Data Management
Understand how your data is stored, retained, exported, and deleted in Ecclesly. Learn about our data retention policies and the secure purge process.
Your Data, Your Control
Ecclesly is committed to data transparency and security. You maintain ownership of your organization's data at all times. Our data management features help you:
- Export your data in standard formats for backup or migration
- Understand our data retention policies during subscription lifecycle
- Request permanent deletion when you no longer need the service
- Maintain compliance with data protection requirements
Data Retention Policy
Your data is retained based on your subscription status. Understanding these policies helps you plan for account changes and ensure continuity.
Subscription Lifecycle
| Status | Data Access | Duration |
|---|---|---|
| Active | Full read/write access | While subscription is active |
| Trialing | Full read/write access | Trial period (typically 14 days) |
| Past Due | Full access while payment resolves | Until payment succeeds or fails |
| Grace Period | Read-only access | 30 days after cancellation |
| Cancelled | Data retained, access suspended | Until purge requested |
| Expired | Data retained, access suspended | Until purge requested |
Reactivation
You can reactivate your subscription at any time before data purge. All your data will be immediately accessible again with full read/write permissions.
Data Retention by Category
When an organization's subscription ends and data purge is initiated, different data categories are handled according to their legal retention requirements. Some data must be retained for compliance purposes even after account closure.
| Data | Purgeable? | Retention | What Happens on Purge |
|---|---|---|---|
| Member profiles (no donations) | Yes | 90 days post-cancel | Permanently deleted |
| Member profiles (with donations) | Partial | 7 years | Names/contact pseudonymized; donation amounts preserved |
| Donation records | No | 7 years | Anonymized but retained |
| Journal entries & expenses | No | 7 years | Retained with anonymized user references |
| Bank reconciliations | No | 7 years | Retained |
| Audit logs | No | 3–7 years (by category) | Archived, then deleted |
| Care notes & medical info | Yes | Immediate | Permanently deleted |
| Emergency contacts | Yes | Immediate | Permanently deleted |
| Attendance records | Yes | 3 years | Permanently deleted |
| AI chat conversations | Yes | Immediate | Permanently deleted |
| Ministry/volunteer data | Yes | 2 years | Permanently deleted |
IRS Compliance
Financial records are retained for 7 years per IRS IRC §6001 and §6501. This includes donation records, journal entries, expenses, and bank reconciliations. Personal identifiers on these records are pseudonymized to protect privacy while maintaining the financial audit trail.
Data Export
Export your data at any time for backup, reporting, or migration purposes. Exports are available in standard formats compatible with other systems.
Available Exports
| Data Type | Formats | Location |
|---|---|---|
| Members | CSV, Excel | Members → Export |
| Donations | CSV, Excel, PDF | Donations → Export |
| Financial Reports | PDF, Excel | Reports → Download |
| Journal Entries | CSV, Excel | Accounting → Journal → Export |
| Contribution Statements | Reports → Statements |
Tip: Regularly export and backup your financial reports and contribution statements. These serve as important records even after your subscription ends.
Data Purge
When your organization cancels its Ecclesly subscription, your data remains available during a grace period. After this period, you may request permanent deletion of all your organization's data through a secure two-step verification process.
Permanent Deletion Warning
Data purge is irreversible. Once completed, all your organization's data will be permanently deleted, including members, donations, financial records, accounting data, bank connections, and audit logs. This action cannot be undone.
When Data Purge is Available
Data purge can only be requested when your subscription is in one of the following states:
- Grace Period: Subscription cancelled but still within the 30-day grace period
- Cancelled: Subscription has been cancelled and grace period has ended
- Expired: Subscription has fully expired
Data Retention During Grace Period
Your data remains intact and accessible (in read-only mode) during the grace period. You can reactivate your subscription at any time during this period without losing any data.
Two-Step Verification Process
Data purge requires verification from both the Kaleo Systems administrator and your organization to prevent accidental or unauthorized deletion:
1Initiate Purge Request
- Kaleo Systems administrator initiates a purge request
- Administrator provides a reason for the purge (for audit trail)
- Administrator confirms the organization name by typing it exactly
- A 6-digit verification PIN is generated and emailed to your organization's registered email address
- The PIN expires after 30 minutes
2Confirm Deletion
- You (the customer) receive the verification PIN via email
- Review the email carefully to confirm this is a legitimate request
- If you authorize the deletion, provide the PIN to the administrator
- The administrator enters both the PIN and their admin password to complete the purge
- All data is permanently deleted from Ecclesly systems
Protect Your PIN
Only share the verification PIN if you have personally authorized the data deletion. If you receive a purge verification email unexpectedly, contactsupport@kaleosystems.com immediately.
Security Measures
| Security Feature | Description |
|---|---|
| PIN Expiration | Verification PINs expire after 30 minutes |
| Attempt Limits | Maximum of 5 PIN entry attempts before request is invalidated |
| Dual Authorization | Requires both customer PIN and admin password |
| Complete Audit Trail | All purge requests and actions are logged, including failed attempts |
| Email Verification | PIN is sent only to your organization's registered email |
What Gets Deleted
A complete data purge removes all of your organization's data from Ecclesly, including:
- All members, families, and contact information
- All donations, pledges, and giving history
- All funds and fund allocations
- All journal entries and expenses
- Chart of accounts and balances
- Bank connections and transaction history
- All reports and statements
- Staff accounts and permissions
- Audit logs and system data
- All uploaded documents and files
Before Requesting Purge: We recommend exporting all reports and downloading any data you may need for record-keeping purposes. Once deleted, data cannot be recovered. See the Data Export section above.
Data Security
Ecclesly employs industry-standard security measures to protect your data throughout its lifecycle.
Encryption at Rest
All data is encrypted using AES-256 encryption while stored in our databases.
Encryption in Transit
All connections use TLS 1.3 encryption for secure data transmission.
Access Controls
Role-based permissions ensure users only access data they're authorized to see.
Audit Logging
Complete audit trail of all data access and modifications for accountability.