Data Processing Agreement (DPA)

Last Updated: 14 April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Church Loop ("Processor") and the organisation or church entity subscribing to the services ("Controller").

By signing up for an account, accessing, or using the Church Loop platform (the "Service"), the Controller agrees to be bound by the terms of this DPA.

1. Definitions

1.1. "Data Protection Laws" means the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019), the Data Protection Act 2018, and any other applicable privacy laws in the United Kingdom.

1.2. "Personal Data," "Data Subject," "Processing," and "Personal Data Breach" shall have the meanings given to them in the Data Protection Laws.

1.3. "Data Controller" (or "Controller") means the church or organisation that determines the purposes and means of processing Personal Data (the customer).

1.4. "Data Processor" (or "Processor") means Church Loop, which processes Personal Data on behalf of the Controller to provide the Service.

1.5. "Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Role

2.1. This DPA applies to the processing of Personal Data provided by the Controller to the Processor for the purpose of providing church management and visitor follow-up services.

2.2. The Controller acts as the Data Controller and the Processor acts as the Data Processor.

3. Processing Instructions

3.1. The Processor shall process Personal Data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country, unless required to do so by applicable law.

3.2. The Controller's use of the Service constitutes the primary instruction for processing data to enable visitor follow-up, event management, and church communication.

4. Confidentiality

4.1. The Processor ensures that all persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security Measures

5.1. Taking into account the state of the art and the nature of church operations, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, protecting data against unauthorised or unlawful processing and accidental loss or destruction.

5.2. These measures include (as appropriate to the Service):

  • access controls designed to limit access to Personal Data to authorised users;
  • encryption in transit (where supported by the relevant connections and providers);
  • reasonable steps to secure systems and databases used to provide the Service;
  • monitoring and logging to help detect and investigate unauthorised access; and
  • staff/contractor confidentiality commitments for those who may access Personal Data.

6. Sub-processors

6.1. The Controller provides a general authorisation for the Processor to engage Sub-processors (such as hosting providers, SMS gateways, and email delivery services).

6.2. The Processor shall ensure that any Sub-processor is bound by data protection obligations at least as stringent as those set out in this DPA.

6.3. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object.

7. Data Subject Rights

7.1. The Processor shall, insofar as is possible, assist the Controller by appropriate technical and organisational measures for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights (e.g., access, rectification, or deletion requests).

8. Personal Data Breach

8.1. The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach. Such notification shall include sufficient information to allow the Controller to meet its obligations under Data Protection Laws.

9. Return and Deletion of Data

9.1. Upon termination of the Service, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller, unless applicable law requires continued storage of the Personal Data.

10. Audit Rights

10.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

11. Liability

11.1. The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the main Terms of Service.

12. Governing Law

12.1. This DPA shall be governed by and construed in accordance with the laws of England and Wales.

Annex 1: Details of Processing

A. Subject Matter and Duration of Processing

The subject matter is the provision of the Church Loop SaaS platform for church visitor follow-up, events, and communications. The duration of the processing is for the term of the Controller's subscription and any additional period needed to return or delete data in line with this DPA, until all Personal Data is deleted or returned (unless UK law requires continued storage).

B. Nature and Purpose of Processing

Processing to enable the Service, including:

  • managing visitor follow-up journeys (including tasks, timelines, and reminders);
  • managing people records and profiles;
  • event management (sign-ups, ticketing, attendance/check-in);
  • SMS and email communications sent by or on behalf of the Controller; and
  • team collaboration and coordination within the church (mentions, assignments, and notes).

C. Categories of Data Subjects

  • Church members and attendees
  • Visitors and newcomers
  • Staff and volunteers
  • Donors or event registrants

D. Types of Personal Data

  • Names
  • Contact information (such as email address, phone number, address where provided)
  • Notes added by the church (for example pastoral notes, preferences, follow-up notes) and journey stages/tags
  • Attendance records and event sign-up/ticketing data
  • Communication history (SMS and email content and related metadata)
  • Digital identifiers (IP addresses, login logs)

E. Contact Information

For data protection inquiries, contact: hello@churchloop.co