Privacy policy

Last updated: April 2026

This is a courtesy translation. In case of discrepancy, the French version prevails.

1. Data controller and processor

Each local congregation using Unitae is the data controller of its own data within the meaning of the General Data Protection Regulation (GDPR).

MindsersIT (SASU, RCS Lyon 983 970 245), publisher of the hosted platform unitae.app, acts as data processor in accordance with Article 28 of the GDPR. A Data Processing Agreement (DPA) is established between MindsersIT and each local congregation.

Contact: privacy@mindsers.it

2. Data collected

Unitae collects and processes the following categories of personal data:

  • Identification data: last name, first name, email address
  • Contact details: phone number, postal address (optional)
  • Demographic data: date of birth, gender (optional)
  • Religious data (special category, Article 9): baptism date, publisher status, congregation responsibilities, service activities
  • Activity data: monthly service reports, territory assignments
  • Payment data: processed by Stripe (MindsersIT only stores Stripe reference identifiers)
  • Technical data: IP address (consent records), session data

3. Special category data

The mere presence of a user in Unitae reveals their religious affiliation as one of Jehovah's Witnesses. This data constitutes special category data within the meaning of Article 9 of the GDPR.

Processing is based on Article 9(2)(d): processing carried out in the course of the legitimate activities of a not-for-profit body with a religious aim, on condition that the processing relates solely to members of that body and that the data are not disclosed outside it without the consent of the data subjects.

4. Legal bases for processing

  • Performance of a contract (Art. 6.1.b): provision of the congregation management service
  • Legitimate interest (Art. 6.1.f): security, logging, fraud prevention
  • Legal obligation (Art. 6.1.c): retention of billing data (10 years, French tax law)
  • Consent (Art. 6.1.a): explicit consent collected at first login

5. Purposes of processing

  • Management of congregation members and responsibilities
  • Service activity tracking (monthly reports)
  • Territory and assignment management
  • Information board and document management
  • Event and schedule management
  • Authentication and account security
  • Email communications (password reset, notifications)
  • Billing and subscription management

6. Retention periods

  • User accounts: duration of membership + 30 days
  • Activity reports: duration of membership (configurable by the congregation)
  • Territory assignments: duration of the congregation account
  • Board documents: until deletion by the administrator + 30 days
  • Session cookies: 1 hour
  • Reset tokens: 24 hours
  • Consent records: 2 years after withdrawal
  • Billing data (Stripe references): 10 years (legal obligation)

7. Sub-processors

Data is processed by sub-processors listed on our sub-processors page. Transfers to the United States are covered by the EU-US Data Privacy Framework (DPF) or standard contractual clauses.

All primary data (database, files) is hosted in France (OVH, Gravelines).

8. Your rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15): obtain a copy of your personal data
  • Right to rectification (Art. 16): correct inaccurate data
  • Right to erasure (Art. 17): request the deletion of your data
  • Right to data portability (Art. 20): receive your data in a structured format
  • Right to restriction (Art. 18): restrict the processing of your data
  • Right to object (Art. 21): object to the processing
  • Withdrawal of consent: withdraw your consent at any time from your profile

To exercise these rights, contact your local congregation administrator. You can also contact MindsersIT at: privacy@mindsers.it

9. Security

  • Data encryption in transit (TLS)
  • Password hashing (scrypt)
  • Data isolation per congregation (PostgreSQL Row-Level Security)
  • Role-based access control (20 fine-grained permissions, built-in and custom roles)
  • Secure session cookies (httpOnly, secure, SameSite)
  • Login attempt rate limiting
  • Hosting in France (OVH, Gravelines)

10. Cookies

Unitae uses only a session cookie strictly necessary for authentication. This cookie does not require consent.

The optional Google Maps integration in the application may load third-party cookies. In this case, your explicit consent is requested before any loading.

11. Complaints

If you believe that the processing of your personal data constitutes a violation of the GDPR, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL): www.cnil.fr.

12. Self-hosting

Unitae is open source software (AGPL-3.0). Self-hosted instances are under the sole responsibility of the entity that deploys them. MindsersIT has no role as a processor in this case, as no data passes through its systems.