Privacy Policy

The data controller for the ApoEsena platform is [legal entity name], [registered address], Cyprus, reachable at [privacy email address].

[Clarify the controller/processor split: for guest data entered on a couple's wedding site, the couple typically acts as controller and ApoEsena as processor — confirm this analysis with your lawyer and document it here, plus a DPO contact if one is appointed.]

We process the following categories of personal data:

• Couple account data — names, email address, password (stored hashed), wedding details (date, venue), site personalisation and purchase history.
• Guest data — guest names and (where provided) email addresses, RSVP responses, party size, dietary or drink preferences, seating assignments, and messages entered through the wedding site.
• Photos and videos uploaded by guests — media shared via the photo-sharing feature, which may contain images of identifiable people.
• Technical data — [logs, IP addresses, analytics/cookies — list what you actually collect, including Google Analytics if enabled, and your cookie/consent approach.]

[For each category, add the purpose and the GDPR legal basis (contract, legitimate interest, consent).]

We use a small number of service providers to run the platform:

• Vercel — hosting, databases and file/photo storage.
• Stripe — payment processing (we never store full card details).
• Resend — transactional email (RSVP confirmations, account emails).

[Confirm the full processor list, link to each provider's DPA, and describe international transfer safeguards (e.g. EU Standard Contractual Clauses / EU–US Data Privacy Framework) where data leaves the EEA. State that data is never sold.]

If you are in the EU/EEA you have the right to access, rectify, erase, restrict and port your personal data, to object to certain processing, and to withdraw consent at any time where processing is based on consent.

[Explain how couples and guests exercise these rights — including how a guest should contact the couple and/or the platform — the response deadline (one month), and the right to complain to the Cyprus Commissioner for Personal Data Protection or another EU supervisory authority.]

We keep personal data only as long as needed to provide the Service and meet legal obligations.

[Define concrete retention periods: how long wedding sites, guest lists, RSVPs and uploaded photos are kept after the wedding date or account deletion; how backups are handled; and what the couple can delete themselves from the dashboard. Invoices/payment records are retained as required by Cyprus tax law.]

Privacy questions and data requests: [privacy email address] · [legal entity name], [registered address], Cyprus.