Home Privacy
Privacy Policy
How we process your personal data when you interact with soyaviva.com or get in touch with us. Information provided in compliance with Regulation (EU) 2016/679 (the GDPR) and Spanish Organic Act 3/2018, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGPD).
1. Data controller
| Legal name | IGLESIA AVIVA COMUNIDAD DE FE |
|---|---|
| Tax ID (NIF) | R3800588J |
| Address | Avenida Ángel Romero, 9, Local 7 — 38009 Santa Cruz de Tenerife |
| Contact email | [email protected] |
| Telephone | +34 633 50 90 95 |
| Registration | Register of Religious Entities (MAPER) — no. 026637 |
AVIVA Comunidad de Fe, in its capacity as a religious entity, is not required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR. Nevertheless, we have set up a single point of contact for any matter relating to data protection: [email protected].
2. What personal data do we process and where does it come from?
We process only the data that you provide to us voluntarily through:
- Contact form (the /en/contact page): name, email address and the content of the message you choose to send.
- Direct communications by email, telephone or social media: the identifying and contact details that appear in the message.
- Donations (once the online form is enabled): the identifying and tax details required to issue the annual certificate provided for in Act 49/2002, should you request a tax deduction.
In addition, simply by browsing the website, technical data is generated (IP address, user agent, time of the visit) which is processed by our security and content delivery network provider Cloudflare for the strictly necessary purpose of keeping the service operational and preventing abuse.
3. Why do we process your data?
- To deal with your enquiry, prayer request or request for information received via the form, email or telephone.
- To manage the pastoral relationship arising from your interest or participation in the life of the church.
- To issue annual donation certificates where applicable, in compliance with Act 49/2002 on the tax regime for non-profit entities and tax incentives for patronage.
- To maintain the technical security of the website (bot prevention, attack mitigation, logging of suspicious activity).
- To comply with legal obligations applicable to us as a registered religious entity.
4. What is the legal basis for the processing?
- Consent (Art. 6(1)(a) and, where applicable, 9(2)(a) GDPR): when you voluntarily send us a message or request a service.
- Lawful activity of a religious organisation (Art. 9(2)(d) GDPR): for processing the data of those who are part of AVIVA or who maintain regular contact with the church.
- Compliance with a legal obligation (Art. 6(1)(c) GDPR): for the issuing of donation certificates and the retention of the mandatory accounting documentation.
- Legitimate interest (Art. 6(1)(f) GDPR): to maintain the security and availability of the website against automated abuse.
5. How long do we keep your data?
- Messages received via the form or by email: for the time necessary to deal with the enquiry and, thereafter, blocked for 3 years for the purposes of the limitation period for any potential claims, unless the enquiry gives rise to an ongoing pastoral relationship.
- Donor data with a tax certificate: the tax limitation period (a minimum of 4 years from the filing of the relevant return).
- Technical site logs: the automatic retention period that Cloudflare applies by default to its logs (typically between 4 and 72 hours for unflagged traffic and up to 30 days for security incidents).
6. With whom do we share your data?
We do not sell, rent or transfer your data to third parties for commercial purposes. Only the following data processors are involved, with whom we have signed the contracts provided for in Article 28 of the GDPR:
| Provider | Purpose |
|---|---|
| Cloudflare, Inc. (USA) | Hosting of the site through Cloudflare Pages, CDN network, protection against abuse and the Turnstile anti-bot service (the latter loads only on the /en/contact page). Certified under the EU-US Data Privacy Framework. |
| Web3Forms (Plobble Technologies) | Processing of the contact form: it receives the form data and forwards it to our email address. Processing covered under the GDPR by means of standard contractual clauses. |
| Google LLC (USA) | Google Maps service embedded on the /en/visit page to show our location. It only receives data when the user loads the map. Certified under the EU-US Data Privacy Framework. |
| FuerteHost | Provider of email services associated with the soyaviva.com domain (storage and delivery of received messages). |
| Ordenatech | Agency responsible for the design, maintenance and technical support of the website. Technical access restricted to what is strictly necessary for its tasks. |
In addition to the processors listed above, we may disclose your data to Public Authorities, Courts and Tribunals where there is a legal obligation to do so (for example, in response to a request from the Spanish Tax Agency regarding certified donations).
7. International data transfers
The use of the providers Cloudflare and Google may involve the transfer of personal data to the USA. These transfers are carried out under the European Commission's adequacy decision concerning the EU-US Data Privacy Framework (Decision (EU) 2023/1795) and, on a subsidiary basis, by means of Standard Contractual Clauses approved by the Commission. Web3Forms applies Standard Contractual Clauses. No transfers are made to countries that do not offer an adequate level of protection without the appropriate safeguards.
8. What are your rights?
As the data subject, you may exercise the following rights at any time:
- Access: to find out what data of yours we process.
- Rectification: to correct inaccurate or incomplete data.
- Erasure (right to be forgotten): to request the deletion of your data when it is no longer necessary.
- Objection: to object to the processing on grounds relating to your particular situation.
- Restriction: to request that we temporarily stop processing it.
- Portability: to receive your data in a structured, commonly used format.
- Withdrawal of consent: at any time, without affecting the lawfulness of the prior processing.
- Not to be subject to automated decisions: we do not carry out profiling or automated decision-making with significant impact.
To exercise any of these rights, write to us at [email protected] indicating the right you wish to exercise and, if you consider it appropriate, attaching a copy of an identity document. We will respond within a maximum of one month.
If you believe that our processing of your data does not comply with the regulations, you may lodge a complaint with the Spanish Data Protection Agency (AEPD) (www.aepd.es, C/ Jorge Juan, 6 — 28001 Madrid).
9. Data security
We apply appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encrypted communications via HTTPS, access control to email mailboxes, reasonable backups and the selection of providers with recognised certifications. Despite this, no measure can guarantee absolute security; we ask you to exercise caution when sending us sensitive information.
10. Minors
The website is not specifically aimed at minors under 14 years of age. Where a minor takes part in church activities involving the processing of images or other data, we obtain the consent of those holding parental authority or guardianship in accordance with Article 7 LOPDGPD.
11. Changes to the policy
This policy may be updated when required by the services provided, the applicable regulations or our internal practices. We recommend that you review it periodically. The date of the last update appears at the start of the document.