Privacy Policy
⚠ DRAFT — NOT YET APPROVED FOR PUBLICATION
This policy is a working draft. It accurately describes what the website does with personal data, but it still contains unresolved items highlighted in yellow and has not been reviewed by a qualified data protection adviser.
Because this policy governs special category health data about children, it must be reviewed and signed off before publication. Delete this notice once every yellow placeholder is resolved and the policy has been approved.
1. Who We Are
Mission Life Grace ("we", "our", or "us") is the data controller for the personal information described in this policy. This means we are responsible for deciding how and why your information is used.
Mission Life Grace
542 Westhorne Avenue, Eltham, London, SE9 6RR
ICO registration number: Awaiting ICO reg number
Data protection contact: John Watson — enquiries@missionlifegrace.net
General enquiries: enquiries@missionlifegrace.net
This policy explains what personal information we collect through our website, why we collect it, who we share it with, how long we keep it, and the rights you have over it. It applies to our website, our conference and event bookings, and our donations.
2. The Information We Collect
2.1 When you book a conference or event
The person making the booking (the "group leader") provides:
- Name, email address, telephone number and postal address
- Home church or group
- Payment details and booking history (see section 2.5)
For each person attending, including children and teenagers, we collect:
- Full name, date of birth and age
- Postal address and home church
- School year (for children)
- Email address and telephone number, where given
- Emergency contact — name, telephone number and relationship to the attendee
- Consent responses covering medical treatment, photography and video, and participation in activities
2.2 Health information (special category data)
Some of the information we collect is special category data — information about health, which the law protects more strictly. We collect:
- Special Educational Needs and Disabilities (SEND) — a free-text description of a child's or teenager's needs, and whether you would like a group leader to contact you about them before the conference
- Accessibility needs — for example mobility, hearing or sight impairments
- Dietary requirements — which may reveal a health condition, allergy or religious belief
- Medical information and medical treatment consent for children and teenagers
We collect this information so that we can keep people safe and make our events accessible. It is explained in more detail in sections 3 and 5.
2.3 When you create an account
- Email address
- A password, which is stored in a securely hashed form and cannot be read by us
- The bookings linked to your account
2.4 When you make a donation
- Name and email address
- The amount you gave and the fund you chose
- Whether you made a Gift Aid declaration and, if you did, your home address — we are required to record this so we can claim Gift Aid from HM Revenue & Customs
2.5 Payment information
We never see or store your card details. Payments are handled directly by Stripe. We keep only a reference to the transaction, the amount, and whether it succeeded.
2.6 When you contact us
If you use our contact form we collect your name, email address, telephone number and your message. This is sent to us by email and is not stored in our website database.
2.7 Technical information
- Booking activity log — to help us diagnose booking problems, we record the steps of a booking as it progresses, together with the group leader's email address.
- Server logs — our hosting provider records IP addresses and browser information as part of running the site securely.
- Your browser's storage — if you start a booking and do not finish it, your progress (including any attendee details you have entered) is saved in your own web browser so you can come back to it. This stays on your device until the booking is completed or you clear your browser data. See our Cookie Policy.
We do not use any analytics, advertising or tracking services. There is no Google Analytics, no advertising pixel and no third-party tracking on this website.
3. Our Lawful Bases for Using Your Information
Data protection law requires us to have a "lawful basis" for using your personal information. Ours are:
| What we do | Our lawful basis |
|---|---|
| Take and administer your booking, and send you booking and payment confirmations | Contract — we need this information to provide the booking you asked for |
| Keep financial records, and claim and record Gift Aid | Legal obligation — HMRC and charity accounting requirements |
| Keep attendees safe: emergency contacts, first aid, and responding to a medical emergency | Vital interests (in an emergency) and legitimate interests (in planning for safety) |
| Make our events accessible, and support children with SEND | Consent, which you can withdraw at any time |
| Take photographs and video at events | Consent, which you can withdraw at any time |
| Send you news and updates about our events, conferences and church life | Consent — only if you opt in, and you can withdraw it at any time |
| Run and secure our website, and diagnose booking problems | Legitimate interests — keeping the service working and secure |
3.1 Health information
Because health information is special category data, we need an additional lawful condition to use it. We rely on:
[TO CONFIRM — REQUIRES DATA PROTECTION SIGN-OFF]
The Article 9 condition relied on for SEND, medical, accessibility and dietary information must be confirmed by a qualified adviser, together with the Appropriate Policy Document that some conditions require. The likely candidates are explicit consent (Article 9(2)(a)) and, in a genuine emergency where consent cannot be obtained, vital interests (Article 9(2)(c)).
Do not publish this policy until this section states a single, confirmed condition in plain language.
4. How We Use Your Information
- To take and manage conference and event bookings, and to allocate children and teenagers to the right groups
- To send you booking confirmations, payment receipts and reminders about payments still due
- To process payments and keep our financial and Gift Aid records
- To keep attendees safe — including making emergency contact details and relevant medical information available to the people responsible for their care at an event
- To make reasonable adjustments so that people with SEND, disabilities or accessibility needs can take part
- To answer your enquiries
- To run, secure and improve our website
We only send marketing or news emails to people who have asked for them. If you opt in — when you book, when you create an account, through the sign-up form on our website, or from your account page — we will send you occasional updates about our events, conferences and church life. This is based on your consent, and you can withdraw it at any time: every such email carries an unsubscribe link, you can turn updates off from your account page, or you can email us. Withdrawing has no effect on any booking. We do not use your information to profile you or to make automated decisions about you.
5. Who We Share Your Information With
We do not sell, rent or trade your personal information. We share it only as set out below.
5.1 Our volunteer group leaders
When you register a child or teenager for a conference, we send the volunteer leader of their age group a list of the children in that group. This includes the child's name, age, allergies, dietary requirements and emergency contact name. We do this so that the people directly responsible for your child's care during the event have the information they need to keep them safe.
Every volunteer group leader signs a Volunteer Confidentiality Agreement. Under it they must keep this information private, use it only to care for the children in their group during the event, and not share it with anyone else. Once the event has ended they are required to securely delete or destroy the list.
5.2 Our service providers
We use the following companies to run our website and services. They act on our instructions and may not use your information for their own purposes:
| Provider | What they do | Where |
|---|---|---|
| Stripe | Processes card payments for bookings and donations | UK account (Stripe Payments UK Ltd); may transfer within its group, including to the USA |
| Resend | Sends our confirmation and notification emails | European Union (EU data region) |
| Cloudinary | Hosts and delivers the images shown on our public website (e.g. page banners and team photos) | USA |
| Railway | Hosts our website and stores our database | European Union |
Our website embeds video and audio from YouTube and Spotify. If you play an embedded video or podcast, your IP address is visible to those companies as part of streaming it. Our fonts and icons are served from our own site, so simply browsing our pages does not share your IP address with any third party.
5.3 In an emergency
If there is a medical emergency or a risk to someone's safety, we will share whatever information is necessary with medical professionals, the emergency services, or the relevant safeguarding authorities.
5.4 Where the law requires it
We may disclose information if we are legally required to, for example in response to a court order, or to meet our safeguarding obligations.
6. Sending Information Outside the UK
6.1 Your information is stored in the UK and the EU
Our database is stored within the European Union, and our emails are sent through a provider whose EU data region we use. This covers everything most sensitive that we hold: booking and attendee records, children's health and SEND information, emergency contacts, account details and donation records, and the emails we send to group leaders about the children in their care.
The UK Government recognises the European Economic Area as providing an adequate level of protection for personal information. That means your information remains protected to UK standards when it is stored or processed there, and no additional transfer safeguard is required.
6.2 Payments
Our Stripe account is a UK account, contracted with Stripe Payments UK Ltd. Stripe may transfer information within its corporate group, including to the United States. Where it does, we rely on the safeguards in Stripe's data processing agreement, which incorporate the UK International Data Transfer Addendum. You can contact Stripe's data protection officer at dpo@stripe.com.
Your card details are never sent to us and are never stored by us. They pass directly from your browser to Stripe.
6.3 Information that reaches the United States
- Cloudinary hosts and delivers the images shown on our public website, such as page banners and photographs of our team. These are pictures we choose to publish on the site itself. We do not upload photographs of the people who book, register or attend, and no images of children are stored there.
- When you play an embedded video or podcast, your device connects to YouTube (Google) or Spotify to stream it, and they receive your IP address as part of that. This only happens if you choose to play the content. We do not load fonts or icons from any third party — those are served from our own site — so no visitor IP address is shared simply by browsing our pages.
Where a published image includes an identifiable person, that is their personal information. For that transfer we rely on the safeguards in Cloudinary's data processing agreement, which incorporate the UK International Data Transfer Addendum, to make sure it remains protected to UK standards. Video and podcast embeds are provided by YouTube and Spotify under their own privacy terms.
7. How Long We Keep Your Information
| Information | How long we keep it |
|---|---|
| Children's and teenagers' health, SEND, dietary and emergency contact information | [TO CONFIRM: e.g. deleted within X months of the event ending] |
| Booking records | [TO CONFIRM] |
| Financial records and Gift Aid declarations | [TO CONFIRM: HMRC generally requires Gift Aid records to be kept for around 6 years after the end of the accounting period — confirm with your accountant] |
| Your website account | [TO CONFIRM: e.g. deleted after X years of inactivity] |
| Booking activity logs | [TO CONFIRM: e.g. deleted after X months] |
| Contact form enquiries | [TO CONFIRM] |
8. How We Protect Your Information
Access to personal information is limited to administrators who need it to do their job. Passwords are stored in a securely hashed form and cannot be read, even by us. Connections to our website are encrypted.
No system can be completely secure, but if a breach of your personal information occurs and it is likely to put you at risk, we will tell you and we will report it to the Information Commissioner's Office as the law requires.
9. Your Rights
Under UK data protection law you have the right to:
- Be informed — to know how we use your information, which is what this policy is for
- Access — to get a copy of the information we hold about you
- Rectification — to have inaccurate information corrected
- Erasure — to have your information deleted, in certain circumstances
- Restrict processing — to ask us to limit how we use your information
- Data portability — to receive your information in a portable format
- Object — to object to us using your information where we rely on legitimate interests
- Withdraw consent — where we rely on your consent, you can withdraw it at any time, and doing so will not affect anything we did before you withdrew it
To exercise any of these rights, contact us using the details in section 1. We will respond within one month. There is no charge.
9.1 Complaining to the regulator
If you are unhappy with how we have handled your information, you can complain to the Information Commissioner's Office. You can do this at any time, and you do not have to raise it with us first — though we would like the chance to put things right.
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
10. Children's Information
We hold information about children and teenagers who attend our conferences, including health and SEND information. We treat this as the most sensitive information we hold.
- A child's information is provided by their parent or guardian, or by the group leader making the booking on their behalf, when they register.
- It is used only to keep the child safe, to care for them properly during the event, and to make sure they can take part.
- It is seen by our administrators and by the volunteer leader of the child's age group, as described in section 5.1.
- A parent or guardian can ask to see, correct or delete their child's information at any time using the contact details in section 1.
- Photography and video consent is given separately by the parent or guardian, and can be withdrawn at any time.
11. Cookies
We use only the cookies that are necessary to make the website work — there is no analytics, advertising or tracking. Our Cookie Policy explains what we use and how to control it.
12. Changes to This Policy
If we make a significant change to how we use your information, we will update this page and, where it materially affects you, we will contact you directly rather than relying on you noticing.
13. Contact Us
If you have any question about this policy, or you want to exercise any of your rights, please contact us:
Mission Life Grace
542 Westhorne Avenue, Eltham, London, SE9 6DH
Data protection contact: John Watson