June 2023
GRACELY LLC (here “Gracely”, “We”, “Us”), a company incorporated under the laws of USA, having its registered office at 1209 Orange Street, City of Wilmington, Delaware, DE 19801, offers a Church Management Platform (the “Services”) through https://gracely.io/ (the “Website”).
Gracely is committed to respect your privacy and applicable data protection laws and regulations. This Privacy Policy (the “Policy”) intends to inform you about the way we use your personal data (i.e. any data related to an identifiable natural person, either directly or indirectly), either we collect them, when you visit our Website, when you donate by clicking on a banner at a third-party webpage for the process initialized after clicking on the banner, or when ordering and using our Services.
By accessing and using this Website, you confirm that you have read and fully understood this Policy, that you agree to the collection and the usage of your own and others’ personal data in accordance with the Policy and that you have the authority to provide Gracely with all information submitted by you via the Website and the Services, including but not limited to the personal data of third parties.
A. Gracely as Data Controller
1. Data Collected Through the Website
Gracely is the “Data Controller” of all Personal Data collected through the Website. This means that Gracely determines the means and the purposes of the processing and is responsible to reply to data subjects requests. A visitor of our Website is the person simply visiting our Website, as well as the person interacting with our Website e.g. by filling in and sending the contact form, or ordering our Newsletter (referred to as “you”, “your” or “Visitor” in this Policy).
Cookies
A cookie is a small data file stored by your browser at your device’s hard disk for record-keeping purposes, namely it records information about the use and activity on the Website. This information may include, but is not
limited to, your Internet Protocol address, browser type, but also your web browsing history before visiting the Website, our Website’s search history.
Some cookies are “first party cookies”, which means that they are set by the owner of a website, i.e. Gracely. Cookies set by parties other than the owner of a website are called “third party cookies”.
Cookies are used for different reasons.
There are the necessary cookies, which are required for technical reasons in order for a website to operate.
Some cookies are used to enhance the performance and functionality of a website, but are non-essential to their use. However, if you decide not to accept such cookies, certain functionality may become unavailable. Such cookies are called preferences cookies.
Some cookies collect information that is used in aggregate form to help a website owner understand how its website is being used. Such cookies are called analytics. For example Google, stores a Google Analytics cookie in order to be able to differentiate between users and be able to show to the website owner how many times people visit a website on average and information on what pages they’ve seen, how long the duration was, and so on. Third party cookies used on our Website upon your consent are Hotjar and Google Analytics.
Some cookies are used for marketing purposes. These are the marketing cookies and are third-party cookies. Third-party cookies are placed by providers (e.g., by Google, Facebook), who a website owner may have engaged to provide advertising services on its behalf. If, from the analysis of information, visitors of a webpage are interested in one of the services, then advertising material would be projected on third party websites. To see how data is collected and analyzed by third party cookies, you can also visit the websites of the third parties.
When you visit our Website, you are asked to consent to the use of cookies. You may choose to consent to none, one or more of the above cookies, except for the necessary ones. You may withdraw your consent to the use of cookies any time during your visit to our Website freely and
easily by clicking on the Cookies Manager button and setting your preferences.
Additionally, you can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit.
Newsletter
If you wish to receive our Newsletter, for example announcements about new offers and actions of Gracely, you may enter your e-mail address on this Website to specifically request registering for the Newsletter. Your email address is solely used for the purpose of sending our Newsletter and you are removed from the Newsletter recipient list, once you choose to unsubscribe. You may be removed from this list, easily and without cost, by selecting the “unsubscribe” link within the e-mail content. You can also send an email at privacy@gracely.io
To send the Newsletter, we use mailchimp, a US based company, as a provider of electronic communication platform. For the privacy policy of mailchimp see https://mailchimp.com/legal/privacy/.
Contact Form
If you wish to communicate with us by using the Contact Form, you may enter the name of the Church you represent, your name, your e-mail address, your telephone number, the matter you would like to discuss about with us and write your message in the dedicated space. Such personal data is used solely for the purpose of responding to you, and we keep your data only as long as it is necessary to respond to your request.
2. Data Collected through the Services
We collect data of our Customers for the purpose of billing and payments as well as for analysis and benchmarking. We collect Full name, Email, Address and Phone Number and other identification data (such as company name and position in company and VAT number). For the purpose of billing and payments, we engage Stripe as our processor. Gracely does not process your credit card details.
For the purpose of analysis and benchmarking we use Hotjar and Google Analytics. We process data produced, while you and your Authorized users are using the Services, such as these traffic and behavioral data in aggregated and anonymous form for statistics, and analysis and benchmarking. In this way, we understand how easy and quick it is for you to use the Services, whether some tools are more popular than others, whether some tools are not easy to handle or whether you need some assistance from us.
B. Gracely as Data Processor
1. Data collected when you decide to donate
When you decide to donate to a Church that is a Customer of Gracely, we collect (in the Services) your identification data (Full Name, Email), the Amount you choose to donate, and the date and time of the donation. For the collection of the donations, we engage Stripe Connect and have only view access to the data collected by Stripe Connect in Customer’s Account. The money you donate flows via Stripe to the Church’s bank account. Gracely is the “data processor” for Personal Data collected to execute your donation to the Church and the Church is the “data controller”.
2. Data collected for the provision of the Services
If you decide to purchase the Services, then Gracely processes Personal Data inputted in the Services by you/the Customer and your Authorized Users and Personal Data of your donators, in they way described and instructed by you in the Data Processing Addendum.
Data Processing Addendum
Gracely is the “Data Processor” for all personal data processed in relation to the provision of the Services. This means that such Personal Data is collected on the Customer’s/Account Owner’s behalf for its own purposes, that Customer/Account Owner is solely responsible i) for the legality, reliability, accuracy and quality of such Personal Data ii) for the legality of the processing purposes and iii) for the necessity of the processing to serve these purposes, and that the Customer/Account Owner is the Data Controller of Personal Data processed, while using the Services. Therefore, the Customer/Account Owner is responsible to satisfy the requests of the
data subjects, whose Personal Data is processed through the Services. Additionally, the Customer/Account Owner is responsible to inform the data subjects (any person whose personal data is processed by usage of the Services) about the scope, the purpose, the duration and the means of the processing, and to acquire the consent of the data subjects, whose Personal Data is being processed through the Services, where required. Gracely executes a Data Processing Addendum with the
Customer/Account Owner, which is available at https://gracely.io/dpa.
We share personal data with our associates (sub-contractors and sub-processors), solely for the provision of the Services. We have made sure, by means of a written contract or assignment that our sub-processors comply with the DPA, and provide at least the same level of data protection as we do, for example that they follow reliable technical and organizational security measures.
Our full list of sub-processors, their tasks, locations, and contact details, is available at https://gracely.io/subprocessors.
C. Security
Either we process Personal Data as Data Controllers or Data Processors we take appropriate technical and organizational security measures to protect the integrity, accessibility and confidentiality of your data. These measures are physical and environmental security measures, as well as IT security measures, including but not limited to the use of updated anti-virus and firewalls, safe protocols, user authentication processes, encryption, data separation, etc. We also have in place specific procedures for incident reporting and management.
D. International Data Transfer
Data transfers outside the EEA or the UK (e.g. if the Church is based in the EEA or the UK) are subject to Adequacy Decisions or to the latest versions of the Standard Contractual Clauses approved by the European Commission from time to time, as published in the Official Journal of the European Union, as well as by the UK Information Commissioner, based on the GDPR and the UK GDPR.
E. Social media
You may be able to access third party social media services through our Website by using social media plugins on our Website and in the Services. In that case URL data may be transferred to this third party, based on this party’s Privacy Policy. Make sure you read the Privacy Policy of this third party, before you proceed to the plugin.
F. Your Rights
We respect your rights as a data subject under the GDPR, the UK GDPR and other applicable data protection laws and regulations. Bear in mind that we are entitled to answer to your requests as a data subject, when acting as Data Controllers, if you contact us at this email address: [INSERT PRIVACY EMAIL]. When we are acting as Data Processors the Data Controller, our Customer/the Church, is responsible to address your requests. However, we shall provide any reasonable assistance to the Data Controller for the satisfaction of your rights.
If you are a resident of California, the California Consumer Privacy Act (“CCPA”) provides you with certain rights over your personal information. We will work at our Customer’s directions to ensure that your rights provided by the CCPA are respected.
You should know that you, as a data subject, have the following rights under the GDPR and the UK GDPR.
Information and Transparency
You have the right to be informed about any processing of your personal data (the purpose, scope, duration and means, as well of data sharing). We adhere to the principle of transparency in the processing activities we undertake. For any question regarding this Policy, you may contact us at privacy@gracely.io We will respond without delay and in any case no later than one month upon receipt of the request.
Access
You have the right to receive confirmation on whether your personal data are processed and in case this happens, all required information thereof (processing means, goal, records etc.). This enables you to receive a copy
of the personal information the data controller holds about you and to check that your data are lawfully processed. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, you may be charged with a reasonable fee, if your request for access is clearly unfounded or excessive. Alternatively, the data controller may refuse to comply with the request in such circumstances.
Rectification
You have the right to require the rectification of incomplete or inaccurate data relating to you without undue delay, as well as to fill in incomplete data, if necessary for processing.
Erasure
You have the right to ask for the erasure of personal data concerning you without undue delay. Gracely, if we are the data controllers, shall erase the data, when one of the following grounds applies: a) personal data is no longer necessary in relation to the purposes of processing; or b) the data subject objects to the processing and there are no overriding legitimate grounds for the processing or the data subject objects to processing for direct marketing; or c) the personal data have to be erased in compliance with a legal obligation. We shall not proceed to the erasure of personal data, if the data must be maintained in compliance with a legal obligation or in case the processing is required for the establishment, exercise or defense of legal claims.
Restriction of processing
You have the right to request restriction of processing, if the accuracy of personal data is disputed, for that period of time that allows the data controller to verify the accuracy of personal data or based on any other legitimate reason specified in applicable data protection laws. For example, you may ask suspension of the processing of your personal data, if you want the data controller to establish its accuracy or the reason for processing it.
Data Portability
You have the right to receive your personal data in a structured, commonly used and machine-readable format as well as the right to request the direct transmission of personal data by another to another (controller or processor), if this is technically feasible.
Right to Object
You may oppose the processing of personal data, which takes place based on overriding legitimate interest without your consent. In this case, data controller may no longer process your personal data, unless it demonstrates imperative and legitimate reasons for the processing that outweigh the interests, rights and freedoms of you as a data subject or for the establishment, exercise or defense of legal claims.
No solely automated individual decision-making
We fully respect your right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. You have the right to object to such automated individual decision-making.
Consent Withdrawal
In case you have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. In this case we will notify you. Consent withdrawal does not affect the legality of data processing until then.
For example, you may withdraw your consent to the use of cookies by clicking on the button “Manage Cookies Settings” or choose not to accept cookies by your browser settings.
Children
Our services are not directed to children. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will immediately delete such information. If you become aware that a child has provided Us with his/her personal data, please contact Us at the contact information below.
Complaint to a Supervisory Authority
You have the right to lodge a complaint with a Supervisory Authority, meaning an independent public authority which is established by an EU
Member State or the UK Information Commissioner, pursuant to the GDPR/UK GDPR, if you consider that the processing of your personal data infringes the GDPR/UK GDPR and other applicable European Union or member state data privacy laws.
California Residents
Right to opt out and right to Non-Discrimination: If you are a California resident, you should be specifically aware that you have the right to direct a business that sells (or may in the future sell) your Personal Information to stop selling your Personal Information and to refrain from doing so in the future. We do not sell your Personal Information to any other party.
If you are a California resident, you should be specifically aware that we will not discriminate against California residents or against any person, if they exercise any of the rights provided in the CCPA, or any applicable privacy law provision. In particular, we will not deny goods or services; charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; provide a different level or quality of goods or services; or suggest that anybody (including California residents) will receive a different price or rate for goods or services or a different level or quality of goods or services.
G. Changes to this Privacy Policy
Our Privacy Policy may change from time to time and any changes to this Policy will be updated so as to describe these changes. You are expected to check our website from time to time to take notice of any changes in this Policy. If you have any further questions about this Policy or how we handle your personal data, which are eventually not dealt with here, please get in touch with us by writing to privacy@gracely.io