VestryVestry

Privacy Policy

Last updated: 13 June 2026

Vestry is a church administration platform operated by Shire Tech ("we", "us"). This policy explains how we handle personal data when a church uses Vestry, and how we handle data about the people who visit our website or contact us. It is written to reflect the UK GDPR and the Data Protection Act 2018.

Who is responsible for your data

Each church that uses Vestry is the data controller for the information it holds about its members, contacts, donors and visitors. Shire Tech acts as a data processor, hosting and operating the platform on the church's behalf and only acting on its instructions. The terms of that relationship are set out in our Data Processing Agreement. If you want to exercise your rights over data a church holds about you, contact that church directly; they can also use Vestry's built-in tools to export or erase your record.

What we collect

  • Account data for church staff and volunteers: name, email address and role, used to sign in and control access.
  • Church records entered by each church: contacts, households, groups, attendance, giving, pastoral and safeguarding notes, bookings and similar. We process this only to provide the service.
  • Technical data: IP address, browser type and basic logs, used to keep the service secure and reliable.
  • Communications: messages you send us by email for support.

How we use it and our lawful basis

We process church account and technical data to deliver, secure and improve the service (our legitimate interests and to perform our contract with the church). Church records are processed solely under the instructions of the church as its processor. We do not sell personal data, and we do not use church records for advertising or to train any unrelated product.

Email and payments

We send transactional email (sign-in codes, notifications) through SMTP2GO. Where a church enables online giving, card payments are handled by that church's own payment provider (for example Stripe); we do not store full card details. Each of these providers processes data under its own terms.

Where data is stored

Vestry runs on dedicated servers hosted by Hetzner in the EU. Data is logically separated so that each church's records are kept apart from every other church's. We take daily encrypted backups and apply security updates routinely.

How long we keep it

Church records are retained for as long as the church's account is active, and are deleted on the church's instruction or within a reasonable period after an account is closed. We keep limited billing and security logs for as long as needed for legal and operational reasons.

Your rights

You have the right to access, correct, erase, restrict or object to the processing of your personal data, and to data portability. Because a church is the controller of its records, please direct those requests to the relevant church in the first instance; we will support them in responding. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

Contact

Questions about this policy can be sent to support@shire-tech.co.uk.

This document is a plain-English template provided for transparency and should be reviewed by your own legal adviser before relying on it. Questions: support@shire-tech.co.uk.