Closed Beta. Request early access to be one of the first to try Weddinguru!
Legal

GDPR
Compliance

How we protect your data rights under UK GDPR

Last updated: 1 January 2024

GDPR Compliant

Full UK GDPR compliance

Our Commitment to Data Protection

At Weddinguru, we take data protection seriously. We are fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This page outlines how we comply with data protection laws and explains your rights as a data subject.

1. Data Controller Information

Weddinguru Ltd is the data controller for the personal data we process. Our contact details are:

  • Company: Weddinguru Ltd
  • Address: 123 Wedding Lane, London, UK
  • Email: privacy@weddinguru.co.uk
  • ICO Registration Number: ZA123456

2. Your Data Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right of Access

You have the right to request a copy of the personal data we hold about you. We will provide this information within 30 days of receiving your request.

Right to Rectification

If any of the personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct it.

Right to Erasure (Right to be Forgotten)

You can request that we delete your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected.

Right to Restrict Processing

You can request that we limit how we process your personal data while we verify its accuracy or consider your objection to processing.

Right to Data Portability

You can request to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transferred to another controller.

Right to Object

You can object to the processing of your personal data in certain circumstances, including processing for direct marketing purposes.

Rights Related to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.

3. Lawful Bases for Processing

We process personal data under the following lawful bases:

  • Contract: Processing necessary to perform our contract with you
  • Legitimate Interests: Processing necessary for our legitimate business interests
  • Consent: Where you have given clear consent for marketing communications
  • Legal Obligation: Processing necessary to comply with our legal obligations

4. Data Security Measures

We implement appropriate technical and organisational measures to protect your data:

  • All data is encrypted in transit using TLS 1.3
  • Data at rest is encrypted using AES-256
  • Two-factor authentication is available for all accounts
  • Regular security audits and penetration testing
  • Access controls based on the principle of least privilege
  • Regular staff training on data protection
  • Data stored in UK data centres

5. Data Processing Agreements

When we use third-party processors to handle your data, we ensure they are GDPR compliant and have appropriate data processing agreements in place. Our key sub-processors include:

  • Amazon Web Services (hosting) - UK/EU data centres
  • Stripe (payment processing) - UK GDPR compliant
  • SendGrid (email delivery) - UK GDPR compliant

6. Data Breach Procedures

In the event of a personal data breach, we have procedures in place to:

  • Detect and identify breaches promptly
  • Notify the ICO within 72 hours where required
  • Notify affected individuals without undue delay where required
  • Document all breaches and remedial actions

7. International Data Transfers

We primarily store and process data within the UK and EU. Where we transfer data outside these regions, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected. Our standard retention periods are:

  • Active account data: retained while account is active
  • Deleted account data: 30 days after deletion request
  • Invoice and financial records: 7 years (legal requirement)
  • Marketing consent records: 3 years after last interaction

Exercise Your Rights

To exercise any of your data protection rights, please contact our Data Protection Officer:

  • Email: dpo@weddinguru.co.uk
  • Post: Data Protection Officer, Weddinguru Ltd, 123 Wedding Lane, London, UK

We will respond to your request within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.