Privacy Policy

Last updated: 22 March 2026

1. Who we are

ShepherdCare is a church pastoral care and member management platform operated by Nathanoak Ltd, a company registered in England and Wales. Our website is https://shepherdcare.co.uk. If you have any questions about this policy, contact us at contact@shepherdcare.co.uk.

2. What data we collect

We collect the following personal data when you register or use ShepherdCare:

  • Account information: full name, email address, password (hashed — never stored in plain text)
  • Contact details: phone number, home address, postcode
  • Personal details (optional): date of birth, wedding anniversary, marital status
  • Church membership: the church you belong to, your role (Member or Admin)
  • Activity data: pastoral care requests, event RSVPs, prayer requests, messages, sermon notes, and other content you create within the platform
  • Google Calendar data (if connected): we access your Google Calendar to sync church events. We request read/write access only to create and update events on your behalf. We do not read your existing personal calendar events.
  • Technical data: IP address, browser type, device information, and usage logs collected automatically for security and performance purposes

3. How we use your data

We use your personal data to:

  • Provide and operate the ShepherdCare platform for your church
  • Enable your church pastor and administrators to manage pastoral care, events, and communications
  • Send you notifications about events, sermon uploads, care requests, and messages relevant to your church
  • Sync church events to your Google Calendar when you have connected it
  • Improve the platform and diagnose technical issues
  • Comply with legal obligations

We do not sell your personal data to any third party, use it for advertising, or share it with anyone outside your church organisation except as described in this policy.

4. Google Calendar integration

If you choose to connect your Google account, ShepherdCare uses the Google Calendar API to:

  • Add church events and pastoral visits to your Google Calendar
  • Update or remove events if they are changed or cancelled

ShepherdCare's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only request the minimum permissions necessary and do not share your Google data with any third party. You can disconnect your Google account at any time from your profile settings.

5. Legal basis for processing

We process your personal data under the following legal bases (UK GDPR):

  • Contract: to provide the ShepherdCare service you signed up for
  • Legitimate interests: to operate, secure, and improve the platform
  • Consent: for optional features such as Google Calendar integration and push notifications (you can withdraw consent at any time)

6. Data sharing

Your data is shared only with:

7. Data retention

We retain your personal data for as long as your church account is active on ShepherdCare. If you or your church administrator deletes your account, your personal data will be permanently deleted within 30 days, except where we are required to retain it by law.

8. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data ("right to be forgotten")
  • Restrict how we process your data
  • Receive your data in a structured, machine-readable format (data portability)
  • Object to processing based on legitimate interests
  • Withdraw consent at any time for consent-based processing

To exercise any of these rights, contact us at contact@shepherdcare.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

9. Security

We take the security of your data seriously. Measures include:

  • Passwords are hashed using bcrypt — never stored in plain text
  • All data is transmitted over HTTPS/TLS
  • Each church's data is isolated — no church can access another church's data
  • Access tokens for Google Calendar are encrypted and stored securely
  • Regular security headers (HSTS, X-Frame-Options, CSP) are applied to all responses

10. Cookies

ShepherdCare uses only essential session cookies required to keep you logged in (via NextAuth.js). We do not use advertising, tracking, or analytics cookies.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notification. The "Last updated" date at the top of this page will always reflect the most recent revision.

12. Contact us

For any privacy-related questions or requests: