Early bird pricing: from 59€/mo — yours forever if you join now

Privacy Policy

Wedding Planner Compass — Version 1.0 — Date: 15.03.2026

§ 1 — Controller

(1) The controller within the meaning of the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter "GDPR") is:

Ekaterina Kroh
OnPoint Weddings
Kochstraße 23
04275 Leipzig
Germany

Email: info@weddingcompass.app
Phone: +49 177 650 2710
Website: https://weddingcompass.app/

(2) The controller operates the internet-based service "Wedding Planner Compass" (hereinafter "Service") as a sole proprietor (Einzelunternehmer).

(3) The appointment of a data protection officer is not required pursuant to § 38(1) BDSG (German Federal Data Protection Act), as the controller does not regularly employ twenty or more persons engaged in the automated processing of personal data. Data subjects may contact the controller at any time using the email address provided above.

§ 2 — Overview of Data Processing

(1) The Service is a B2B SaaS platform (Software-as-a-Service) for professional wedding planning. It is designed for wedding planning agencies, freelance wedding planners, and comparable service providers (hereinafter collectively referred to as "Customers"). The Service is also available to international customers.

(2) The Service is in an early market phase. The controller continuously develops the Service and associated data protection processes to ensure the highest standards.

(3) This privacy policy applies to both the public website (landing page, contact form, blog) and the SaaS application itself.

(4) The following categories of data subjects are affected by data processing in the course of operations:

Category of Data SubjectDescription
Website visitorsPersons visiting the public website
Customers (controllers)Wedding planning agencies, freelance wedding planners
Employees and representatives of customersPersons authorised by the customer to use the Service
CouplesClients of the customers; invited by the customer (wedding planner) and granted limited access to selected modules of the Service (e.g. guest list, budget, timeline)
Wedding guestsGuests of the respective wedding celebration
VendorsExternal wedding service providers
Newsletter subscribersPersons who have subscribed to the newsletter

(5) The controller processes personal data both in its own capacity as controller (with respect to customer data, website visitors, and technical operations) and as a processor within the meaning of Art. 28 GDPR (with respect to data entered by the customer in the course of using the Service). The processing relationship is governed by a separate Data Processing Agreement (DPA).

(6) The provision of account data (email address, password, first and last name, company name, business address) is required for the conclusion of the contract and the use of the Service. Without this data, the contract cannot be concluded. The provision of a phone number is voluntary. The provision of further data (e.g. optional guest data, budget data) is also voluntary.

§ 3 — Legal Bases for Processing

(1) The processing of personal data is based on the following legal bases:

Legal BasisScope of Application
Art. 6(1)(b) GDPR — Performance of a contractCustomer data for the provision of the Service; wedding, guest, vendor, budget, task, and seating plan data
Art. 6(1)(f) GDPR — Legitimate interestsTroubleshooting and technical improvement; IT security; anonymised statistics; abuse prevention
Art. 6(1)(a) GDPR — ConsentSpecial categories of personal data (Art. 9 GDPR); website analytics (Firebase Analytics, Google Analytics 4); newsletter dispatch
Art. 6(1)(c) GDPR — Legal obligationRetention of billing data (§ 147 AO, § 257 HGB)
Art. 9(2)(a) GDPR — Explicit consentSensitive data in the context of wedding planning (see § 11)

(2) Where the controller relies on legitimate interests as the legal basis for processing, a balancing test against the interests of the data subjects has been carried out. The legitimate interests include, in particular: ensuring IT security, preventing abuse, optimising the Service, and asserting and defending legal claims.

(3) Consent may be withdrawn at any time with effect for the future (Art. 7(3) GDPR).

PART A — WEBSITE (Landing Page and Public Pages)

§ 4 — Website Hosting and Server Log Files

(1) The website is hosted by Google Firebase Hosting (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).

(2) Each time the website is accessed, the following data is automatically recorded in server log files:

  • IP address of the requesting device
  • Date and time of access
  • Name and URL of the requested page
  • Volume of data transferred
  • HTTP status code
  • Browser type and version
  • Operating system
  • Referrer URL (previously visited page)

(3) This data is processed exclusively to ensure the smooth operation of the website, to detect and defend against attacks, and for technical error analysis. It is not merged with other data sources or used for marketing purposes.

(4) Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the operational security and integrity of the website).

(5) Server log files are automatically deleted after 30 days.

§ 5 — Website Analytics

5.1 Firebase Analytics

(1) This website uses Firebase Analytics (Google Ireland Limited), a web analytics service integrated into the Firebase platform.

(2) Firebase Analytics collects the following data:

  • Page views and time spent on page
  • Device type, screen resolution, operating system, browser
  • Approximate location (based on anonymised data)
  • Interactions (clicks, scroll depth)
  • Language settings

(3) Legal basis: Art. 6(1)(a) GDPR (consent). Firebase Analytics is only activated if the user has given consent via the cookie consent banner.

5.2 Google Analytics 4

(1) In addition, the website uses Google Analytics 4 (Google Ireland Limited). Google Analytics 4 does not store complete IP addresses. IP addresses are only used briefly for geolocation and then discarded.

(2) Legal basis: Art. 6(1)(a) GDPR (consent). Google Analytics 4 is only activated if the user has given consent via the cookie consent banner. Without consent, no analytics cookies are set and no data is transmitted to Google.

(3) Objection/Withdrawal: You may withdraw your consent at any time via the cookie consent banner (accessible via the "Cookie Settings" link in the footer). Alternatively, you can prevent the storage of cookies through appropriate browser settings or use the browser add-on to disable Google Analytics: https://tools.google.com/dlpage/gaoptout

(4) Data processing agreement: A data processing agreement pursuant to Art. 28 GDPR exists with Google Ireland Limited. Further information on data protection at Google: https://policies.google.com/privacy

(5) Third-country transfer: See § 14 of this privacy policy.

§ 6 — Cookie Consent Banner

(1) When visiting the website for the first time, a cookie consent banner is displayed, through which the user can grant or refuse consent to the use of non-essential cookies and technologies (§ 25(1) TDDDG).

(1a) The consent decision is stored in the browser's local storage (technically necessary). A record of the consent is also stored in the provider's database (Firebase Firestore) for documentation purposes pursuant to Art. 7(1) GDPR. Legal basis: § 25(2) No. 2 TDDDG (technically necessary) and Art. 6(1)(f) GDPR (legitimate interest in documenting consent).

(2) The cookie consent banner offers equivalent options to accept and reject non-essential cookies. Withdrawal is possible at any time via the "Cookie Settings" link in the footer and is just as easy as granting consent.

(3) The following cookie categories are distinguished:

CategoryConsent RequiredExamples
Technically necessaryNo (§ 25(2) No. 2 TDDDG)Firebase Auth token, language setting, cookie consent setting
Analytics / StatisticsYesFirebase Analytics, Google Analytics 4

(4) The website functions fully without consent to analytics cookies. In that case, only technically necessary cookies and browser storage mechanisms are used.

(5) The user's consent is stored for 12 months. After this period, the user will be asked for consent again.

§ 7 — Contact Form and Email Contact

(1) The website provides a contact form. When using the contact form, the following data is collected:

  • Name
  • Email address
  • Subject (optional)
  • Message text

(2) The contact form data is processed via Google Firebase (Cloud Functions) and forwarded to the controller by email.

(3) The data is used exclusively for processing the contact enquiry.

(4) Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures), insofar as the enquiry is directed at the conclusion of a contract; otherwise Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries).

(5) The data is deleted after the enquiry has been fully processed, unless statutory retention obligations apply or a contractual relationship is established.

(6) Alternatively, you may contact the controller by email at the address stated in § 1. In this case, the personal data transmitted with the email will be stored.

§ 7a — Audio and Video Conferencing (Google Meet)

(1) For conducting customer meetings, the provider uses Google Meet (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).

(2) The use of Google Meet is based on an individual arrangement with the customer (e.g. via email, WhatsApp, or phone). No video conferences are initiated without prior arrangement.

(3) When using Google Meet, the following data is processed:

  • Name and email address (invitation)
  • IP address
  • Audio and video data (during the conference)
  • Chat messages (if used)
  • Date, time, and duration of the conference

(4) Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures).

(5) No recordings of video conferences are made unless expressly agreed.

(6) A data processing agreement pursuant to Art. 28 GDPR exists with Google Ireland Limited. Privacy information from Google: https://policies.google.com/privacy

(7) Third-country transfer: See § 14 of this privacy policy.

§ 7b — Appointment Scheduling (Cal.com)

(1) For online appointment scheduling, the provider uses Cal.com (Cal.com, Inc., San Francisco, USA), a scheduling service.

(2) When booking an appointment, the following data is collected:

  • Name
  • Email address
  • Preferred appointment time
  • Optional message

(3) The data is used exclusively for arranging and conducting the appointment. After the appointment has taken place, the data is deleted unless a contractual relationship is established.

(4) Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures).

(5) Third-country transfer: Cal.com, Inc. is based in the USA. The data transfer is secured by the EU-U.S. Data Privacy Framework (adequacy decision). Privacy information from Cal.com: https://cal.com/privacy

§ 8 — Newsletter

(1) The controller offers a newsletter through which interested parties and customers are informed about news regarding the Service, tips for wedding planning, and product updates.

(2) The following data is collected for newsletter registration:

  • Email address (required)
  • Name (optional)

(3) Double opt-in: Newsletter registration uses a double opt-in process. After entering the email address, the user receives a confirmation email with an activation link. The email address is only added to the mailing list after clicking this link.

(4) Legal basis: Art. 6(1)(a) GDPR (consent).

(5) Newsletter service provider: The newsletter is sent via Brevo (Sendinblue) (Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany). A data processing agreement pursuant to Art. 28 GDPR exists with Brevo. Data processing takes place on servers in the EU (Germany/France).

(6) Newsletter tracking: The newsletter service provider may collect statistical data on newsletter usage (open rate, click rate). This data is analysed in anonymised/pseudonymised form and is used exclusively to optimise the newsletter. This tracking only takes place with your consent (Art. 6(1)(a) GDPR).

(7) Unsubscription: You may unsubscribe from the newsletter at any time. An unsubscribe link is included in every newsletter email. Unsubscription is also possible by email to the address stated in § 1. After unsubscription, your email address will be removed from the mailing list, unless statutory retention obligations apply.

§ 8a — Product Updates and Service Announcements

We may occasionally send you emails about new features, product updates, and service changes. These emails are sent on the basis of our legitimate interest in keeping you informed about the service you use (Art. 6(1)(f) GDPR). You can opt out at any time — there's an unsubscribe link at the bottom of every such email.

PART B — SaaS APPLICATION (for Logged-in Customers)

§ 9 — Data Categories in Detail

(1) The following personal data is processed in the course of the Service:

9.1 Account Data

DataPurposeLegal Basis
Email addressAuthentication, communicationArt. 6(1)(b) GDPR
Password (hashed by Firebase Auth)AuthenticationArt. 6(1)(b) GDPR
First and last nameIdentification of the contact personArt. 6(1)(b) GDPR
Company nameB2B verification, invoicingArt. 6(1)(b) and (c) GDPR
Business addressInvoicing, contract administrationArt. 6(1)(b) and (c) GDPR
Phone number (optional)Contact for enquiriesArt. 6(1)(f) GDPR
Display name / job titleDisplay within the ServiceArt. 6(1)(b) GDPR
Unique user ID (UID)Technical identificationArt. 6(1)(b) GDPR
User role (super-admin, admin, couple)Access controlArt. 6(1)(b) GDPR
Agency affiliationOrganisational assignmentArt. 6(1)(b) GDPR

9.1a Social Login (Google Sign-In)

(1) As an alternative to registration with email and password, the Service offers the option to sign in via Google Sign-In (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).

(2) When using Google Sign-In, the following data is transmitted from Google to the Service:

  • Name (first and last name)
  • Email address
  • Profile picture (if available)
  • Unique Google user ID

(3) This data is used exclusively for creating and authenticating the user account. When using Google Sign-In, no password is stored by the provider — authentication is handled entirely by Google.

(4) Legal basis: Art. 6(1)(b) GDPR (performance of a contract). The use of Google Sign-In is voluntary; alternatively, registration via email and password is available.

(5) A data processing agreement pursuant to Art. 28 GDPR exists with Google Ireland Limited. Privacy information from Google: https://policies.google.com/privacy

(6) Third-country transfer: See § 14 of this privacy policy.

9.2 Planner / Business Data

DataPurposeLegal Basis
Business name, slug, descriptionProfile and identificationArt. 6(1)(b) GDPR
Owner email addressAccount managementArt. 6(1)(b) GDPR
Logo, cover image, gallery URLsBusiness presentationArt. 6(1)(b) GDPR
Invited team member email addresses and namesTeam invitation and access managementArt. 6(1)(b) GDPR

9.3 Wedding Data

DataPurposeLegal Basis
Couple's nameProject assignmentArt. 6(1)(b) GDPR
Wedding dateSchedulingArt. 6(1)(b) GDPR
Total budgetBudget planningArt. 6(1)(b) GDPR
Public slugRSVP form URLArt. 6(1)(b) GDPR
Couple email addressCouple invitation and portal accessArt. 6(1)(b) GDPR

9.4 Guest Data

DataPurposeLegal Basis
Full nameIdentificationArt. 6(1)(b) GDPR
RSVP status, priority, invitation statusGuest managementArt. 6(1)(b) GDPR
Dietary preferences (free text)Menu planning — may contain Art. 9 data (see § 11)Art. 6(1)(b) in conjunction with Art. 9(2)(a) GDPR
Table assignment, seating positionSeating arrangementArt. 6(1)(b) GDPR
Custom form responsesIndividual queriesArt. 6(1)(b) GDPR

9.5 Vendor Data

DataPurposeLegal Basis
Name, categories, description, locationIdentification and classificationArt. 6(1)(b) GDPR
Image URLs, portfolio URL, Instagram URLReferencesArt. 6(1)(b) GDPR
Price range, pricing packages, ratingCalculation and comparisonArt. 6(1)(b) GDPR
Project-related: status, price, payments, commentsProject-related managementArt. 6(1)(b) GDPR

9.6 Budget, Tasks, Calendar, Seating Plan, and Document Data

Budget and financial data, tasks and timelines, calendar events, seating plan and table data, as well as uploaded documents (PDFs, images, spreadsheets) are processed for the provision of the Service. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

9.7 CRM, Contacts, and Lead Data

(1) The Service includes a CRM module for managing business contacts and tracking sales leads. The following personal data may be processed:

DataPurposeLegal Basis
Name, phone number, email address, social media accountContact and lead managementArt. 6(1)(b) GDPR
Desired wedding date, locationPre-contractual assessmentArt. 6(1)(b) GDPR
Lead status (new, contacted, won, lost)Sales pipeline trackingArt. 6(1)(f) GDPR
Notes, documentsInternal organisationArt. 6(1)(f) GDPR

§ 9a — Payment Processing (Stripe)

(1) Payment processing for the Service is handled by Stripe Payments Europe, Limited (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland; hereinafter "Stripe"). Available payment methods are those supported by Stripe at the time of checkout (e.g. credit card, SEPA direct debit, digital wallets). The current payment methods are displayed during the checkout process.

(2) When concluding a paid subscription, the following data is transmitted to Stripe:

DataPurposeLegal Basis
Cardholder namePayment processingArt. 6(1)(b) GDPR
Email addressPayment confirmations, invoicesArt. 6(1)(b) GDPR
Payment method information (as supported by Stripe)Payment processingArt. 6(1)(b) GDPR
IP addressFraud preventionArt. 6(1)(f) GDPR
Billing addressInvoicing, tax obligationsArt. 6(1)(b) and (c) GDPR

(3) Credit card and payment method data are stored and processed exclusively by Stripe. The controller never has access to complete credit card numbers or bank details. Stripe is certified as a PCI-DSS Level 1 Service Provider.

(4) Only the following data is stored in the controller's Firestore:

  • Stripe customer ID (anonymised reference)
  • Subscription status (active, cancelled, expired)
  • Plan and billing period
  • Payment status of the last invoice

(5) Legal basis: Art. 6(1)(b) GDPR (performance of a contract) for payment processing; Art. 6(1)(c) GDPR (legal obligation) for the retention of tax-relevant billing data.

(6) Data processing agreement: A data processing agreement pursuant to Art. 28 GDPR (Stripe DPA) exists with Stripe Payments Europe, Limited. Stripe's privacy policy: https://stripe.com/privacy

(7) Third-country transfer: Stripe Payments Europe, Limited is based in Ireland (EU). Data processing primarily takes place in the EU. Insofar as data is transferred to Stripe, Inc. (USA), this is secured by the EU-U.S. Data Privacy Framework and additionally by SCCs (see § 14).

§ 10 — AI-Supported Data Processing (Google Gemini)

(1) The Service uses the Google Gemini API to provide AI-supported features:

AI FeatureData TransmittedPurpose
Vendor bulk importBase64-encoded files (PDFs, images)Extraction of vendor data
Guest list bulk importBase64-encoded files (PDFs, images)Extraction of guest data
AI image generationVendor name and categoryPreview images for vendor profiles
RSVP translationRSVP form contentTranslation (German/English/Russian)

(2) Processing conditions at Google:

  • The Service uses the Google Gemini API exclusively in the paid tier. The data transmitted is not used by Google for training AI models.
  • Google stores the data for a maximum of 55 days for abuse monitoring purposes. The data is then automatically deleted.
  • Processing takes place on servers of Google LLC in the USA. Third-country transfer: see § 14.

(3) AI labelling (Art. 50 Regulation (EU) 2024/1689 — EU AI Act): AI-generated content is labelled as such within the Service. Machine-readable metadata is used for AI-generated images.

(4) Automated decision-making (Art. 22 GDPR): No automated decision-making within the meaning of Art. 22(1) GDPR takes place. AI-generated content consists exclusively of suggestions without legal or similarly significant effects on data subjects.

(5) AI outputs may be inaccurate and do not constitute legal, tax, or professional advice. The customer is obliged to independently verify AI results.

(6) A data processing agreement exists with Google LLC (Google Cloud DPA + Generative AI DPA). Current DPA: https://cloud.google.com/terms/data-processing-addendum

§ 11 — Special Categories of Personal Data (Art. 9 GDPR)

(1) In the context of wedding planning, the following sensitive data may be involved:

Special Data CategoryContextExamples
Religious or philosophical beliefsWedding ceremonyChurch, Muslim, Jewish, secular ceremony
Health dataMenu planning and accessibilityAllergies, intolerances, wheelchair accessibility

(2) Legal basis: Exclusively explicit consent pursuant to Art. 9(2)(a) GDPR.

(3) The customer (wedding planner) is responsible, as controller, for obtaining explicit consent before entering sensitive data (see DPA § 14 and Acceptable Use Policy Section 4).

(4) Protective measures:

  • Access restricted to the respective wedding project
  • Data minimisation (only planning-relevant information, no detailed medical diagnoses)
  • No profiling, no marketing
  • AES-256 encryption at rest, TLS in transit

(5) Strictly prohibited data: Credit card numbers, bank details, identity documents, biometric or genetic data, data relating to criminal convictions (see Acceptable Use Policy Section 3.1(c) and Section 4.6).

§ 12 — Processors and Third-Party Providers

(1) The following processors are used to provide the Service and the website:

Service Processors

ServicePurposeProviderLocationSafeguards
Firebase AuthenticationUser authenticationGoogle Ireland Ltd / Google LLCIreland / USASCCs + EU-U.S. DPF
Cloud FirestoreCloud databaseGoogle Ireland Ltd / Google LLCIreland / USASCCs + EU-U.S. DPF
Cloud Storage (Firebase)File storageGoogle Ireland Ltd / Google LLCIreland / USASCCs + EU-U.S. DPF
Firebase HostingWeb hostingGoogle Ireland Ltd / Google LLCIreland / USASCCs + EU-U.S. DPF
Cloud Functions (Firebase)Server-side logic, contact formGoogle Ireland Ltd / Google LLCIreland / USASCCs + EU-U.S. DPF
Google Gemini APIAI featuresGoogle LLCUSASCCs + EU-U.S. DPF + Generative AI DPA
StripePayment processingStripe Payments Europe, Ltd. / Stripe, Inc.Ireland / USASCCs + EU-U.S. DPF + Stripe DPA

Website Processors

ServicePurposeProviderLocationSafeguards
Firebase AnalyticsWebsite analyticsGoogle Ireland Ltd / Google LLCIreland / USASCCs + EU-U.S. DPF
Google Analytics 4Website analyticsGoogle Ireland Ltd / Google LLCIreland / USASCCs + EU-U.S. DPF
Brevo (Sendinblue)Newsletter dispatchSendinblue GmbHBerlin, Germany (EU)Brevo DPA
Cal.comAppointment schedulingCal.com, Inc.San Francisco, USAEU-U.S. DPF
Google MeetVideo conferencingGoogle Ireland Ltd / Google LLCIreland / USASCCs + EU-U.S. DPF

(2) Data processing agreements pursuant to Art. 28 GDPR exist with all processors.

(3) The contractual assignment of sub-processors is documented in Annex 1 of the DPA.

§ 13 — Origin of Data

(1) Pursuant to Art. 14(2)(f) GDPR, we provide the following information about the origin of personal data that is not collected directly from the data subject:

Data SubjectsData Source
Wedding guestsInput by the customer (wedding planner) or by the guest themselves via the RSVP form
VendorsInput by the customer (wedding planner)
AI-extracted dataUploaded documents (PDFs, images, Excel files)

§ 14 — Data Transfers to Third Countries

(1) In the course of using the Google services and other services listed in § 12, personal data is transferred to the United States of America (USA).

(2) The data transfer is secured by the following safeguards:

(a) EU-U.S. Data Privacy Framework (Art. 45 GDPR): Google LLC, Stripe, Inc., and Cal.com, Inc. are certified under the DPF. Adequacy decision of the European Commission of 10 July 2023 (C(2023) 4745).

(b) Standard Contractual Clauses (Art. 46(2)(c) GDPR): Additionally, SCCs are in place as a supplementary safeguard in the event that the adequacy decision is revoked.

(3) Firebase services: Primary data processing in the europe-west (EU) region. Processing in the USA is possible in the context of maintenance, support, and infrastructure redundancy.

(4) Brevo (Sendinblue GmbH): Based in Berlin, Germany (EU). No third-country transfer.

(5) Should the adequacy decision be revoked, the transfer will rely on SCCs, supplemented by a Transfer Impact Assessment (TIA). As a last resort, processing will be relocated to the EU or discontinued.

PART C — GENERAL PROVISIONS

§ 15 — Cookies and Browser Storage

(1) The website and the Service use the following cookies and browser storage mechanisms. In addition to HTTP cookies, the Service uses Local Storage and IndexedDB. The same rules applicable to cookies also apply to these storage mechanisms (§ 25 TDDDG).

Technically Necessary (Without Consent)

Storage MechanismPurposeStorage DurationLegal Basis
Firebase Auth Token (IndexedDB)Authentication and sessionID Token: 1 hour (auto-refresh), Refresh Token: until logout§ 25(2) No. 2 TDDDG; Art. 6(1)(b) GDPR
IndexedDB (Firestore Offline Persistence)Local caching for offline functionalityUntil logout§ 25(2) No. 2 TDDDG; Art. 6(1)(b) GDPR
localStorage (language setting)Language selectionUntil manual deletion§ 25(2) No. 2 TDDDG; Art. 6(1)(b) GDPR
Cookie consent settingStorage of cookie preference12 months§ 25(2) No. 2 TDDDG; Art. 6(1)(c) GDPR

Analytics Cookies (Only With Consent)

Storage MechanismPurposeStorage DurationLegal Basis
Firebase Analytics cookiesWebsite analyticsUp to 2 years§ 25(1) TDDDG; Art. 6(1)(a) GDPR
Google Analytics cookies (_ga, _ga_*)Website analyticsUp to 2 years§ 25(1) TDDDG; Art. 6(1)(a) GDPR

(2) Without consent, only technically necessary cookies and storage mechanisms are used. The website is fully functional without analytics cookies.

§ 16 — Public RSVP Form

(1) The Service provides a public RSVP form that is accessible without registration.

(2) Data collected: Name, RSVP status, dietary restrictions/allergies, menu selection, custom responses, timestamp.

(3) The customer is the controller for RSVP data. The operator of this Service is the processor (Art. 28 GDPR).

(4) The customer is required to inform guests prior to their use of the RSVP form in accordance with Art. 13 GDPR and to obtain explicit consent pursuant to Art. 9(2)(a) GDPR for health data (allergies).

(5) Upon submission, an email notification is sent to the couple's email address. No marketing emails, newsletters, or promotional emails are sent.

§ 17 — Data Security

(1) The following measures are implemented:

MeasureDescription
Transport encryptionHTTPS/TLS (minimum TLS 1.2)
Encryption at restAES-256 (Google Default Encryption)
Password hashingFirebase Auth, industry-standard algorithms
Role-based access controlsuper-admin, admin, couple
Firebase Security RulesDocument-based access rules at the database level
Tenant separationagency_id and wedding_id
API securityHTTPS/TLS for all third-party communication

(2) The detailed TOMs (Technical and Organisational Measures) are documented in Annex 2 of the DPA.

§ 18 — Data Retention and Deletion

(1) Personal data is only stored for as long as is necessary for the respective purpose or as required by law.

Data CategoryRetention PeriodNotes
Account dataUntil account deletion + 30 daysSubject to statutory obligations
Wedding/guest/vendor dataUntil deletion by customer or end of contract + 30 days export periodSelf-service deletion available in the Service
Billing data10 years§ 147 AO, § 257 HGB
AI-processed data (Gemini)Max. 55 daysAutomatic deletion by Google
Backup dataMax. 90 days after end of contractAutomatic overwriting
Newsletter dataUntil unsubscriptionDeletion after withdrawal
Contact form dataAfter completion of processingUnless a contractual relationship is established
Server log files30 daysAutomatic deletion
CRM and lead dataUntil deletion by customer or end of contract + 30 days export periodSelf-service deletion available in the Service
Analytics data14 monthsConfigured in Firebase/Google Analytics
Payment data (at Stripe)In accordance with Stripe's policies and statutory retention periodsCredit card data stored exclusively at Stripe; transaction references in the Service: 10 years (§ 147 AO)
Appointment scheduling data (Cal.com)After the appointment has taken placeUnless a contractual relationship is established
Video conferencing data (Google Meet)No storage after conference endNo recordings (§ 7a(5)); metadata in accordance with Google's policies

(2) After termination of the contract: 30-day export period (CSV, JSON), followed by 30-day deletion period (GTC § 7).

(3) Additionally, the requirements of the EU Data Act (Regulation (EU) 2023/2854, Art. 23-25) apply. The provider makes customer data available in the machine-readable formats CSV and JSON.

§ 19 — Data Export and Portability

(1) Integrated export features: PDF export (budget, seating plan), Excel export (guest lists, budget).

(2) After termination of the contract: 30-day full export in machine-readable formats (CSV, JSON) pursuant to GTC § 7.

(3) The right to data portability pursuant to Art. 20 GDPR remains unaffected.

§ 20 — Data Subject Rights

(1) Data subjects have the following rights:

RightGDPR Article
Right of accessArt. 15 GDPR
Right to rectificationArt. 16 GDPR
Right to erasureArt. 17 GDPR
Right to restriction of processingArt. 18 GDPR
Right to data portabilityArt. 20 GDPR
Right to objectArt. 21 GDPR
Right to withdraw consentArt. 7(3) GDPR
Right to lodge a complaint with a supervisory authorityArt. 77 GDPR

(2) Contact: info@weddingcompass.app

(3) Response period: Within one month (Art. 12(3) GDPR). An extension of two months is possible for complex requests.

(4) Generally free of charge (Art. 12(5) GDPR).

(5) Special provision for guest/RSVP data: The customer is the controller for guest and RSVP data. Requests will be forwarded to the responsible customer.

§ 21 — Changes to This Privacy Policy

(1) The controller reserves the right to amend this privacy policy. Material changes will be communicated to customers by email or by notice within the Service.

(2) Current version: https://weddingcompass.app/privacy-policy

§ 22 — Competent Supervisory Authority

(1) The supervisory authority responsible for the controller is:

Saxon Data Protection and Transparency Commissioner (SDTB)
Devrientstraße 1
01067 Dresden
https://www.datenschutz.sachsen.de

(2) Data subjects have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), in particular in the Member State of their habitual residence, their place of work, or the place of the alleged infringement.

Reference to Further Contractual Documents

This privacy policy is related to:

  • General Terms and Conditions (GTC) — in particular § 7 (data export), § 9 (data protection)
  • Data Processing Agreement (DPA) pursuant to Art. 28 GDPR — including annexes (sub-processors, TOMs)
  • Acceptable Use Policy — in particular Section 4 (Art. 9 GDPR), Section 5 (AI usage)