Privacy Policy

Last updated: March 2026 · Version 1.1

This Privacy Policy explains how Aurnet collects, uses, shares, and protects your personal data in compliance with GDPR.

Introduction

Aurnet is a church engagement platform providing messaging, events, rotas, sermons/media, meetings, bible plans, and related tools. We are committed to protecting your privacy in compliance with UK GDPR, the Data Protection Act 2018, and EU GDPR. This Privacy Policy explains how we collect, use, share, and protect your personal data.

Data Controller

  • Organisation: Aurnet Ltd
  • Email: privacy@aurnet.co.uk or info@aurnet.co.uk
  • Address: 10 Shepherds Green Road, B24 8EX, Birmingham, United Kingdom

Lawful Basis for Processing

We process your personal data on the following lawful bases under Article 6 of GDPR:

  • Consent (Art 6(1)(a)): We obtain your explicit consent before processing data, particularly for special category data.
  • Contract (Art 6(1)(b)): We process data necessary to perform our service agreement with your church.
  • Legitimate Interests (Art 6(1)(f)): We process data to improve our service, maintain security, and comply with legal obligations.

Special Category Data (Article 9)

Aurnet processes special category data, specifically religious affiliation. We do this under Article 9(2)(d) (processing by religious bodies) and Article 9(2)(a) (explicit consent). Your religious affiliation is processed only for the purposes of church administration and engagement.

What Data We Collect

  • Account Data: Full name, email address, bcrypt-hashed password, phone number, date of birth, profile photo, church affiliation, and role.
  • Church Engagement Data: Participation in events, rotas, meetings, prayer requests, testimonies, giving records, and interaction with sermons/media.
  • Communication Data: Messages sent through the platform, including timestamps and recipients.
  • Financial Data: Bank details (encrypted with AES-256-GCM), donation/giving history, and Stripe payment processor integration.
  • Technical Data: Device tokens, IP addresses, browser information, and platform usage logs.

How We Use Your Data

  • Deliver and maintain the Aurnet platform and provide requested services
  • Manage your account and authenticate you securely, including verifying email changes and sending security notifications
  • Process donations and financial transactions through Stripe
  • Respond to your enquiries and provide customer support
  • Send service updates, account change confirmations, and security notices
  • Improve the platform through analytics and usage data
  • Comply with legal, regulatory, and safeguarding obligations

Account Changes and Verification

When you update sensitive account information, we take steps to protect your security and maintain transparency:

  • Email Changes: When you request an email change, your current email remains active until the new email is verified via a confirmation link. We send a notification to your current email address informing you of the change request, and a second notification when the change is confirmed.
  • Password Changes: Password changes require your current password for verification. Your new password is hashed using bcrypt before storage; we never store passwords in plain text.
  • Phone Number: You may optionally provide a phone number. This is stored to support church contact purposes and is visible to church administrators within your church only.
  • Profile Updates: Changes to your name and other profile fields are applied immediately and reflected across the platform.

Data Sharing

We do not sell, rent, trade, or share your personal data for advertising, marketing, or profiling. We only share data with trusted service providers bound by confidentiality:

  • Stripe: Payment processor for donations (PCI-DSS compliant)
  • AWS S3: Cloud storage for media and documents
  • Expo: Mobile app platform and push notification service
  • SMTP Provider: Email delivery service for notifications and updates

Data Retention

We retain your data for as long as your account is active. Upon account deletion, we permanently delete all associated personal data including: account information, messages, engagement records, financial data, and technical logs. Some aggregated, anonymized data may be retained for analytics.

Your Rights Under GDPR

  • Right of Access (Art 15): Request and export your personal data (Export My Data)
  • Right to Rectification (Art 16): Correct or update inaccurate personal data
  • Right to Erasure (Art 17): Request deletion of your account and all associated data (Delete Account)
  • Right to Data Portability (Art 20): Receive your data in a structured, commonly used format
  • Right to Withdraw Consent: Withdraw consent for data processing at any time
  • Right to Lodge a Complaint: Contact the ICO (Information Commissioner's Office) if you believe we have mishandled your data

Data Security

  • Password Security: Passwords are hashed using bcrypt with a cost factor (salt rounds) of 12
  • Email Verification: Email changes require password confirmation and verification of the new address before the change takes effect. Notifications are sent to both old and new email addresses.
  • Data Encryption: Sensitive financial data is encrypted using AES-256-GCM
  • Transport Security: All data is transmitted over TLS-encrypted HTTPS connections
  • Security Headers: We implement security headers including HSTS, CSP, and X-Frame-Options
  • Rate Limiting: We implement rate limiting to prevent brute-force attacks
  • Log Masking: Sensitive data is masked in application logs

International Data Transfers

Where data is transferred internationally, we rely on Standard Contractual Clauses (SCCs) as approved by relevant authorities to ensure adequate protection.

Children's Data

Aurnet is not intended for individuals under 13 years old. We do not knowingly collect personal data from children under 13. If we become aware of such collection, we will delete the data and notify relevant parties.

Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes at least 30 days before they take effect. Your continued use of Aurnet constitutes acceptance of the updated policy.

Privacy enquiries

For privacy questions, contact us at privacy@aurnet.co.uk or info@aurnet.co.uk.