Legal
Privacy Policy
Effective date: 10 May 2026 · United States version
Showing the United States version
Baraat(“we”, “us”, “our”) operates the website at baraat.app and the associated mobile applications. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable US state privacy laws.
Please read this policy carefully. If you have questions, contact us at hello@baraat.app.
1. Who we are
Baraat is the data controller (or, where applicable in US, the “business”) for personal data collected through this website and our mobile applications. We are based in the United Kingdom.
2. Data we collect
Couples and general visitors
- Account data: name, email address, and password when you create an account.
- Wedding details: wedding date, location, country, currency, guest count, tradition, and budget — entered voluntarily during onboarding.
- Vendor enquiries: name, email, phone number, wedding details, and message when you submit an enquiry to a vendor.
- Guest list data: guest names, email addresses, phone numbers, dietary requirements, and RSVP responses — entered by you as part of your wedding planning workspace.
- Payment data: when you upgrade to a paid plan, payment is processed by Stripe; we receive transaction metadata (amount, currency, status) but never your full card number.
- Usage data: pages visited, features used, and browser/device information collected via our analytics provider.
Vendors
- Application data: business name, contact name, email address, phone number, website, Instagram handle, and a description of your business when you apply to list.
- Listing data: business information, images, pricing, and categories — entered or updated in your vendor portal.
- Enquiry data: messages sent to you by couples through the platform.
Mobile app permissions
The Baraatmobile app for iOS and Android may request the following device permissions. All access is opt-in — the app prompts you the first time a feature needs the permission, and you can revoke any of them at any time in your phone's Settings without breaking the rest of the app.
- Camera: used only when you choose to take a photo for your wedding cover image, mood board, or invitation design. Photos are uploaded to our image hosting provider (Cloudinary) only when you explicitly save them.
- Photo library: used only when you pick existing photos or videos from your device to add to mood boards, cover images, or invitation designs. Only the items you select are uploaded.
- Contacts: used only on the “Add guests from contacts” screen. Your contact list is read locally on the device so you can choose entries to add as wedding guests. Only the names, email addresses, and phone numbers of contacts you explicitly select are sent to our servers — the full address book never leaves your phone.
- Microphone: used only if you record a save-the-date video using the in-app camera. Audio is captured solely as part of the video file you create.
- Notifications: used to send you reminders about RSVP responses, vendor messages, and wedding-day timing alerts. You can disable these in your phone's Settings.
We do not use any of these permissions in the background, do not collect data when the relevant feature is not in active use, and do not share device-permission data with third parties beyond the service providers listed below.
Cookies and analytics
We use Plausible Analytics, a privacy-friendly analytics tool that does not use cookies and does not track you across sites. It collects only anonymised, aggregate data about page views and referrer sources. No personal data is involved.
We use strictly necessary cookies for session management (when you are logged in). We do not use advertising or tracking cookies.
3. How we use your data
- To provide and operate the Baraat platform — planning tools, vendor directory, and vendor portal.
- To forward vendor enquiries to the relevant vendor on your behalf.
- To notify you and vendors about enquiry activity, booking confirmations, and service updates.
- To review and approve vendor applications.
- To send transactional emails — email verification, password reset, magic sign-in links, RSVP reminders.
- To process payments for paid plans through our payment processor (Stripe).
- To improve the platform based on anonymised usage patterns.
- To comply with legal obligations.
We do not sell your personal information. We also do not "share" your personal information for cross-context behavioural advertising as those terms are defined under the CCPA.
4. Who we share your data with
We share data only with service providers (“sub-processors”) that help us operate the platform:
- Neon (database hosting, EU region — Frankfurt) — stores all platform data.
- Resend — transactional email delivery.
- Vercel — website hosting and infrastructure.
- Stripe — payment processing for paid plans.
- Cloudinary — image hosting and delivery.
- Sentry — error monitoring (technical logs only, no personal message content).
- Plausible — anonymised analytics.
All vendors receive only the contact details and wedding information you choose to share when submitting an enquiry. We do not share your data with third parties for marketing purposes.
5. How long we keep your data
- Account data: retained while your account is active, and for up to 2 years after closure unless you request deletion.
- Enquiry data: retained for 2 years from submission.
- Guest list data: retained while your wedding workspace is active.
- Vendor applications: retained for 12 months regardless of outcome.
- Payment records: retained for 7 years to meet tax / accounting record-keeping obligations.
6. Your rights
Under the CCPA/CPRA and other applicable US state privacy laws, you have the right to:
- Know — request that we disclose what categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it (12-month lookback).
- Delete — request that we delete personal information we have collected from you, subject to certain exceptions.
- Correct — request that we correct inaccurate personal information.
- Opt out of sale or sharing — direct us not to sell or share your personal information for cross-context behavioural advertising. We do not sell or share your personal information, but you can submit a formal request via our Do Not Sell or Share My Personal Information page.
- Limit use of sensitive personal information — direct us to limit our use of sensitive personal information to what is necessary to provide the requested service.
- Non-discrimination — you will not receive discriminatory treatment for exercising any of these rights.
California residents may also designate an authorised agent to make a request on their behalf, subject to verification.
If you reside in another US state with a comprehensive privacy law (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Tennessee, Indiana, Florida, or New Jersey), you have substantively similar rights under your state law. Contact us using the email below to exercise them.
Notice of financial incentive. Baraat does not offer financial incentives in exchange for the collection, sale, or deletion of personal information.
Shine the Light (California Civil Code § 1798.83).California residents may request information about our disclosure (if any) of personal information to third parties for those parties' direct marketing purposes. We do not make such disclosures.
To exercise any of these rights, email us at hello@baraat.app. We will respond within the timeframe required by applicable law (one month under CCPA/CPRA; 45 days under CCPA, extendable once for a further 45 days).
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the California Privacy Protection Agency.
7. Security
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. All data in transit is encrypted via HTTPS. Database storage is encrypted at rest. We do not store full payment card numbers — those are handled by Stripe under its PCI-DSS certified infrastructure.
8. International transfers
Our primary database is hosted in the European Union (Neon, eu-central-1, Frankfurt). Vercel infrastructure, Resend, Stripe, Cloudinary, and Sentry may process data in the United States and other regions.
9. Children
Baraat is intended for adults aged 18 or over. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it. (We comply with the US Children’s Online Privacy Protection Act (COPPA) by not knowingly collecting information from children under 13.)
10. Changes to this policy
We may update this policy from time to time. Material changes will be notified via email or a prominent notice on the website. The effective date at the top of this page will always reflect the latest version.
11. Contact us
For any privacy-related questions or to exercise your rights, contact us at hello@baraat.app, or use our contact form.