Privacy Policy

Last updated: February 26, 2026

1. Introduction

Kaleo Systems LLC ("Kaleo Systems," "we," "our," or "us"), operating under the brand name Ecclesly, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our church management software and related services (the "Service").

By using Ecclesly, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.

2. Data Controller and Data Processor

When you sign up for Ecclesly, your organization (e.g., your church) is the data controller — you determine what member data is entered into the system and how it is used. Kaleo Systems LLC acts as the data processor, processing your organization's data solely on your behalf and in accordance with your instructions to provide the Service.

For information we collect directly from you (such as your account registration details and billing information), Kaleo Systems LLC is the data controller.

If your organization requires a Data Processing Agreement (DPA) for regulatory compliance, please contact us at sales@ecclesly.com.

3. Information We Collect

Account Information

When you register for an account, we collect information you provide directly, including:

  • Name and email address
  • Organization (church) name
  • Billing and payment information (processed by Stripe; see Section 8)
  • Account credentials

Church Member Data

As a church management platform, we process data about your organization's members on your behalf. This may include names, contact information, donation records, attendance data, and other information you choose to store in the Service. This data may include information that implies religious affiliation, which is considered sensitive personal data under certain laws. Your organization, as the data controller, is responsible for ensuring that appropriate consent or legal basis exists for collecting and processing this data.

Automatically Collected Information

When you visit our website or use the Service, we may automatically collect:

  • IP address and approximate geographic location
  • Browser type, device information, and operating system
  • Pages visited, time spent, and referring URLs
  • Usage patterns and feature interaction data

4. Legal Basis for Processing

We process your information based on the following legal grounds:

  • Contract performance: To provide and maintain the Service you have subscribed to
  • Legitimate interest: To improve our Service, ensure security, and prevent fraud
  • Consent: When you opt in to marketing communications or optional features
  • Legal obligation: To comply with applicable laws, regulations, or legal processes

5. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process transactions and send related information (invoices, receipts)
  • Send technical notices, security alerts, and support messages
  • Respond to your comments, questions, and support requests
  • Monitor and analyze usage trends to improve user experience
  • Detect, investigate, and prevent fraudulent or unauthorized activity

We do not sell, rent, or share your personal information or your organization's member data with third parties for their marketing purposes.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service and improve your experience. These include:

  • Essential cookies: Required for authentication, security, and core functionality
  • Analytics cookies: Help us understand how visitors use our website so we can improve it

You can control cookie preferences through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service.

7. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS) and at rest
  • Hosting on ISO 27001 certified infrastructure
  • Role-based access controls and multi-factor authentication
  • Regular backups and disaster recovery procedures
  • Regular security assessments

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Third-Party Service Providers

We use trusted third-party service providers to help operate the Service. These providers process data on our behalf and are contractually obligated to protect your information. Our current sub-processors include:

  • Stripe — Payment processing. Stripe's privacy policy is available at stripe.com/privacy.
  • Resend — Transactional email delivery
  • Hostinger — Cloud infrastructure and hosting (ISO 27001 certified)

We may update this list from time to time. Material changes to our sub-processors will be communicated through our website.

9. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. When you close your account, we apply the following retention periods based on data category:

  • Financial transaction data (donations, journal entries, expenses, bank reconciliations): 7 years as required by IRS regulations (IRC §6001, §6501) and GAAP/FASB ASC 958
  • Authentication and access logs: 3 years as required by PCI DSS 10.7 and SOC 2
  • Authorization changes and system configuration: 7 years for SOC 2 compliance
  • Member personal data (not linked to financial records): deleted or anonymized within 90 days of account closure
  • Member personal data linked to financial records (e.g., donor names on contribution records): pseudonymized and retained for 7 years with financial records
  • Operational data (sync logs, sessions, temporary data): 90 days

When deletion is requested but financial records must be retained, we pseudonymize personal identifiers (names, emails, addresses) while preserving the financial transaction data in anonymized form. This ensures compliance with IRS record-keeping requirements while protecting individual privacy.

Backup copies may persist for up to an additional 30 days after deletion before being permanently removed from our backup systems.

10. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities as required by applicable law, and in no event later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, the data affected, and the steps we are taking to address it.

11. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal information
  • Portability: Request your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interest
  • Withdrawal of consent: Withdraw consent where processing is based on consent

To exercise these rights, contact us at sales@ecclesly.com. We will respond within 30 days.

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You may request that we delete your personal information
  • Right to Correct: You may request correction of inaccurate personal information
  • Right to Opt-Out: We do not sell or share your personal information for cross-context behavioral advertising
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights

Categories of personal information collected: Identifiers (name, email), commercial information (subscription and billing data), internet activity (usage data), and professional information (organization name). We collect this information for the business purposes described in Section 5.

12. Children's Privacy

The Service is not directed to individuals under 13 years of age. We do not knowingly collect personal information directly from children under 13.

Churches using Ecclesly may store information about minors (e.g., for children's ministry programs). In such cases, the church, as the data controller, is responsible for obtaining appropriate parental consent as required by the Children's Online Privacy Protection Act (COPPA) and applicable laws.

13. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We take steps to ensure that your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, updating the "Last updated" date, and, where appropriate, sending you an email notification. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us: