Wedding Planner Online: Guest List, Seating & Custom Website

This Privacy Policy explains how HERA TECH VENTURES SL ("Weddings.help") processes the personal data of users of the website weddings.help, the wedding-management dashboard and the public RSVP forms hosted under any *.weddings.help subdomain.

We comply with Regulation (EU) 2016/679 (GDPR), Spanish Organic Law 3/2018 (LOPDGDD), Spanish Law 34/2002 (LSSI-CE), the UK Data Protection Act 2018 / UK GDPR and, where applicable, the Swiss Federal Act on Data Protection (revFADP).

1. Data controller

Company name: HERA TECH VENTURES SL
Tax ID (CIF): B27660273
Registered office: Calle Fromista 15, Portal C, 7º A — 28050 Madrid (Spain)
Email for privacy matters: [email protected] (please include "DATA PROTECTION" in the subject)

We have not appointed a Data Protection Officer (DPO) because we do not meet the criteria of article 37 GDPR (we do not carry out large-scale systematic monitoring or large-scale processing of special-category data). The above contact is the single point of contact for privacy enquiries.

2. Two roles depending on whose data we process

Weddings.help acts in two different capacities depending on whose data is being processed:

As data controller for the personal data of couples (our direct customers) — name, email, billing data, account credentials, account-usage data, marketing preferences.
As data processor for the personal data of wedding guests uploaded or submitted to a couple's account. In this case the couple is the controller and Weddings.help processes the data exclusively on their documented instructions. The data-processing terms applicable to that relationship are integrated as Annex I of our Terms and Conditions.

3. Personal data we process

3.1. Couples (customers)

Identification: name, surname(s), couple names, wedding date.
Contact: email address, optional phone.
Account: hashed password, magic-link tokens, language preference.
Billing: invoice data managed and stored by Stripe; we only retain order references.
Technical: IP address and user-agent during session (for security).
Usage: dashboard actions, feature usage (when consent is given for analytics).
Marketing: opt-in flag if you actively subscribed.

3.2. Wedding guests (data uploaded by couples or submitted via the public RSVP form)

Name, group, attendance status, dietary restrictions (health data — special category under article 9 GDPR).
Optional: phone, email, message to the couple, song request, birthday, "next couple to marry" indicator, gift amount.
Logistics: table number, seat, bus, transport details.

3.3. Affiliates (partner programme)

Tax name, NIF/CIF/NIE, fiscal address, bank or payout method, social-media handles.

3.4. Web visitors

Strictly necessary cookies and security signals (Cloudflare Turnstile).
If you give consent: analytics events (Google Analytics 4, PostHog) and marketing-tracking events (Meta Pixel).

4. Purposes and legal bases

Purpose	Legal basis
Create and maintain your account; deliver the contracted SaaS	Art. 6.1.b — performance of contract
Process payments and issue invoices	Art. 6.1.b — contract; Art. 6.1.c — legal obligation (Spanish tax law)
Respond to support requests	Art. 6.1.b — contract
Process guest data on behalf of the couple	Art. 28 GDPR — data-processing agreement
Health data of guests (allergies / dietary restrictions)	Art. 9.2.a — explicit consent of the guest
Security, fraud prevention, anti-bot (Turnstile), logs	Art. 6.1.f — legitimate interest
Send transactional email (welcome, password reset, RSVP notifications)	Art. 6.1.b — contract
Send commercial communications	Art. 6.1.a — consent (separate opt-in)
Analytics and marketing cookies	Art. 6.1.a — consent (cookie banner)
Comply with legal obligations (e.g., tax-record retention)	Art. 6.1.c — legal obligation
Defend against legal claims	Art. 6.1.f — legitimate interest

5. Retention periods

Couple account: while the contract is active. After cancellation, data is deleted within 30 days, except for billing data retained for the legally required period (currently six years under Spanish General Tax Law).
Guest data: automatically deleted 30 days after the wedding date, or earlier if the couple deletes their account or the specific guest. The couple may also delete each guest individually at any time.
Backups: we keep encrypted backups on Cloudflare R2 for up to 30 days from the time of the backup. After deletion of the active record, backup copies are overwritten in this rolling 30-day window. Backups are used solely for disaster-recovery and are never accessed for any other purpose.
System logs: 90 days, then automatically deleted.
Marketing list: until you unsubscribe. Records of consent are kept for evidence purposes for two years after withdrawal.
Affiliate data: while the affiliate relationship is active + fiscal retention period.

6. Recipients of your data (subprocessors)

We only share your data with providers strictly necessary to deliver the service. Each one acts as a data processor under a signed Data Processing Agreement and is subject to confidentiality and security obligations. The full and up-to-date list is published at /legal/subprocesadores.

Current subprocessors at a glance:

Akamai / Linode — hosting (Frankfurt, Germany — EU).
Cloudflare — CDN, WAF, Turnstile CAPTCHA, R2 storage, encrypted backups (EU).
Stripe — payment processing and invoicing (EU + US under SCC and EU-US Data Privacy Framework).
Resend — transactional email (EU).
DeepL — content translation (Germany).
Google (Analytics 4) — web analytics, only when you consent (EU + US under SCC + DPF).
Meta (Facebook Pixel) — advertising-conversion tracking, only when you consent (US under DPF).
PostHog — product analytics, only when you consent (EU instance, eu.posthog.com).

We never sell personal data and we never share it for purposes beyond delivering the contracted service.

7. International transfers

All databases and primary processing happen within the European Economic Area (EEA). Where transfers outside the EEA occur (Stripe, Google, Meta), they are protected by:

European Commission Standard Contractual Clauses (SCC) of 4 June 2021.
EU-US Data Privacy Framework certification of the recipient where applicable.
Additional technical safeguards (encryption in transit and at rest).

8. Your rights

You can exercise the following rights free of charge at any time:

Access — obtain confirmation and a copy of your data.
Rectification — correct inaccurate data.
Erasure ("right to be forgotten") — delete your data when it is no longer needed or when you withdraw consent.
Restriction — limit processing while a request is reviewed.
Portability — receive your data in a structured, machine-readable JSON format.
Objection — object to processing based on legitimate interest.
Withdraw consent at any time without affecting the lawfulness of past processing.
Not to be subject to fully automated decisions producing legal effects — we do not carry out such decisions.

How to exercise them:

If you are a couple (customer): use the buttons in Dashboard → Settings ("Export my data" and "Delete my wedding") or write to [email protected] with subject "DATA PROTECTION".
If you are a wedding guest: contact the couple that invited you (they are the controller of your data). Alternatively, you may write to us at [email protected] and we will route the request to the relevant couple; we may need to verify your identity and the wedding involved.

We will respond within 30 days. If you believe your rights have been infringed, you may file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es, or with the data-protection authority of your country of residence.

9. Users outside Spain

European Economic Area: the GDPR applies identically; you may file a complaint with your national data-protection authority.

United Kingdom: we comply with the UK GDPR. The UK is considered adequate by the European Commission, so transfers between EU and UK do not require additional safeguards. UK users may file complaints with the ICO (ico.org.uk).

Switzerland: we comply with the revFADP. Swiss users have the same rights as EU users.

Latin America and other jurisdictions: the processing is governed by Spanish and EU law and your data is stored in the EEA. You retain the rights listed in section 8 and may exercise them at [email protected].

10. Special category data (health)

Dietary restrictions submitted via the RSVP form qualify as health data under article 9 GDPR. We only process them on the basis of the explicit consent given by the guest at the time of completing the form (separate, granular, "opt-in" checkbox) and solely for catering management. This data is deleted within 30 days of the wedding.

11. Security measures

We apply technical and organisational measures appropriate to the risk, including: encryption in transit (TLS 1.3), encryption of backups at rest, hashed passwords (bcrypt), role-based access control, audit logging, multi-factor authentication for administrators, regular dependency updates and a documented breach-response procedure (notification to AEPD within 72 hours where required).

12. Children

Weddings.help is not directed at children under 14 years of age (Spanish age of digital consent under LOPDGDD article 7). If you believe data of a minor has been provided without parental consent, please contact us and we will delete it immediately.

13. Cookies

See our dedicated Cookie Policy for the full inventory and the privacy-preferences panel.

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or in-app notice at least 30 days before they take effect. The version in force at any moment is the one published at this URL with the "Last updated" date above.