Skip to main content
Privacy Policy

Privacy Policy

Last updated: February 13, 2026

We never sell data

Your information is never shared with third parties for marketing

You own your data

Export your complete dataset anytime

GDPR-ready features

Tools for data export, deletion, and access requests

1. Information We Collect

We collect information you provide directly to us when you:

  • Create an account and set up your church profile
  • Add member information to your database
  • Process donations and financial transactions
  • Communicate with us via email, phone, or chat
  • Subscribe to our newsletter or marketing emails

This information may include: names, email addresses, phone numbers, addresses, payment information, and any other data you choose to upload to the platform.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process transactions and send related information
  • Send administrative messages, updates, and security alerts
  • Respond to your comments and questions
  • Analyze usage patterns to improve user experience
  • Detect and prevent fraud and abuse

3. Information Sharing

We do not sell, trade, or rent your personal information to third parties. We may share information in the following circumstances:

  • Service Providers: With third-party vendors who perform services on our behalf (payment processing, hosting, analytics)
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, sale, or acquisition
  • With Your Consent: When you explicitly authorize us to share information

4. Data Security

We take data security seriously and implement appropriate technical and organizational measures:

  • SSL/TLS encryption for all data in transit
  • Data stored in encrypted databases managed by our infrastructure provider
  • Regular security assessments and monitoring
  • Secure passwordless authentication via magic links
  • Role-based access control with granular permissions
  • Automated backups with geographic redundancy

5. Your Rights (GDPR)

If you are located in the European Economic Area, you have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data
  • Portability: Request transfer of your data to another service
  • Objection: Object to processing of your data
  • Restriction: Request restriction of processing

To exercise these rights, contact us at privacy@gracebase.co

6. Data Retention

We retain your information for as long as your account is active or as needed to provide services. After account cancellation, we retain data for 90 days to allow for recovery, then permanently delete it. Financial records may be retained longer for tax and legal compliance purposes.

7. Cookies and Tracking

GraceBase uses only essential cookies required for authentication and security (such as session tokens and CSRF protection). We do not use tracking cookies or third-party advertising cookies.

Our analytics are privacy-preserving and do not use client-side storage. We do not track individual users across websites or share browsing data with third parties.

8. Children's Privacy

GraceBase is designed for use by church administrators, not children. However, church administrators may store information about children as part of managing church programs and activities.

Data collected about children: Church administrators may enter children's names, birthdates, allergies, medical notes, special needs information, and attendance records into the platform.

Purpose: This data is collected and managed by churches to ensure child safety during church events, services, and activities such as nursery check-in and children's ministry programs.

Who enters data: All child data is entered by authorized church administrators, not by children directly. Children do not create accounts or interact with the platform.

Parental rights: Parents or guardians may request to review or delete their child's data by contacting their church administrator. Churches using GraceBase are responsible for obtaining appropriate parental consent before entering children's information.

If you have concerns about children's data stored in GraceBase, please contact your church administrator or email us at privacy@gracebase.co.

9. Third-Party Service Providers (Sub-Processors)

We use the following third-party service providers to operate GraceBase. Each provider processes data only as necessary to provide their specific service:

  • Supabase — Database hosting and authentication
  • Stripe — Payment processing for donations and subscriptions
  • Resend — Transactional email delivery
  • Twilio — SMS messaging and text-to-give
  • Vercel — Application hosting and privacy-preserving analytics
  • Checkr — Background check processing (when enabled by your church)
  • Mailchimp — Email marketing integration (optional, when connected by your church)
  • Intuit QuickBooks — Accounting integration (optional, when connected by your church)

We maintain data processing agreements with each provider and will notify you of any changes to this list. For questions about our sub-processors, contact privacy@gracebase.co.

10. Delete Your Account

You can request deletion of your GraceBase account and all associated data by following these steps:

  1. Log in to your GraceBase account
  2. Navigate to Settings > Privacy
  3. Click "Delete My Account"
  4. Confirm the deletion when prompted

Alternatively, you can email privacy@gracebase.co with the subject line "Delete My Account" from the email address associated with your account.

What gets deleted:

  • Your profile information (name, email, phone, address)
  • Your login credentials
  • Your notification preferences and app settings
  • Your group memberships, event RSVPs, and form submissions
  • Profile photos and uploaded files

What may be retained:

  • Donation and financial transaction records (retained for 7 years for tax and legal compliance)
  • Anonymized analytics data that cannot be linked back to you

Account deletion is processed within 30 days. Data is permanently removed within 90 days of the request.

11. Delete Your Data

You can request deletion of specific data without deleting your entire account:

  1. Log in to your GraceBase account
  2. Navigate to Settings > Privacy
  3. Select the data categories you want deleted (e.g., giving history, event attendance, uploaded files)
  4. Click "Request Data Deletion"

You can also email privacy@gracebase.co specifying which data you would like removed. We will process your request within 30 days and confirm once complete.

Note: Some data may need to be retained for legal or regulatory compliance (see section 10 above for details on what may be retained).

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

13. Contact Us

If you have questions about this privacy policy or our data practices, please contact us:

Email: privacy@gracebase.co

Mail: GraceBase Privacy Team — please use the email address above for all privacy inquiries