Privacy Policy (EU / EEA) — Baraat

Baraat(“we”, “us”, “our”) operates the website at baraat.app and the associated mobile applications. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under EU General Data Protection Regulation (Regulation (EU) 2016/679) and applicable national implementations.

Please read this policy carefully. If you have questions, contact us at hello@baraat.app.

1. Who we are

Baraat is the data controller (or, where applicable in EU / EEA, the “business”) for personal data collected through this website and our mobile applications. We are based in the United Kingdom.

EU representative. Under Article 27 of the EU GDPR, controllers based outside the EU who offer services to EU data subjects are required to designate a representative in the Union. Our designated EU representative is [LAWYER: insert EU representative name + address before public EU launch].

2. Data we collect

Couples and general visitors

Account data: name, email address, and password when you create an account.
Wedding details: wedding date, location, country, currency, guest count, tradition, and budget — entered voluntarily during onboarding.
Vendor enquiries: name, email, phone number, wedding details, and message when you submit an enquiry to a vendor.
Guest list data: guest names, email addresses, phone numbers, dietary requirements, and RSVP responses — entered by you as part of your wedding planning workspace.
Payment data: when you upgrade to a paid plan, payment is processed by Stripe; we receive transaction metadata (amount, currency, status) but never your full card number.
Usage data: pages visited, features used, and browser/device information collected via our analytics provider.

Vendors

Application data: business name, contact name, email address, phone number, website, Instagram handle, and a description of your business when you apply to list.
Listing data: business information, images, pricing, and categories — entered or updated in your vendor portal.
Enquiry data: messages sent to you by couples through the platform.

Mobile app permissions

The Baraatmobile app for iOS and Android may request the following device permissions. All access is opt-in — the app prompts you the first time a feature needs the permission, and you can revoke any of them at any time in your phone's Settings without breaking the rest of the app.

Camera: used only when you choose to take a photo for your wedding cover image, mood board, or invitation design. Photos are uploaded to our image hosting provider (Cloudinary) only when you explicitly save them.
Photo library: used only when you pick existing photos or videos from your device to add to mood boards, cover images, or invitation designs. Only the items you select are uploaded.
Contacts: used only on the “Add guests from contacts” screen. Your contact list is read locally on the device so you can choose entries to add as wedding guests. Only the names, email addresses, and phone numbers of contacts you explicitly select are sent to our servers — the full address book never leaves your phone.
Microphone: used only if you record a save-the-date video using the in-app camera. Audio is captured solely as part of the video file you create.
Notifications: used to send you reminders about RSVP responses, vendor messages, and wedding-day timing alerts. You can disable these in your phone's Settings.

We do not use any of these permissions in the background, do not collect data when the relevant feature is not in active use, and do not share device-permission data with third parties beyond the service providers listed below.

Cookies and analytics

We use Plausible Analytics, a privacy-friendly analytics tool that does not use cookies and does not track you across sites. It collects only anonymised, aggregate data about page views and referrer sources. No personal data is involved.

We use strictly necessary cookies for session management (when you are logged in). We do not use advertising or tracking cookies.

3. How we use your data

To provide and operate the Baraat platform — planning tools, vendor directory, and vendor portal.
To forward vendor enquiries to the relevant vendor on your behalf.
To notify you and vendors about enquiry activity, booking confirmations, and service updates.
To review and approve vendor applications.
To send transactional emails — email verification, password reset, magic sign-in links, RSVP reminders.
To process payments for paid plans through our payment processor (Stripe).
To improve the platform based on anonymised usage patterns.
To comply with legal obligations.

We do not sell your personal information. We do not use your data for advertising.

4. Legal basis for processing

Contract performance (Article 6(1)(b)): processing necessary to deliver the services you have signed up for.
Legitimate interests (Article 6(1)(f)): improving the platform, preventing fraud, and ensuring security — where these do not override your rights.
Consent (Article 6(1)(a)): for any optional communications (such as a future marketing newsletter, if we introduce one), and for processing of any data category that requires consent under EU GDPR.
Legal obligation (Article 6(1)(c)): where we are required to retain or disclose data by law.

5. Who we share your data with

We share data only with service providers (“sub-processors”) that help us operate the platform:

Neon (database hosting, EU region — Frankfurt) — stores all platform data.
Resend — transactional email delivery.
Vercel — website hosting and infrastructure.
Stripe — payment processing for paid plans.
Cloudinary — image hosting and delivery.
Sentry — error monitoring (technical logs only, no personal message content).
Plausible — anonymised analytics.

All vendors receive only the contact details and wedding information you choose to share when submitting an enquiry. We do not share your data with third parties for marketing purposes.

6. How long we keep your data

Account data: retained while your account is active, and for up to 2 years after closure unless you request deletion.
Enquiry data: retained for 2 years from submission.
Guest list data: retained while your wedding workspace is active.
Vendor applications: retained for 12 months regardless of outcome.
Payment records: retained for 7 years to meet tax / accounting record-keeping obligations.

7. Your rights

Under EU GDPR you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate data.
Erasure (“right to be forgotten”) — ask us to delete your data in certain circumstances.
Restriction — ask us to pause processing your data.
Portability — receive your data in a structured, machine-readable format.
Object — object to processing based on legitimate interests.
Withdraw consent — where processing is based on consent, you may withdraw it at any time.
Not be subject to automated decision-making — Baraat does not currently make decisions about you using solely automated means with legal or similarly significant effects.

To exercise any of these rights, email us at hello@baraat.app. We will respond within the timeframe required by applicable law (one month under EU GDPR; 45 days under CCPA, extendable once for a further 45 days).

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the your local Data Protection Authority.

8. Security

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. All data in transit is encrypted via HTTPS. Database storage is encrypted at rest. We do not store full payment card numbers — those are handled by Stripe under its PCI-DSS certified infrastructure.

9. International transfers

Our primary database is hosted in the European Union (Neon, eu-central-1, Frankfurt). Vercel infrastructure, Resend, Stripe, Cloudinary, and Sentry may process data in the United States and other regions. Where data is transferred outside the UK/EEA, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Agreement, or an adequacy decision, as applicable, and supplement those with the technical and organisational measures listed above.

10. Children

Baraat is intended for adults aged 18 or over. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified via email or a prominent notice on the website. The effective date at the top of this page will always reflect the latest version.

12. Contact us

For any privacy-related questions or to exercise your rights, contact us at hello@baraat.app, or use our contact form.