DFX Parish Retreat Letters

Manage personal messages in parish retreats: attendants, confidential messages, permissions, and GDPR compliance — all in one place.

Version: 26.03.22
Last updated: Mar 22, 2026

DFX Parish Retreat Letters lets your parish manage the full lifecycle of confidential personal messages for retreat attendants — from collecting letters through a public web form to printing them securely in the admin, while keeping every piece of content fully encrypted and every action fully audited.

How it works

  1. Create a retreat and register your attendants.
  2. Share each attendant’s unique, private URL with the people who want to write to them — family, friends, spiritual directors.
  3. Writers fill in the form on a clean public page: they can type a rich-text message, attach images or documents, and agree to a legal disclaimer. A simple arithmetic CAPTCHA protects against bots.
  4. Messages are stored encrypted in the database. Nobody can read them by browsing the admin — they are only revealed at print time.
  5. Authorised staff print the messages from the admin panel. Each print is logged with the user’s name, timestamp, and IP address.
  6. Messages are handed to attendants during or after the retreat.

Retreat management

  • Create retreats with name, location, start and end dates, and a custom welcome message shown on the submission form.
  • Set a legal disclaimer text and an acceptance checkbox label that writers must tick before they can submit.
  • Enable or disable optional Notes and Internal Notes fields per retreat (Notes are exportable; Internal Notes are not).
  • Set custom body CSS classes on the message-form page per retreat, so each retreat can use a different visual style.
  • Choose a custom header block and footer block (any WordPress block or template part) to brand the submission form page.
  • Delete a retreat together with all its attendants and messages in one action.

Attendant management

  • Add attendants individually or import them from a CSV file (supports merge mode to add emergency-contact data without overwriting existing records).
  • Each attendant stores: name, surnames, date of birth, and the following optional fields — notes, internal notes, emergency-contact details (name, surnames, relationship, email), inviting person, and incompatibilities.
  • Export attendants to CSV including their unique message URL, message count, and all standard fields.
  • Sort and filter the attendant list by name, message count, notes, or any other available column.
  • The attendant list shows at a glance how many messages each person has received and how many have not yet been printed.
  • Delete individual attendants, or remove all attendants from a retreat at once.

Confidential message submission (public form)

  • Each attendant has a unique, cryptographically secure URL (based on a random token). Anyone with the link can submit a message without logging in to WordPress.
  • The submission form provides a rich-text editor (with formatting, images, and copy-paste from Word or Google Docs).
  • Writers can attach images and documents (PDF, DOCX, and other common types). If a message has multiple non-image files, they are bundled into a ZIP for printing.
  • An optional legal disclaimer with a configurable acceptance checkbox can be required before submission.
  • A simple arithmetic CAPTCHA prevents automated submissions. Logged-in WordPress users skip the CAPTCHA.
  • The form URL includes the attendant’s initials as a suffix for easy identification when sharing links, without exposing the full name.
  • Rate limiting (20 requests per hour per IP) prevents abuse.

Secure message access and printing

  • The admin interface never displays message content — there is no content-preview panel. This protects confidentiality if a screen is visible to others.
  • Authorised users open a message and click Print. The plugin decrypts the content on the fly, renders it in a print-ready format with the recipient’s name and the sender’s name, and sends it to the printer.
  • Each print action is recorded in a print log (user, timestamp, IP address). The log is visible from the attendant’s message list.
  • Multiple images in a single message are laid out so they do not split across pages.

Three-tier permission system

The plugin uses three access levels, each scoped to specific retreats:

Plugin Administrators (WordPress users with the manage_retreat_plugin capability, automatically granted to WordPress Administrators):

  • Create and delete retreats.
  • Manage all attendants and all messages across all retreats.
  • Grant or revoke permissions for any retreat.
  • Access Global Settings and Privacy & Compliance pages.

Retreat Managers (assigned per retreat):

  • Full control of their assigned retreat: edit retreat details, manage attendants, access all messages.
  • Invite and assign Message Managers to their retreat.
  • Cannot access other retreats or global settings.

Message Managers (assigned per retreat):

  • Read-only access to attendant names for context.
  • Can open and print confidential messages for their retreat.
  • Cannot edit attendants, retreat details, or permissions.
  • All print actions are logged.

User invitations

  • Invite any email address to become a Retreat Manager or Message Manager for a specific retreat directly from the retreat’s Access Management tab.
  • The invitee receives an email with a secure, time-limited token link.
  • If the email address already belongs to a WordPress user, they are granted the role immediately on acceptance. If not, a new WordPress account is created for them.
  • Pending invitations can be cancelled at any time. Expired invitations are cleaned up automatically.

Encryption and data security

  • All message content and file attachments are encrypted with AES-256-CBC and authenticated with HMAC-SHA256 before being written to the database or disk.
  • The encryption key is generated automatically on first activation and stored in the database. An admin notice prompts you to move it to wp-config.php by defining the constant DFXPRL_ENCRYPTION_KEY for better security. If the constant and the database key ever differ, the plugin detects the mismatch and offers a one-click resolution.
  • Every sensitive admin action (permission grants, revocations, invitation events) is written to a permission audit log.
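
The AES-256-CBC plus HMAC-SHA256 combination described above, as an added PHP example that is not the plugin's own code. It assumes an encrypt-then-MAC construction, HKDF-derived separate keys, and an IV || ciphertext || tag layout; the page states none of these, and the example_* function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code; all example_* names are hypothetical.

// Derive independent encryption and MAC keys from one master key (assumption: HKDF).
function example_derive_keys(string $master): array {
    return [
        hash_hkdf('sha256', $master, 32, 'example-enc'),
        hash_hkdf('sha256', $master, 32, 'example-mac'),
    ];
}

// Encrypt with AES-256-CBC, then authenticate IV and ciphertext with HMAC-SHA256.
function example_seal(string $plaintext, string $master): string {
    [$encKey, $macKey] = example_derive_keys($master);
    $iv = random_bytes(16);                       // fresh random IV per message
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($iv . $ct . $tag);       // assumed layout: IV || CT || tag
}

// Verify the tag in constant time BEFORE decrypting, so tampered data never
// reaches the CBC padding check.
function example_open(string $blob, string $master): string {
    [$encKey, $macKey] = example_derive_keys($master);
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, 16);
    $tag = substr($raw, -32);
    $ct  = substr($raw, 16, -32);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

$master = random_bytes(32);                            // constructed sample key
$blob   = example_seal('Constructed sample letter text.', $master);
echo example_open($blob, $master), PHP_EOL;            // round trip

$raw = base64_decode($blob);
$raw[20] = $raw[20] ^ "\x01";                          // flip one ciphertext bit
try { example_open(base64_encode($raw), $master); }
catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
```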

GDPR and privacy compliance

  • Right to Erasure (GDPR Article 17): delete all personal data for a specific email address or attendant in one action.
  • Data Portability (GDPR Article 20): export all personal data associated with an email address as a structured file.
  • IP address anonymisation: sender IP addresses are automatically anonymised after a configurable retention period (default 30 days). A daily WordPress cron job handles the cleanup.
  • Configurable data retention: set how long messages and audit log entries are kept before automatic deletion.
  • Spanish privacy law (LOPD-GDD): the plugin was designed with Spanish data-protection requirements in mind, in addition to GDPR.
  • All settings are found under Retreats > Privacy & Compliance.

Global settings

Under Retreats > Global Settings you can configure:

  • Default header and footer blocks for the message submission form (overridable per retreat).
  • Default body CSS classes for the submission form page.
  • Encryption key management (including the option to remove a database-stored key in favour of the wp-config.php constant).

Internationalisation

  • The plugin ships with a complete Spanish (es_ES) translation.
  • A .pot template file is included so you can add your own language.
  • The public submission form uses informal Spanish (“tú”) for a friendlier tone.

Free on paid plans
Tested up to: WordPress 6.9.4
This plugin is available for download for your site.