Welcome to CanByFirst! This Privacy Policy outlines how CanByFirst (“we,” “us,” or “our”), operating the website https://canbyfirst.com, collects, uses, maintains, and discloses information collected from users (each, a “User”) of the CanByFirst website. We are committed to protecting your privacy and ensuring the security of your personal information. This policy applies to the website and all products and services offered by CanByFirst.
At CanByFirst, we understand the importance of your personal data and are dedicated to being transparent about our data practices. This comprehensive policy details our approach to data privacy, explaining what information we collect, why we collect it, how we use it, and your rights regarding your personal data. Our goal is to provide a safe, secure, and trustworthy online experience for all our Users, whether you are signing up for a newsletter, registering for an event, making a donation, or simply browsing our content.
We adhere to the principles of data minimization, purpose limitation, accuracy, storage limitation, integrity, confidentiality, and accountability. This policy is designed to comply with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) for individuals in the European Economic Area (EEA) and the California Consumer Privacy Act (CCPA) for California residents, as well as other relevant U.S. state and federal privacy regulations. By accessing or using our website, you signify your acceptance of this Privacy Policy. If you do not agree to this policy, please do not use our website.
2. Information We Collect
We collect various types of information to provide and improve our services, communicate with you, and enhance your experience on our website. This information can be broadly categorized into Personal Data, Usage Data, and Cookies.
2.1. Personal Data
Personal Data refers to any information that can directly or indirectly identify you. We collect Personal Data that you voluntarily provide to us when you interact with our website, such as when you:
- Register for an event or program.
- Sign up for our newsletters or mailing lists.
- Make a donation.
- Fill out a contact form or send us an email.
- Create an account (if applicable).
- Participate in surveys or provide feedback.
The types of Personal Data we may collect include:
- Identity Data: Your first name, last name, title, and potentially date of birth or age if required for specific events or programs (e.g., children’s ministries registration).
- Contact Data: Your email address, postal address (including billing and shipping addresses), and telephone numbers. This is crucial for communication, event logistics, and processing donations.
- Demographic Data: While this data is generally not directly collected for identification, certain event registrations might request gender or age range for planning purposes (e.g., gender-specific events or age-appropriate groups).
- Financial Data: Information related to your donations, such as transaction history. Please note that we do not directly store your full payment card details. All payment transactions are processed through secure, third-party payment gateways (e.g., Stripe, PayPal), which are PCI DSS compliant. We only receive confirmation of your payment and limited transaction details necessary for record-keeping and tax purposes.
- Communication Data: The content of your messages, inquiries, feedback, and any other communications you send to us.
- Event-Specific Data: Depending on the nature of an event, we might collect additional information such as emergency contact details, dietary restrictions, or specific needs to ensure your safety and participation.
- Account Data: If we offer user accounts, this would include your username, password (stored securely as a hash), and account preferences.
We collect this data with your explicit consent or when necessary to fulfill a contract with you (e.g., event registration), to comply with legal obligations, or based on our legitimate interests in operating and improving our services, provided these interests do not override your fundamental rights and freedoms.
2.2. Usage Data
Usage Data is information that is automatically collected when you visit or use our website. This data is generally non-identifying, but it can be associated with your Personal Data in certain circumstances. Usage Data helps us understand how our website is used, which pages are most popular, and how we can improve the user experience. This may include:
- IP Address: Your Internet Protocol address, which is a numerical label assigned to your device. This can indicate your general geographic location.
- Browser Type and Version: Information about the web browser you are using (e.g., Chrome, Firefox, Safari).
- Operating System: The type of operating system your device uses (e.g., Windows, macOS, Android, iOS).
- Referring Pages: The website address from which you linked to our site.
- Pages Visited: The specific pages you visit on our website.
- Time and Date of Visit: The timestamp of your access.
- Duration of Visit: The amount of time spent on each page or the entire site.
- Clickstream Data: Information about your navigation path through the website, including clicks, scrolls, and interactions.
- Device Information: Details about the device you use, such as device type, screen resolution, and unique device identifiers.
We collect Usage Data using various technologies, including cookies, web beacons, and server logs. This data is primarily used for analytical purposes to monitor the performance and usability of our website.
2.3. Cookies and Tracking Technologies
Our website uses “cookies” and similar tracking technologies to enhance your experience, analyze site usage, and support the functionality of our services. Cookies are small data files placed on your device (computer, tablet, smartphone) when you visit a website. They allow the website to remember your actions and preferences over a period of time.
We use different types of cookies:
- Strictly Necessary Cookies: Essential for the website to function correctly, enabling core functionalities like page navigation and access to secure areas. The website cannot function properly without these cookies.
- Performance/Analytics Cookies: Collect information about how you use our website, such as which pages you visit most often and if you encounter error messages. This data is aggregated and anonymous, and is used to improve how our website works. We use Google Analytics for this purpose.
- Functionality Cookies: Remember choices you make (e.g., language preferences, region) and provide enhanced, more personal features.
- Targeting/Advertising Cookies: These cookies are generally not a primary focus for CanByFirst. However, if we were to integrate third-party services that display ads, these cookies might be used to deliver more relevant advertisements to you and track the effectiveness of advertising campaigns. We aim to minimize or avoid such cookies on our primary website.
In addition to cookies, we may use other tracking technologies such as web beacons, pixel tags, and local storage objects (LSOs) to collect information about your interactions with our website and emails. For a more detailed explanation of how we use cookies and how you can manage them, please refer to Section 7: Cookies and Tracking Technologies.
3. How We Use Your Information
We use the information we collect from you for various purposes, always in alignment with the reasons it was collected and in compliance with legal requirements. Our processing of your Personal Data is based on specific legal grounds as required by GDPR and other applicable privacy laws. These legal bases include:
- Your Consent: Where you have given us clear consent to process your Personal Data for a specific purpose (e.g., signing up for a newsletter).
- Performance of a Contract: Where processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract (e.g., registering for an event).
- Legal Obligation: Where processing is necessary for compliance with a legal obligation that we are subject to (e.g., tax record keeping for donations).
- Legitimate Interests: Where processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms (e.g., improving our website, preventing fraud, direct marketing where permitted).
Here are the specific ways we use your information:
3.1. To Provide and Maintain Our Services
- To operate and deliver the functionalities of the https://canbyfirst.com website.
- To manage your event registrations, including sending confirmations, reminders, and relevant event information.
- To process your donations and provide donation receipts for tax purposes.
- To facilitate communication, such as responding to your inquiries, feedback, and requests submitted through contact forms or email.
3.2. To Improve and Personalize User Experience
- To understand how our Users as a group use the services and resources provided on our website, allowing us to enhance design, content, and functionality.
- To personalize your experience by remembering your preferences and settings, making your future visits more efficient and tailored.
- To develop new features, services, and content based on user feedback and analytical insights.
3.3. For Communication and Outreach
- To send you periodic emails, newsletters, and updates about CanByFirst activities, events, and relevant news, provided you have opted in to receive such communications.
- To send administrative emails, such as password reset instructions, transaction confirmations, or important service announcements.
- To inform you about changes to our terms, conditions, and policies.
3.4. For Security and Fraud Prevention
- To protect the security and integrity of our website, systems, and data.
- To detect, prevent, and address technical issues, fraud, and unauthorized access or activities.
- To verify your identity when you exercise your privacy rights.
3.5. For Analytics and Reporting
- To monitor and analyze trends, usage, and activities in connection with our website.
- To gather demographic information about our user base as a whole.
- To generate aggregated, anonymized statistics for internal reporting and strategic planning.
3.6. To Comply with Legal Obligations
- To fulfill our legal, regulatory, and compliance requirements, such as maintaining financial records for donations as mandated by tax laws.
- To respond to lawful requests from public authorities, including to meet national security or law enforcement requirements.
We will not use your Personal Data for purposes materially different from those described in this Privacy Policy without providing you with notice and, where required by law, obtaining your consent.
4. Data Sharing and Disclosure
CanByFirst respects your privacy and is committed to protecting your personal information. We do not sell, rent, or trade your Personal Data to third parties for their independent marketing purposes. We may, however, share your information in specific, limited circumstances as described below, always ensuring appropriate safeguards are in place.
4.1. With Service Providers
We may engage trusted third-party service providers to perform functions and provide services to us. These service providers act as data processors on our behalf and are contractually bound to protect your information and use it only for the purposes for which it was disclosed. Examples include:
- Hosting Providers: To host our website and store our data (e.g., web hosting companies).
- Analytics Providers: To help us analyze website usage and performance (e.g., Google Analytics).
- Payment Processors: To securely process online donations and transactions (e.g., Stripe, PayPal). We do not store your full payment card details on our servers; these are handled directly by the PCI DSS compliant processors.
- Email Marketing Services: To manage and send newsletters and other communications (e.g., Mailchimp).
- Event Management Platforms: If we use third-party platforms for specific event registrations.
- IT Support and Maintenance: To assist with the technical operation and security of our systems.
We ensure that these third parties have robust security measures and privacy policies in place and that they comply with applicable data protection laws. We enter into Data Processing Agreements (DPAs) or similar contracts with these providers to ensure they process data according to our instructions and protect it adequately.
4.2. For Legal and Regulatory Purposes
We may disclose your information if we are legally required to do so, or in the good faith belief that such action is necessary to:
- Comply with a legal obligation, such as a subpoena, court order, or other governmental request.
- Protect and defend the rights or property of CanByFirst.
- Prevent or investigate possible wrongdoing in connection with the Service.
- Protect the personal safety of users of the Service or the public.
- Protect against legal liability.
4.3. Business Transfers
In the unlikely event that CanByFirst undergoes a merger, acquisition, or asset sale, your Personal Data may be transferred as a business asset. We will notify you before your Personal Data is transferred and becomes subject to a different Privacy Policy, if applicable. Given our nature as a church-affiliated entity, such scenarios are highly improbable but included for completeness.
4.4. With Your Consent
We may share your Personal Data with third parties when we have your explicit consent to do so. For example, you might consent to have your contact information shared with a specific partner organization for a joint event.
4.5. Aggregated or Anonymized Data
We may share aggregated or anonymized data that does not directly identify you with third parties for various purposes, such as analytics, research, or marketing. This data cannot be used to identify any individual user.
4.6. CCPA “Do Not Sell/Share My Personal Information”
As a core principle, CanByFirst does not sell your Personal Information as defined under the California Consumer Privacy Act (CCPA). This means we do not exchange your Personal Information for monetary or other valuable consideration. Furthermore, we do not “share” your Personal Information for cross-context behavioral advertising. Our primary purpose for collecting data is to provide our services, facilitate community engagement, and manage church-related activities, not for commercial data brokering. Therefore, a “Do Not Sell or Share My Personal Information” link is not explicitly provided because we do not engage in these activities.
5. Data Security and Protection
The security of your Personal Data is of paramount importance to us. CanByFirst is committed to implementing and maintaining robust technical and organizational measures to protect your information from unauthorized access, disclosure, alteration, or destruction. We regularly review and update our security practices to adapt to evolving threats and technologies.
5.1. Technical Security Measures
- Encryption: We use industry-standard encryption technologies, such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS), to encrypt data transmitted between your web browser and our servers. This ensures that your information, including contact details and donation information, is protected during transit. You can verify this by looking for “https://” in the website address and a padlock icon in your browser’s address bar.
- Access Controls: Access to Personal Data is restricted to authorized personnel who have a legitimate need to access it for their job functions. Access is controlled through strong authentication mechanisms, including unique user IDs and complex passwords, and is based on the principle of least privilege.
- Firewalls and Intrusion Detection Systems: Our network infrastructure is protected by firewalls and intrusion detection systems to monitor and prevent unauthorized access attempts.
- Regular Security Audits and Vulnerability Scans: We conduct periodic security assessments, vulnerability scans, and penetration testing to identify and address potential weaknesses in our systems.
- Data Minimization and Pseudonymization: Where feasible and appropriate, we anonymize or pseudonymize Personal Data, especially for analytical purposes, to reduce the risk of re-identification. We also adhere to the principle of data minimization, collecting only the data strictly necessary for our stated purposes.
- Secure Storage: Personal Data is stored on secure servers with appropriate physical and environmental controls to prevent unauthorized access.
5.2. Organizational Security Measures
- Staff Training: All personnel who handle Personal Data receive regular training on data protection principles, privacy policies, and security best practices to ensure they understand their responsibilities.
- Internal Policies and Procedures: We have established internal policies and procedures for data handling, incident response, and data breach notification to ensure a consistent and compliant approach to data protection.
- Third-Party Vendor Management: We carefully vet our third-party service providers and ensure they meet our security standards. As mentioned in Section 4, we establish Data Processing Agreements (DPAs) with them, obliging them to protect your data.
- Incident Response Plan: In the event of a data breach or security incident, we have a defined incident response plan to promptly identify, contain, investigate, and mitigate the impact of the breach, and to notify affected individuals and regulatory authorities as required by law.
5.3. User’s Role in Security
While we implement extensive security measures, the overall security of your information also depends on your actions. We encourage you to:
- Use strong, unique passwords for any accounts you may have on our website and avoid reusing passwords across different services.
- Keep your login credentials confidential and do not share them with anyone.
- Be vigilant for suspicious emails or communications that may be phishing attempts.
- Ensure your device’s operating system and web browser are updated to the latest versions.
Please be aware that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. By using our website, you acknowledge and accept these inherent risks.
6. Your Rights and Choices
CanByFirst is committed to enabling you to exercise your privacy rights concerning your Personal Data. Depending on your jurisdiction (e.g., EEA, California), you have specific rights that we fully support. We will respond to your requests in accordance with applicable data protection laws.
6.1. General Privacy Rights (Applicable to all Users)
- Right to Opt-Out of Marketing Communications: You have the right to opt out of receiving marketing or promotional communications from us at any time. You can do this by following the unsubscribe instructions provided in any email we send you, or by contacting us directly using the information in Section 13. Please note that even if you opt out of marketing communications, we may still send you non-promotional, transactional, or administrative messages related to your use of our services (e.g., event confirmations, donation receipts, security alerts).
6.2. Rights for Individuals in the European Economic Area (EEA) and UK (GDPR Rights)
If you are located in the EEA or UK, you have the following rights concerning your Personal Data:
- Right to Access (Art. 15 GDPR): You have the right to request confirmation of whether we are processing your Personal Data and, if so, to request a copy of the Personal Data we hold about you, along with information about how and why we process it.
- Right to Rectification (Art. 16 GDPR): You have the right to request that we correct any inaccurate or incomplete Personal Data we hold about you.
- Right to Erasure (Art. 17 GDPR – “Right to be Forgotten”): You have the right to request the deletion of your Personal Data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or if you withdraw your consent and there is no other legal ground for processing.
- Right to Restriction of Processing (Art. 18 GDPR): You have the right to request that we restrict the processing of your Personal Data under certain conditions, such as if you contest the accuracy of the data, or if our processing is unlawful.
- Right to Data Portability (Art. 20 GDPR): You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where technically feasible and where the processing is based on consent or a contract.
- Right to Object (Art. 21 GDPR): You have the right to object to the processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have an absolute right to object to the processing of your Personal Data for direct marketing purposes.
- Right to Withdraw Consent (Art. 7(3) GDPR): Where we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
- Rights in Relation to Automated Decision Making and Profiling (Art. 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless certain exceptions apply. CanByFirst does not currently engage in such automated decision-making.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that our processing of your Personal Data infringes the GDPR.
6.3. Rights for California Residents (CCPA Rights)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights concerning your Personal Information:
- Right to Know (Categories and Specific Pieces): You have the right to request that we disclose to you the categories of Personal Information we have collected, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom we disclose Personal Information, and the specific pieces of Personal Information we have collected about you.
- Right to Delete: You have the right to request the deletion of Personal Information that we have collected from you, subject to certain exceptions (e.g., to complete a transaction, detect security incidents, comply with a legal obligation).