Privacy Policy

Last updated: 12 April 2026

ourbigwedding.day ("we", "us", "our") is a wedding guest management service operated by Lee James Apps, a sole trader based in the United Kingdom. We take your privacy seriously and are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy explains what data we collect, why we collect it, how we use it, who we share it with, and what rights you have.

1. Who we are

Data controller: Lee James Apps
Email: hello@ourbigwedding.day
Website: ourbigwedding.day

For wedding hubs, the couple (our customer) is the data controller for their guests' data. We act as a data processor on their behalf.

2. What data we collect

Data we collect from couples (our customers)

• Couple names and display name
• Email address (for account login and correspondence)
• Wedding date, venue name, address, and postcode
• Account password (stored hashed — we cannot read it)
• Wedding story, tagline, theme preference, and settings
• Payment information via Stripe (we never see or store card numbers — Stripe handles this directly)

Data we collect from guests (on behalf of the couple)

• Guest names and party groupings
• Party leader email address (one per party/household)
• Access PIN (stored hashed — we cannot read it)
• RSVP responses (attending/declined/pending, per event)
• Menu choices (starter, main, dessert per event)
• Dietary requirements and allergy information — this is special category (health) data under UK GDPR. It is provided voluntarily by the guest and processed solely for the purpose of catering at the wedding
• Whether an allergy is flagged as severe
• Age category (adult, child, infant)
• Private messages sent to the couple
• Plus-one details (if added by the party leader)

Data we collect automatically

• IP address (temporarily, for rate limiting login attempts — not stored long-term)
• Browser session cookies (essential for login — see Section 7)

Data we do NOT collect

• We do not use analytics (no Google Analytics, no tracking pixels)
• We do not collect phone numbers
• We do not collect location data beyond the venue address the couple provides
• We do not serve advertising or share data with advertisers

3. Why we collect it (lawful basis)

Data	Purpose	Lawful basis
Couple account data	Provide the wedding hub service	Contract (you purchased the service)
Couple email	Send welcome email, password resets, operator notifications	Contract
Guest names & RSVPs	Enable RSVP collection on behalf of the couple	Legitimate interest (the couple needs to manage their wedding)
Guest email + PIN	Authenticate guest access to their personal hub	Legitimate interest
Menu choices	Allow the couple to collect meal preferences for the venue	Legitimate interest
Dietary & allergy data	Ensure the venue can safely cater for each guest	Explicit consent (provided voluntarily by the guest)
Messages	Enable private communication between the couple and guests	Legitimate interest
Payment data (via Stripe)	Process the one-off payment for the hub	Contract
IP address	Rate limiting to prevent brute-force login attempts	Legitimate interest (security)

4. Who we share data with

We share your data only with the following third-party processors, solely for the purposes described:

Provider	Purpose	Data shared	Location
Stripe	Payment processing	Email, payment amount (card details go directly to Stripe — we never see them)	US (EU-US Data Privacy Framework)
Resend	Transactional email delivery	Recipient email, email content (invitations, PIN resets, announcements)	US (standard contractual clauses)
Let's Encrypt	SSL certificates	Domain names only (no personal data)	US

We do not sell, rent, or trade your personal data to anyone. Ever.

The couple and their venue: The couple (our customer) can export guest data (names, RSVPs, menu choices, dietary requirements) as a PDF or CSV to share with their wedding venue or caterer. This is the couple's decision — we facilitate it but don't control how they share the export.

5. How long we keep data

• Wedding hub data (all guest and couple data): retained for the lifetime of the hub, which is from signup until 6 months after the wedding date. After that, the hub is archived and data is deleted.
• Payment records: retained by Stripe per their own retention policy. We store only the Stripe session ID and payment amount in our registry for our records.
• Email logs: delivery logs (to/subject/timestamp — not email content) retained for 12 months for debugging, then deleted.
• Rate limiting data: IP-based login attempt counters auto-expire after 15 minutes.

You can request early deletion at any time — see Section 6.

6. Your rights

Under UK GDPR, you have the following rights:

• Right of access — request a copy of all personal data we hold about you
• Right to rectification — ask us to correct inaccurate data
• Right to erasure ("right to be forgotten") — ask us to delete your data
• Right to restrict processing — ask us to stop using your data in certain ways
• Right to data portability — receive your data in a structured, machine-readable format (we provide CSV exports)
• Right to object — object to processing based on legitimate interest
• Right to withdraw consent — for special category data (dietary/allergy info), you can withdraw consent at any time by clearing the field in your RSVP

To exercise any of these rights, email hello@ourbigwedding.day. We will respond within 30 days.

For guests: if you'd like your data removed from a specific wedding hub, you can either ask the couple directly (they can delete your party from their admin) or email us and we'll handle it.

If you're unhappy with how we've handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

7. Cookies

We use only essential cookies required for the site to function. We do not use analytics, advertising, or tracking cookies.

Cookie	Purpose	Duration
PHPSESSID	Admin login session	Browser session (deleted when you close the browser)
wd_guest_session	Guest login (remembers you so you don't need to re-enter your PIN)	1 year

Because these cookies are strictly necessary for the service to work, we do not require your consent under the UK Privacy and Electronic Communications Regulations (PECR). No cookie banner is needed.

8. Security

We take the security of your data seriously:

• All data is transmitted over HTTPS with per-tenant SSL certificates
• Passwords and PINs are hashed using bcrypt — we cannot read them
• Guest session cookies are HMAC-signed with a per-tenant secret and set with HttpOnly, Secure, and SameSite attributes
• Login attempts are rate limited (5 attempts per 15 minutes) to prevent brute-force attacks
• All data files are blocked from direct HTTP access via nginx rules
• Password reset tokens are hashed before storage and expire after 30 minutes
• CSRF protection is applied to all state-changing actions
• Sensitive files (API keys, session secrets) are stored with restrictive file permissions

9. Children's data

Wedding hubs may include children as guests (marked as "child" or "infant" by the couple). This data is minimal (name and age category only) and is collected on behalf of the couple for catering purposes. We do not knowingly collect data directly from children under 13.

10. International transfers

Your data is stored on a server in the United Kingdom (hosted with a UK-based VPS provider). Email delivery (via Resend) and payment processing (via Stripe) involve transfers to the United States, covered by Standard Contractual Clauses and/or the EU-US Data Privacy Framework.

11. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top will change. For significant changes, we'll notify active customers by email.

12. Contact

For any privacy-related questions or requests:
Email: hello@ourbigwedding.day
Operated by: Lee James Apps, United Kingdom