Privacy Policy (EU)

1. Introduction

Hello, thanks for choosing Elvanto and welcome to our Privacy Policy.

Before getting into the details, we'd like to highlight some of the key principles behind our Privacy Policy. These principles are important to us because we know they're important to you.

The Privacy Policy is here to do three things:

  • Explain the way we use information Churches share with us to build a great product and give you a great experience with it;
  • Ensure that you understand what information we collect with your permission, and what we do - and do not do - with it;
  • Hold us accountable for protecting your rights and your privacy under this policy.

This current policy came into effect at 25 May 2018. We may need to update it over time but if we do, we'll post the updated version on our website.

2. The information we collect

2.1. Church Information

Elvanto provides church management software to help Churches manage their congregations. As part of providing that service, we collect information from people who make enquiries of us, trial our software, or set up and operate an account on behalf of a Church. This might include:

  • Name and contact details
  • Church name and location and number of members
  • Financial information like your Church's bank account details

We call this information "Church Information".

When people complete forms, make enquiries or contact us online, or otherwise provide us with Church Information, we confirm that they consent to that collection and proposed use of the information. That consent is the lawful basis for our processing of Church Information.

You can withdraw that consent at any time. Please contact us via the contact details in the How to contact us section below to let us know if you would like to withdraw your consent. However, please be aware that if you do not provide us with the Church Information requested or withdraw your consent to our use of that information, we may not be able to set up or maintain your Account or respond to your query. We will also keep, and may process, your Church Information to the extent required to by law or otherwise as set out in this Privacy Policy.

When dealing with Church Information, Elvanto acts as a data controller.

2.2. Individual Information

Our service aims to give Churches the right tools and flexibility to help stay connected with their congregations and other people. As part of this, Churches can include lots of information about their members in their account by adding new fields to the standard data categories which we set up.

Churches themselves upload or support the uploading of Individual Information into the Church Account. That Individual Information is usually not disclosed to us nor do we have any right to use that Individual Information.

The information that our Church clients enter and store about their congregations and other people in our software is called "Individual Information".

When dealing with Individual Information, Elvanto acts as a data processor, and regards the Church which has uploaded that information as the data controller. Where Elvanto is acting as a data processor, we will only process information in accordance with the lawful instructions of the data controller. More detail about the terms on which we process information are included in the Elvanto Terms of Service.

Your Church has the flexibility to determine how it uses Individual Information. We assume that your Church has collected your personal information lawfully and has lawful basis for that way it uses your Individual Information.

If you are concerned or have any questions about the use of your Individual Information, you should contact your Church directly.

3. How we collect information

We only collect Church Information directly from you unless you authorise another person to provide the information.

We collect Personal Data from you when you interact with us online or over the phone in order to assist with your on-line query, email or call.

Sensitive Information

Because we offer church management software, the Church Information we collect includes information about your religious opinions, beliefs, associations or affiliations. This type of information is regarded as deserving special treatment and is defined as "sensitive information" by privacy laws.

We need your consent to the collection of sensitive information. To support this requirement, we have included places for you to indicate your consent in our on-line forms and on our website. If you do not provide this information, we may not be able to provide our Services.

You have the right to withdraw your consent at any time. This is discussed further below.

Member Information is also sensitive information, but this information has been collected by the Church. If you are concerned about the Member Information that has been included in the Elvanto service, we recommend you contact your Church directly.

3.1. Social Networking Services

We use social networking services such as Twitter, Facebook and YouTube to communicate with Churches and the public about our Services. When you communicate with us using these services we may collect your Personal Data, but we only use it to help us to communicate with you and the public. The social networking service will also handle your personal information for its own purposes. These sites have their own privacy policies and we recommend that you review them.

4. Use of your information

We will only use Personal Data for purposes related to providing our Services.

Examples of this use by us include:

  • providing you with Services requested;
  • administering your Account, including billing and dealing with payment issues;
  • dealing with requests, enquiries or complaints and other customer care related activities;
  • marketing our Services generally.

We will not use your Personal Data for purposes other than described in this Section unless we have your consent or there are specified law enforcement or public health and safety reasons or other uses required by law.

In most cases, Elvanto will interact only with the nominated Super Admins for a Church Account, and not directly with Individual Users. We are happy to interact with Individual Users but in most cases will direct them back to the Super Admin for their Church Account. In later sections of this Policy we describe how we respond to requests for access to, correction and deletion of Individual Information.

Generally, we do not collect Individual Information (other than in special cases, such as when we help with onboarding). However, if Churches do provide us with Individual Information (for example, for onboarding) we will only use this information for the specific reason for which it is provided.

If you contact Elvanto with a general question you can interact with us anonymously or through the use of pseudonym.

4.1. Marketing by Elvanto

Elvanto may use Church Information for marketing purposes, or to send you promotional material, if you have consented to receiving marketing material.

We may also conduct surveys or market research or seek other information from you on a periodic basis. These surveys will provide us with information that allows improvement in the types and quality of Services offered to you, and the way those Services are offered to you.


To opt-out of receiving marketing materials through the Elvanto system either:

  • contact Elvanto by email; or
  • select the 'unsubscribe' link provided in a marketing email.

4.2. Church Marketing

Your Church has the flexibility to determine how it might use Individual Information. If you are concerned or have questions about that use, you should contact your Church directly.

Your Church may use Elvanto to send you marketing or promotional material. To opt-out of receiving certain marketing materials through the Elvanto system if you are a Church member, you may contact your Church or select the 'unsubscribe' link provided in the email.

5. Sharing information and Sub-processors

Unless you consent, we will not disclose any Church Information or Individual Information to third parties, other than Sub-processors we use as part of delivering the Service.

The Sub-processors used by us include Amazon Web Services, Inc., SendGrid, Inc., and Pusher Ltd. These Sub-processors are located in the US, the UK and the EU.

Use of their services may involve the transfer of personal information to them.

For all our Sub-processors:

  • we remain primarily liable to you for the acts and omissions of the sub-processor;
  • each sub-processor has agreed that it will only access and use Church or Individual Information to the extent necessary to perform the functions contracted to it by us and which are necessary for us to be able to provide the Services;
  • we ensure that they will comply with all the obligations contained in this Policy and the principles contained in the GDPR, either as part of the terms of services we have with them or pursuant to their commitment as organisations that have certified as being compliant with the EU-US Privacy Shield arrangements.

5.1. Third party services and websites

We also give our Churches the option to use services that may involve third parties. This may be done via a link to another service or website and may include, as an example, links to PayPal or Stripe for on-line payment.

The decision to use these services is at the discretion of each Church.

Although we try to only partner with reputable and trustworthy suppliers, we cannot control or be responsible for the policies of other sites we may link to, or the use of any Personal Data you may share with them.

Please note that this Policy does not cover these other websites, and we recommend that you review the privacy policies attached to the use of those services and websites before deciding whether to proceed.

If you do not want your Individual Information to be shared with third parties for example for the purposes of emailing or texting you or supporting event registration, please let your Church know and they can disable these services for you.

6. How we hold your information

We store your personal information using secure servers provided by Amazon Web Services, which servers are protected from unauthorised access, modification or disclosure.

The location of the server on which your information is stored is dependent on your Church's location:

Church Location

Server Location

Australia, New Zealand, the Pacific and Asia


United States

United States

All other locations

Republic of Ireland

7. Security of your Personal Information

We take steps to protect the security of the Personal Data we hold from both internal and external threats by:

  • regularly assessing the risk of misuse, interference, loss, and unauthorised access, modification or disclosure of that information
  • taking measures to address those risks, for example, we keep a record (audit trail) of when someone has added, changed or deleted personal information held in our electronic databases and regularly check that staff only access those records when they need to; and
  • conducting regular internal and external audits to assess whether we have adequately complied with or implemented these measures.

However, we also note that no data transmission over the Internet or information system or storage technology can be guaranteed to be 100% secure.

If a data breach occurs, we will:

  • notify the Churches affected of it as soon as reasonably possible after it comes to our attention;
  • take reasonable steps to secure the affected data and minimise harm to all individuals; and
  • provide Churches with whatever reasonable assistance might otherwise be required.

8. Elvanto's use of Google Analytics

This website uses Google Analytics, a web analytics service provided by Google, Inc. ('Google'). Google Analytics uses 'cookies', which are text files placed on your computer, to help the website analyse how you use the site.

Cookies are used to store information, such as the time that the current visit occurred, whether you have been to the site before and what site referred you to our web page.

The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.

Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

By using this website, you consent to the processing of data about you by Google in the manner described in Google's Privacy Policy and for the purposes set out above. You can opt out of Google Analytics if you disable or refuse the cookie, disable JavaScript, or use the opt-out service provided by Google.

9. Retention and Deletion and the Right to Object

9.1. Retention

Generally, we will keep Personal Information for the period during which any legal claim may be made in regard to the provision of Services, in accordance with legal requirements or to meet our legal obligations. For example, we hold billing records, and any information associated with those records (such as the number of members a Church had) for 7 years.

This is in accordance with our Data Retention and Deletion Policy. Please let us know if you would like to see a copy of this policy.

9.2. Deletion and Disposal

If we hold personal information about you, and we do not need that information for any purpose, we will take reasonable steps to securely destroy or de-identify that information unless we are prevented from doing so by law.

The basis on which we delete information is included in our Data Retention and Deletion Policy.

An Authorised User can ask us to delete Church Information at any time, and we will delete it from all live systems and make sure we do not process it further in any way (other than as we may need to support your account or for other reasonable administrative or legal purposes, such as billing).

We do not delete Church Information or Individual Information from back-ups. However, we only keep back-ups for 30 days at the most. All our back-ups are encrypted and stored securely. If any back up is used to restore data, we will check and ensure that all deletion requests are actioned before restoring the data. Generally, we only restore data from the last 24 hours.

We apply the following rules to the permanent deletion of information:

  • Group Accounts and associated Church Information and Individual Information, where there has been no activity for more than 7 months (and where not required for Elvanto's own records or administrative processes) will be deleted permanently; and
  • Individual Information which has been deleted or disabled, will be permanently deleted or de-identified 90 days after deletion or disabling (or 18 months where members have financial data associated to them).

More detailed information on when we delete information is included in our Data Retention and Deletion Policy. Please let us know if you would like to see a copy of this policy.

9.3. Right to Object

An Authorised User can object to or ask us to stop processing Church Information at any time. We will comply with such request, if the request is on legitimate grounds and subject to any specified exemptions in the GDPR. Where we have been requested to stop processing or there has been an objection to processing, we will only process Church Information needed for our legitimate purposes such as satisfaction of legal obligations or for our own records.

9.4. Withdrawal of Consent

We rely on the consent of Authorised Users to collect and process their Personal Data, as the data may include Sensitive Data. Authorised Users may withdraw their consent to the collection or processing of their Personal Data at any time by contacting us via any of the contact details included below. We will immediately cease processing and, if requested, will also delete Personal Data in accordance with Section 9.2. We note however that this may impact usage of the Church Account.

If a Member wishes to withdraw consent to the use of their Personal Data by their Church, that Member should in the first instance contact their Church.

9.5. Deletion of Individual Information by Churches

Churches can delete or disable access to Individual Information at any time. Members who wish to delete or stop the use of their Individual Information should contact their Church. Permanent deletion of Individual Information will be done in accordance with section 9.2 above. If a Member requires the permanent deletion of their Individual Information earlier than that, they should first ask their Church. If the Church cannot permanently delete their information then it can contact us and we will do it for them.

If a Member feels their Church has not dealt with their request promptly or effectively, we will respond in the same way we would to a Member request for access (see the next paragraph for more information on this).

10. How to access your Personal Information

You can contact us at any time and, subject to identification of you as an Authorised User, Elvanto will provide access to Church Information we hold (subject to allowable exceptions). We will provide access within a reasonable time and at a reasonable cost.

We endeavour to only hold Church Information that is accurate, complete and up-to-date.

We maintain a register for information about our Church clients, based on the information you provide via the Legal and Compliance section in your Church Account Settings. Authorised Users can update their Church Information at any time via those Church Account Settings.

We encourage you to keep these details up to date.

If you become aware that any Church Information we hold is no longer accurate, complete or up-to-date you can also contact us to correct the information (using the contact details below).

Members who wish to access or correct their Individual Information should contact their Church.

If Members contact us, we will refer them to their Church. If the Church does not promptly or effectively respond to their requests, we will do so after having taken reasonable steps to verify their identity. In these circumstances, we expect that the Church will promptly provide us with all reasonable assistance to fulfil the Member's request at its cost (as provided in the Terms of Service).

11. How to contact us or our Data Protection Officer (DPO)

Elvanto has appointed an external Data Protection Officer (DPO) to help ensure that we meet our obligations under the GDPR.

If you have any queries, questions, concerns or wish to make a complaint regarding how we deal with your personal information please contact either us or our DPO, using the following details:


PO Box 1201
Elanora QLD 4221

Phone: (07) 3062 2359


Elvanto Data Protection Officer:

Dr Jodie Siganto
Privacy 108 Consulting Pty Ltd

PO Box 3295
Yeronga QLD 4104


12. EU Representative

Because we are based in Australia and do not have an office in the EU, we have appointed DPR Group as our Data Protection Representative in the EU.

DPR Group will primarily deal with any communications with EU data protection authorities.

You may also wish to contact DPR Group if you have any queries, questions, concerns or wish to make a complaint regarding how we deal with your personal information and would prefer to deal with a local organisation.

To raise a question or otherwise exercise your rights in respect of your personal data through DPR Group, you may do so by using any of the following details:

DPR Group:

1-2 Marino Mart
Fairview, Dublin 3


Online form

Mail to an address from this list.

PLEASE NOTE: When mailing inquiries, it is ESSENTIAL that you mark your letters for 'DPR Group' and not 'Elvanto Pty Ltd', or your inquiry may not reach DPR Group. Please refer clearly to Elvanto Pty Ltd in your correspondence. On receiving your correspondence, DPR Group may ask you to provide evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you.

13. Complaint to the Data Protection Authority

If you have any concerns or complaints about how we are collecting or processing your Personal Information, you can complain to your local data protection authority.

If you are in the EU, please follow this link to locate the data protection authority most relevant to you:

As our EU Representative is in the Republic of Ireland, you may wish to contact the Data Protection Commissioner in Ireland at

More information about making a complaint to the Data Protection Commissioner in Ireland is available at

14. Amendments of this Privacy Policy

We may need to update this Privacy Policy from time to time. If we do, we'll post the updated version on our website. Your continued use of the Service or the site after the notice period has lapsed indicates your consent to be bound by the amended Privacy Policy.

15. Copy of this policy

To download a PDF version of this Privacy Policy, click here.

Alternatively, please contact us or our DPO on the contact details above and we will gladly send you a copy free of charge.

16. Definitions

In this Policy, the following terms have the meanings given:

Account means any form of account for the Service including whether it is paid for, is opened to test the Service or for the purpose of demonstration.

Authorised User means any user who has been granted permission to manage, access or make decisions concerning a Group Account by the owner of that Group Account.

Church means the organisation on whose behalf a Group Account is established.

Data Controller has the meaning given to it in the GDPR.

Data Processor has the meaning given to it in the GDPR.

Data means any material including documents, information or data provided by you to us by way of the Software.

Data Subject has the meaning given to it in the GDPR.

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of Personal Data, and repealing Directive 95/46/EC.

Group Account means the Account type intended for Churches to use the Services and may be free or paid for.

Individual Users means individuals associated with a Church and whom a Church directs, encourages or enables to provide Personal Data as part of the Church's use of the Service.

Privacy Law means the relevant law concerning the collection, use and disclosure of Personal Information, which may include:

  1. the Privacy Act 1988 (Cth) and any code registered under the Privacy Act or Australian Privacy Principles; or
  2. the GDPR.

Privacy Policy means, as the circumstances require, either Elvanto's EU Privacy Policy, which is available at or Elvanto's Privacy Policy which is available at, as amended by Elvanto from time to time.

Personal Data has the meaning given to it in the GDPR.

Service means any service provided by Elvanto by way of the Software.

Software means the cloud-based Church management software owned and designed by Elvanto.

Sub-processors has the meaning given to it in the GDPR.