Privacy Policy
We are committed to handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy supersedes all previous versions, including our policy effective from 22/05/2018.
1 Who We Are
CathCom Ltd is the data controller responsible for your personal data.
- Company: CathCom Ltd
- Email: info@cathcom.org
- Address: [Insert Physical Address]
- Registered in: United Kingdom
2 What Information We Collect
We collect and process personal data across several areas of our business. The categories of data we may collect include:
2.1 General Business & Account Information
- Name and contact details (address, phone number, email)
- Organisational affiliation (e.g. parish or church name)
- Demographic information such as postcode, preferences, and interests
- Billing and financial information for accounts, advertising, and subscription purposes
- Information relevant to customer surveys, offers, and market research
- Information added to our CASPAR system by individuals themselves, or by church organisations who agree to seek permission before entering any personal information
2.2 Directory Information
We operate a directory that stores information about churches, schools, and the people who work in them. This may include:
- Names of institutions (churches and schools) and their addresses
- Names and contact details of staff members and associated individuals
- Organisational roles and affiliations
2.3 Member Profile & App Information
Our member profile application allows individuals to create a personal record. This may include:
- Full name, home address, and contact details
- Personal interests and skills
- Names, ages, and schools of children associated with the account
- Class and programme enrolments and sign-up preferences
2.4 Social Media Integration Data
When you connect social media accounts to our platform, we collect:
- Facebook/Meta: Page IDs, Page Names, User Account IDs, encrypted page access tokens, and profile pictures
- Bluesky: Decentralised Identifiers (DIDs), handles, encrypted app passwords or OAuth tokens, and profile pictures
- Other platforms: Encrypted authentication credentials and public profile information (usernames, display names, account identifiers)
2.5 Content and Usage Data
- Newsletter content uploaded for AI processing
- AI-generated social media post drafts and suggestions
- Post scheduling data (publication times, content, status)
- Platform usage analytics and service interaction logs
3 Legal Basis for Processing (UK GDPR)
We process your personal data under the following legal bases:
- Contract Performance: To provide our services, including social media management, directory listings, and member profile features
- Legitimate Interests: To improve our platform, provide customer support, manage our publications and advertising services, and ensure security
- Legal Obligation: To fulfil our obligations under tax, financial, and compliance law
- Consent: For marketing communications and, where applicable, the inclusion of personal data in our directory or app - which you may withdraw at any time
4 How We Use Your Information
4.1 General Business Purposes
- Maintaining internal records for accounts, billing, and tax purposes
- Improving our products and services based on usage and feedback
- Customising our platforms and publications to your interests
- Sending promotional emails about new products, special offers, or services (only with your consent)
- Contacting you for market research purposes by email, phone, or mail
4.2 Directory Services
- Publishing and maintaining an accurate directory of churches, schools, and associated individuals
- Enabling users to find and connect with relevant organisations and people
4.3 Member Profile & Programme Management
- Maintaining member records and profile information
- Managing sign-ups to classes and programmes
- Communicating relevant information about classes, events, and services
4.4 Social Media Management
- Processing newsletter PDFs using AI to generate social media post suggestions
- Storing encrypted authentication credentials to post approved content to connected accounts on your behalf
- Executing scheduled posts to connected platforms (Facebook, Bluesky, and others)
- Maintaining post history and analytics
4.5 Communications
- Sending service-related notifications (post confirmations, error alerts, account updates)
- Providing customer support and responding to enquiries
- Sending marketing communications (only with your explicit consent)
You can opt out of marketing communications at any time by using the unsubscribe link in our emails or by contacting us at info@cathcom.org.
5 Social Media Platform Integration
5.1 How Social Media Credentials Are Stored
When you connect a social media account, we encrypt and securely store OAuth access tokens, app passwords, and session data on our secure, self-hosted infrastructure. Credentials are used exclusively to post content you have reviewed and approved, and are processed in-memory during scheduled post execution.
5.2 Your Control Over Connected Accounts
- AI-Generated Content: All AI-generated posts are provided as suggestions only. You review and approve all content before publication.
- Your Responsibility: You are solely responsible for all content posted through our platform to your social media accounts.
- Unlinking Accounts: You may disconnect any connected social media account at any time through your account settings.
5.3 Data Retention for Social Media Accounts
- During Active Connection: We retain authentication credentials and account metadata for the entire duration the account remains connected.
- Shared Accounts: If multiple parishes are connected to the same account, data is retained until all parishes have unlinked.
- Upon Unlinking: We immediately delete all authentication credentials, account metadata, and profile information. We may retain the Page Name or public handle on historical post records for audit purposes only - no credentials are retained.
5.4 Data Received from Meta (Facebook/Instagram)
We access the following data from Meta platforms in accordance with Meta's Platform Terms and Data Policy: Page access tokens for authentication; Page profile information (Page ID, Page Name, profile picture); and User Account IDs for account linking.
6 Data Security
We are committed to protecting your personal information. We have implemented appropriate physical, technical, and organisational measures including:
- Encryption: Sensitive data including social media credentials are encrypted in transit (HTTPS/TLS) and at rest
- Access Controls: Strict internal controls limit who can access your data
- Self-Hosted Infrastructure: All data is stored on our own secure Virtual Private Server (VPS)
- Regular Security Reviews: We periodically review and update our security practices
While we take all reasonable precautions, no method of electronic transmission or storage is 100% secure. We will notify you of any data breaches in accordance with UK GDPR requirements.
7 Data Processors & International Transfers
We use the following third-party data processor:
- Hetzner Online GmbH - Role: VPS infrastructure hosting. Location: Germany (European Economic Area). Hetzner provides infrastructure only and does not access or process your data.
All data is stored within the European Economic Area (EEA). We do not transfer your personal data outside the EEA. If we engage additional processors in the future, we will update this policy and ensure appropriate data processing agreements are in place.
8 Cookies
A cookie is a small file which asks permission to be placed on your device. Once agreed, the cookie helps analyse web traffic or lets us recognise you on return visits.
We use traffic log cookies to identify which pages are used, analyse web traffic patterns, and improve our website and platforms. This information is used for statistical analysis only and is removed from the system after analysis.
You can choose to accept or decline cookies through your browser settings. Please note that declining cookies may prevent you from taking full advantage of our platform's features.
9 Links to Other Websites
Our websites and platforms may contain links to third-party websites, including social media platforms. Once you leave our site, we have no control over those websites and cannot be responsible for their privacy practices. You should review the privacy statement of any website you visit.
10 Your Data Rights (UK GDPR)
Under the UK General Data Protection Regulation (Data Protection Act 2018), you have the following rights. To exercise any of them, contact us at info@cathcom.org - we will respond within one month.
Right to Access
Request a free copy of the personal information we hold about you.
Right to Rectification
Request that we correct any information that is incorrect or incomplete.
Right to Erasure
Request that we delete your personal data, subject to legal retention requirements.
Right to Restrict Processing
Request that we limit how we use your personal data in certain circumstances.
Right to Data Portability
Request your data in a structured, machine-readable format for transfer to another provider.
Right to Object
Object to our processing of your data for direct marketing at any time.
Right to Withdraw Consent
Withdraw consent at any time where we rely on it as the basis for processing.
11 Data Retention
We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy, unless a longer retention period is required by law:
- Account & General Business Data: Retained for the duration of your active relationship with us, plus a reasonable period for legal or compliance purposes after closure
- Directory Information: Retained while the listing remains active; removed upon request or when no longer required
- Member Profile & App Data: Retained while your account is active; deleted or anonymised upon request or account closure
- Social Media Credentials: Retained while connected; deleted immediately upon unlinking
- Post History: Retained for audit purposes (page names only; no credentials retained)
- Marketing Data: Deleted or anonymised when you withdraw consent or opt out
12 Third-Party Sharing
We will not sell, distribute, or lease your personal information to third parties unless:
- We have your explicit permission
- We are required to do so by law
- It is necessary to provide our services (e.g. sharing with Hetzner under strict contractual data processing agreements)
We may send you information about third-party products or services only if you have consented to receive such communications.
13 Deletion of Information
If you believe we are holding personal information about you without permission, please notify us immediately at info@cathcom.org. We will make all reasonable efforts to delete information promptly, except where:
- We are required to hold the information for financial, business, or compliance purposes
- Deletion would affect our ability to defend legal claims
- There is a legal necessity preventing immediate deletion - in which case we will notify you and explain the situation
14 Complaints & Regulatory Authority
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK supervisory authority:
- Information Commissioner's Office (ICO)
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
15 Contact Us
Get in Touch
If you have any questions about this Privacy Policy, wish to exercise your data rights, or need to report a data concern, please contact us:
CathCom Ltd
Email: info@cathcom.org
Address: [Insert Physical Address]
We will respond to your enquiry within 5 business days.
Supervisory Authority
Information Commissioner's Office (ICO) | ico.org.uk | 0303 123 1113