Curated venues · Bespoke experiences · Timeless memories
Legal · Privacy
This Privacy Policy explains what personal data Brides Venues collects, why we collect it, how we use it, who we share it with, how long we keep it, and the rights you have over it. We write this in plain English wherever we can, and we follow the disclosure standards required by the GDPR (EU), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA), and Indonesia’s Personal Data Protection Law (UU 27/2022).
Applicable jurisdictions
United States · European Economic Area (GDPR) · United Kingdom · Indonesia (UU PDP)
Brides Venues Pte. Ltd. (“Brides Venues”, “we”) is the data controller for personal data processed through the platform. Our registered office is at [REGISTERED ADDRESS — to be inserted by counsel].
For data subjects in the European Economic Area and the United Kingdom, our representative under Article 27 GDPR / UK GDPR is [EU/UK representative to be appointed]. For data subjects in Indonesia, our Data Protection Officer is [DPO name — to be appointed] and can be reached at privacy@bridesvenues.com.
| Purpose | Lawful basis (GDPR Art 6) |
|---|---|
| Creating and operating your account | Performance of a contract (Art 6(1)(b)) |
| Facilitating inquiries, bookings, and payments | Performance of a contract (Art 6(1)(b)) |
| Sending transactional emails (booking confirmations, payment receipts, dispute notices) | Performance of a contract (Art 6(1)(b)) / legitimate interest (Art 6(1)(f)) |
| Sending marketing emails about new venues, editorial features, and special offers | Consent (Art 6(1)(a)) — opt-in only, with easy unsubscribe |
| Fraud prevention, security monitoring, audit logging | Legitimate interest (Art 6(1)(f)) |
| Compliance with tax, anti-money-laundering, accounting obligations | Legal obligation (Art 6(1)(c)) |
| Analytics on aggregated, de-identified usage | Legitimate interest (Art 6(1)(f)) — opt-out via cookie settings |
We do not knowingly process special-category data (health, religion, sexual orientation, etc.) unless you voluntarily provide it (for example dietary restrictions you choose to share with a caterer). In that case we rely on your explicit consent under Article 9(2)(a) GDPR.
When you send an inquiry or confirm a booking, the venue (and any vendors you have selected) receives your name, contact details, wedding date, guest count, and the message you sent. They become independent controllers of that data for the purposes of fulfilling your booking.
We work with carefully selected processors under written data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Neon Database | Primary database hosting | EU / US (region-locked) |
| Vercel | Application hosting, CDN | Global edge |
| Resend | Transactional email delivery | US |
| Stripe | Card payments, subscriptions | Global |
| Xendit | South-East Asia payments | Singapore / Indonesia |
| Sentry | Error monitoring, performance | US |
| Cloudflare / S3-compatible | Image storage and delivery | Global |
We may disclose personal data when required by law, regulation, court order, or to enforce our Terms of Service.
We do not sell personal data within the meaning of the CCPA, the UU PDP, or any equivalent regime. We do not share it for advertising targeting outside the platform.
We are headquartered in Singapore and use processors in the EEA, United Kingdom, United States, and Indonesia. When we transfer personal data outside the EEA / UK, we rely on:
A copy of the SCCs is available on request from privacy@bridesvenues.com.
| Category | Retention |
|---|---|
| Account profile | For as long as the account is active. Deleted within 30 days of account closure unless we are required to keep it for legal reasons. |
| Booking and payment records | Seven (7) years after the wedding date, for tax and anti-money-laundering reasons. |
| Messages | Three (3) years after the related booking concludes. |
| Marketing consent and preferences | Until you withdraw consent, plus 90 days for audit. |
| Server logs (IP, user-agent) | Thirty (30) days, then aggregated for analytics. |
You have the following rights over your personal data:
To exercise any of these rights, email privacy@bridesvenues.com or use the Privacy controls in your account. We respond within thirty (30) days. We will verify your identity before completing your request.
The platform is not directed at children under sixteen (16). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
We use industry-standard safeguards: TLS 1.2+ in transit, AES-256 at rest, hashed passwords (Argon2 / bcrypt), role-based access control, audit logging, dependency scanning, and prompt patching of known vulnerabilities. No system is impregnable; if you suspect a breach of your account, email security@bridesvenues.com immediately.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, in accordance with Article 33 GDPR.
We may update this Policy as the platform evolves. Material changes will be notified by email or an in-app notice at least thirty (30) days before they take effect. The current version, version history, and effective date are always available at /privacy.
Privacy questions, rights requests, and complaints can be sent to privacy@bridesvenues.com. Security disclosures should go to security@bridesvenues.com.