Privacy Policy

Data Controller pursuant to Article 4(7) GDPR:

Mihael Traxler-Simic e.U.
Goldschlagstraße 161-167
1140 Vienna
Austria
Email: hello@wedcloud.app

1. Principles of Data Processing

We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with applicable data protection regulations, in particular the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG), as well as this privacy policy.

2. Data We Collect

2.1 Account Data (Registration & Authentication)

• Email address
• Name (optional)
• Password (stored encrypted)
• Authentication data from third-party providers (Google, Apple — if used)

2.2 Wedding Data

• Wedding name and date
• Wedding URL/slug
• Planning details (timetable, menu, seating plan)
• Invitation texts and designs
• Guest list (names, email addresses, RSVP status, dietary restrictions)

2.3 Media Content

• Photos and videos uploaded by users and guests
• Voice notes (via WhatsApp integration)
• Guestbook entries (text and images)

2.4 Biometric Data (Face Recognition)

• Face recognition data from photos (bounding boxes, confidence scores, face IDs)
• Emotion detection (happiness, sadness, surprise, etc.)
• Scene recognition and image labels
• Legal Basis: Consent pursuant to Art. 6(1)(a) GDPR and Art. 9(2)(a) GDPR (explicit consent for biometric data)

2.5 Payment Data

• Email address for invoices
• Subscription status and plan information
• Customer ID with LemonSqueezy
• Note: Credit card and bank details are processed exclusively by our payment provider LemonSqueezy and are not stored on our servers.

2.6 Communication Data (WhatsApp)

• Phone number
• Display name
• Message content and timestamps
• Media files (photos, videos, voice notes)
• Delivery status

2.7 Usage Data (Analytics)

• Page views and click behavior
• Feature usage (uploads, face recognition, seating plan usage)
• Device type and browser (anonymized)
• Session duration

2.8 Music Data (Spotify Integration)

• Spotify user ID and display name
• Spotify access tokens (encrypted)
• Playlist IDs and song requests

3. Purposes of Data Processing

4. Sub-Processors and Third-Party Services

We use the following third-party services to provide our platform. Data Processing Agreements (DPA) pursuant to Art. 28 GDPR have been concluded with all sub-processors, or appropriate Standard Contractual Clauses (SCC) are in place for third-country transfers.

4.1 Supabase Inc.

• Service: Database hosting, user authentication, real-time data
• Data Processed: Account data, wedding data, guest data, media metadata, session tokens
• Server Location: EU (Frankfurt, Germany)
• Privacy Policy: https://supabase.com/privacy

4.2 Cloudflare, Inc.

• Service: Media storage (R2 Object Storage), Content Delivery Network (CDN), image optimization, Worker API
• Data Processed: Photos, videos, voice notes, file metadata, IP addresses (for CDN)
• Server Location: Global with EU data centers
• Privacy Policy: https://www.cloudflare.com/privacypolicy/

4.3 Amazon Web Services (AWS) — Amazon Rekognition

• Service: Face detection and grouping, scene and object recognition, emotion analysis
• Data Processed: Photo data (image bytes), biometric face data (face IDs, bounding boxes, confidence scores), scene labels, emotion data
• Server Location: EU (Frankfurt, Germany — eu-central-1)
• Privacy Policy: https://aws.amazon.com/privacy/
• Special Note: Biometric data is only processed with explicit consent. Face data can be deleted upon request.

4.4 Anthropic PBC — Claude AI

• Service: AI-powered features (seating assignment, natural language photo search, timetable generation, menu recommendations, photo timeline classification)
• Data Processed: Anonymized guest metadata (names, relationships, dietary restrictions), photo labels, wedding timetables, menu data
• Server Location: USA
• Privacy Policy: https://www.anthropic.com/privacy
• Third-Country Transfer: Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR
• Note: Anthropic does not use API data for model training per their usage policy.

4.5 LemonSqueezy (Lemon Squeezy, LLC)

• Service: Payment processing, subscription management, invoicing, tax handling (Merchant of Record)
• Data Processed: Email address, payment information, subscription status, invoice data
• Server Location: USA
• Privacy Policy: https://www.lemonsqueezy.com/privacy
• Third-Country Transfer: Standard Contractual Clauses (SCC)
• Special Note: As “Merchant of Record,” LemonSqueezy is independently responsible for handling payments, taxes (including VAT), and refunds.

4.6 PostHog, Inc.

• Service: Product analytics, usage statistics, feature usage
• Data Processed: Anonymized usage events, page interactions, feature usage, device type (anonymized)
• Server Location: EU (Frankfurt, Germany)
• Privacy Policy: https://posthog.com/privacy

4.7 Resend, Inc.

• Service: Transactional email delivery (welcome emails, guest invitations, payment confirmations, notifications)
• Data Processed: Email addresses, names, email content
• Server Location: USA
• Privacy Policy: https://resend.com/privacy
• Third-Country Transfer: Standard Contractual Clauses (SCC)

4.8 Spotify AB

• Service: Music integration (playlist creation, song search, guest song requests)
• Data Processed: Spotify user ID, display name, access tokens, playlist IDs, song requests
• Server Location: EU (Sweden)
• Privacy Policy: https://www.spotify.com/legal/privacy-policy/
• Special Note: Spotify integration is optional and requires explicit OAuth authorization by the user.

4.9 Meta Platforms Ireland Limited — WhatsApp Business API

• Service: WhatsApp messaging (photo/video upload via WhatsApp, guestbook entries, guest registration)
• Data Processed: Phone numbers, display names, message content, media files, delivery status, message timestamps
• Server Location: EU (Ireland) and USA
• Privacy Policy: https://www.whatsapp.com/legal/privacy-policy/
• Third-Country Transfer: Standard Contractual Clauses (SCC) for US processing
• Special Note: WhatsApp integration is optional. Phone numbers are only stored for the duration of active use.

4.10 Vercel Inc.

• Service: Website hosting and deployment, edge network
• Data Processed: IP addresses, HTTP request data, server logs
• Server Location: Global with EU data centers
• Privacy Policy: https://vercel.com/legal/privacy-policy

5. Data Transfers to Third Countries

Some of our sub-processors are located outside the European Economic Area (EEA), particularly in the United States. For these transfers, we rely on:

• EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR
• EU-U.S. Data Privacy Framework (where the recipient is certified)
• Adequacy Decisions of the European Commission (where available)

6. Data Retention Periods

7. Your Rights

Under the GDPR, you have the following rights:

7.1 Right of Access (Art. 15 GDPR)

You have the right to request information about your stored personal data.

7.2 Right to Rectification (Art. 16 GDPR)

You have the right to have inaccurate data corrected.

7.3 Right to Erasure (Art. 17 GDPR)

You have the right to request the deletion of your data, provided no legal retention obligations apply.

7.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request the restriction of processing of your data.

7.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used, and machine-readable format.

7.6 Right to Object (Art. 21 GDPR)

You have the right to object to the processing of your data where processing is based on legitimate interest.

7.7 Right to Withdraw Consent (Art. 7(3) GDPR)

You may withdraw your consent at any time with effect for the future.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority:

Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40-42
1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at

8. Cookies

For detailed information about our use of cookies, please see our Cookie Policy.

9. Automated Decision-Making

We use automated decision-making in the following areas:

• Face Recognition: Automatic grouping of photos by recognized individuals. This is done exclusively with your explicit consent and serves to improve user experience. You can disable this feature at any time.
• AI Seating Assignment: Automatic suggestions for seating arrangements based on guest relationships. All suggestions require manual confirmation by the user.
• AI Photo Search: Automatic interpretation of natural language for photo filtering. No decisions are made that have legal effects.

10. Data Security

We implement the following technical and organizational measures:

• Encryption of all data in transit (TLS/HTTPS)
• Encryption of data at rest in the database
• Row-Level Security (RLS) in the database
• Secure authentication with encrypted passwords
• Webhook signature verification (HMAC-SHA256) for all incoming webhooks
• Regular security updates
• Access restrictions and principle of least privilege

11. Changes to This Privacy Policy

We reserve the right to update this privacy policy to ensure it always complies with current legal requirements or to reflect changes in our services. The new privacy policy will apply to your subsequent visits.

12. Contact

If you have any questions about data protection, please contact:

Mihael Traxler-Simic e.U.
Email: hello@wedcloud.app

This is a convenience translation. The German version is legally binding.

Last updated: March 6, 2026