Privacy Policy
Last updated: May 20, 2026This Privacy Policy explains how Border East Consulting Corp. ("we", "us", or "our") collects, uses, and protects personal information through ChurchPlanner (the "Service"). We are based in New Brunswick, Canada and operate in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA). If you are in the European Union, United Kingdom, or another jurisdiction with stronger protections, the additional rights described in Section 8 also apply to you.
1. Roles: Controller and Processor
ChurchPlanner is a multi-tenant Service used by churches and similar organizations. When your organization stores information about its members, volunteers, or contacts in the Service, your organization is the data controller of that information and we act as a data processor on its behalf. For account information you provide directly to us (such as your name and email when you register), and for limited operational data such as logs, we act as the controller.
2. Information We Collect
We collect the following categories of information:
Account information — your name, email address, phone number (optional), organizational affiliation, password hash, language preference, and profile photo if you upload one.
Authentication data — if you sign in with Google, we receive your name, email, and Google account identifier; we do not receive your Google password.
Content you or your organization enters — contact records, household relationships, event and service details, attendance records, ministry team rosters, songs and chord charts, donation records (where used), and the body and metadata of messages sent through the Service.
Usage and technical data — sign-in times, IP address, browser and device information, pages and features accessed, error reports, and similar diagnostic information used to operate and improve the Service.
Billing information — for paid plans, billing contact details and the last four digits of any payment card. Full payment card details are handled by our payment processor and not stored on our servers.
3. How We Use Your Information
We use personal information to:
provide, maintain, and improve the Service;
authenticate users and protect against unauthorized access, fraud, and abuse;
send transactional messages such as password resets, security alerts, billing notices, and feature changes;
deliver the messages that your organization sends to its members through the Service;
respond to support requests;
comply with legal obligations and enforce our Terms of Service.
We do not sell personal information. We do not use Your Content to train artificial intelligence or machine-learning models, and we do not use it for advertising.
4. Legal Basis for Processing
Under PIPEDA we rely on your consent (express or implied through use of the Service) and the requirement to provide the Service you have requested. For users in the EU/UK we rely on contract performance, legitimate interests (such as keeping the Service secure and improving it), legal obligation, and where applicable your consent — which you may withdraw at any time without affecting prior processing.
5. Sharing and Subprocessors
We share information only as needed to operate the Service. Current categories of subprocessors include:
Hosting and infrastructure — cloud server providers that run the application, database, and backup storage.
Transactional email — a third-party email delivery provider used to send messages on your behalf and on ours.
SMS delivery — a third-party messaging provider used when your organization sends SMS through the Service.
Authentication — Google, if you choose to sign in with a Google account.
Payment processing — a PCI-DSS compliant payment processor for paid plans.
Diagnostics and logging — internal log aggregation used to investigate errors and security events.
Each subprocessor receives only the information necessary to perform its function and is bound by confidentiality and data-protection obligations. We may also disclose information if required by law, valid legal process, or to protect the rights, property, or safety of users or the public. If we are involved in a merger, acquisition, or asset sale, personal information may transfer to the successor entity, which will remain bound by this Policy or a substantially similar one.
6. International Transfers
The Service is operated from Canada. Some subprocessors may process information in the United States, the European Economic Area, or other countries. Where required, we rely on Standard Contractual Clauses or equivalent safeguards to protect information when it crosses borders. By using the Service you acknowledge that your information may be processed outside your country of residence.
7. Data Retention
We retain Your Content for as long as your organization's account is active. After an account is closed, content is retained for a wind-down period (typically 30 days) during which it can be recovered, then permanently deleted from active systems. Encrypted backups are retained on a rolling basis and are purged according to our backup schedule (typically within 90 days). Diagnostic logs are retained for a limited period for security and troubleshooting purposes. Records we are legally required to retain (such as billing records under tax law) are kept for the applicable statutory period.
8. Your Rights
Subject to applicable law you have the right to:
access the personal information we hold about you;
correct information that is inaccurate or incomplete;
request deletion of your personal information;
export your account data in a portable format;
withdraw consent or object to processing, where consent or legitimate interests are the basis for processing;
lodge a complaint with the Office of the Privacy Commissioner of Canada, or your local supervisory authority.
You can manage many of these rights directly from your Data & Privacy page. For requests about content your organization has stored about you, contact your organization administrator first — they are the controller of that data. For requests we can fulfil directly, email [email protected]. We will respond within 30 days or as required by applicable law.
9. Security
We use technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit via HTTPS, encryption of backups at rest, password hashing, role-based access controls, multi-factor authentication for administrative access to our systems, and audit logging. No system is perfectly secure; if we discover a breach affecting your personal information we will notify affected users and the relevant authorities as required by law.
10. Cookies and Tracking
We use a small number of cookies and similar technologies that are necessary for the Service to function — for example, to keep you signed in, remember your language preference, and protect against cross-site request forgery. We do not use advertising cookies or third-party tracking pixels for marketing purposes.
11. Children's Privacy
The Service is designed for use by adults who administer or participate in church activities. We do not knowingly collect personal information directly from children. Organizations using the Service may store information about children (for example in attendance records for children's ministries); that information is provided by, and managed under the authority of, the organization that records it, with parental or guardian consent where required by law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date above and, where reasonable, notify you by email or in-app message. Your continued use of the Service after the effective date indicates that you accept the revised Policy.
13. Contact
Questions, requests, or privacy concerns? Email [email protected] or write to Border East Consulting Corp., Fredericton, New Brunswick, Canada.
To delete your account and personal data, see Delete Your Account.