Your Privacy Matters
Privacy Policy
Spring Valley Church is committed to protecting your personal data and respecting your privacy. This policy explains how we collect, use, and safeguard your information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Last updated: 9 March 2026
1. Data Controller
The data controller responsible for your personal data is:
Spring Valley Church
49 High Town Rd, Luton LU2 0BW, Bedfordshire, UK
2. What Data We Collect
We may collect the following personal data:
- Contact form submissions: your name, email address, phone number (optional), and message content when you use our contact form.
- Admin user accounts: name, email address, and a securely hashed password for authorised administrators who manage the website.
- Session data: authentication session tokens stored in cookies (see Section 5 below).
We do not collect any special category (sensitive) data, nor do we collect data from children through this website.
3. Why We Collect Your Data (Lawful Basis)
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following:
- Consent (Article 6(1)(a)) — when you voluntarily submit the contact form, you consent to us processing your details to respond to your enquiry.
- Legitimate interests (Article 6(1)(f)) — to administer and secure our website, including managing admin accounts and maintaining session authentication.
4. How We Store and Protect Your Data
Your data is stored securely in a PostgreSQL database hosted by Neon (cloud database provider) with encrypted connections. The website is hosted on Vercel. Both providers maintain appropriate technical and organisational security measures.
Key security measures include:
- All passwords are stored as cryptographically hashed values — we never store passwords in plain text.
- All data transmitted between your browser and our website is encrypted using HTTPS/TLS.
- Database connections are encrypted and access is restricted to authorised services only.
- Admin access is protected by authenticated sessions with limited lifetimes.
5. Cookies
Our website uses only strictly necessary cookies. We do not use any advertising, tracking, or analytics cookies.
| Cookie | Purpose | Expiry |
|---|---|---|
| next-auth.session-token | Authenticates admin users via a signed JWT. This cookie is essential for the admin area to function and is only set when an administrator logs in. | 1 hour |
Because we only use strictly necessary cookies, no cookie consent banner is required under UK GDPR and the Privacy and Electronic Communications Regulations (PECR).
6. Third-Party Services
We use a limited number of third-party services. We do not sell or share your personal data with third parties for marketing purposes.
- Google Maps (embed): Our contact page includes an embedded Google Map to show our location. When this page loads, your browser may send data (such as your IP address) to Google. This is governed by Google's Privacy Policy.
- Google Fonts: Fonts are self-hosted via Next.js and served directly from our domain. No requests are made to Google's servers for font loading.
- Vercel (hosting): Our website is hosted on Vercel, which may process standard server logs (IP addresses, request timestamps). See Vercel's Privacy Policy.
- Neon (database): Our database is hosted by Neon. Your data is stored securely and is not shared with other parties. See Neon's Privacy Policy.
We do not currently use any third-party analytics, advertising, or tracking services.
7. Data Retention
We retain personal data only for as long as necessary:
- Contact form submissions: retained for up to 12 months after your enquiry has been resolved, then securely deleted.
- Admin accounts: retained for the duration of the individual's role as an administrator, then deleted upon removal of access.
- Session cookies: automatically expire after 1 hour and are removed from your browser.
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct inaccurate or incomplete data.
- Right to erasure — you can ask us to delete your personal data where there is no compelling reason for us to continue processing it.
- Right to restrict processing — you can ask us to limit how we use your data.
- Right to data portability — you can request your data in a structured, commonly used, machine-readable format.
- Right to object — you can object to processing based on legitimate interests.
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at admin@svchurch.co.uk. We will respond to your request within one month, as required by law.
9. International Data Transfers
Some of our third-party service providers (Vercel, Neon, Google) may process data outside the UK. Where this occurs, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions, to protect your data in compliance with UK GDPR.
10. Complaints
If you are unhappy with how we have handled your personal data, we encourage you to contact us first so that we can try to resolve the matter.
You also have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
11. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this page periodically.
12. Contact Us
If you have any questions about this privacy policy or wish to exercise your data rights, please get in touch:
Spring Valley Church
49 High Town Rd, Luton LU2 0BW, Bedfordshire, UK
Have Questions?
If you have any concerns about your data or would like to know more, we're here to help.
