Privacy Policy: St Paul’s Harrogate

Last updated: 17 November 2025

This privacy notice explains how St Paul’s Harrogate (“we”, “us”, “our”) collects, stores and uses personal information, and how you can exercise your rights.

Data controller

St Paul’s Harrogate (part of the United Reformed Church)

Postal address: [St Paul’s Harrogate, Victoria Avenue, Harrogate, HG1 1EL]

Church Secretary & Data Contact: Erica Miller — Email: secretarystpaulsurc@gmail.com

How and why, we use your information

We collect personal data so the church can fulfil its purposes: worship, pastoral care, membership administration, volunteering, events, and to process donations. The lawful bases we rely on are most commonly:

  • Performance of a task carried out in the public interest / legitimate interests: to administer church life and to provide pastoral care; and
  • Legal obligation: where required by law (for example, Gift Aid reporting and safeguarding); and
  • Consent: for marketing, newsletters, photographs and other non‑essential processing (you can withdraw consent at any time).

We will only process personal data where we have a lawful basis for doing so and we will not use your data for purposes incompatible with the reasons we collected it.

Categories of personal data we hold

The types of personal data we may collect include:

  • Contact and identity: name, title, postal address, email, telephone number.
  • Membership and attendance records: church roll, attendance, ministry involvement, rotas and volunteer roles.
  • Pastoral and safeguarding information: pastoral notes and safeguarding records where necessary (these are treated as highly confidential).
  • Financial information: donation amounts, frequency, Gift Aid declarations and basic payer details (we do not store full card numbers).
  • Online and technical data: IP addresses, cookies and analytics data from our website.
  • Media: photographs, audio or video recordings taken at services and events (used with consent where required).

We collect data directly from you, from public sources or from third parties where necessary and lawful (for example denominational offices or statutory authorities for safeguarding or legal obligations).

Use of ChurchSuite

We use ChurchSuite as our church management system to hold member and attendee records, rotas, events and communications preferences. ChurchSuite acts as a data processor and processes information on our behalf under a data processing agreement. ChurchSuite is used to help the church manage its life more effectively; access is limited to authorised staff and volunteers and is role‑based.

Donations and our Giving page

When you donate via our website Giving page we collect your name, contact information and donation amount so we can issue receipts and maintain accounts. If you opt into Gift Aid, we will retain the information required to make Gift Aid claims and to comply with HMRC requirements.

Photographs and recordings

We sometimes take photographs and audio/video recordings at services and events for use on our website, social media and printed materials. We will generally seek consent for photographing children and where people clearly object we will make reasonable efforts to exclude them. If you do not wish to be included in images or recordings please speak to the duty steward or contact the Church Secretary at secretarystpaulsurc@gmail.com.

How long we keep your data

We retain personal data only for as long as necessary for the purposes for which it was collected and to satisfy any legal, accounting or reporting requirements. Typical retention periods include:

  • Financial and Gift Aid records: it is current best practice to keep financial records for a minimum period of 7 years to support HMRC audits.
  • Safeguarding records: retained according to safeguarding guidance and legal obligations (often long‑term).
  • Membership and contact details: retained while you remain connected to the church or until you ask for deletion.
  • Website analytics: anonymised after a defined period (e.g. 24–26 months) unless otherwise required.

In general, we will endeavour to keep data only for as long as we need it. This means that we may delete it when it is no longer needed.

Who we share data with

We do not share your information with others except as described in this notice.

Security

We use reasonable organisational and technical measures to protect personal data: role‑based access, secure passwords, HTTPS on the website and regular backups. Only authorised staff and volunteers access sensitive records and only on a need‑to‑know basis.

Your rights

Under data protection law you have a number of rights in relation to the personal data we hold about you, including the right to:

  • request access to the personal data we hold about you (a subject access request);
  • request correction of inaccurate personal data;
  • request erasure of personal data where there is no lawful reason for us to continue processing it;
  • object to or restrict processing in certain circumstances;
  • request portability of the data you have provided to us; and
  • withdraw consent where we are relying on consent to process your data.

To exercise any of these rights please contact the Church Secretary at secretarystpaulsurc@gmail.com.

If you remain unhappy you may complain to the Information Commissioner’s Office: https://ico.org.uk/concerns/.

Contact and further information

For questions about this notice or our data handling practices contact:

Church Secretary: Erica Miller — secretarystpaulsurc@gmail.com

For general data protection queries you can also contact the Information Commissioner’s Office at https://ico.org.uk