Privacy Policy

Effective Date: October 20, 2025

Last Updated: October 20, 2025

New Life The Fort (“we,” “us,” or “our”) is a church community based in the Philippines, dedicated to fostering spiritual growth, community fellowship, and service through our website at https://newlife.ph/thefort or newlifethefort.com (the “Website”). We are committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173, or “DPA”) and its Implementing Rules and Regulations (IRR), as administered by the National Privacy Commission (NPC) of the Philippines.

As a faith-based organization, we process personal data in line with principles of transparency, legitimate purpose, and proportionality. Where applicable, we also strive to align with international standards, such as the General Data Protection Regulation (GDPR) for users in the European Union and the Children’s Online Privacy Protection Act (COPPA) for users in the United States, to ensure global compliance if our Website serves international visitors. If you are a resident of the EU, US, or another jurisdiction with stricter data protection laws, additional rights may apply, and we will honor them to the extent feasible.

By accessing or using our Website, you consent to the practices described in this Policy. If you do not agree, please do not use the Website. We may update this Policy periodically; changes will be posted here with the updated effective date. Continued use after changes constitutes acceptance.

Table of Contents

Definitions

For clarity, key terms used in this Policy are defined as follows (in accordance with the DPA):

  • Personal Data: Any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when combined with other information, would directly identify an individual (e.g., name, email, phone number).
  • Sensitive Personal Information (SPI): Personal data revealing racial or ethnic origin, marital status, age (when combined with other data), educational attainment, medical condition, health status, genetic or biometric data, religious or philosophical beliefs, political opinions, or information on trade union membership (e.g., religious affiliation, allergies, dietary restrictions, special needs, or medical conditions tied to spiritual, community, or pastoral support). SPI requires heightened protection due to its potential to cause significant harm if misused. Under GDPR, this aligns with “Special Category Data” (Article 9), including data on racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic/biometric data, health data, sex life, or sexual orientation.
  • Processing: Any operation on personal data, including collection, recording, storage, use, disclosure, or destruction.
  • Data Subject: You, the individual whose personal data we process (e.g., website visitors, members, donors).
  • Data Protection Officer (DPO): The person responsible for overseeing our data privacy compliance.
  • Child: An individual under the age of 18, as defined under Philippine law (Civil Code and DPA). For online privacy purposes, we treat individuals under 13 as requiring enhanced protections aligned with COPPA and GDPR-K.
  • Parent/Guardian: A legal parent or authorized guardian with parental responsibility over a child.

Back to Top

Scope and Applicability

This Policy applies to all personal data processed through our Website, including data collected from visitors, members, volunteers, donors, and event participants. It covers our operations as a Personal Information Controller under the DPA. It does not apply to third-party websites linked from ours or offline church activities unless specified. Special provisions apply to children’s data and sensitive personal information to ensure compliance with parental/guardian consent requirements and heightened protections for vulnerable data.

Back to Top

Personal Data We Collect

We collect only the minimum personal data necessary for our legitimate purposes. Types include:

  • Basic Contact Information: Name, email address, phone number, and mailing address (e.g., for event registrations or newsletters).
  • Demographic Data: Age, gender, date of birth, or location (optional, for community outreach; birthdays for children help determine transitions to youth/adolescent ministries; age data for children requires parental consent).
  • Donation and Financial Data: Payment details (e.g., credit card info via secure processors), donation amounts, and purposes (e.g., tithing or missions; not collected from children).
  • Sensitive Personal Information: Religious affiliation, spiritual needs, health or medical information (e.g., allergies, dietary restrictions, special needs for adults and children in ministry programs), collected only with explicit consent (e.g., for prayer requests, counseling, or safety in children’s ministry). For children, this is limited to essential details like allergies or special needs to ensure safe participation in programs.
  • Technical Data: IP address, browser type, device information, and usage analytics (non-identifiable unless linked to you).
  • Other: Photos or videos from events (with consent), feedback, or survey responses.

For children, we collect only data essential for youth programs or family events, such as name, age, birthdays, and health-related details for safety, and always with parental/guardian verification.

We do not collect data from children under 13 without parental consent (see Children’s Privacy and Parental/Guardian Consent).

Back to Top

How We Collect Personal Data

We collect data through:

  • Direct Submission: Online forms (e.g., contact us, event sign-up, donation pages). For children and health/medical data, forms include parental consent checkboxes, verification steps, and clear notices about sensitive information.
  • Automated Tools: Cookies, web beacons, and analytics (e.g., Google Analytics for site performance; children’s browsing data is not profiled).
  • Interactions: Emails, social media links, or offline sign-ups uploaded to our systems.
  • Third Parties:
    • Payment processors (e.g., Paymongo, PayPal, Maya, GCash)
    • Email services (e.g., Brevo, SendGrid, Mailchimp, Constant Contact), who share limited data with us under their own policies and must comply with children’s privacy and sensitive data laws.
    • Enterprise Resource Planning Systems / Church Management Systems (e.g., Microsoft Dynamics 365, Microsoft 365 apps and services, RockRMS)

Collection occurs only with your consent or as necessary for contractual or legal obligations. For children and sensitive health/medical data, collection requires verifiable parental/guardian consent.

Back to Top

Purposes for Processing Personal Data

We process personal data solely for legitimate, church-related purposes, including:

  • Communicating spiritual resources, event invitations, and newsletters.
  • Managing memberships, volunteer opportunities, and community programs (for children, limited to age-appropriate activities with parental oversight, including using birthdays for ministry transitions).
  • Processing donations and issuing receipts (not from children under 18).
  • Improving Website functionality and user experience via analytics.
  • Complying with legal requirements (e.g., NPC reporting).
  • Fulfilling prayer or counseling requests (with consent for sensitive data; for children, only via parents/guardians).
  • Ensuring safety and accommodations in ministries, such as processing health/medical information (e.g., allergies, dietary restrictions, special needs) for adults and children to provide tailored support during events or programs.

Processing is limited to what is necessary and proportionate, with heightened care for children’s data and sensitive health/medical information.

Back to Top

Sensitive Personal Information

As a religious organization, we may process Sensitive Personal Information (SPI), such as religious beliefs, health/medical conditions, or special needs, which is afforded the highest level of protection under the DPA (Section 13). Under GDPR (Article 9), this aligns with “Special Category Data,” which includes processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation. Processing of such data is prohibited unless one of the specified lawful bases applies, and we adhere to these strictly for both DPA and GDPR compliance.

Lawful Bases for Processing SPI/Special Category Data:

We process SPI/Special Category Data only where a DPA lawful basis (e.g., explicit consent under Section 12) and a GDPR equivalent (Article 9) apply, including:

  • Explicit Consent (DPA Section 13(c); GDPR Article 9(2)(a)): We obtain your free, informed, specific, and unambiguous consent before collecting or processing SPI (e.g., via a clear opt-in checkbox on forms for prayer requests or health disclosures). Consent must be granular, easily withdrawable, and documented. For EU users, this includes affirmative action (e.g., no pre-ticked boxes). Consent can be withdrawn at any time without affecting the lawfulness of prior processing.
  • Necessary for Legitimate Church Activities (DPA Section 13(a); GDPR Article 9(2)(d) or (e)): For core pastoral care (e.g., spiritual counseling or religious affiliation for membership), processing may be justified if it is strictly necessary and proportionate, carried out in the course of legitimate activities by a foundation, association, or non-profit body with a political, philosophical, religious, or trade union aim, on condition that the processing relates solely to members or former members and is without prejudice to data subjects’ rights.
  • Vital Interests (DPA implied; GDPR Article 9(2)(c)): In emergencies (e.g., disclosing allergies to medical personnel during an event) where the data subject is physically or legally incapable of giving consent.
  • Legal Claims or Obligations (DPA Section 13(f); GDPR Article 9(2)(f)): As required by law or to establish, exercise, or defend legal claims (e.g., reporting under NPC or EU supervisory authority guidelines).
  • Health or Social Care Purposes (GDPR Article 9(2)(h)): For preventive or occupational medicine, assessment of working capacity, medical diagnosis, provision of health/social care, or management of health/social care systems/services, processed by or under the responsibility of a professional subject to confidentiality obligations. For our church context, this applies to pastoral health support (e.g., accommodations for special needs in ministries).
  • Public Interest in Public Health (GDPR Article 9(2)(i)): For public interest in public health, such as ensuring protection against serious cross-border threats or compulsory vital interests, under EU/EEA law.
  • Archiving, Research, and Statistics (DPA Section 13(g); GDPR Article 9(2)(j)): For archiving purposes in the public interest, scientific/historical research, or statistical purposes, subject to appropriate safeguards.

Key Protections for SPI/Special Category Data:

  • Minimized Collection: We collect only the SPI essential for the purpose (e.g., allergies for meal planning in children’s ministry, not full medical history). For GDPR, this aligns with data minimization (Article 5(1)(c)).
  • Purpose Limitation: SPI is used solely for the consented or justified purpose and not repurposed without further explicit consent (DPA Section 11(d); GDPR Article 5(1)(b)).
  • Enhanced Security: SPI receives additional safeguards, including pseudonymization where possible (GDPR Article 4(5)), restricted access (e.g., only to pastoral staff on a need-to-know basis), and regular audits. We ensure processing is confidential and secure per DPA Section 20 and GDPR Article 32.
  • Transparency: Forms clearly label SPI fields and explain risks, benefits, and how data will be protected, with privacy notices provided at collection (DPA Section 9; GDPR Article 13/14).
  • For Religious Data: As a church, we process religious beliefs (e.g., affiliation or spiritual needs) to fulfill our mission of faith-based support, but always with explicit consent except where integral to membership services under the legitimate activities exemption.
  • For Health/Medical Data: Limited to safety and accommodation needs (e.g., dietary restrictions, special needs). We do not process genetic, biometric, or unrelated health data. Adults provide direct consent; for children, verifiable parental consent is mandatory (GDPR Recital 71 for child data).
  • Prohibitions: We never process SPI for marketing, profiling, or automated decision-making without explicit consent, and we prohibit discrimination based on SPI (GDPR Article 22). Automated processing of SPI triggers mandatory Data Protection Impact Assessments (DPIAs; GDPR Article 35).

If SPI processing involves automated systems, we conduct Privacy Impact Assessments (PIAs) under DPA and DPIAs under GDPR to identify and mitigate risks. Breaches of SPI trigger immediate enhanced response protocols, including notifications to EU supervisory authorities where applicable.

Back to Top

Sharing and Disclosure of Personal Data

We do not sell or rent personal data. Disclosure occurs only:

  • To service providers (e.g., email platforms, hosting services) bound by data processing agreements ensuring DPA compliance, children’s privacy protections, and safeguards for sensitive health/medical data.
  • To church affiliates or volunteers for event coordination (with your consent; for children or health data, only with parental approval and on a need-to-know basis).
  • As required by law (e.g., court orders) or to protect rights/safety (e.g., sharing allergies with medical staff in emergencies).
  • In mergers or transfers of church assets (with notice).

All recipients must maintain confidentiality and use data only for specified purposes. Children’s data and sensitive health/medical information are never shared without appropriate consent.

Back to Top

Data Security Measures

We implement reasonable organizational, physical, and technical safeguards to protect personal data against loss, misuse, unauthorized access, alteration, or destruction, per NPC guidelines:

  • Organizational: Designation of a DPO (contact below); annual staff training on DPA, children’s privacy, and handling sensitive health/medical data; Privacy Impact Assessments (PIAs) for new processes, including child-specific and health-related risks; non-disclosure agreements for volunteers.
  • Physical: Secure storage in locked facilities or encrypted drives; access logs for data rooms; restricted entry to authorized personnel.
  • Technical: Encryption (e.g., SSL for Website); firewalls; multi-factor authentication; regular vulnerability scans and penetration testing; intrusion detection systems; additional segmentation and access controls for children’s data and sensitive health/medical information.

Despite these measures, no system is infallible. We cannot guarantee absolute security, but we prioritize protections for vulnerable groups like children and sensitive health data.

Back to Top

Your Rights as a Data Subject

Under the DPA (and GDPR/COPPA where applicable), you have the following rights, exercisable free of charge (subject to verification):

  • Access: Request confirmation of processing and a copy of your data (including sensitive health/medical details).
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure/Blocking: Delete or block data when no longer needed or unlawfully processed.
  • Object/Withdraw Consent: Oppose processing or revoke consent (may limit services).
  • Damages: Seek compensation for violations.
  • Data Portability: Receive data in a structured format (for automated processing).
  • Lodge Complaints: With the NPC at privacy.gov.ph.

Parents/guardians have these rights on behalf of children under 18, including reviewing, rectifying, or deleting collected data such as health/medical information or birthdays. Requests should be submitted in writing to our DPO (see Contact). We respond within 30 days (or 45 for complex cases).

Back to Top

Cookies and Similar Technologies

Our Website uses cookies (small files stored on your device) for functionality, analytics, and preferences. Types include:

  • Essential: For site navigation (e.g., session management).
  • Analytics: To track usage (e.g., Google Analytics; anonymized and no behavioral advertising for children).
  • Marketing: For personalized content (with consent; disabled for under-13 users).

You can manage cookies via browser settings. Disabling may affect functionality. For children, we limit non-essential cookies and obtain parental consent where required. For details, see our Cookie Policy (link if separate).

Back to Top

Children's Privacy and Parental/Guardian Consent

We are committed to protecting the privacy of children, recognizing their vulnerability under the DPA, COPPA (for U.S. users), and GDPR (for EU users). Our Website and youth programs are family-oriented but not directed at children under 13 as a primary audience. We do not knowingly collect, use, or disclose personal data from children under 13 without verifiable parental/guardian consent. For children aged 13-17, we encourage parental involvement and may require consent for sensitive activities, including health/medical data.

Key Provisions:

  • Age Screening: Online forms include age verification prompts. If a user indicates they are under 13, the form directs to a parental consent process.
  • Verifiable Parental/Guardian Consent: Before collecting, using, or disclosing a child’s personal data (e.g., for youth event registration, birthdays for ministry transitions, or health/medical information like allergies, dietary restrictions, or special needs), we obtain consent through multiple verification methods, such as:
    • Signed consent forms (digital or physical).
    • Credit card verification (a small, refundable charge to confirm parental control).
    • Email-plus (parental email confirmation followed by a video call or toll-free call-back).
    • Knowledge-based authentication (e.g., answering questions only a parent would know).

    These methods align with COPPA’s “verifiable parental consent” standards and DPA’s emphasis on protecting minors, with explicit notices for sensitive health data.

  • Data Collected from Children: Limited to essentials like name, age, birthdays (for program transitions), contact info for family events, emergency contacts, and health/medical details (e.g., allergies, dietary restrictions, special needs) only to ensure safe and accommodating participation in children’s ministry. No financial data, location tracking, or other non-essential sensitive information without explicit parental approval. Photos/videos from youth events require separate opt-in consent from parents.
  • Use and Disclosure: Children’s data is used only for the consented purpose (e.g., event coordination, safety accommodations) and not for marketing or third-party sharing without further consent. We do not create persistent profiles or enable behavioral advertising for children. Health/medical data is processed solely for immediate ministry needs (e.g., meal planning or activity modifications).
  • Parental/Guardian Rights: Parents/guardians can:
    • Review any data collected about their child, including health/medical details.
    • Revoke consent at any time, leading to immediate cessation of collection and deletion of data.
    • Request deletion of their child’s data.
    • Opt out of future communications or data processing.

    To exercise these, contact our DPO (see Contact). We provide a dedicated “Parent Portal” link on the Website for easy access.

  • Monitoring and Enforcement: We train staff on recognizing and handling child data interactions, with special protocols for health/medical information. If we inadvertently collect data from a child without consent, we delete it within 10 business days and notify the parent if contactable.
  • Youth Programs (Ages 13-17): Teens may provide consent for non-sensitive activities (e.g., newsletter sign-up), but parents are notified via email, and consent can be overridden. For sensitive processing (e.g., health data or counseling), parental involvement is mandatory.

If you believe we have collected data from your child without appropriate consent, please contact us immediately. We will investigate and take corrective action.

Back to Top

International Data Transfers

Personal data is primarily stored in the Philippines (e.g., via local servers). Transfers abroad (e.g., to U.S.-based email providers) occur only with safeguards like standard contractual clauses or adequacy decisions, ensuring equivalent protection under the DPA, including for children’s data and sensitive health/medical information. EU users: We comply with GDPR transfer requirements, including for special category data.

Back to Top

Data Retention and Destruction

We retain data only as long as necessary:

  • Event/donation records: 5 years (for tax/legal purposes).
  • Newsletters: Until unsubscribed.
  • Analytics: Anonymized after 2 years.
  • Children’s data: Deleted immediately upon consent revocation or event conclusion (max 1 year unless legally required).
  • Health/Medical Information and Other SPI: Retained only for the duration of participation in relevant programs (e.g., current ministry year) or as minimally required for legal/safety records (max 2 years), and deleted thereafter. Religious affiliation data is retained only while active in membership.

Expired data is securely destroyed (e.g., shredding paper, overwriting digital files) per NPC standards.

Back to Top

Data Breaches and Incidents

In case of a breach, a Data Breach Response Team will assess, mitigate, and notify affected data subjects (including parents for children) and the NPC within 72 hours (per DPA). Breaches involving children’s data or sensitive health/medical information receive priority notification. We maintain breach logs and conduct post-incident reviews.

Back to Top

Inquiries, Complaints, and Contact

For questions, rights exercises, or complaints (including children’s privacy or health data concerns):

Data Protection Officer
New Life The Fort
[Church Address, e.g., The Fort, Taguig City, Metro Manila, Philippines]
Email: [email protected]
Phone: [+63 XX XXX XXXX]

We acknowledge requests within 3 days and resolve complaints promptly. For NPC complaints: [email protected] or 8-8888-NPC-NOW. Parents may use this channel for child-related issues.

Back to Top

Governing Law

This Policy is governed by Philippine law. Disputes fall under Philippine courts. For international users, applicable local laws (e.g., COPPA, GDPR) supplement without conflicting with DPA.

Back to Top

Thank you for trusting New Life The Fort with your data. We value your privacy as part of our commitment to loving and serving our community.