Privacy Policy
Effective date: 10 May 2026 · New Zealand version
Baraat (“we”, “us”, “our”) operates the website at baraat.app and the associated mobile applications. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs).
Please read this policy carefully. If you have questions, contact us at hello@baraat.app.
1. Who we are
Baraat is the data controller (or, where applicable in New Zealand, the “business”) for personal data collected through this website and our mobile applications. We are based in the United Kingdom.
2. Data we collect
Couples and general visitors
- Account data: name, email address, and password when you create an account.
- Wedding details: wedding date, location, country, currency, guest count, tradition, and budget — entered voluntarily during onboarding.
- Vendor enquiries: name, email, phone number, wedding details, and message when you submit an enquiry to a vendor.
- Guest list data: guest names, email addresses, phone numbers, dietary requirements, and RSVP responses — entered by you as part of your wedding planning workspace.
- Payment data: when you upgrade to a paid plan, payment is processed by Stripe; we receive transaction metadata (amount, currency, status) but never your full card number.
- Usage data: pages visited, features used, and browser/device information collected via our analytics provider.
Vendors
- Application data: business name, contact name, email address, phone number, website, Instagram handle, and a description of your business when you apply to list.
- Listing data: business information, images, pricing, and categories — entered or updated in your vendor portal.
- Enquiry data: messages sent to you by couples through the platform.
Mobile app permissions
The Baraat mobile app for iOS and Android may request the following device permissions. All access is opt-in — the app prompts you the first time a feature needs the permission, and you can revoke any of them at any time in your phone's Settings without breaking the rest of the app.
- Camera: used only when you choose to take a photo for your wedding cover image, mood board, or invitation design. Photos are uploaded to our image hosting provider (Cloudinary) only when you explicitly save them.
- Photo library: used only when you pick existing photos or videos from your device to add to mood boards, cover images, or invitation designs. Only the items you select are uploaded.
- Contacts: used only on the “Add guests from contacts” screen. Your contact list is read locally on the device so you can choose entries to add as wedding guests. Only the names, email addresses, and phone numbers of contacts you explicitly select are sent to our servers — the full address book never leaves your phone.
- Microphone: used only if you record a save-the-date video using the in-app camera. Audio is captured solely as part of the video file you create.
- Notifications: used to send you reminders about RSVP responses, vendor messages, and wedding-day timing alerts. You can disable these in your phone's Settings.
We do not use any of these permissions in the background, do not collect data when the relevant feature is not in active use, and do not share device-permission data with third parties beyond the service providers listed below.
Cookies and analytics
We use Plausible Analytics, a privacy-friendly analytics tool that does not use cookies and does not track you across sites. It collects only anonymised, aggregate data about page views and referrer sources. No personal data is involved.
We use strictly necessary cookies for session management (when you are logged in). We do not use advertising or tracking cookies.
3. How we use your data
- To provide and operate the Baraat platform — planning tools, vendor directory, and vendor portal.
- To forward vendor enquiries to the relevant vendor on your behalf.
- To notify you and vendors about enquiry activity, booking confirmations, and service updates.
- To review and approve vendor applications.
- To send transactional emails — email verification, password reset, magic sign-in links, RSVP reminders.
- To process payments for paid plans through our payment processor (Stripe).
- To improve the platform based on anonymised usage patterns.
- To comply with legal obligations.
We do not sell your personal information. We do not use your data for advertising.
4. Who we share your data with
We share data only with service providers (“sub-processors”) that help us operate the platform:
- Neon (database hosting, EU region — Frankfurt) — stores all platform data.
- Resend — transactional email delivery.
- Vercel — website hosting and infrastructure.
- Stripe — payment processing for paid plans.
- Cloudinary — image hosting and delivery.
- Sentry — error monitoring (technical logs only, no personal message content).
- Plausible — anonymised analytics.
All vendors receive only the contact details and wedding information you choose to share when submitting an enquiry. We do not share your data with third parties for marketing purposes.
5. How long we keep your data
- Account data: retained while your account is active, and for up to 2 years after closure unless you request deletion.
- Enquiry data: retained for 2 years from submission.
- Guest list data: retained while your wedding workspace is active.
- Vendor applications: retained for 12 months regardless of outcome.
- Payment records: retained for 7 years to meet tax / accounting record-keeping obligations.
6. Your rights
Under the New Zealand Privacy Act 2020, you have the right to:
- Access — request access to the personal information we hold about you (IPP 6).
- Correct — request correction of personal information (IPP 7).
- Be informed — about the purpose for which your information is collected (IPP 3).
Privacy breach notification. If a notifiable privacy breach occurs, we will notify the affected individuals and the Privacy Commissioner as required under Part 6 of the Privacy Act 2020.
To exercise any of these rights, email us at hello@baraat.app. We will respond within the timeframe required by applicable law (one month under the NZ Privacy Act; 45 days under the CCPA, extendable once for a further 45 days).
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Office of the Privacy Commissioner.
7. Security
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. All data in transit is encrypted via HTTPS. Database storage is encrypted at rest. We do not store full payment card numbers — those are handled by Stripe under its PCI-DSS certified infrastructure.
8. International transfers
Our primary database is hosted in the European Union (Neon, eu-central-1, Frankfurt). Vercel infrastructure, Resend, Stripe, Cloudinary, and Sentry may process data in the United States and other regions. Where personal information is disclosed outside New Zealand, we comply with IPP 12 and ensure the recipient is subject to comparable safeguards.
9. Children
Baraat is intended for adults aged 18 or over. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. Material changes will be notified via email or a prominent notice on the website. The effective date at the top of this page will always reflect the latest version.
11. Contact us
For any privacy-related questions or to exercise your rights, contact us at hello@baraat.app, or use our contact form.