any time. Members who wish to delete or stop the use of their Individual Information should contact their Church. Permanent deletion of Individual Information will be done in accordance with section 9.2 above. If a Member requires the permanent deletion of their Individual Information earlier than that, they should first ask their Church. If the Church cannot permanently delete their information then it can contact us and we will do it for them.
If a Member feels their Church has not dealt with their request promptly or effectively, we will respond in the same way we would to a Member request for access (see the next paragraph for more information on this).
You can contact us at any time and, subject to identification of you as an Authorised User, Elvanto will provide access to Church Information we hold (subject to allowable exceptions). We will provide access within a reasonable time and at a reasonable cost.
We endeavour to only hold Church Information that is accurate, complete and up-to-date.
We maintain a register for information about our Church clients, based on the information you provide via the Legal and Compliance section in your Church Account Settings. Authorised Users can update their Church Information at any time via those Church Account Settings.
We encourage you to keep these details up to date.
If you become aware that any Church Information we hold is no longer accurate, complete or up-to-date you can also contact us to correct the information (using the contact details below).
Members who wish to access or correct their Individual Information should contact their Church.
If Members contact us, we will refer them to their Church. If the Church does not promptly or effectively respond to their requests, we will do so after having taken reasonable steps to verify their identity. In these circumstances, we expect that the Church will promptly provide us with all reasonable assistance to fulfil the Member's request at its cost (as provided in the Terms of Service).
Elvanto has appointed an external Data Protection Officer (DPO) to help ensure that we meet our obligations under the GDPR.
If you have any queries, questions, concerns or wish to make a complaint regarding how we deal with your personal information please contact either us or our DPO, using the following details:
Suite 5, 15 Lake Street
Varsity Lakes QLD 4227
Phone: (07) 3062 2359
Elvanto Data Protection Officer:
Dr Jodie Siganto
PO Box 3295
Because we are based in Australia and do not have an office in the EU, we have appointed DPR Group as our Data Protection Representative in the EU.
DPR Group will primarily deal with any communications with EU data protection authorities.
You may also wish to contact DPR Group if you have any queries, questions, concerns or wish to make a complaint regarding how we deal with your personal information and would prefer to deal with a local organisation.
To raise a question or otherwise exercise your rights in respect of your personal data through DPR Group, you may do so by using any of the following details:
1-2 Marino Mart
Fairview, Dublin 3
Mail to an address from this list.
PLEASE NOTE: When mailing inquiries, it is ESSENTIAL that you mark your letters for 'DPR Group' and not 'Elvanto Pty Ltd', or your inquiry may not reach DPR Group. Please refer clearly to Elvanto Pty Ltd in your correspondence. On receiving your correspondence, DPR Group may ask you to provide evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you.
If you have any concerns or complaints about how we are collecting or processing your Personal Information, you can complain to your local data protection authority.
If you are in the EU, please follow this link to locate the data protection authority most relevant to you: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
As our EU Representative is in the Republic of Ireland, you may wish to contact the Data Protection Commissioner in Ireland at email@example.com.
More information about making a complaint to the Data Protection Commissioner in Ireland is available at https://www.dataprotection.ie/docs/complaints/1592.htm.
Alternatively, please contact us or our DPO on the contact details above and we will gladly send you a copy free of charge.
In this Policy, the following terms have the meanings given:
Account means any form of account for the Service including whether it is paid for, is opened to test the Service or for the purpose of demonstration.
Authorised User means any user who has been granted permission to manage, access or make decisions concerning a Group Account by the owner of that Group Account.
Church means the organisation on whose behalf a Group Account is established.
Data Controller has the meaning given to it in the GDPR.
Data Processor has the meaning given to it in the GDPR.
Data means any material including documents, information or data provided by you to us by way of the Software.
Data Subject has the meaning given to it in the GDPR.
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of Personal Data, and repealing Directive 95/46/EC.
Group Account means the Account type intended for Churches to use the Services and may be free or paid for.
Individual Users means individuals associated with a Church and whom a Church directs, encourages or enables to provide Personal Data as part of the Church's use of the Service.
Privacy Law means the relevant law concerning the collection, use and disclosure of Personal Information, which may include:
Personal Data has the meaning given to it in the GDPR.
Service means any service provided by Elvanto by way of the Software.
Software means the cloud-based Church management software owned and designed by Elvanto.
Sub-processors has the meaning given to it in the GDPR.