Privacy Policy

1. Introduction

CEF Core, LLC ("we," "us," or "our") operates the CEF Core platform at https://CEFCore.com (the "Service"). We provide financial management software for Church Extension Funds and religious organizations.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting your privacy and handling your data with care, especially given the sensitive financial and religious nature of the information we process.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use the Service.

2. Information We Collect

2.1 Information You Provide

We collect information that you voluntarily provide when using the Service:

• Account Information: Name, email address, phone number, job title, organization name
• Financial Data: Loan information, investor note details, transaction records, account balances, payment information
• Organization Data: Church and ministry information, contact details, tax identification numbers
• User Content: Documents uploaded, notes, comments, custom reports, and other content you create
• Support Communications: Information provided when you contact customer support

2.2 Automatically Collected Information

When you access the Service, we automatically collect:

• Usage Data: Pages viewed, features used, time spent, clicks, and navigation patterns
• Device Information: IP address, browser type, operating system, device identifiers
• Log Data: Access times, error logs, performance data, API calls
• Cookies and Tracking: Session cookies, authentication tokens, analytics cookies

2.3 Third-Party Information

We may receive information from third parties:

• Bank Data: Transaction information from bank integrations (with your authorization)
• Authentication Providers: Information from Firebase Authentication
• Payment Processors: Payment confirmation and transaction data

3. How We Use Your Information

We use collected information for the following purposes:

• Service Delivery: To provide, maintain, and improve the CEF Core platform
• Financial Operations: To process loans, track investor notes, manage accounts, and facilitate transactions
• Account Management: To create and manage your account, authenticate users, and provide customer support
• Compliance: To comply with legal obligations, regulatory requirements, and audit trails
• Communications: To send service notifications, updates, security alerts, and support messages
• Analytics: To analyze usage patterns, improve features, and optimize performance
• Security: To detect fraud, prevent abuse, and protect against security threats
• Legal Compliance: To respond to legal requests, enforce our terms, and protect our rights

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), our legal basis for collecting and using information depends on the data and context:

• Contract Performance: Processing necessary to perform our contract with you (Service delivery)
• Legitimate Interests: Our legitimate interests in improving the Service, preventing fraud, and ensuring security
• Legal Obligations: Compliance with legal and regulatory requirements
• Consent: Where you have given explicit consent for specific processing activities

5. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

5.1 Service Providers

We share information with trusted third-party service providers who assist in operating the Service:

• Cloud Infrastructure: Google Cloud Platform, Firebase (hosting, database, authentication)
• Payment Processing: Payment processors for transaction handling
• Bank Integration: Plaid or similar services for bank account connections (with your authorization)
• Analytics: Google Analytics for usage analysis
• Email Services: Email delivery providers for notifications
• Support Tools: Customer support platforms

These service providers are contractually obligated to protect your information and may only use it for specified purposes.

5.2 Legal Requirements

We may disclose information if required by law or in response to:

• Court orders, subpoenas, or legal process
• Government or regulatory requests
• Compliance with applicable laws and regulations
• Protection of our rights, property, or safety
• Investigation of fraud, security issues, or policy violations

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. We will notify you before your information is transferred and becomes subject to a different privacy policy.

5.4 With Your Consent

We may share information for other purposes with your explicit consent.

6. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
• Access Controls: Role-based access control (RBAC) and multi-factor authentication
• Audit Trails: Comprehensive logging of all data access and modifications
• SOC 2 Type II: Annual third-party security audits and certifications
• Infrastructure Security: Firewall protection, intrusion detection, and regular security assessments
• Data Backup: Regular automated backups with encryption and geographic redundancy
• Incident Response: Security incident monitoring and response procedures
• Employee Training: Regular security awareness training for all personnel

However, no method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

7. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account Data: Retained while your account is active and for 7 years after closure for compliance purposes
• Financial Records: Retained for 7 years to comply with tax and financial regulations
• Audit Logs: Retained for 7 years for compliance and security purposes
• Support Communications: Retained for 3 years
• Analytics Data: Aggregated data may be retained indefinitely

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

8.1 General Rights

• Access: Request a copy of your personal information
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your information (subject to legal retention requirements)
• Data Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdrawal: Withdraw consent where processing is based on consent

8.2 GDPR Rights (EEA Residents)

If you are in the EEA, you have additional rights under GDPR:

• Right to restrict processing
• Right to lodge a complaint with a supervisory authority
• Right to withdraw consent without affecting prior processing

8.3 CCPA Rights (California Residents)

If you are a California resident, you have rights under CCPA:

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information (subject to exceptions)
• Right to opt-out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your rights

8.4 Exercising Your Rights

To exercise any of these rights, contact us at:

• Email: privacy@cefcore.com
• Subject line: "Privacy Rights Request"

We will respond to your request within 30 days. We may require verification of your identity before processing your request.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Service and hold certain information.

9.1 Types of Cookies We Use

• Essential Cookies: Required for authentication and core functionality
• Performance Cookies: Collect information about how you use the Service
• Functionality Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand usage patterns (Google Analytics)

9.2 Managing Cookies

You can control cookies through your browser settings. However, disabling cookies may limit your ability to use certain features of the Service. Essential cookies cannot be disabled without losing core functionality.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States where our servers and service providers are located.

We ensure appropriate safeguards are in place for international transfers:

• Standard Contractual Clauses approved by the European Commission for EEA transfers
• Service providers certified under recognized privacy frameworks
• Equivalent levels of protection as required by applicable laws

11. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us, and we will take steps to delete such information.

12. Third-Party Links

The Service may contain links to third-party websites or services not operated by us. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policy of every site you visit.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date
• Sending email notification for significant changes
• Displaying a prominent notice in the Service

Your continued use of the Service after changes become effective constitutes acceptance of the revised Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, contact us:

15. Data Protection Officer

For GDPR-related inquiries, you may contact our Data Protection Officer atdpo@cefcore.com