C3 Privacy Policy

At The C3 Church (C3), we are committed to protecting and respecting your data privacy. This policy outlines the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following to understand our processes regarding your personal data and how we will treat it.

Our principles

We will only process your data for purposes that are legal and fair. All processing undertaken will be necessary to achieve the purpose for which it was collected. We will make you fully aware of the extent of C3's processing of personal data at the point of collection in a transparent and easy-to-understand way. We will also inform you of the possible trusted third-party recipients of your data and will provide you with the safeguards and controls applied to the processing and retention of your data.

Your data will only be processed for the specific and legitimate process for which it was collected. If C3 proposes to use your data for a different purpose, we will seek to obtain your consent.

We will endeavour to use anonymised data where possible. If your data is found to be inaccurate, it will be corrected as soon as reasonably possible.

We will not store your data longer than is needed for the legitimate activity for which it is held. Data retention periods for each type of data are held centrally by C3 and are in line with legal requirements.

C3 will ensure your data is protected against unauthorised use and accidental loss, destruction or damage. We also keep your data confidential. It will not be disclosed to unauthorised third parties without a clear reason and in accordance with the consent you give.

When we process your data

We ensure data is only processed when it satisfies one of a number of legal conditions.

We will only process your data when you have freely given specific, informed and clear agreement. You are able to withdraw this consent at any time. Whenever you give consent, we will keep a record of when and how this was given.

If you are a guardian of a minor, we will only process the data of the minor when you have freely given specific, informed, and clear agreement. You are able to withdraw this consent at any time. Where possible, we will also ensure that consent documentation is appropriate for the minor, so that they can also understand our requirements for consent. Whenever you give consent, we will keep a record of when and how this was given.

We will never process your data if there is any reason to believe that doing so would prejudice you.

Day-to-day activities at C3 may require the processing of sensitive data. All sensitive data will be handled in accordance with legal requirements, best practice, and the appropriate safeguards.

Your data rights

You have the right to request information about whether your personal data is processed by, or on behalf of, C3. This includes the right to be provided with a copy and a description of the data in a clearly understandable format.

You have the right to require C3 to correct any inaccurate information held about you. If you request a change to your data, it will be actioned as soon as is reasonably possible once your identity has been verified.

You can request that all personal data relating to you is deleted where it is no longer needed by C3 for the purposes for which it was collected.

You can request that C3 stop processing personal data where your interests override that of C3. This does not apply if C3 is required by law to process your data.

At any time, you can object to the use of your data for the purposes of marketing events, opportunities, and activities by C3 or its partners. A record of your objection will be held in C3 systems in order to exclude your data from further communications.

How we process your data

We email you to keep you up to date with events and activities at C3. This data is held in our main church database and in specialised communication platforms.

We keep a record of events, courses and groups you have registered with and the dates you attended. We may contact you about upcoming activities which may be of interest to you.

We hold historical financial data, in accordance with the law, if you regularly give, have donated or purchased anything through our shop or trusted partners.

If you are on a team or volunteer in any of our outreach initiatives, we keep rota information and other data to help us to manage your time, involvement, and progression.

If you receive any of our specialist services, such as pastoral or ministry support, we may keep confidential data on this in compliance with government regulations.

If provided with consent, we hold sensitive data regarding allergies or special medical requirements.

Youth and Kids data (aged 13 or under) is held with guardian consent for all of the above activities and is also used to connect with Youth over social media and messaging software.

By law, you have a number of rights as a data subject, such as the right to be informed, the right to access information held about you and the right to rectification of any inaccurate data that we hold about you.

You have the right to request that we erase personal data about you that we hold (although this is not an absolute right).

You have the right to request that we restrict processing of personal data about you that we hold in certain circumstances.

You have the right to object to processing of personal data about you on grounds relating to your particular situation (again, this right is not absolute).

If you are unhappy or wish to complain about how your information is used, you should contact a member of staff in the first instance to resolve your issue.

If you are still not satisfied, you can complain to the Information Commissioner’s Office. Their website address is www.ico.org.uk.

Third-party data processing

ChurchSuite (church administration and church family processing)
We use ChurchSuite, a church management platform, to help us administer church activities, manage rotas, groups, events, Kids and Youth groups, communication preferences, and contact details. ChurchSuite acts as our data processor, processing personal data on our instructions in line with their GDPR‑ready terms of service, which provide the written controller–processor contract required under the UK GDPR.

Personal data processed in ChurchSuite may include contact information, group involvement, rota participation, child/youth details for safeguarding and emergency contact purposes, and event sign‑ups, depending on your involvement. This aligns with how churches typically use ChurchSuite for volunteer administration, groups, kids and youth groups, and communication management.

ChurchSuite supports GDPR compliance through features such as audit trails, consent management, privacy controls, unsubscribe options in all emails, and mechanisms to facilitate data subject rights (including “right to be forgotten” workflows and privacy‑setting controls in My ChurchSuite).

ChurchSuite processes data in accordance with UK GDPR requirements, and any international transfers (if applicable) are handled under appropriate safeguards as described in their GDPR‑compliant terms. Your data will only be processed for the purposes described above and never for unrelated purposes.

Mailchimp (email communications and audience management)
We use Mailchimp, operated by The Rocket Science Group LLC (part of Intuit), to send our email newsletters, updates, and other communications. Mailchimp acts as our data processor, handling personal data on our instructions solely for communication purposes. Mailchimp maintains strong data‑stewardship commitments, including clear assurances that it does not sell members’ or subscribers’ personal data.

Contact information used for email communications is managed within ChurchSuite, which integrates with Mailchimp. As part of this integration, relevant personal data (such as names, email addresses, and communication preferences) is securely transferred from ChurchSuite to Mailchimp to deliver our communications. ChurchSuite itself is designed to support GDPR compliance and includes consent management, audit trails, and privacy‑notice display for all public‑facing forms.

Mailchimp stores data on servers located in the United States. It is certified under the EU–US Data Privacy Framework, the UK Extension, and the Swiss–US Framework, meaning restricted UK–US data transfers occur under an adequacy mechanism recognised by the UK government. Should that mechanism ever become invalid, Mailchimp has Standard Contractual Clauses (SCCs) embedded in its Data Processing Addendum as a fallback safeguard.

As required under UK GDPR, we maintain a Data Processing Addendum (DPA) with Mailchimp. The DPA sets out Mailchimp’s processor obligations, security and breach‑notification commitments, sub‑processor arrangements, and international‑transfer safeguards.

Mailchimp also supports GDPR and PECR compliance through features such as opt‑in signup tools, unsubscribe links, and mechanisms to help us manage consent and communication preferences. We only send marketing emails where we have a valid lawful basis, typically consent under PECR.

Planning Center (service planning and team access to running orders)
We use Planning Center, a church management and worship‑planning platform, to give authorised team members access to service plans, running orders, and where applicable, song information. Planning Center acts as our data processor, processing personal data only on our instructions for these defined operational purposes. Planning Center affirms its full commitment to GDPR compliance, maintains an EU‑based Data Protection Officer, and offers a Data Processing Agreement (DPA) to govern its processing.

Access is restricted to those teams who require it — for example, worship teams needing song information, and production, AV, or hosting teams needing the running order to fulfil their roles. Only the minimal necessary data (such as names, contact details, roles, and permissions) is transferred from ChurchSuite into Planning Center via our integration. ChurchSuite itself provides GDPR‑ready features including consent management, audit trails, and privacy‑notice display on data‑collection forms.

Planning Center stores all data on Amazon Web Services (AWS) servers in Virginia, USA, meaning personal data is transferred outside the UK. Planning Center states that it upholds GDPR‑level protections for all customer data and that churches may execute a DPA to formalise transfer safeguards and define security and processor obligations.

Planning Center also maintains published security practices and a public sub‑processor list, with the option to subscribe for notifications of any changes. It acknowledges that churches may rely on legitimate interest as a lawful basis for internal processing within ministry contexts.

Data in Planning Center is used exclusively to support team‑based service preparation — such as viewing service plans, running orders, schedules, and song information — and is never used for marketing or other unrelated purposes.

Microsoft 365 (data storage and communications)
We use Microsoft 365 as a secure platform for storing and managing a range of organisational data, including employee HR information, safeguarding records, pastoral notes, and operational documents. Microsoft acts as our data processor for these services, processing personal data on our instructions within the scope of our Microsoft service agreement. Microsoft publicly commits to GDPR compliance across Microsoft 365 and provides detailed accountability documentation, including Data Protection Impact Assessment (DPIA) guidance, breach‑notification procedures, and Data Subject Request (DSR) support.

Microsoft 365 also underpins our email communications, including 1‑to‑1 and small‑audience emails to members of our church family, and stores incoming emails sent to us by members of the congregation or wider community. Outlook and Exchange Online form part of the Microsoft 365 service suite, and are covered by the same GDPR compliance commitments and organisational/technical safeguards.

Data stored within Microsoft 365 may be held in Microsoft’s European or UK data centres, depending on the service configuration and regional availability. Microsoft provides GDPR‑aligned technical and organisational measures — including encryption, data‑loss‑prevention tooling, and compliance controls through the Microsoft 365 Compliance Centre — to help ensure the security, confidentiality, and proper governance of personal data.

As with many US‑headquartered cloud providers, certain elements of Microsoft’s infrastructure may involve international transfers. Microsoft states that it offers GDPR‑compliant contractual safeguards for such transfers and maintains a suite of documentation to support Transfer Impact Assessments (TIAs), audit readiness, and regulatory compliance.

All personal data stored in Microsoft 365 is used solely for church operational purposes — including HR administration, safeguarding management, pastoral care, and communications — and is never used for marketing or unrelated activities.

Purchase approvals and spend control
We use ApprovalMax Limited (UK) to manage business spending, purchase orders, and related approvals. ApprovalMax acts as our data processor, processing personal data on our instructions to operate our approval workflows. Personal data involved may include staff identifiers (name, work email, role, approval limits) and supplier contact details included on bills/POs. Our lawful basis is legitimate interests (effective financial governance and fraud prevention) and, where we contract with suppliers, contract.
ApprovalMax processes data in the UK/EEA. Where data is transferred outside the UK/EEA, this is done under approved safeguards (e.g., UK Addendum to the EU Standard Contractual Clauses). You can read ApprovalMax’s privacy information and DPA here: approvalmax.com/policy and approvalmax.com/dpa.

CCTV at The C3 Church

To ensure the safety and security of people visiting and working at The C3 Church, we operate CCTV cameras. These collect recognisable images of people in the following locations:

  • Coldham’s Coffee
  • Reception
  • Community Fridge
  • Carpark
  • Rear bike area
  • Rear sheds

Signs are in place informing people that CCTV is being used.

We retain CCTV data for 28 days.

Any person whose image is recorded on our CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage. If you wish to request footage, please email cctv@thec3.uk or phone the office during office hours on 01223 844415 and ask for the facilities manager.

The Police may request CCTV footage from us and we may supply it, but we will ensure that any request is confirmed in writing. Should the Police wish to view the footage on the premises, this action would fall outside of data protection concerns.

How to contact us

If you have any questions regarding this policy or the processing of your data, please contact:

The Data Protection Officer
The C3 Church
Brooks Road
Cambridge
CB1 3HR
gdpr@thec3.uk

We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page at thec3.uk/privacy. This privacy notice was last updated on 20th November 2022.