Privacy Notice

Last updated: 27 March 2026

How AltarDesk collects, uses and protects your personal data

Rayscent Ltd (‘we’, ‘us’, ‘our’) operates AltarDesk. We take the privacy of everyone who uses our software seriously. This notice explains how we collect, use and protect personal data in connection with AltarDesk.

We will never sell, rent, distribute or otherwise make your personal data commercially available to any third party, except as described in this notice.

1. Who this notice applies to

This notice applies to three groups:

(a) Customers — churches, charities, and other organisations that subscribe to AltarDesk (including those on a free trial), as well as their administrators and team members.

(b) End users (congregation members)— people whose data is entered into AltarDesk by a church, including those who access a member portal. Please note: this notice does not cover how churches use member data — that is governed by the church's own privacy notice.

(c) Website visitors — anyone visiting altardesk.co.uk.

2. Data controller vs data processor

For account data (your name, email, billing information and support messages), Rayscent Ltd is the data controller.

For congregation data (members, Gift Aid declarations, attendance, safeguarding records and similar data entered by the church), the church is the data controller and Rayscent Ltd is the data processor. We process this data solely on the church's instructions and in accordance with our Data Processing Agreement.

If a congregation member has a question about how their data is used, that request should be directed to the church — not to us.

A Data Processing Agreement (DPA) is available on request at hello@altardesk.co.uk.

3. What data we collect

A. Account data

Name and email address
Organisation name, type and size
HMRC reference number
Charity Commission number
Authorised official details (for Gift Aid submissions)
Billing information (processed via Stripe — we never see or store your card details)
Support messages and correspondence
Team member names and email addresses

B. Member data (processed on behalf of the church)

Names, addresses and contact details
Dates of birth
Gift Aid declarations
Donation history
DBS check records
Safeguarding incidents
Attendance records
Rota records
Baptism and birth records
Ministry membership

We process this data only as instructed by the church and for no other purpose.

C. Automatic data

IP addresses
Browser and device information
Pages visited
Error and performance logs
Authentication session data

For more information about tracking technologies, see our cookie notice.

4. How we use data and our legal basis

Purpose	Legal basis
Providing and operating AltarDesk	Contract
Processing subscription billing via Stripe	Contract
Sending account emails (password reset, invitations)	Contract
Securing the platform against fraud and abuse	Legitimate interests
Improving the service using anonymised analytics	Legitimate interests
Responding to support requests	Legitimate interests
Complying with HMRC requirements (Gift Aid, 6-year retention rule)	Legal obligation
UK accounting obligations (7-year records)	Legal obligation
Sending marketing emails about product updates and features	Consent (opt-in, withdrawable at any time)

We will never use member data entered by churches for our own purposes.

5. Special category and sensitive data

Gift Aid data contains financial information about individual donors. This data is stored encrypted at rest, retained for a minimum of 6 years as required by HMRC, and used solely for the purpose of processing Gift Aid claims.

DBS and safeguarding data is classified as sensitive data under Article 9 of UK GDPR. Access is restricted to admin users only. Safeguarding incidents are visible only to users with an admin role. Enhanced security controls apply. This data is processed only as directed by the church.

We will never sell, rent or commercially share your personal data.

We use the following sub-processors to deliver AltarDesk:

Sub-processor	Purpose	Location	Safeguard
Supabase Inc	Database & authentication	USA	SCCs
Vercel Inc	Hosting	USA	SCCs
Stripe Inc	Payments	USA	SCCs
Resend Inc	Email	USA	SCCs
Google LLC	Analytics (consent-gated)	USA	SCCs

We may also share data where required by law — for example, in response to a court order or a request from HMRC. We will notify you if this happens, unless we are legally prohibited from doing so.

7. International transfers

Some of our sub-processors are based in the United States. All international transfers are protected by Standard Contractual Clauses (SCCs) approved by the ICO. We only work with sub-processors that provide an adequate level of data protection.

8. How long we keep data

Data type	Retention period
Account data	Duration of subscription + 2 years
Gift Aid and donation records	6 years (HMRC requirement)
Billing records	7 years (UK accounting law)
Safeguarding records	Per church policy (retained while account is active)
Server logs	90 days
Marketing consent records	Until withdrawn
Member data	Deleted within 30 days of account closure, except where legal retention applies

When a church closes their account, we permanently delete all member data within 30 days, except legally required records.

9. How we protect your data

AES-256 encryption at rest (Supabase)
TLS 1.2+ encryption in transit
Row-level security for multi-tenant data isolation
Role-based access control
Two-factor authentication available for all users
SOC 2 Type II compliance (Supabase)
Regular security assessments

In the event of a data breach, we will notify the ICO within 72 hours as required by UK GDPR and inform affected parties without undue delay.

10. Your rights

Under UK GDPR, you have the right to:

Access — request a copy of the personal data we hold about you
Correct — ask us to correct inaccurate or incomplete data
Erasure — ask us to delete your data (subject to legal retention requirements)
Restrict — ask us to limit how we process your data
Portability — receive your data in a structured, commonly used format
Object — object to processing based on legitimate interests
Withdraw consent — where processing is based on consent, withdraw it at any time
Complain — lodge a complaint with the Information Commissioner's Office (ICO)

To exercise any of these rights, contact us at privacy@altardesk.co.uk. We will respond within one calendar month.

You can also contact the ICO directly at ico.org.uk, by phone on 0303 123 1113, or by email at casework@ico.org.uk.

11. Children

AltarDesk is designed for use by church administrators aged 18 and over. Churches may enter records relating to children (for example, baptism records or Sunday school attendance). This data is processed solely on the church's instruction.

Churches are responsible for ensuring they have a lawful basis for entering children's data into AltarDesk.

12. Cookies

For full details about the cookies and similar technologies we use, see our cookie notice. You can manage your cookie preferences at any time using the Cookie Settings link in the footer.

13. Changes to this notice

We review this notice at least once a year. If we make material changes, we will notify you by email at least 14 days before the changes take effect.

The “Last updated” date at the top of this page will always reflect the most recent revision.

14. Contact us

For data protection queries, contact privacy@altardesk.co.uk. For general enquiries, contact hello@altardesk.co.uk.

Rayscent Ltd, registered in England and Wales.

We aim to respond to all enquiries within 5 working days.