This Privacy Policy explains what data Volunteers of Lourdes (operated by Iago Rodrigues, "we", "us") collects from you, how we use it, who we share it with, and what rights you have over it. We are committed to handling your personal information with care and transparency.
1. Information We Collect
We collect only the information necessary to deliver the Service:
- Identification data: first name, last name, email address (provided at checkout via Digistore24).
- Prayer petition content: the text of the prayer you submit. This is the only sensitive data we directly handle.
- Order data: tier purchased, transaction ID (provided by Digistore24; no card data ever reaches us).
- Technical data: IP address, browser type, device type, pages visited, referral URL, UTM parameters — collected automatically through our website analytics and tracking pixels.
2. How We Use Your Information
- To deliver the Service: printing your prayer, including it in the next monthly trip to the Grotto, and sending you the photo confirmation email.
- To communicate with you: order confirmation, delivery updates, customer support replies, refund processing, and (only for the Sacred Pilgrim tier) the 12-month devotional newsletter.
- To improve the Service: aggregated analytics about how customers find and use the website, with no individual profiling.
- To comply with legal obligations: tax records, fraud prevention, response to lawful requests from authorities.
We do not sell your personal information. We do not use your data for unsolicited marketing beyond the newsletter you signed up for in the Sacred Pilgrim tier (you can unsubscribe at any time with one click).
3. Legal Bases for Processing (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, our legal bases are:
- Performance of a contract: to deliver the Service you purchased.
- Legitimate interest: website analytics, fraud prevention, service improvement.
- Consent: for the optional newsletter and for non-essential cookies. Consent can be withdrawn at any time.
- Legal obligation: to comply with tax, accounting, and consumer-protection law.
4. Sharing Your Information
We share data only with these categories of recipients:
- Digistore24 Inc. (payment processor, USA) — receives your name, email, billing address, and card details directly from you at checkout. We never see card data.
- Email service provider (e.g., SendGrid, Postmark) — to deliver order confirmations and the photo confirmation.
- Hosting provider (e.g., Vercel, Cloudflare) — to host the website and store technical logs.
- Analytics (e.g., Microsoft Clarity for session analytics, UTMify for attribution) — anonymized or pseudonymized data only.
- Legal authorities — only when required by law (court order, tax investigation, etc.).
We do not share your prayer text with any third party. The prayer is handled exclusively by our small volunteer team for printing and delivery.
5. International Data Transfers
Your data may be transferred outside your country of residence — in particular, from the European Economic Area, United States, or other regions to Brazil (where we are based) and to the USA (where Digistore24 is based). We rely on the European Commission's adequacy decisions, Standard Contractual Clauses, and equivalent safeguards to ensure your data remains protected.
6. Data Retention
- Prayer text: destroyed (placed in the Petition Box at the Grotto) on the day of delivery, then deleted from our internal records within 30 days.
- Order and contact data: retained for 7 years to comply with Brazilian tax and consumer-protection law.
- Newsletter subscribers: retained until you unsubscribe (which you can do at any time).
- Technical logs: retained for 6 months for security purposes, then deleted.
7. Your Privacy Rights
Depending on your country of residence, you have some or all of the following rights:
- Access: request a copy of the personal information we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): ask us to delete your data, subject to legal retention requirements.
- Restriction of processing: ask us to stop using your data for non-essential purposes.
- Data portability: receive your data in a machine-readable format.
- Object to processing: particularly for direct marketing or processing based on legitimate interest.
- Withdraw consent: for any processing based on consent, you can withdraw at any time.
- Lodge a complaint: with your local data-protection authority (ANPD in Brazil, ICO in the UK, your national DPA in the EU, the FTC in the USA).
To exercise any of these rights, write to privacy@lourdescircle.com. We respond within 30 days.
8. California Residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, to delete that information, to correct it, and to opt out of the "sale" or "sharing" of personal information. We do not sell your personal information. To submit a request, write to privacy@lourdescircle.com.
9. Cookies & Tracking
We use the following categories of cookies and similar technologies:
- Strictly necessary: for the website to function (form submission, security).
- Analytics: Microsoft Clarity, UTMify (anonymized session and traffic-source data).
- Marketing/Advertising: if you arrived via a paid ad, your UTM parameters are forwarded to the checkout for attribution. Some ad-platform pixels (Meta Pixel, Google Tag) may be active.
You can control cookies via your browser settings. Disabling non-essential cookies will not break the Service but may impair our ability to attribute conversions.
10. Children's Privacy
The Service is not directed at children under 18. We do not knowingly collect personal information from children under 18. If you believe a child has submitted personal data to us, please write to privacy@lourdescircle.com and we will delete it promptly.
11. Security
We use industry-standard security measures (HTTPS, encrypted storage, access controls) to protect your information. However, no method of transmission or storage is 100% secure. We notify affected customers and the relevant authority within 72 hours of becoming aware of a personal-data breach that is likely to result in a risk to their rights and freedoms.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes are communicated by email to active customers.
13. Contact
Privacy questions or requests: privacy@lourdescircle.com. For general inquiries, see our Contact page.