Gospel Mount

Privacy Policy

Who we are (Data Controller): Gospel Mount (“we”, “us”, “our”), a UK-based Christian blog.

Contact (privacy): privacy@gospelmount.org

This notice explains how we handle your personal data under
UK GDPR, the DPA 2018 and PECR.

1) What data we collect

  • Basic identifiers: name, email address, IP (Internet Protocol) address, user-agent.
  • Content you submit: comments, contact-form messages, prayer requests, testimonials.
  • Newsletter data: email address and subscription preferences.
  • Usage data: page views, referrers, timestamps, approximate location from IP.
  • Technical data: device/browser data, cookies and similar technologies.
  • Special category data: only if you choose to share it (e.g., a prayer request). We process this only with your explicit consent (UK GDPR Art. 9(2)(a)).

We do not intentionally collect data from children under 13. If you believe a child has provided data, contact us to remove it.

2) Why we use your data and lawful bases

Purpose Examples Lawful basis
Site operation & security Load pages, prevent spam/fraud, rate-limit Legitimate interests (keep the site safe and functional)
Comments & community Publish your comment, show your avatar (if enabled) Legitimate interests; you choose to post
Respond to enquiries Reply to contact-form/email requests Legitimate interests (responding) or Contract (pre-contract steps)
Email newsletter Send Gospel Mount updates Consent (withdraw any time)
Analytics & performance Understand readership and improve content Consent (non-essential cookies)
Compliance Legal/records, handling rights requests Legal obligation

3) Cookies and similar technologies

We use a CMP to obtain/manage consent for non-essential cookies. You can change your choice any time via the “Cookie settings” link in the footer.

  • Strictly necessary (no consent): core WordPress, security, load balancing.
  • Newsletter popup (functional, no personal data): a session cookie (gm_nl_shown) remembers if you have seen or dismissed the newsletter signup prompt, so it does not reappear during the same visit. This cookie expires after 24 hours and contains no personal data.
  • Analytics (consent): readership statistics.
  • Functional (consent): commenting conveniences (e.g., remember details).
  • Social (consent): share buttons for X/Twitter, Facebook, etc.

4) Who we share data with (processors/partners)

  • Automattic (WordPress.com / Jetpack / Gravatar / Akismet): hosting, stats, image CDN, spam filtering, subscription emails.
    Note: When you subscribe via Jetpack Subscriptions, Automattic may act as an independent controller for delivery of emails—see their privacy notice.
  • Email delivery (for contact replies/newsletters): Amazon Simple Email Service (SES), operated by Amazon Web Services, Inc. (USA). Emails are sent via SES SMTP. AWS processes data under their Privacy Notice and applicable SCCs.
  • reCAPTCHA/antispam (if enabled): protects forms from abuse.

We do not sell your personal data.

Newsletter details: When you subscribe to our newsletter, we collect your email address, optional first name, IP address, and consent record. Subscription uses double opt-in (you must click a confirmation link in a verification email before receiving any content). Emails are delivered via Amazon SES. You can unsubscribe at any time using the link in every email, or permanently delete all your data using the “Delete my data” link.

5) International transfers

Some providers store/process data outside the UK (e.g., in the USA). Where this occurs, we rely on
SCCs with the UK Addendum or the
IDTA, plus additional safeguards.

6) How long we keep data

  • Comments: for the life of the post unless you request deletion.
  • Contact enquiries: normally 24 months.
  • Newsletter data: until you unsubscribe or your address bounces. Unconfirmed signups are automatically deleted after 7 days.
  • Newsletter consent records: we store the consent text, your IP address at the time of signup, and the date of confirmation. These records are retained for compliance purposes even after unsubscription, unless you request full data deletion.
  • Server/security logs: up to 12 months.
  • Special category data (e.g., prayer requests): shortest necessary period; you can withdraw consent at any time.

We may retain minimal records to demonstrate compliance (e.g., consent logs).

7) Your rights

  • Access, rectify, erase or port your data.
  • Restrict processing; object to processing based on legitimate interests.
  • Withdraw consent (newsletter/analytics) at any time.

To exercise rights, email privacy@gospelmount.org. Newsletter subscribers can also delete their data instantly using the “Delete my data” link included in every email footer. We may need to verify your identity. We respond within one month (extendable in complex cases).

You also have the right to complain to the
ICO (ico.org.uk, 0303 123 1113).

8) Security

We use TLS in transit, least-privilege access, patching/updates, backups and monitoring. No internet service is 100% secure; please take care when posting public comments.

10) Changes

We’ll update this policy when needed and change the “Last updated” date. Material changes will be signposted on this page.

11) Contact

Gospel Mount (Data Controller)
Email: privacy@gospelmount.org