Data controller
The data controller is Nozze.io, based in Italy. For any data-subject request you can reach us at privacy@nozze.io.
Data we process
For the couple owning the account: email, first and last name, hashed password, phone number if provided, wedding data (slug, couple name, date, location, uploaded content). For guests added by the couple: name, email, phone number, allergies and dietary preferences, RSVP. We never process card data directly: the full payment flow happens on Stripe Checkout and we only receive transaction metadata. For inbound WhatsApp messages, Twilio forwards us the sender phone number, the message body and any attachments.
Purposes and legal bases (GDPR arts. 6 and 9)
Performance of the contract (art. 6(1)(b) GDPR) to provide the service, manage the subscription, send transactional emails and route inbound WhatsApp messages. Explicit consent (art. 9(2)(a) GDPR) for allergies and dietary needs, which are special categories: collected only when the couple or guest voluntarily provides them. Legal obligation (art. 6(1)(c) GDPR) for tax-document retention. Legitimate interest (art. 6(1)(f) GDPR) for the strictly necessary security and anti-fraud logs.
Recipients and processors
To provide the service we share strictly necessary data with the following processors, bound by art. 28 GDPR contracts: Hetzner Online GmbH (Germany) for application hosting, PostgreSQL database and Object Storage for uploaded images; Brevo / Sendinblue SAS (France) for transactional email and guest invitations sent through the mail.nozze.io domain; Twilio Inc. (United States, under Standard Contractual Clauses) to receive WhatsApp messages sent to the service number; Stripe Payments Europe Ltd. (Ireland) and Stripe Inc. (United States, under SCC and DPF) for payment processing, as Merchant of Record.
Transfers outside the EU
Database, uploaded files and backups live in EU data centers (Hetzner, Germany). US-based services (Stripe Inc., Twilio Inc.) only receive the data needed for their function and operate under Standard Contractual Clauses approved by the European Commission (and, for Stripe, under EU-US Data Privacy Framework certification).
Retention period
Account data is retained for the duration of the contract and deleted on request or within 30 days of service termination, subject to tax obligations (invoices issued by Stripe as MoR are retained for 10 years under art. 2220 of the Italian Civil Code). Guest data is deleted together with its parent wedding or when the couple removes it. Security logs are kept for a maximum of 12 months.
Your rights
You can exercise the rights under GDPR arts. 15-22 at any time: access, rectification, erasure, restriction, portability and objection. From the "Account" area you can export your data and delete your account in self-service. For any other request write to privacy@nozze.io; we respond within 30 days.
Complaint to the supervisory authority
You always have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, https://www.garanteprivacy.it) under art. 77 GDPR.