Privacy Policy
This policy explains what personal data Faith Frame Labs collects, why we collect it, how we use it, and what rights you have over it.
1. Who is the data controller?
Isaiah Mutabaruka, trading as Faith Frame Media, an independent sole trader based in the United Kingdom, is the data controller for personal data processed through Faith Frame Labs. Contact for privacy enquiries: info@faithframemedia.com.
2. What we collect and why
| Category | Examples | Why |
|---|---|---|
| Account data | Email, password (hashed), church / individual account name, slug | To create your account and let you sign in |
| Team-member data | Name, PIN, optional email, optional photo, optional campus, optional role | So you can manage your team's training |
| Training data | Lesson progress, quiz attempts and scores, hands-on sign-off events, deadlines | Core function of the Service |
| Billing data | Stripe customer ID, last 4 digits of card, billing address, country, tax ID | To process subscriptions. Full card numbers are held by Stripe — we never see them. |
| Communications | Bug reports, support emails, replies to our notifications | To help you and improve the Service |
| Technical data | IP address (in server logs), browser type, page-load events | Security, debugging, basic uptime monitoring |
3. What we do NOT do
- We do not sell, rent, or trade your personal data.
- We do not run third-party advertising trackers.
- We do not use your account data, training data, or content to train any AI or machine-learning model.
- We do not place non-essential cookies. The only client-side storage we use is
localStoragefor things like remembering your login and the trainee-filter panel state.
4. Legal bases (UK GDPR Article 6)
We rely on the following lawful bases for processing:
- Contract — most processing is necessary to provide the Service you've signed up for (e.g. account creation, billing, training progress).
- Legitimate interests — basic security logging, fraud prevention, product improvement (always balanced against your rights).
- Legal obligation — keeping invoices for HMRC, responding to lawful requests.
- Consent — for optional things like profile photos. You can withdraw consent at any time by removing the photo.
5. Who we share data with (processors)
We use a small set of vetted third-party providers to operate the Service. They process data on our instructions only, under written data-processing terms:
| Processor | What they do | Where |
|---|---|---|
| Supabase | Postgres database, authentication, file storage (profile photos) | EU / global, see Supabase DPA |
| Stripe | Payment processing, subscription billing | UK + global, see Stripe DPA |
| Netlify | Static hosting + serverless functions | Global CDN |
| Resend | Transactional email delivery (sign-up confirmations, bug-report receipts, notifications) | EU / US, see Resend DPA |
| GitHub | Source-code hosting (no customer data stored) | US |
| YouTube | Embedded videos. When a video loads, YouTube may set cookies — see YouTube's own policy. | Global |
Some processors are based outside the UK / EEA. Where personal data is transferred internationally, transfers rely on the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) as published by the ICO.
6. How long we keep data
- Active accounts: for as long as the account exists.
- Cancelled accounts: we keep account + training data for up to 90 days after cancellation in case you change your mind, then delete it. You can request immediate deletion at any time.
- Billing records: retained for 6 years to comply with UK accounting and tax law.
- Bug-report emails: retained for up to 12 months for product-improvement purposes.
- Server logs: rotated within 30 days.
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erasure ("right to be forgotten") — subject to legal retention obligations.
- Restrict or object to certain processing.
- Data portability — get a copy of your data in a machine-readable format.
- Withdraw consent at any time for processing based on consent.
- Lodge a complaint with the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.
To exercise any of these rights, email info@faithframemedia.com. We aim to respond within 30 days.
8. Children's data
Admin accounts are restricted to users 16 or older. Team-member entries are restricted to people 13 or older. We do not knowingly collect data on children under 13. If you believe data about a child under 13 has been added, email us and we will delete it promptly.
9. Security
We protect your data with industry-standard measures: TLS encryption in transit, encrypted-at-rest databases via Supabase, password hashing, JWT-based authentication for admin actions, scoped API access, and audit logging of admin actions. No system is perfectly secure, but we take reasonable steps proportionate to the scale of the Service.
10. Cookies
We do not set marketing or analytics cookies. The Service uses browser localStorage for functional state (e.g. remembering your sign-in session, your trainee-filter selections). Stripe Checkout and YouTube embeds may set their own cookies on their own pages or iframes; those are subject to their own privacy policies.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top shows the most recent change. For material changes we will notify account owners by email.
12. Contact
For any data-protection question or to exercise your rights, email info@faithframemedia.com.
Faith Frame Labs