Privacy Notice

Last updated: LAST REVIEWED DATE

This Privacy Notice explains how SDACTMS collects, uses, stores, and shares personal data through SDACTMS, a church financial request and approval platform.

SDACTMS is used to submit, review, approve, reject, process, and retain records relating to church financial requests, reimbursements, advances, receipts, and related workflow communications.

Please read this notice carefully. It explains what information we collect, why we use it, who we share it with, how long we keep it, and your rights under UK data protection law.

1. Who is responsible for your personal data

The data controller for personal data processed through SDACTMS is SDACTMS.

Contact email: privacy@SDACTMS.com

Postal address: 46 Albatross Way, Chelmsford, CM3 3FX

If SDACTMS is used by multiple churches, each church may act as a controller for personal data relating to its own members, requesters, pastors, elders, treasurers, and finance workflow records. Your contractual and governance setup should reflect the correct controller / processor relationship with each church.

2. What personal data we collect

Depending on how SDACTMS is used, we may collect and process:

  • full name
  • email address
  • phone number
  • church name, church code, ministry, department, and related identifiers
  • user role, such as requester, pastor, elder, treasurer, or administrator
  • request details, including expense descriptions, amounts, dates, and request reference numbers
  • receipt images, invoices, and supporting documents
  • bank or payment details where needed for financial processing
  • approval and rejection status information
  • signatures and request-specific approval codes
  • comments added as part of the workflow
  • technical and security data such as timestamps, audit logs, and account identifiers

Because SDACTMS is used in a church context, some information may reveal a person’s religious affiliation or belief. Under UK GDPR, personal data revealing religious beliefs can be special category data and requires additional care and an appropriate legal basis assessment.

3. How we collect your data

We collect personal data:

  • directly from you when you submit a request or upload documents
  • from church staff involved in the review and approval workflow
  • from signed-in administrative users managing churches and user access
  • from system-generated records such as timestamps, approval actions, and audit logs

Privacy information should be made available when personal data is collected, or within the relevant legal timeframe if obtained from another source.

4. Why we use your personal data

We use personal data for the following purposes:

  • to receive and manage reimbursement, advance, and payment requests
  • to route requests to the correct church, ministry, department, pastor, elder, or treasurer
  • to review, approve, reject, process, and archive requests
  • to verify receipts, supporting documents, and payment details
  • to send workflow notifications and status emails
  • to keep financial and administrative records
  • to maintain security, prevent misuse, detect fraud, and investigate incidents
  • to generate operational and financial reports
  • to maintain audit trails and system accountability
  • to comply with legal, regulatory, accounting, safeguarding, or governance obligations

5. Our lawful bases for processing

We rely on one or more lawful bases under UK GDPR depending on the processing activity. These may include:

  • Legitimate interests — for operating SDACTMS, managing request workflows, maintaining records, ensuring accountability, and securing the service.
  • Contract — where processing is necessary to provide the service or fulfil agreed administrative functions.
  • Legal obligation — where records must be retained or disclosed to comply with law, taxation, accounting, anti-fraud, or regulatory duties.
  • Consent — where consent is actually used as the lawful basis, for example for non-essential analytics cookies if enabled in future.

Where special category data is processed, an additional Article 9 condition is required as well as an Article 6 lawful basis.

Do not state that all processing is based on consent unless that is genuinely the case. The rights that apply can differ depending on the lawful basis used.

6. Who we share personal data with

We may share personal data only where necessary with:

  • authorised church staff, such as treasurers, pastors, elders, and administrators
  • service providers that host or support SDACTMS, such as cloud hosting and infrastructure providers
  • email or notification providers where needed to send workflow communications
  • professional advisers, auditors, insurers, or legal advisers where appropriate
  • regulators, law enforcement, courts, or public authorities where required by law

We do not sell personal data. Where third-party processors are used, appropriate contracts should be in place.

7. Cloud providers and international transfers

SDACTMS may use cloud and infrastructure providers such as Firebase / Google Cloud and Vercel. Personal data may therefore be processed in cloud environments and may be transferred outside the UK where relevant.

Where international transfers take place, they should be assessed and protected using an appropriate transfer mechanism where required by law.

If you know the actual hosting locations and transfer mechanisms, add that detail here before publishing.

8. How long we keep personal data

We keep personal data only for as long as necessary for the purposes described in this notice, including operational, legal, accounting, safeguarding, and audit requirements.

Retention periods may vary depending on the type of record, such as:

  • live workflow records
  • financial and reimbursement records
  • receipts and supporting documents
  • audit logs and security records
  • user account records

When data is no longer needed, it should be securely deleted or anonymised, unless there is a lawful reason to keep it longer. The ICO expects retention periods or the criteria used to decide them to be explained.

9. Security

We use technical and organisational measures designed to protect personal data against unauthorised access, misuse, loss, alteration, and disclosure. These measures include:

  • role-based access controls
  • authentication and access management
  • transport security
  • logging and audit trails
  • restricted administrative access
  • security monitoring and incident handling processes

Only include more specific claims, such as mandatory 2FA, encryption at rest, or regular external audits, if you have actually implemented and documented them.

10. Your rights

Subject to applicable law, you may have the right to:

  • be informed about how your personal data is used
  • request access to your personal data
  • request correction of inaccurate or incomplete personal data
  • request erasure in certain circumstances
  • request restriction of processing in certain circumstances
  • object to processing in certain circumstances
  • request portability where that right applies
  • withdraw consent where consent is the lawful basis

These rights are not absolute and may depend on the lawful basis and context of processing. The right to object and the right to withdraw consent should be explained accurately where they apply.

To exercise your rights, contact us at privacy@sdactms.com.

11. Cookies and similar technologies

SDACTMS may use strictly necessary cookies or similar technologies for essential site functions such as authentication, security, and session management.

If non-essential analytics or tracking technologies are enabled, we will seek consent where required before using them.

Cookie rules under PECR apply to cookies and similar technologies, and any cookie notice or consent mechanism should reflect the technologies actually in use.

12. Complaints

If you have concerns about how your personal data is handled, please contact us first at privacy@SDACTMS.com.

You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters. The ICO expects people to be told how they can complain.

13. Changes to this notice

We may update this Privacy Notice from time to time to reflect changes in the law, our services, or our data processing practices. The latest version will be published on this page with the updated review date shown above.