Privacy Policy

Last updated:

Data controller

The data controller is Biagio Distefano, a self-employed sole-trader based in Austria, operating the Nozze.io service. For any data-subject request you can reach us at [email protected].

Data we process

For the couple owning the account: email, first and last name, hashed password, phone number if provided, wedding data (slug, couple name, date, location, uploaded content). For guests added by the couple: name, email, phone number, allergies and dietary preferences, RSVP. We never process card data directly: the full payment flow happens on Stripe Checkout and we only receive transaction metadata. For inbound WhatsApp messages, Twilio forwards us the sender phone number, the message body and any attachments.

Purposes and legal bases (GDPR arts. 6 and 9)

Performance of the contract (art. 6(1)(b) GDPR) to provide the service, manage the subscription, send transactional emails and route inbound WhatsApp messages. Explicit consent (art. 9(2)(a) GDPR) for allergies and dietary needs, which are special categories: collected only when the couple or guest voluntarily provides them. Legal obligation (art. 6(1)(c) GDPR) for tax-document retention. Legitimate interest (art. 6(1)(f) GDPR) for the strictly necessary security and anti-fraud logs.

Recipients and processors

To provide the service we share strictly necessary data with the following processors, bound by art. 28 GDPR contracts: Hetzner Online GmbH (Germany) for service hosting and storage of data and uploaded files; Brevo SAS (France) for transactional email and guest invitations sent through the mail.nozze.io domain; Fastmail Pty Ltd (Australia, under Standard Contractual Clauses) for the service mailboxes (e.g. support@, privacy@) we use to reply to your requests; Twilio Inc. (United States, under Standard Contractual Clauses) to receive WhatsApp messages sent to the service number; Stripe Payments Europe Ltd. (Ireland) and Stripe Inc. (United States, under SCC and DPF) for payment processing, as Merchant of Record.

Transfers outside the EU

Your data and uploaded files live in EU data centers (Hetzner, Germany). Non-EU services (Stripe Inc. and Twilio Inc. in the United States, Fastmail Pty Ltd in Australia) only receive the data needed for their function and operate under Standard Contractual Clauses approved by the European Commission (and, for Stripe, under EU-US Data Privacy Framework certification).

Retention period

Account data is retained for the duration of the contract and deleted on request or within 30 days of service termination, subject to tax obligations (invoices issued by Stripe as MoR are retained for 10 years under art. 2220 of the Italian Civil Code). Guest data is deleted together with its parent wedding or when the couple removes it. Security logs are kept for a maximum of 12 months.

Your rights

You can exercise the rights under GDPR arts. 15-22 at any time: access, rectification, erasure, restriction, portability and objection. From the "Account" area you can export your data and delete your account yourself, without contacting us. For any other request write to [email protected]; we respond within 30 days.

Complaint to the supervisory authority

Under art. 77 GDPR you may lodge a complaint with the supervisory authority of the Member State of your residence, place of work, or where you believe the breach occurred. In Italy: Garante per la protezione dei dati personali (https://www.garanteprivacy.it). In Austria, where the controller is established, the competent authority is the Datenschutzbehörde (https://www.dsb.gv.at).