Privacy Policy
Wedding Planner Compass — Version 1.0 — Date: 15.03.2026
§ 1 — Controller
(1) The controller within the meaning of the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter "GDPR") is:
Ekaterina Kroh
OnPoint Weddings
Kochstraße 23
04275 Leipzig
Germany
Email: info@weddingcompass.app
Phone: +49 177 650 2710
Website: https://weddingcompass.app/
(2) The controller operates the internet-based service "Wedding Planner Compass" (hereinafter "Service") as a sole proprietor (Einzelunternehmer).
(3) The appointment of a data protection officer is not required pursuant to § 38(1) BDSG (German Federal Data Protection Act), as the controller does not regularly employ twenty or more persons engaged in the automated processing of personal data. Data subjects may contact the controller at any time using the email address provided above.
§ 2 — Overview of Data Processing
(1) The Service is a B2B SaaS platform (Software-as-a-Service) for professional wedding planning. It is designed for wedding planning agencies, freelance wedding planners, and comparable service providers (hereinafter collectively referred to as "Customers"). The Service is also available to international customers.
(2) The Service is in an early market phase. The controller continuously develops the Service and associated data protection processes to ensure the highest standards.
(3) This privacy policy applies to both the public website (landing page, contact form, blog) and the SaaS application itself.
(4) The following categories of data subjects are affected by data processing in the course of operations:
| Category of Data Subject | Description |
|---|---|
| Website visitors | Persons visiting the public website |
| Customers (controllers) | Wedding planning agencies, freelance wedding planners |
| Employees and representatives of customers | Persons authorised by the customer to use the Service |
| Couples | Clients of the customers; invited by the customer (wedding planner) and granted limited access to selected modules of the Service (e.g. guest list, budget, timeline) |
| Wedding guests | Guests of the respective wedding celebration |
| Vendors | External wedding service providers |
| Newsletter subscribers | Persons who have subscribed to the newsletter |
(5) The controller processes personal data both in its own capacity as controller (with respect to customer data, website visitors, and technical operations) and as a processor within the meaning of Art. 28 GDPR (with respect to data entered by the customer in the course of using the Service). The processing relationship is governed by a separate Data Processing Agreement (DPA).
(6) The provision of account data (email address, password, first and last name, company name, business address) is required for the conclusion of the contract and the use of the Service. Without this data, the contract cannot be concluded. The provision of a phone number is voluntary. The provision of further data (e.g. optional guest data, budget data) is also voluntary.
§ 3 — Legal Bases for Processing
(1) The processing of personal data is based on the following legal bases:
| Legal Basis | Scope of Application |
|---|---|
| Art. 6(1)(b) GDPR — Performance of a contract | Customer data for the provision of the Service; wedding, guest, vendor, budget, task, and seating plan data |
| Art. 6(1)(f) GDPR — Legitimate interests | Troubleshooting and technical improvement; IT security; anonymised statistics; abuse prevention |
| Art. 6(1)(a) GDPR — Consent | Special categories of personal data (Art. 9 GDPR); website analytics (Firebase Analytics, Google Analytics 4); newsletter dispatch |
| Art. 6(1)(c) GDPR — Legal obligation | Retention of billing data (§ 147 AO, § 257 HGB) |
| Art. 9(2)(a) GDPR — Explicit consent | Sensitive data in the context of wedding planning (see § 11) |
(2) Where the controller relies on legitimate interests as the legal basis for processing, a balancing test against the interests of the data subjects has been carried out. The legitimate interests include, in particular: ensuring IT security, preventing abuse, optimising the Service, and asserting and defending legal claims.
(3) Consent may be withdrawn at any time with effect for the future (Art. 7(3) GDPR).
PART A — WEBSITE (Landing Page and Public Pages)
§ 4 — Website Hosting and Server Log Files
(1) The website is hosted by Google Firebase Hosting (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).
(2) Each time the website is accessed, the following data is automatically recorded in server log files:
- IP address of the requesting device
- Date and time of access
- Name and URL of the requested page
- Volume of data transferred
- HTTP status code
- Browser type and version
- Operating system
- Referrer URL (previously visited page)
(3) This data is processed exclusively to ensure the smooth operation of the website, to detect and defend against attacks, and for technical error analysis. It is not merged with other data sources or used for marketing purposes.
(4) Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the operational security and integrity of the website).
(5) Server log files are automatically deleted after 30 days.
§ 5 — Website Analytics
5.1 Firebase Analytics
(1) This website uses Firebase Analytics (Google Ireland Limited), a web analytics service integrated into the Firebase platform.
(2) Firebase Analytics collects the following data:
- Page views and time spent on page
- Device type, screen resolution, operating system, browser
- Approximate location (based on anonymised data)
- Interactions (clicks, scroll depth)
- Language settings
(3) Legal basis: Art. 6(1)(a) GDPR (consent). Firebase Analytics is only activated if the user has given consent via the cookie consent banner.
5.2 Google Analytics 4
(1) In addition, the website uses Google Analytics 4 (Google Ireland Limited). Google Analytics 4 does not store complete IP addresses. IP addresses are only used briefly for geolocation and then discarded.
(2) Legal basis: Art. 6(1)(a) GDPR (consent). Google Analytics 4 is only activated if the user has given consent via the cookie consent banner. Without consent, no analytics cookies are set and no data is transmitted to Google.
(3) Objection/Withdrawal: You may withdraw your consent at any time via the cookie consent banner (accessible via the "Cookie Settings" link in the footer). Alternatively, you can prevent the storage of cookies through appropriate browser settings or use the browser add-on to disable Google Analytics: https://tools.google.com/dlpage/gaoptout
(4) Data processing agreement: A data processing agreement pursuant to Art. 28 GDPR exists with Google Ireland Limited. Further information on data protection at Google: https://policies.google.com/privacy
(5) Third-country transfer: See § 14 of this privacy policy.
§ 6 — Cookie Consent Banner
(1) When visiting the website for the first time, a cookie consent banner is displayed, through which the user can grant or refuse consent to the use of non-essential cookies and technologies (§ 25(1) TDDDG).
(1a) The consent decision is stored in the browser's local storage (technically necessary). A record of the consent is also stored in the provider's database (Firebase Firestore) for documentation purposes pursuant to Art. 7(1) GDPR. Legal basis: § 25(2) No. 2 TDDDG (technically necessary) and Art. 6(1)(f) GDPR (legitimate interest in documenting consent).
(2) The cookie consent banner offers equivalent options to accept and reject non-essential cookies. Withdrawal is possible at any time via the "Cookie Settings" link in the footer and is just as easy as granting consent.
(3) The following cookie categories are distinguished:
| Category | Consent Required | Examples |
|---|---|---|
| Technically necessary | No (§ 25(2) No. 2 TDDDG) | Firebase Auth token, language setting, cookie consent setting |
| Analytics / Statistics | Yes | Firebase Analytics, Google Analytics 4 |
(4) The website functions fully without consent to analytics cookies. In that case, only technically necessary cookies and browser storage mechanisms are used.
(5) The user's consent is stored for 12 months. After this period, the user will be asked for consent again.
§ 7 — Contact Form and Email Contact
(1) The website provides a contact form. When using the contact form, the following data is collected:
- Name
- Email address
- Subject (optional)
- Message text
(2) The contact form data is processed via Google Firebase (Cloud Functions) and forwarded to the controller by email.
(3) The data is used exclusively for processing the contact enquiry.
(4) Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures), insofar as the enquiry is directed at the conclusion of a contract; otherwise Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries).
(5) The data is deleted after the enquiry has been fully processed, unless statutory retention obligations apply or a contractual relationship is established.
(6) Alternatively, you may contact the controller by email at the address stated in § 1. In this case, the personal data transmitted with the email will be stored.
§ 7a — Audio and Video Conferencing (Google Meet)
(1) For conducting customer meetings, the provider uses Google Meet (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).
(2) The use of Google Meet is based on an individual arrangement with the customer (e.g. via email, WhatsApp, or phone). No video conferences are initiated without prior arrangement.
(3) When using Google Meet, the following data is processed:
- Name and email address (invitation)
- IP address
- Audio and video data (during the conference)
- Chat messages (if used)
- Date, time, and duration of the conference
(4) Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures).
(5) No recordings of video conferences are made unless expressly agreed.
(6) A data processing agreement pursuant to Art. 28 GDPR exists with Google Ireland Limited. Privacy information from Google: https://policies.google.com/privacy
(7) Third-country transfer: See § 14 of this privacy policy.
§ 7b — Appointment Scheduling (Cal.com)
(1) For online appointment scheduling, the provider uses Cal.com (Cal.com, Inc., San Francisco, USA), a scheduling service.
(2) When booking an appointment, the following data is collected:
- Name
- Email address
- Preferred appointment time
- Optional message
(3) The data is used exclusively for arranging and conducting the appointment. After the appointment has taken place, the data is deleted unless a contractual relationship is established.
(4) Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures).
(5) Third-country transfer: Cal.com, Inc. is based in the USA. The data transfer is secured by the EU-U.S. Data Privacy Framework (adequacy decision). Privacy information from Cal.com: https://cal.com/privacy
§ 8 — Newsletter
(1) The controller offers a newsletter through which interested parties and customers are informed about news regarding the Service, tips for wedding planning, and product updates.
(2) The following data is collected for newsletter registration:
- Email address (required)
- Name (optional)
(3) Double opt-in: Newsletter registration uses a double opt-in process. After entering the email address, the user receives a confirmation email with an activation link. The email address is only added to the mailing list after clicking this link.
(4) Legal basis: Art. 6(1)(a) GDPR (consent).
(5) Newsletter service provider: The newsletter is sent via Brevo (Sendinblue) (Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany). A data processing agreement pursuant to Art. 28 GDPR exists with Brevo. Data processing takes place on servers in the EU (Germany/France).
(6) Newsletter tracking: The newsletter service provider may collect statistical data on newsletter usage (open rate, click rate). This data is analysed in anonymised/pseudonymised form and is used exclusively to optimise the newsletter. This tracking only takes place with your consent (Art. 6(1)(a) GDPR).
(7) Unsubscription: You may unsubscribe from the newsletter at any time. An unsubscribe link is included in every newsletter email. Unsubscription is also possible by email to the address stated in § 1. After unsubscription, your email address will be removed from the mailing list, unless statutory retention obligations apply.
§ 8a — Product Updates and Service Announcements
We may occasionally send you emails about new features, product updates, and service changes. These emails are sent on the basis of our legitimate interest in keeping you informed about the service you use (Art. 6(1)(f) GDPR). You can opt out at any time — there's an unsubscribe link at the bottom of every such email.
PART B — SaaS APPLICATION (for Logged-in Customers)
§ 9 — Data Categories in Detail
(1) The following personal data is processed in the course of the Service:
9.1 Account Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Authentication, communication | Art. 6(1)(b) GDPR |
| Password (hashed by Firebase Auth) | Authentication | Art. 6(1)(b) GDPR |
| First and last name | Identification of the contact person | Art. 6(1)(b) GDPR |
| Company name | B2B verification, invoicing | Art. 6(1)(b) and (c) GDPR |
| Business address | Invoicing, contract administration | Art. 6(1)(b) and (c) GDPR |
| Phone number (optional) | Contact for enquiries | Art. 6(1)(f) GDPR |
| Display name / job title | Display within the Service | Art. 6(1)(b) GDPR |
| Unique user ID (UID) | Technical identification | Art. 6(1)(b) GDPR |
| User role (super-admin, admin, couple) | Access control | Art. 6(1)(b) GDPR |
| Agency affiliation | Organisational assignment | Art. 6(1)(b) GDPR |
9.1a Social Login (Google Sign-In)
(1) As an alternative to registration with email and password, the Service offers the option to sign in via Google Sign-In (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).
(2) When using Google Sign-In, the following data is transmitted from Google to the Service:
- Name (first and last name)
- Email address
- Profile picture (if available)
- Unique Google user ID
(3) This data is used exclusively for creating and authenticating the user account. When using Google Sign-In, no password is stored by the provider — authentication is handled entirely by Google.
(4) Legal basis: Art. 6(1)(b) GDPR (performance of a contract). The use of Google Sign-In is voluntary; alternatively, registration via email and password is available.
(5) A data processing agreement pursuant to Art. 28 GDPR exists with Google Ireland Limited. Privacy information from Google: https://policies.google.com/privacy
(6) Third-country transfer: See § 14 of this privacy policy.
9.2 Planner / Business Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Business name, slug, description | Profile and identification | Art. 6(1)(b) GDPR |
| Owner email address | Account management | Art. 6(1)(b) GDPR |
| Logo, cover image, gallery URLs | Business presentation | Art. 6(1)(b) GDPR |
| Invited team member email addresses and names | Team invitation and access management | Art. 6(1)(b) GDPR |
9.3 Wedding Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Couple's name | Project assignment | Art. 6(1)(b) GDPR |
| Wedding date | Scheduling | Art. 6(1)(b) GDPR |
| Total budget | Budget planning | Art. 6(1)(b) GDPR |
| Public slug | RSVP form URL | Art. 6(1)(b) GDPR |
| Couple email address | Couple invitation and portal access | Art. 6(1)(b) GDPR |
9.4 Guest Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Full name | Identification | Art. 6(1)(b) GDPR |
| RSVP status, priority, invitation status | Guest management | Art. 6(1)(b) GDPR |
| Dietary preferences (free text) | Menu planning — may contain Art. 9 data (see § 11) | Art. 6(1)(b) in conjunction with Art. 9(2)(a) GDPR |
| Table assignment, seating position | Seating arrangement | Art. 6(1)(b) GDPR |
| Custom form responses | Individual queries | Art. 6(1)(b) GDPR |
9.5 Vendor Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Name, categories, description, location | Identification and classification | Art. 6(1)(b) GDPR |
| Image URLs, portfolio URL, Instagram URL | References | Art. 6(1)(b) GDPR |
| Price range, pricing packages, rating | Calculation and comparison | Art. 6(1)(b) GDPR |
| Project-related: status, price, payments, comments | Project-related management | Art. 6(1)(b) GDPR |
9.6 Budget, Tasks, Calendar, Seating Plan, and Document Data
Budget and financial data, tasks and timelines, calendar events, seating plan and table data, as well as uploaded documents (PDFs, images, spreadsheets) are processed for the provision of the Service. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
9.7 CRM, Contacts, and Lead Data
(1) The Service includes a CRM module for managing business contacts and tracking sales leads. The following personal data may be processed:
| Data | Purpose | Legal Basis |
|---|---|---|
| Name, phone number, email address, social media account | Contact and lead management | Art. 6(1)(b) GDPR |
| Desired wedding date, location | Pre-contractual assessment | Art. 6(1)(b) GDPR |
| Lead status (new, contacted, won, lost) | Sales pipeline tracking | Art. 6(1)(f) GDPR |
| Notes, documents | Internal organisation | Art. 6(1)(f) GDPR |
§ 9a — Payment Processing (Stripe)
(1) Payment processing for the Service is handled by Stripe Payments Europe, Limited (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland; hereinafter "Stripe"). Available payment methods are those supported by Stripe at the time of checkout (e.g. credit card, SEPA direct debit, digital wallets). The current payment methods are displayed during the checkout process.
(2) When concluding a paid subscription, the following data is transmitted to Stripe:
| Data | Purpose | Legal Basis |
|---|---|---|
| Cardholder name | Payment processing | Art. 6(1)(b) GDPR |
| Email address | Payment confirmations, invoices | Art. 6(1)(b) GDPR |
| Payment method information (as supported by Stripe) | Payment processing | Art. 6(1)(b) GDPR |
| IP address | Fraud prevention | Art. 6(1)(f) GDPR |
| Billing address | Invoicing, tax obligations | Art. 6(1)(b) and (c) GDPR |
(3) Credit card and payment method data are stored and processed exclusively by Stripe. The controller never has access to complete credit card numbers or bank details. Stripe is certified as a PCI-DSS Level 1 Service Provider.
(4) Only the following data is stored in the controller's Firestore:
- Stripe customer ID (anonymised reference)
- Subscription status (active, cancelled, expired)
- Plan and billing period
- Payment status of the last invoice
(5) Legal basis: Art. 6(1)(b) GDPR (performance of a contract) for payment processing; Art. 6(1)(c) GDPR (legal obligation) for the retention of tax-relevant billing data.
(6) Data processing agreement: A data processing agreement pursuant to Art. 28 GDPR (Stripe DPA) exists with Stripe Payments Europe, Limited. Stripe's privacy policy: https://stripe.com/privacy
(7) Third-country transfer: Stripe Payments Europe, Limited is based in Ireland (EU). Data processing primarily takes place in the EU. Insofar as data is transferred to Stripe, Inc. (USA), this is secured by the EU-U.S. Data Privacy Framework and additionally by SCCs (see § 14).
§ 10 — AI-Supported Data Processing (Google Gemini)
(1) The Service uses the Google Gemini API to provide AI-supported features:
| AI Feature | Data Transmitted | Purpose |
|---|---|---|
| Vendor bulk import | Base64-encoded files (PDFs, images) | Extraction of vendor data |
| Guest list bulk import | Base64-encoded files (PDFs, images) | Extraction of guest data |
| AI image generation | Vendor name and category | Preview images for vendor profiles |
| RSVP translation | RSVP form content | Translation (German/English/Russian) |
(2) Processing conditions at Google:
- The Service uses the Google Gemini API exclusively in the paid tier. The data transmitted is not used by Google for training AI models.
- Google stores the data for a maximum of 55 days for abuse monitoring purposes. The data is then automatically deleted.
- Processing takes place on servers of Google LLC in the USA. Third-country transfer: see § 14.
(3) AI labelling (Art. 50 Regulation (EU) 2024/1689 — EU AI Act): AI-generated content is labelled as such within the Service. Machine-readable metadata is used for AI-generated images.
(4) Automated decision-making (Art. 22 GDPR): No automated decision-making within the meaning of Art. 22(1) GDPR takes place. AI-generated content consists exclusively of suggestions without legal or similarly significant effects on data subjects.
(5) AI outputs may be inaccurate and do not constitute legal, tax, or professional advice. The customer is obliged to independently verify AI results.
(6) A data processing agreement exists with Google LLC (Google Cloud DPA + Generative AI DPA). Current DPA: https://cloud.google.com/terms/data-processing-addendum
§ 11 — Special Categories of Personal Data (Art. 9 GDPR)
(1) In the context of wedding planning, the following sensitive data may be involved:
| Special Data Category | Context | Examples |
|---|---|---|
| Religious or philosophical beliefs | Wedding ceremony | Church, Muslim, Jewish, secular ceremony |
| Health data | Menu planning and accessibility | Allergies, intolerances, wheelchair accessibility |
(2) Legal basis: Exclusively explicit consent pursuant to Art. 9(2)(a) GDPR.
(3) The customer (wedding planner) is responsible, as controller, for obtaining explicit consent before entering sensitive data (see DPA § 14 and Acceptable Use Policy Section 4).
(4) Protective measures:
- Access restricted to the respective wedding project
- Data minimisation (only planning-relevant information, no detailed medical diagnoses)
- No profiling, no marketing
- AES-256 encryption at rest, TLS in transit
(5) Strictly prohibited data: Credit card numbers, bank details, identity documents, biometric or genetic data, data relating to criminal convictions (see Acceptable Use Policy Section 3.1(c) and Section 4.6).
§ 12 — Processors and Third-Party Providers
(1) The following processors are used to provide the Service and the website:
Service Processors
| Service | Purpose | Provider | Location | Safeguards |
|---|---|---|---|---|
| Firebase Authentication | User authentication | Google Ireland Ltd / Google LLC | Ireland / USA | SCCs + EU-U.S. DPF |
| Cloud Firestore | Cloud database | Google Ireland Ltd / Google LLC | Ireland / USA | SCCs + EU-U.S. DPF |
| Cloud Storage (Firebase) | File storage | Google Ireland Ltd / Google LLC | Ireland / USA | SCCs + EU-U.S. DPF |
| Firebase Hosting | Web hosting | Google Ireland Ltd / Google LLC | Ireland / USA | SCCs + EU-U.S. DPF |
| Cloud Functions (Firebase) | Server-side logic, contact form | Google Ireland Ltd / Google LLC | Ireland / USA | SCCs + EU-U.S. DPF |
| Google Gemini API | AI features | Google LLC | USA | SCCs + EU-U.S. DPF + Generative AI DPA |
| Stripe | Payment processing | Stripe Payments Europe, Ltd. / Stripe, Inc. | Ireland / USA | SCCs + EU-U.S. DPF + Stripe DPA |
Website Processors
| Service | Purpose | Provider | Location | Safeguards |
|---|---|---|---|---|
| Firebase Analytics | Website analytics | Google Ireland Ltd / Google LLC | Ireland / USA | SCCs + EU-U.S. DPF |
| Google Analytics 4 | Website analytics | Google Ireland Ltd / Google LLC | Ireland / USA | SCCs + EU-U.S. DPF |
| Brevo (Sendinblue) | Newsletter dispatch | Sendinblue GmbH | Berlin, Germany (EU) | Brevo DPA |
| Cal.com | Appointment scheduling | Cal.com, Inc. | San Francisco, USA | EU-U.S. DPF |
| Google Meet | Video conferencing | Google Ireland Ltd / Google LLC | Ireland / USA | SCCs + EU-U.S. DPF |
(2) Data processing agreements pursuant to Art. 28 GDPR exist with all processors.
(3) The contractual assignment of sub-processors is documented in Annex 1 of the DPA.
§ 13 — Origin of Data
(1) Pursuant to Art. 14(2)(f) GDPR, we provide the following information about the origin of personal data that is not collected directly from the data subject:
| Data Subjects | Data Source |
|---|---|
| Wedding guests | Input by the customer (wedding planner) or by the guest themselves via the RSVP form |
| Vendors | Input by the customer (wedding planner) |
| AI-extracted data | Uploaded documents (PDFs, images, Excel files) |
§ 14 — Data Transfers to Third Countries
(1) In the course of using the Google services and other services listed in § 12, personal data is transferred to the United States of America (USA).
(2) The data transfer is secured by the following safeguards:
(a) EU-U.S. Data Privacy Framework (Art. 45 GDPR): Google LLC, Stripe, Inc., and Cal.com, Inc. are certified under the DPF. Adequacy decision of the European Commission of 10 July 2023 (C(2023) 4745).
(b) Standard Contractual Clauses (Art. 46(2)(c) GDPR): Additionally, SCCs are in place as a supplementary safeguard in the event that the adequacy decision is revoked.
(3) Firebase services: Primary data processing in the europe-west (EU) region. Processing in the USA is possible in the context of maintenance, support, and infrastructure redundancy.
(4) Brevo (Sendinblue GmbH): Based in Berlin, Germany (EU). No third-country transfer.
(5) Should the adequacy decision be revoked, the transfer will rely on SCCs, supplemented by a Transfer Impact Assessment (TIA). As a last resort, processing will be relocated to the EU or discontinued.
PART C — GENERAL PROVISIONS
§ 15 — Cookies and Browser Storage
(1) The website and the Service use the following cookies and browser storage mechanisms. In addition to HTTP cookies, the Service uses Local Storage and IndexedDB. The same rules applicable to cookies also apply to these storage mechanisms (§ 25 TDDDG).
Technically Necessary (Without Consent)
| Storage Mechanism | Purpose | Storage Duration | Legal Basis |
|---|---|---|---|
| Firebase Auth Token (IndexedDB) | Authentication and session | ID Token: 1 hour (auto-refresh), Refresh Token: until logout | § 25(2) No. 2 TDDDG; Art. 6(1)(b) GDPR |
| IndexedDB (Firestore Offline Persistence) | Local caching for offline functionality | Until logout | § 25(2) No. 2 TDDDG; Art. 6(1)(b) GDPR |
| localStorage (language setting) | Language selection | Until manual deletion | § 25(2) No. 2 TDDDG; Art. 6(1)(b) GDPR |
| Cookie consent setting | Storage of cookie preference | 12 months | § 25(2) No. 2 TDDDG; Art. 6(1)(c) GDPR |
Analytics Cookies (Only With Consent)
| Storage Mechanism | Purpose | Storage Duration | Legal Basis |
|---|---|---|---|
| Firebase Analytics cookies | Website analytics | Up to 2 years | § 25(1) TDDDG; Art. 6(1)(a) GDPR |
| Google Analytics cookies (_ga, _ga_*) | Website analytics | Up to 2 years | § 25(1) TDDDG; Art. 6(1)(a) GDPR |
(2) Without consent, only technically necessary cookies and storage mechanisms are used. The website is fully functional without analytics cookies.
§ 16 — Public RSVP Form
(1) The Service provides a public RSVP form that is accessible without registration.
(2) Data collected: Name, RSVP status, dietary restrictions/allergies, menu selection, custom responses, timestamp.
(3) The customer is the controller for RSVP data. The operator of this Service is the processor (Art. 28 GDPR).
(4) The customer is required to inform guests prior to their use of the RSVP form in accordance with Art. 13 GDPR and to obtain explicit consent pursuant to Art. 9(2)(a) GDPR for health data (allergies).
(5) Upon submission, an email notification is sent to the couple's email address. No marketing emails, newsletters, or promotional emails are sent.
§ 17 — Data Security
(1) The following measures are implemented:
| Measure | Description |
|---|---|
| Transport encryption | HTTPS/TLS (minimum TLS 1.2) |
| Encryption at rest | AES-256 (Google Default Encryption) |
| Password hashing | Firebase Auth, industry-standard algorithms |
| Role-based access control | super-admin, admin, couple |
| Firebase Security Rules | Document-based access rules at the database level |
| Tenant separation | agency_id and wedding_id |
| API security | HTTPS/TLS for all third-party communication |
(2) The detailed TOMs (Technical and Organisational Measures) are documented in Annex 2 of the DPA.
§ 18 — Data Retention and Deletion
(1) Personal data is only stored for as long as is necessary for the respective purpose or as required by law.
| Data Category | Retention Period | Notes |
|---|---|---|
| Account data | Until account deletion + 30 days | Subject to statutory obligations |
| Wedding/guest/vendor data | Until deletion by customer or end of contract + 30 days export period | Self-service deletion available in the Service |
| Billing data | 10 years | § 147 AO, § 257 HGB |
| AI-processed data (Gemini) | Max. 55 days | Automatic deletion by Google |
| Backup data | Max. 90 days after end of contract | Automatic overwriting |
| Newsletter data | Until unsubscription | Deletion after withdrawal |
| Contact form data | After completion of processing | Unless a contractual relationship is established |
| Server log files | 30 days | Automatic deletion |
| CRM and lead data | Until deletion by customer or end of contract + 30 days export period | Self-service deletion available in the Service |
| Analytics data | 14 months | Configured in Firebase/Google Analytics |
| Payment data (at Stripe) | In accordance with Stripe's policies and statutory retention periods | Credit card data stored exclusively at Stripe; transaction references in the Service: 10 years (§ 147 AO) |
| Appointment scheduling data (Cal.com) | After the appointment has taken place | Unless a contractual relationship is established |
| Video conferencing data (Google Meet) | No storage after conference end | No recordings (§ 7a(5)); metadata in accordance with Google's policies |
(2) After termination of the contract: 30-day export period (CSV, JSON), followed by 30-day deletion period (GTC § 7).
(3) Additionally, the requirements of the EU Data Act (Regulation (EU) 2023/2854, Art. 23-25) apply. The provider makes customer data available in the machine-readable formats CSV and JSON.
§ 19 — Data Export and Portability
(1) Integrated export features: PDF export (budget, seating plan), Excel export (guest lists, budget).
(2) After termination of the contract: 30-day full export in machine-readable formats (CSV, JSON) pursuant to GTC § 7.
(3) The right to data portability pursuant to Art. 20 GDPR remains unaffected.
§ 20 — Data Subject Rights
(1) Data subjects have the following rights:
| Right | GDPR Article |
|---|---|
| Right of access | Art. 15 GDPR |
| Right to rectification | Art. 16 GDPR |
| Right to erasure | Art. 17 GDPR |
| Right to restriction of processing | Art. 18 GDPR |
| Right to data portability | Art. 20 GDPR |
| Right to object | Art. 21 GDPR |
| Right to withdraw consent | Art. 7(3) GDPR |
| Right to lodge a complaint with a supervisory authority | Art. 77 GDPR |
(2) Contact: info@weddingcompass.app
(3) Response period: Within one month (Art. 12(3) GDPR). An extension of two months is possible for complex requests.
(4) Generally free of charge (Art. 12(5) GDPR).
(5) Special provision for guest/RSVP data: The customer is the controller for guest and RSVP data. Requests will be forwarded to the responsible customer.
§ 21 — Changes to This Privacy Policy
(1) The controller reserves the right to amend this privacy policy. Material changes will be communicated to customers by email or by notice within the Service.
(2) Current version: https://weddingcompass.app/privacy-policy
§ 22 — Competent Supervisory Authority
(1) The supervisory authority responsible for the controller is:
Saxon Data Protection and Transparency Commissioner (SDTB)
Devrientstraße 1
01067 Dresden
https://www.datenschutz.sachsen.de
(2) Data subjects have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), in particular in the Member State of their habitual residence, their place of work, or the place of the alleged infringement.
Reference to Further Contractual Documents
This privacy policy is related to:
- General Terms and Conditions (GTC) — in particular § 7 (data export), § 9 (data protection)
- Data Processing Agreement (DPA) pursuant to Art. 28 GDPR — including annexes (sub-processors, TOMs)
- Acceptable Use Policy — in particular Section 4 (Art. 9 GDPR), Section 5 (AI usage)