Privacy Policy
Effective: May 15, 2026 · Version: 1.0
This Privacy Policy explains how DateWhim (we, us, our) collects, uses, and protects your personal data when you use Wedding Co-Pilot (the Service), in accordance with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.
1. Data Controller
Trading name: DateWhim
Legal form: Sole trader (individual entrepreneur), Hungary
Email: weddingcopilot@outlook.com
Website: www.yourweddingcopilot.com
We are the data controller within the meaning of GDPR Article 4(7) - we determine the purposes and means of processing your personal data.
2. Personal Data We Collect and Why
2.1. Account and Identity Data
Data: email address, password (stored only as a bcrypt hash), Google account identifier (if using Google OAuth), registration timestamp, last login timestamp.
Purpose: creating and authenticating your account; providing secure access to the Service.
Legal basis: GDPR Art. 6(1)(b) - performance of a contract.
2.2. Wedding Profile Data
Data: names of the couple, planned wedding date and venue, estimated guest count, budget, cultural and religious background, and other planning details you voluntarily provide.
Purpose: powering personalised AI-assisted planning features.
Legal basis: GDPR Art. 6(1)(b) - performance of a contract.
2.3. Guest and Third-Party Data
Data: names of guests you add to the guest list, optionally dietary requirements, seating assignments, and other details you enter.
Purpose: powering the seating chart optimizer and guest management features.
Legal basis: GDPR Art. 6(1)(f) - legitimate interests (operating the Service as intended). You are responsible for ensuring that you enter guests' data with their knowledge and in compliance with applicable data protection law.
2.4. Vendor Data
Data: names, categories, quotes, contract status, and notes for wedding vendors you add. These are typically business data but may include personal data where the vendor is a natural person.
Purpose: powering vendor tracking and AI quote analysis features.
Legal basis: GDPR Art. 6(1)(b) - performance of a contract.
2.5. Subscription and Payment Data
Data: subscription plan type, subscription status (active, expired, cancelled), order and subscription identifiers issued by Lemon Squeezy, payment date and amount.
Purpose: managing paid subscriptions, unlocking plan features, fulfilling statutory accounting obligations.
Legal basis: GDPR Art. 6(1)(b) - performance of a contract; GDPR Art. 6(1)(c) - compliance with a legal obligation (accounting law).
Actual payment card details are handled exclusively by Lemon Squeezy; we never see or store them.
2.6. AI Usage Data
Data: timestamps of AI feature use, feature type (e.g., vendor, budget, seating), and your account identifier.
Purpose: preventing abuse, enforcing plan-based rate limits, ensuring Service quality.
Legal basis: GDPR Art. 6(1)(f) - legitimate interests.
2.7. Technical and Log Data
Data: IP address, browser type, operating system, access timestamps, and pages visited. This data is automatically collected by Supabase and Vercel infrastructure.
Purpose: system security, troubleshooting, abuse prevention.
Legal basis: GDPR Art. 6(1)(f) - legitimate interests.
3. Data Processors
We engage the following data processors, each bound by a data processing agreement under GDPR Article 28. Processors may only handle your personal data on our instructions.
3.1. Supabase, Inc. - database and authentication infrastructure
Registered in Singapore; primary data storage location: EU data centre (Frankfurt, Germany). Transfer basis: European Commission Standard Contractual Clauses (SCCs, Decision 2021/914/EU). Privacy policy: supabase.com/privacy.
3.2. Vercel Inc. - application hosting and CDN
340 Pine Street, Suite 701, San Francisco, CA 94104, USA. Served from EU edge locations where possible. Transfer basis: SCCs. Privacy policy: vercel.com/legal/privacy-policy.
3.3. OpenAI, LLC - AI processing
3180 18th Street, San Francisco, CA 94110, USA. When you use AI features, we send relevant wedding profile text to the OpenAI API for processing. OpenAI does not use API customers' data for model training (per OpenAI's API data usage policy). Transfer basis: SCCs. Privacy policy: openai.com/policies/privacy-policy.
3.4. Lemon Squeezy, LLC - payment and subscription management
USA. Your payment card data is handled exclusively by Lemon Squeezy under PCI-DSS compliance. We receive only subscription status and identifiers. Transfer basis: SCCs. Privacy policy: lemonsqueezy.com/privacy.
3.5. Google LLC - OAuth authentication
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you sign in with Google, Google processes authentication data under its own privacy policy. We store only the Google user ID and email address returned by OAuth. Privacy policy: policies.google.com/privacy.
3.6. PostHog, Inc. - product analytics
2261 Market Street #4008, San Francisco, CA 94114, USA. We use PostHog (EU cloud, hosted in Frankfurt) to understand how features are used, in order to improve the Service. PostHog is configured in identified-only mode, meaning anonymous visitors are not tracked; only authenticated users' in-product events are collected. No personally identifiable information beyond your account ID is sent. Transfer basis: SCCs. Privacy policy: posthog.com/privacy.
4. Retention Periods
- Account and wedding profile data: for the duration of the active account, or until deletion is requested; automatically deleted 3 years after the last login if the account is inactive.
- Guest and vendor data: for the duration of the account.
- Subscription and billing data: for 8 years from the invoice date, as required by Hungarian accounting law.
- AI usage logs: maximum 90 days.
- Technical logs (IP address, access log): maximum 90 days.
After account deletion we promptly erase your data, except where retention is required by law.
5. Your Rights Under GDPR
Under GDPR Chapter III you have the following rights. To exercise them, email us at weddingcopilot@outlook.com. We will respond within 30 days; in complex cases this may be extended by a further 60 days.
5.1. Right of Access (Art. 15)
You may request confirmation of whether we process your personal data and, if so, receive a copy of it along with information about the purposes, legal bases, retention periods, and processors involved.
5.2. Right to Rectification (Art. 16)
You may request correction of inaccurate data or completion of incomplete data. You can also update most of your wedding profile data directly in your account settings.
5.3. Right to Erasure (Art. 17)
You may request deletion of your personal data where it is no longer necessary for the original purpose, you withdraw consent, or you object to processing with no overriding legitimate interest. Erasure cannot be fulfilled where retention is legally required.
5.4. Right to Restriction of Processing (Art. 18)
You may request that we restrict processing - for example, while the accuracy of data is disputed, or while an objection is being assessed. During restriction, data may only be stored, not otherwise used.
5.5. Right to Data Portability (Art. 20)
You may receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV) and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
5.6. Right to Object (Art. 21)
You may object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
5.7. Rights Related to Automated Decision-Making (Art. 22)
The Service uses automated logic only to determine AI access based on your subscription plan. This is necessary for contract performance. You may request human review of such decisions, express your views, and contest the outcome at any time.
6. Cookies
The Service uses only strictly necessary cookies:
- Session cookie: maintains your logged-in state. Expires when the browser is closed or the Supabase Auth token expires.
- CSRF protection cookie: prevents cross-site request forgery. Deleted at the end of each session.
We do not use marketing, tracking, or third-party analytics cookies without your explicit consent. If we introduce such cookies in the future, we will notify you and obtain your consent in advance.
7. Data Security
We and our processors apply appropriate technical and organisational measures under GDPR Article 32, including:
- Encryption: all data in transit is protected by HTTPS/TLS; passwords are stored as bcrypt hashes.
- Access control: Row Level Security (RLS) policies in Supabase ensure you can only access your own data.
- Infrastructure security: database and application run in managed data centres holding ISO 27001 and SOC 2 Type II certifications.
- SSRF protection: the Moodboard scraper component blocks private network IP ranges via DNS resolution checks.
In the event of a personal data breach, we will notify the supervisory authority (NAIH) within 72 hours of becoming aware of it. Where a breach is likely to result in high risk to you, we will also notify you without undue delay.
8. Supervisory Authority
If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:
- NAIH (Nemzeti Adatvédelmi és Információszabadság Hatóság - Hungarian National Authority for Data Protection and Freedom of Information)
- Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
- Email: ugyfelszolgalat@naih.hu
- Website: naih.hu
You may also complain to the supervisory authority in your EU member state of habitual residence. In parallel, you may bring court proceedings before a competent court.
9. Additional Rights for California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following additional rights:
- Right to Know: request disclosure of categories and specific pieces of personal information collected, their sources, business purposes, and any third parties with whom they were shared.
- Right to Delete: request deletion of personal information we collected from you, subject to exceptions.
- Right to Opt-Out of Sale/Sharing: we do not sell personal information and do not share it for cross-context behavioral advertising.
- Right to Non-Discrimination: we will not discriminate against you for exercising CCPA rights.
To submit a CCPA request, email weddingcopilot@outlook.com. We will respond within 45 days.
10. Amendments to This Policy
We reserve the right to amend this Privacy Policy. In case of material changes, we will notify you by email at least 15 days before the effective date. Continued use of the Service after the effective date constitutes acknowledgment of the updated Policy.
The current version of this Policy is always available at /en/privacy.