- We only collect information you give us, or that is generated by your use of the app.
- We never sell your personal data to third parties, and we do not use it for advertising.
- Your guest list, budget, and wedding details are used only to provide the service to you.
- We use a small number of trusted third-party services — for payments, email, and file storage — all listed below.
- You can export or delete your data at any time from your account settings.
1. Overview
Data Mobile Cloud ("Our Vow Story", "we", "us", or "our") operates the website at ourvowstory.com and the wedding planning application at app.ourvowstory.com (together, the "Service").
Data Mobile Cloud is the data controller for personal data processed in connection with the Service.
This Privacy Policy explains what personal data we collect, how we use it, the legal basis for each use, who we share it with, and what rights you have over it. It applies to all users of the Service, including couples, collaborators (such as wedding party members and family), and guests who respond to RSVPs. It covers users based in the United Kingdom, the European Economic Area (EEA), and internationally.
By using our Service, you acknowledge you have read this policy. If you do not agree, please do not use the Service.
2. Data we collect
Account information
- Name and email address when you register an account
- Password (stored as a secure one-way hash — we cannot read it)
- Optional two-factor authentication settings
Wedding planning data
- Wedding date, venue, and event details you enter
- Guest names, email addresses, phone numbers, RSVP responses, and dietary requirements you record
- Budget entries, supplier names, contract values, and payment records
- Seating arrangements and table plans
- Tasks, timeline events, and appointments
- Files you upload (e.g. supplier contracts, documents)
Billing information
- When you subscribe to a paid plan, payment is processed by Stripe or PayPal. We do not store your full card number or bank details — only a billing reference and subscription status provided by the payment processor.
Usage and technical data
- IP address, browser type, and device type when you access the Service
- Pages visited and features used within the app, collected via Cloudflare Web Analytics (see Third-party Services)
- Session data stored in a secure, encrypted cookie for up to 30 days
Communications
- Email address when you contact us for support or sign up for updates
- Content of messages you send to our support team
3. How we use your data
We use the data we collect for the following purposes. For each, we identify the legal basis under UK GDPR Article 6:
- To provide the Service — storing and displaying your wedding planning data, sending RSVP emails to your guests, generating seating plans, and producing exports such as PDFs. Legal basis: performance of a contract (Article 6(1)(b)).
- To manage your account — authenticating your identity, maintaining your session, and enabling collaboration with people you invite. Legal basis: performance of a contract (Article 6(1)(b)).
- To process payments — creating and managing your subscription through Stripe or PayPal, sending payment reminders, and managing billing events. Legal basis: performance of a contract (Article 6(1)(b)).
- To send transactional emails — RSVP invitations to your guests, appointment reminders, task reminders, payment due notices, email verification, and team invitations. These are service emails, not marketing. Legal basis: performance of a contract (Article 6(1)(b)).
- To improve the Service — analysing aggregated, anonymised usage data to understand how features are used and where we can make improvements. Legal basis: legitimate interests (Article 6(1)(f)) — our interest in improving and developing the Service, balanced against minimal impact on users given the data is anonymised.
- To ensure security — detecting and preventing fraud, abuse, and unauthorised access; enforcing rate limits. Legal basis: legitimate interests (Article 6(1)(f)) — our interest and users' interest in keeping the Service secure.
- To comply with legal obligations — retaining billing records as required by law, and responding to lawful requests from authorities. Legal basis: legal obligation (Article 6(1)(c)).
We do not use your data for advertising, and we do not sell, rent, or trade your personal data with third parties for their own commercial purposes.
Automated decision-making: We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.
4. Third-party services
We use a small number of carefully selected third-party services to operate the Service. Each is listed below with details of what data they receive and why.
5. International data transfers
Our Vow Story is based in the United Kingdom. Some of the third-party services we use are headquartered in the United States and may process your personal data outside the UK and EEA. Where this occurs, we ensure appropriate safeguards are in place as required by UK GDPR Chapter V.
The following third-party services may transfer or process data outside the UK:
- Stripe (USA) — transfers are covered by Stripe's binding corporate rules and Standard Contractual Clauses (SCCs) approved by the ICO.
- PayPal (USA) — transfers are covered by PayPal's Standard Contractual Clauses and its participation in approved transfer mechanisms.
- Resend (USA) — transfers are covered by Standard Contractual Clauses.
- Inngest (USA) — event payloads are processed on Inngest's infrastructure under Standard Contractual Clauses.
- Railway — application infrastructure is hosted on Railway. Please refer to Railway's privacy policy for details of their data locations and transfer mechanisms.
Standard Contractual Clauses (SCCs) are legally binding contracts approved by the ICO that require the recipient of personal data to protect it to the same standard as required under UK law. You can request a copy of the relevant SCCs by contacting us at privacy@ourvowstory.com.
6. Cookies & tracking
We use a minimal number of cookies, all of which are necessary to operate the Service:
- Session cookie — set when you sign in, used to keep you authenticated for up to 30 days. This cookie is HTTP-only, meaning it cannot be read by JavaScript, and secure, meaning it is only sent over encrypted HTTPS connections.
- CSRF token — a short-lived cookie used to prevent cross-site request forgery attacks on form submissions.
We do not use any advertising cookies, third-party tracking pixels, or behavioural profiling cookies. Cloudflare Web Analytics, which we use for page-level analytics, operates without cookies and without tracking individual users.
You can configure your browser to block or delete cookies; however, blocking our session cookie will prevent you from signing in.
7. Data storage & security
Your data is stored in a PostgreSQL database hosted within the European Union. Uploaded files are stored in encrypted object storage. All data is transmitted over HTTPS/TLS.
We implement industry-standard security practices including:
- Passwords hashed using bcrypt — we cannot recover or read your password
- Encrypted HTTPS connections for all traffic
- Optional two-factor authentication (TOTP) for your account
- Role-based access controls for team collaboration — collaborators only see data appropriate to their role
- Rate limiting on sensitive endpoints (sign-in, RSVP, email sending) to prevent abuse
While we take security seriously, no system is completely infallible. In the unlikely event of a data breach that affects your personal data, we will notify you and relevant authorities as required by applicable law.
8. Data retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
- Active accounts — your wedding data is retained for the lifetime of your account and for a reasonable period thereafter, to allow you to access memories and archives after your wedding date.
- Deleted accounts — when you delete your account, your personal data and wedding information are permanently purged from our systems within 30 days, subject to any legal retention obligations.
- Billing records — transaction records may be retained for up to 7 years to comply with financial and tax obligations, even after account deletion.
- Guest data — names and contact details of guests you enter are retained only for the duration of your account and deleted with it.
You can request deletion of your account and data at any time from your account settings, or by contacting us at the address below.
9. Your rights
Under UK and EU data protection law (UK GDPR / GDPR), you have the following rights regarding your personal data:
- Request a copy of all personal data we hold about you.
- Ask us to correct inaccurate or incomplete personal data.
- Request deletion of your personal data ("right to be forgotten").
- Ask us to pause processing of your data in certain circumstances.
- Receive your data in a machine-readable format to transfer elsewhere.
- Object to our processing of your data in certain circumstances, including processing based on legitimate interests.
Where we rely on consent as a legal basis, you may withdraw it at any time without affecting the lawfulness of prior processing.
You can exercise most of these rights directly from your account settings, including data export and account deletion. For other requests, please contact us at privacy@ourvowstory.com. We will respond within one calendar month as required by UK GDPR. There is no charge for making a request.
If you are based in the UK, you also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. If you are based in the EEA, you may also contact your local supervisory authority.
10. Children's privacy
Our Vow Story is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and by posting the updated policy on this page with a new effective date.
Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy. We encourage you to review this page periodically.
12. Contact us
If you have any questions about this Privacy Policy, wish to exercise your rights, or have a concern about how we handle your data, please contact our data controller:
Email: privacy@ourvowstory.com
Address: Unit A, 82 James Carter Road, Mildenhall, IP28 7DE
Website: dmc-central.com