Privacy Policy

Last updated: August 21, 2025

1. Introduction and Scope

DearTable ("we," "us," or "our") operates a wedding management platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our service.

This policy complies with the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), UK Data Protection Act 2018, and other applicable data protection laws worldwide.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, phone number, password
  • Wedding Details: Bride/groom names, wedding date, venue information
  • Guest Information: Names, email addresses, phone numbers, dietary preferences, RSVP responses
  • Custom Content: Invitation messages, special instructions, personal notes
  • Payment Information: Billing details (processed securely by third-party payment processors)

2.2 Information Collected Automatically

  • Usage Data: Features used, pages visited, time spent on platform
  • Device Information: IP address, browser type, operating system, device identifiers
  • Email Analytics: Email delivery status, open rates, click rates (for invitations sent)
  • AI Usage: AI feature interactions, seating generation requests, success/failure rates

2.3 Information from Third Parties

  • Authentication Services: If you sign in via Google or other OAuth providers
  • Email Service Providers: Delivery and engagement metrics from our email partners
  • Payment Processors: Transaction confirmations and billing status

3. How We Use Your Information

3.1 Primary Uses

  • Service Provision: Creating and managing your wedding guest lists and invitations
  • Email Delivery: Sending wedding invitations and RSVP reminders on your behalf
  • AI Features: Generating seating arrangements and providing intelligent recommendations
  • Account Management: Authentication, subscription management, customer support
  • Platform Improvement: Analytics to enhance user experience and platform functionality

3.2 Legal Bases for Processing (GDPR)

  • Contract Performance: Processing necessary to provide our wedding management services
  • Legitimate Interest: Platform improvement, fraud prevention, and customer support
  • Consent: Marketing communications and optional features (where applicable)
  • Legal Obligation: Compliance with tax, accounting, and legal requirements

Important: Guest Data Processing

When you add guest information to our platform, you act as the "data controller" under GDPR, and we act as the "data processor." You are responsible for ensuring you have the legal right to process your guests' personal data and for informing them about how their data will be used.

4. Information Sharing and Disclosure

4.1 Service Providers

We share information with trusted third-party service providers who assist in operating our platform:

  • Email Services: Resend and other email delivery providers for sending invitations
  • Cloud Infrastructure: Supabase, AWS, or similar for data storage and processing
  • AI Services: OpenAI, DeepSeek, or other AI providers for intelligent features
  • Payment Processing: Stripe, PayPal, or similar for subscription billing
  • Analytics: Services for platform usage analysis and improvement

4.2 Legal Requirements

We may disclose information when required by law or to:

  • Comply with legal process, court orders, or government requests
  • Protect our rights, property, or safety, or that of our users
  • Investigate fraud, security issues, or terms of service violations
  • Enforce our legal agreements and policies

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of the business transaction, subject to continued protection under this privacy policy.

5. International Data Transfers

DearTable operates globally and may transfer your personal data across international borders. When we transfer data from the European Economic Area (EEA) or UK to other countries, we ensure appropriate safeguards:

  • Adequacy Decisions: Transfers to countries with adequate data protection (as determined by the European Commission)
  • Standard Contractual Clauses: EU-approved contractual terms with service providers
  • Data Processing Agreements: Binding agreements ensuring GDPR-level protection
  • Encryption and Security: Data is encrypted in transit and at rest

6. Data Security and Protection

We implement comprehensive security measures to protect your personal information:

  • Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication for staff
  • Regular Audits: Security assessments and penetration testing
  • Data Minimization: We collect only necessary information and delete it when it is no longer needed
  • Incident Response: Procedures for detecting, responding to, and reporting security breaches

Security Disclaimer

While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your personal information.

7. Your Privacy Rights

7.1 Rights Under GDPR (EU/UK Residents)

  • Right of Access: Request a copy of your personal data we hold
  • Right to Rectification: Correct inaccurate or incomplete information
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing: Limit how we use your data in certain circumstances
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Opt out of certain types of data processing
  • Right to Withdraw Consent: Revoke your consent where processing is based on consent

7.2 Rights Under CCPA (California Residents)

  • Right to Know: Information about data collection, use, and sharing
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the "sale" of personal information (we do not sell data)
  • Right to Non-Discrimination: Equal service regardless of privacy choices

7.3 How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email: privacy@drtable.uk
Data Protection Officer: dpo@drtable.uk
Response Time: We will respond within 30 days (GDPR) or 45 days (CCPA)

8. Cookies and Tracking Technologies

8.1 Types of Cookies We Use

  • Essential Cookies: Required for authentication and platform functionality
  • Analytics Cookies: Help us understand how users interact with our platform
  • Preference Cookies: Remember your settings and preferences
  • Marketing Cookies: Used for targeted advertising (with your consent)

8.2 Cookie Management

You can control cookies through your browser settings. Note that disabling essential cookies may affect platform functionality.

8.3 Third-Party Tracking

We may use third-party analytics services (such as Google Analytics) that collect information about your use of our platform. These services have their own privacy policies.

9. Data Retention

We retain personal information only for as long as necessary to provide our services and comply with legal obligations.

9.1 General Retention Principles

  • Active Accounts: Data is retained while your account remains active and in use
  • Account Closure: Upon account deletion, most personal data is removed within 30-90 days
  • Business Requirements: Some data may be retained longer where required by law or legitimate business interests
  • User Control: You can request immediate deletion of your data at any time

9.2 Specific Retention Periods

  • Wedding & Guest Data: Retained as long as your account is active, deleted upon account closure
  • Email Delivery Logs: Retained for up to 2 years for delivery verification and anti-spam compliance
  • AI Usage Logs: Retained for service improvement and billing purposes, typically 1-2 years
  • Security Logs: Retained for up to 1 year for security incident investigation
  • Backup Data: May be retained in encrypted backups for up to 90 days for disaster recovery

9.3 Legal and Compliance Retention

Certain data may be retained longer when required by applicable law:

  • Tax Records: Financial transaction data may be retained for up to 7 years as required by tax authorities
  • Legal Proceedings: Data relevant to ongoing legal matters will be retained until resolution
  • Regulatory Compliance: Data required for compliance with specific industry regulations

9.4 Data Anonymization

Where possible, we anonymize personal data for legitimate business purposes such as analytics and platform improvement. Truly anonymized data is no longer considered personal data under GDPR and may be retained indefinitely.

Your Rights

You have the right to request deletion of your personal data at any time. We will honor such requests promptly, subject only to overriding legal obligations. Contact us at privacy@drtable.uk to exercise this right.

10. Children's Privacy

DearTable is not intended for use by children under 16 years of age (or 13 in the US). We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly.

If you believe we have collected information from a child, please contact us immediately at privacy@drtable.uk.

11. Updates to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will:

  • Post the updated policy on our website with a new "Last Updated" date
  • Notify you by email for material changes
  • Provide prominent notice on our platform for significant changes
  • Obtain your consent where required by law

We encourage you to review this policy periodically to stay informed about how we protect your privacy.

12. Supervisory Authority Contacts

If you have concerns about our data processing practices, you have the right to lodge a complaint with your local supervisory authority:

  • EU Residents: Your national Data Protection Authority
  • UK Residents: Information Commissioner's Office (ICO) - ico.org.uk
  • California Residents: California Attorney General - oag.ca.gov
  • Other Jurisdictions: Your local privacy regulator

13. Contact Information

For any questions about this Privacy Policy or our data practices, please contact us:

General Privacy Questions

Email: privacy@drtable.uk
Response Time: 5 business days

Data Protection Officer

Email: dpo@drtable.uk
For: GDPR rights, data concerns

Legal Department

Email: legal@drtable.uk
For: Legal compliance, disputes

Postal Address

DearTable Privacy Team
London, United Kingdom
For: Formal legal notices