Privacy Policy
Effective Date: February 24, 2026
Last Updated: February 24, 2026
1. Introduction
Daniel Kuśmider, operating as a sole proprietorship registered in Poland ("Company", "we", "us", or "our"), operates the ChurchPlace church management platform ("Service"). This Privacy Policy explains how we collect, use, share, and protect your personal data in accordance with the General Data Protection Regulation (GDPR), Polish data protection laws, and the Google API Services User Data Policy.
2. Data Controller
Data Controller:
Daniel Kuśmider
Marii Konopnickiej 61/18
30-302 Kraków, Poland
NIP (Tax ID): 7922234750
Data protection contact:
Email: support@churchplace.io (opens in new tab)
3. Personal Data We Collect
3.1 Account Data
When you create an account, we collect:
- Full name
- Email address
- Password (stored as a secure hash)
- Date of birth (for age verification)
3.2 Profile Data
You may optionally provide:
- Phone number
- Gender
- Biography
- Baptism status and date
3.3 Church Membership Data
When you join a church organization:
- Church affiliation
- Campus assignment
- Ministry memberships and assigned roles
- Event assignments and attendance history
- Volunteer availability
3.4 Google Calendar Integration Data
If you choose to connect your Google account to ChurchPlace via OAuth 2.0 authentication, we may access the following data from your Google Calendar:
- Calendar data (calendar names, time zones)
- Event information (title, date, time, location, description, status)
- Availability information (free/busy status)
- Event identifiers for synchronization purposes
The scope of data we access depends on the permissions you grant during the OAuth authorization process. We always request only the minimum scope necessary to provide the requested functionality.
Important: You may revoke Google Calendar access at any time through your ChurchPlace account settings or via your Google Account permissions page (https://myaccount.google.com/permissions (opens in new tab)).
3.5 Technical Data
We automatically collect:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited within the Service and time spent
- Date and time of access
4. Legal Bases for Processing
We process your personal data under the following legal bases in accordance with Article 6 of the GDPR:
| Processing Purpose | Legal Basis | Details |
|---|---|---|
| Account creation and management | Performance of contract (Art. 6(1)(b)) | Necessary to provide the Service |
| Age verification | Legal obligation (Art. 6(1)(c)) | Compliance with Art. 8 GDPR regarding children's consent |
| Google Calendar integration | Consent (Art. 6(1)(a)) | Only with your explicit consent via OAuth 2.0 |
| Service notifications | Legitimate interest (Art. 6(1)(f)) | Keeping you informed about events, assignments, and updates |
| Marketing communications | Consent (Art. 6(1)(a)) | Only with your explicit consent |
| Analytics and service improvement | Legitimate interest (Art. 6(1)(f)) | Improving functionality and user experience |
| Customer support | Performance of contract (Art. 6(1)(b)) | Responding to inquiries and resolving issues |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | Tax, accounting, and legal requirements |
5. How We Use Your Data
We use your personal data for the following purposes:
- Creating and managing your account
- Providing access to your church's ChurchPlace platform
- Enabling event scheduling and volunteer coordination
- Synchronizing church events with your Google Calendar (if you consent)
- Displaying your availability based on Google Calendar data to facilitate ministry scheduling
- Sending notifications about events, assignments, and updates
- Processing form submissions
- Enabling service planning features
- Providing customer support
- Analyzing and improving our Service
- Fulfilling legal obligations
6. Data Sharing
6.1 Within Your Church Organization
When you join a church on ChurchPlace, church administrators have access to:
- Your name and email address
- Your phone number (if provided)
- Your ministry and role assignments
- Your event attendance and volunteer history
- Your form submissions (for that church)
- Your availability based on calendar data (if you have enabled the Google Calendar integration) — free/busy information only, not private event details
Important: Your church is a joint data controller for this shared data and may have its own privacy policy governing its use.
6.2 Sub-processors
We use the following third-party service providers:
| Provider | Purpose | Data Location | Privacy Policy |
|---|---|---|---|
| Supabase Inc. | Database, Authentication, File Storage | EU (Frankfurt, Germany) | https://supabase.com/privacy (opens in new tab) |
| Resend Inc. | Email delivery | EU | https://resend.com/legal/privacy-policy (opens in new tab) |
| Google LLC (Google Calendar API) | Calendar synchronization, event scheduling | EU (with possible transfers to US) | https://policies.google.com/privacy (opens in new tab) |
| Google Firebase | Push notifications | EU | https://firebase.google.com/support/privacy (opens in new tab) |
| Upstash Inc. | Rate limiting | EU | https://upstash.com/trust/privacy.pdf (opens in new tab) |
| Vercel Inc. | Web hosting | EU (Frankfurt, Germany) | https://vercel.com/legal/privacy-policy (opens in new tab) |
6.3 Data Transfers Outside the EEA
Some of our sub-processors are US-based companies, including Google LLC. While data is stored on EU servers, transfers to the US may occur for technical support or processing purposes. Such transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-U.S. Data Privacy Framework certification (where applicable)
- Additional technical and organizational safeguards
For the Google Calendar integration, data may be processed by Google LLC in accordance with their Privacy Policy and the EU-U.S. Data Privacy Framework.
You may obtain copies of the relevant safeguards by contacting us.
6.4 Other Disclosures
We may disclose your data when required by law, court order, or to protect our rights, property, or safety.
7. Use of Google API Services — Limited Use Compliance
ChurchPlace's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy (opens in new tab), including the Limited Use requirements.
Specifically:
- Limited use: We use Google Calendar data solely to provide and improve user-facing features visible in the ChurchPlace interface, such as synchronizing church events and displaying volunteer availability. All other uses of the data are prohibited.
- No transfer for advertising: We do not use or transfer Google data for serving ads, including retargeted, personalized, or interest-based advertising.
- No transfer for AI/ML training: We do not use Google data to train non-personalized artificial intelligence or machine learning models.
- Limited human access: We do not allow humans to read Google user data unless: (a) the user's explicit consent has been obtained to view specific data (e.g., for technical support); (b) it is necessary for security purposes (e.g., investigating abuse); (c) it is required by law; or (d) the data is aggregated and anonymized and used solely for internal operations.
- Data transfer: We only transfer Google data to third parties when necessary to provide or improve user-facing features, with the user's explicit consent, for security purposes, or as required by law.
8. Data Retention
We retain your personal data for the following periods:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account data | Duration of account + 30 days after deletion | Service provision and data export |
| Date of birth | Duration of account | Age verification |
| Google Calendar data | Duration of active integration; deleted within 30 days of disconnecting Google account or account deletion | Calendar synchronization |
| Church membership data | Duration of church membership + per church policy | Church is joint controller |
| Billing data | 5 years from end of fiscal year | Polish tax law requirements |
| Technical data (logs) | 90 days | Security and diagnostics |
| Marketing data | Until consent is withdrawn | Based on consent |
After the retention period expires, data is permanently deleted or anonymized.
9. Your Rights Under the GDPR
You have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Right of access (Art. 15) | Obtain a copy of your data | Account settings or contact us |
| Right to rectification (Art. 16) | Correct inaccurate data | Account settings |
| Right to erasure (Art. 17) | Delete your data ("right to be forgotten") | Account settings or contact us |
| Right to restriction (Art. 18) | Restrict how your data is used | Contact us |
| Right to data portability (Art. 20) | Receive data in a machine-readable format | Account settings (export feature) |
| Right to object (Art. 21) | Object to processing based on legitimate interest | Contact us |
| Right to withdraw consent (Art. 7) | Withdraw previously given consent (including Google Calendar integration consent) | Account settings or contact us |
Revoking Google Calendar access: You can disconnect the Google Calendar integration at any time via your ChurchPlace account settings or by revoking ChurchPlace's access on your Google Account permissions page (https://myaccount.google.com/permissions (opens in new tab)). Upon revocation, we will stop retrieving data from your Google Calendar, and existing synced data will be deleted within 30 days.
Response time: We will respond to your request within 30 days. In complex cases, the deadline may be extended by an additional 60 days, and we will inform you accordingly.
How to exercise your rights: Use the Privacy section in your profile settings or contact us at support@churchplace.io (opens in new tab).
10. Right to Complain
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority:
President of the Personal Data Protection Office (PUODO)
ul. Stawki 2
00-193 Warsaw
Poland
Website: https://uodo.gov.pl (opens in new tab)
Email: kancelaria@uodo.gov.pl (opens in new tab)
However, we encourage you to contact us first so we can address your concerns.
11. Cookies and Tracking Technologies
11.1 What Are Cookies
Cookies are small text files stored on your device when you use our Service.
11.2 Types of Cookies We Use
| Type | Purpose | Duration | Consent Required |
|---|---|---|---|
| Essential | Authentication, security, core functionality | Session / 30 days | No |
| Functional | Remembering preferences (e.g., language, theme) | 1 year | No |
| Analytical | Understanding how the Service is used | 1 year | Yes |
| Integration (Google) | OAuth tokens for Google Calendar integration | Until consent is withdrawn | No (essential for integration functionality) |
11.3 Managing Cookies
You can manage your cookie preferences through:
- The cookie banner displayed on your first visit
- Browser settings
- The Privacy section in your account settings
11.4 Analytics
We use analytics tools to understand how users use our Service. This data is aggregated and does not identify individual users.
12. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
13. Data Security
We implement appropriate technical and organizational measures:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Row-Level Security for data isolation between organizations
- Regular security audits
- Access controls and authentication
- Regular backups with encrypted storage
- Employee training on data protection
- Secure storage of OAuth tokens (encrypted at rest) for Google Calendar integration
- Refresh tokens stored server-side only and never exposed to the client
While we take every precaution to protect your data, no method of transmission over the Internet or electronic storage is 100% secure.
14. Children's Privacy
Our Service is not intended for persons under 16 years of age. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us and we will delete that information.
Persons aged 16–17 may use the Service with parental or legal guardian consent.
The Google Calendar integration is not available to users under 18 years of age.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes:
- Via email to your registered address
- Via a prominent notice within the Service
If changes affect how we use Google data, we will request renewed consent before using the data in any new way or for a different purpose.
We encourage you to review this Policy regularly. Continued use of the Service after changes constitutes acceptance of the updated Policy.
16. Contact
If you have questions about this Privacy Policy, your personal data, or the Google Calendar integration:
Daniel Kuśmider
Sole Proprietorship (Jednoosobowa Działalność Gospodarcza)
NIP (Tax ID): 7922234750
Address: Marii Konopnickiej 61/18, 30-302 Kraków, Poland
Email: support@churchplace.io (opens in new tab)
Website: https://churchplace.io (opens in new tab)
This Privacy Policy was last updated on February 24, 2026.