We use optional cookies to understand how people discover and use Catholic Events. You can choose whether to enable analytics and update your choice at any time. We also use strictly necessary cookies to run secure sign-in and core site functions. These are always on. Read more in our Privacy Policy.

Catholic EVENTS

Privacy Policy

Privacy Policy

Catholic Events Ltd (Company Number: 16528637) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal information when you use our services.

By using Catholic Events, you agree to the practices outlined below. If you have any questions, you can contact us at support@catholicevents.co.uk. For data protection matters, please use the subject line "Data Protection" so we can route your request quickly.

Our Role: Controller and Processor

Catholic Events is the data controller for personal data we process for our own purposes — for example, account creation and administration, securing the platform, and platform analytics.

Where an event organiser collects attendee, registration, or questionnaire data through the platform, the organiser is the data controller for that data and Catholic Events acts as a data processor on the organiser's behalf, processing it only as needed to provide the platform and on the organiser's instructions.

1. Information We Collect

We collect the following information when you use our services:

  • Email address (required for account creation)
  • Name (does not need to be your real name)
  • Encrypted password (stored securely in our database)
  • Events you like or bookmark while signed in
  • Location data (only when you grant browser permission to show nearby events, filter by distance, and improve map features)
  • Anonymous identifier (a unique ID assigned to your browser to help us provide consistent service and link your activity before and after you create an account)
  • Payment information (processed by Stripe; we do not store your card details)

1b. Organiser & Publisher Verification

We collect additional information from event organisers and publishing organisations in order to verify organisational legitimacy, reduce fraudulent or misleading events, ensure relevance and safety for users, and comply with legal and platform integrity requirements.

This may include:

  • Organisation name, address, and contact details
  • Domain or email ownership verification
  • Links to official websites or social profiles
  • Event details submitted for publication
  • Internal verification notes and review outcomes

Review & Moderation: We may use a combination of automated systems and manual review to assess organiser accounts and submitted events for authenticity, accuracy, and compliance with our platform policies.

Data Sharing: Verification data and internal review notes are not made public and are only accessible to authorised staff and service providers involved in trust, safety, and platform operations.

1a. Location Data

When you grant browser permission to access your location (on the map view, discover page, or when using location-based filters), we store your approximate location locally in your browser to improve your experience. Here's how we handle this data:

  • Coarsened Coordinates: Your precise location is reduced to approximately ±111 meters accuracy (3 decimal places) to protect your privacy while still being useful for finding nearby events
  • Local Storage Only: Location data is stored in your browser's localStorage, not on our servers
  • 30-Day Expiry: Stored location automatically expires and is deleted after 30 days
  • User Control: You can delete your stored location at any time using the "Clear Location" button on the map view or by clearing your browser's localStorage
  • No Tracking: We do not track your movements or store location history

This approach follows GDPR principles of data minimization and storage limitation. Your browser permission only allows access to your device's location—the decision to store it locally for 30 days is separate and designed purely for convenience.

2. How We Use Your Information

We use your information to:

  • Provide and maintain our services
  • Identify your account and saved preferences
  • Show you nearby Catholic events, filter events by distance from your location, and center the map on your area (location data only)
  • Respond to your support requests
  • Improve the quality, functionality, and performance of the platform
  • Verify organisers and events to maintain platform safety and relevance
  • Prevent fraudulent or misleading event listings
  • Comply with legal and regulatory obligations

3. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Performance of a contract (e.g., to provide your account)
  • Legitimate interests (e.g., to improve our services, secure the platform, and remember your map location to enhance user experience)
  • Consent (e.g., analytics in the organiser tools, and any optional or marketing communications) — which you can withdraw at any time
  • Compliance with legal obligations

Where an organiser's registration form collects special category data (for example health, accessibility, or religious-belief information under Article 9 UK GDPR), that data is processed on the basis of the data subject's explicit consent. The organiser, as controller, is responsible for obtaining that consent and for the lawful basis of the fields it configures.

4. Sharing Your Information

We do not sell your data. We may share your information with trusted third-party service providers who help us operate and support Catholic Events, including:

  • Authentication and account management (e.g., Google, Microsoft, or other trusted identity providers via NextAuth)
  • Hosting and performance (e.g., Vercel)
  • Database and caching (e.g., NeonDB, Upstash/Redis)
  • Email communication (e.g., MailerSend)
  • Location-based services (e.g., Google Places API)
  • Payment processing (Stripe - for bookings and contributions)
  • Product analytics and session replay (PostHog — used only in the organiser tools at /manage, consent-gated, with all form inputs and text content masked in recordings)

These providers only process data as instructed by us and are required to comply with relevant data protection laws.

Event registration and questionnaire data: When you register for an event through Catholic Events, we may collect and store purchaser details (such as name and email address), attendee details (such as name and email address), and responses to organiser-configured registration and questionnaire fields.

Organiser-configured fields may include free-text responses and, depending on organiser setup, information such as phone number, date of birth or age category, accessibility needs, health-related information, emergency contact details, or other personal details. Please provide only information necessary for participation.

How registration data is shared: Registration and questionnaire responses are made available to the relevant event organiser so they can administer the event, communicate with attendees, and manage attendance. Organisers may export attendee data (for example, CSV export) for events they manage.

Catholic Events provides the platform and related processing infrastructure. Organisers are responsible for their own downstream use of attendee data they access or export, and must handle that data in accordance with applicable data protection laws.

Data minimisation and sensitive responses: Organisers are expected to collect only information that is necessary for event administration. If organisers request sensitive information (for example health or accessibility details, or free-text responses that may reveal sensitive personal information), that information is processed for event administration and shared with the organiser for that purpose.

4a. Booking, Contribution, and Payment Data

When you make a booking payment or contribution, payment processing is handled by Stripe. We do not receive or store full card numbers. Stripe may share limited payment-related data with us, such as:

  • Name and email address
  • Payment amount, status, and date
  • Last four digits of your card (for reference)
  • Subscription status (for recurring contributions)

We use payment and order metadata to confirm and fulfil bookings, prevent fraud or abuse, provide support, resolve disputes, and maintain accounting and audit records.

Where you book an organiser event, relevant registration and order details are shared with that organiser so they can administer the event. Organisers are responsible for their own downstream use of attendee data they access or export.

You can manage recurring contributions and access payment history through Stripe's receipt links or by visiting our subscription management page. For Stripe's full data practices, see their Privacy Policy.

5. International Data Transfers

Personal data is hosted within the UK and European Economic Area (EEA) by default. A small number of service providers process data outside the UK/EEA. In each case we rely on UK GDPR-approved transfer mechanisms — typically the UK Extension to the EU-US Data Privacy Framework, or the UK International Data Transfer Agreement / Standard Contractual Clauses (SCCs) — to keep your data protected to a UK-equivalent standard.

Hosting locations for our main service providers:

  • NeonDB (primary database) — UK.
  • Upstash / Redis (caching) — UK (London, eu-west-2).
  • Vercel (application hosting; functions configured to eu-west-2) — UK for compute. Vercel's global edge network may serve cached static assets from other regions; the UK Extension to the EU-US DPF applies to any out-of-region flows.
  • MailerSend (transactional email) — EU (Belgium).
  • PostHog (product analytics, session replay on /manage) — EU (Frankfurt).
  • Stripe (payments) — US / global. EU and UK customer transactions are handled by Stripe's Irish entity (Stripe Technology Europe Ltd); some operational data (e.g. fraud detection) crosses to the US. UK Extension to the EU-US DPF + SCCs apply.
  • Google Places API (location lookup) — US. UK Extension to the EU-US DPF applies.
  • NextAuth identity providers (Google, Microsoft) — US. UK Extension to the EU-US DPF applies.

5a. How We Protect Your Data

We use appropriate technical and organisational measures to keep personal data secure, including:

  • Encryption of data in transit (TLS)
  • Encryption at rest of event registration and order form responses
  • Access controls that limit personal data to authorised personnel and to the relevant organiser
  • Hosting of primary personal data within the UK and/or EEA

5b. Data Breach Notification

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to you, we will also inform you without undue delay. We maintain an internal incident-response process to support this commitment.

6. Data Retention

We keep personal data only for as long as necessary for the purpose it was collected. Our standard retention periods are:

  • Account data — retained while your account is active. Accounts that remain inactive for 24 months are deleted or anonymised, following a re-engagement notice.
  • Order and payment records — retained for 7 years to meet UK accounting, tax (HMRC), and audit requirements.
  • Registration and questionnaire answers (not part of a paid order) — retained until 90 days after the event date, then deleted.

You may request deletion at any time. Where legally permitted, we will action deletion requests and remove or de-identify data that is no longer required; records we are required to keep (for example, payment and accounting records) are retained for the periods above.

Location data stored in your browser is automatically deleted after 30 days or when you click the "Clear Location" button on the map view.

Anonymous identifiers are stored in cookies (1 year expiry) and localStorage (until you clear browser data). When linked to your account, the link is retained until you delete your account, at which point it is automatically removed from our database.

Organiser Verification Data: Verification-related information may be retained for as long as an organiser maintains an account on the platform, and for a reasonable period thereafter to support fraud prevention, legal compliance, and audit requirements.

7. Account Deletion

You can request to delete your account and associated data by emailing us at support@catholicevents.co.uk. We will process your request within 30 days, unless we are legally required to retain certain information.

8. Cookies

We use two categories of cookies: strictly necessary cookies that keep the site working, and consent-based analytics cookies that are only set in the organiser tools after you choose to accept them.

8a. Strictly Necessary Cookies

These cookies are required for authentication and core site functionality and are always on:

  • catholic-events-next-auth.callback-url
  • catholic-events-next-auth.csrf-token
  • catholic-events-next-auth.session-token
  • catholic-events-anonymous-id (stores an anonymous identifier to provide consistent service and link your activity before and after account creation)

These cookies are required for logging in and maintaining your session. They do not track you for marketing or analytics purposes.

8b. Analytics Cookies (organiser area only, consent-based)

When you visit the organiser tools at /manage, we ask for your consent to set an analytics cookie. We do not enable organiser analytics until you choose to accept.

  • ce_manage_analytics_consent_v1 — stores your analytics preference. Path: /manage. Expiry: one year.

The cookie can take one of three values, which you choose via the consent banner:

  • Accepted — product analytics and session replay (via PostHog) are enabled. Session replay masks all form inputs and text content.
  • Analytics only — product analytics is enabled, but session replay is disabled.
  • Rejected — both analytics and session replay are disabled.

You can update your preference at any time using "Manage cookie preferences" in the organiser footer or the consent banner. If you reject, no analytics or session replay data is collected for the organiser tools. The lawful basis for organiser analytics is your consent, which you can withdraw at any time.

8b (public site). Analytics Cookies (consent-based, no session recording)

On the public Catholic Events website (discover, event listings, and related pages), we ask for your consent before setting an analytics cookie or enabling product analytics. This is separate from organiser-tool consent at /manage — your choices on one surface do not apply to the other.

  • ce_public_analytics_consent_v1 — stores your public-site analytics preference. Path: /. Expiry: one year.

The cookie can take one of two values:

  • Accepted — product analytics (via PostHog EU) is enabled. We do not use session recording on the public site.
  • Rejected — analytics is disabled.

You can update your preference at any time from the footer on Discover (Cookie preferences), the side menu under Legals → Cookie preferences, or via the consent banner. If you reject, no public-site analytics data is collected. The lawful basis is your consent, which you can withdraw at any time.

8c. Anonymous Identifier Tracking

When you visit Catholic Events, we assign a unique anonymous identifier to your browser. This identifier helps us:

  • Provide consistent service across your browsing session
  • Link your activity before and after you create an account (so we can preserve your preferences and activity history)
  • Improve our services by understanding how users interact with the platform

Storage: The anonymous identifier is stored in both a cookie and your browser's localStorage for redundancy. The cookie expires after 1 year, and the localStorage entry persists until you clear your browser data.

Linking to Your Account: When you create an account or sign in, we link your anonymous identifier to your user account. This allows us to associate your pre-sign-in activity (such as liked events or browsing history) with your account. This link is stored in our database and is automatically deleted when you delete your account.

Your Control: You can clear the anonymous identifier by clearing your browser cookies and localStorage. However, if you've already signed in, the link between your anonymous identifier and account will remain in our database until you delete your account.

This tracking is based on our legitimate interest in providing consistent service and improving our platform. The identifier itself is a random UUID and does not contain any personal information.

9. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Correct inaccurate or incomplete data
  • Request deletion of your data
  • Restrict or object to certain forms of processing
  • Data portability — receive the personal data you provided to us in a structured, commonly used, machine-readable format
  • Withdraw consent at any time, where our processing is based on your consent
  • Lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority, at ico.org.uk

You can exercise these rights by contacting us at support@catholicevents.co.uk (subject line "Data Protection"). We will respond within one month.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last Updated” date at the bottom of this page. Continued use of the site means you accept the revised policy.

Last Updated

20 June 2026 (Added our controller/processor role statement and a data-protection contact convention; added consent and Article 9 explicit-consent legal bases; published concrete retention periods; added data-portability and consent-withdrawal rights and named the ICO; added a security-of-processing statement and a 72-hour breach-notification commitment)