Curated venues · Bespoke experiences · Timeless memories
Legal · Privacy
This Privacy Policy explains what personal data Brides Venues collects, why we collect it, how we use it, who we share it with, how long we keep it, and the rights you have over it. We write this in plain English wherever we can, and we follow the disclosure standards required by Indonesia’s Personal Data Protection Law (UU 27/2022) and — for couples they apply to — the GDPR (EU), the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA).
Data-protection standards
Indonesia (UU PDP) · EEA (GDPR) · United Kingdom (UK GDPR) · California (CCPA)
Our governing law is Indonesia (UU PDP). We apply these international standards where they apply to you — we are not established or registered in those regions.
Brides Venues (“Brides Venues”, “we”) is the data controller for personal data processed through the platform. We are a wedding concierge based in Bali, Indonesia.
For any privacy question, rights request, or complaint, contact us at hello@bridesvenues.com — this is our single, monitored contact address.
| Purpose | Lawful basis (GDPR Art 6) |
|---|---|
| Creating and operating your account | Performance of a contract (Art 6(1)(b)) |
| Facilitating inquiries, bookings, and payments | Performance of a contract (Art 6(1)(b)) |
| Sending transactional emails (booking confirmations, payment receipts, dispute notices) | Performance of a contract (Art 6(1)(b)) / legitimate interest (Art 6(1)(f)) |
| Sending marketing emails about new venues, editorial features, and special offers | Consent (Art 6(1)(a)) — opt-in only, with easy unsubscribe |
| Fraud prevention, security monitoring, audit logging | Legitimate interest (Art 6(1)(f)) |
| Compliance with tax, anti-money-laundering, accounting obligations | Legal obligation (Art 6(1)(c)) |
| Analytics on aggregated, de-identified usage | Legitimate interest (Art 6(1)(f)) — opt-out via cookie settings |
We do not knowingly process special-category data (health, religion, sexual orientation, etc.) unless you voluntarily provide it (for example dietary restrictions you choose to share with a caterer). In that case we rely on your explicit consent under Article 9(2)(a) GDPR.
When you send an inquiry or confirm a booking, the venue (and any vendors you have selected) receives your name, contact details, wedding date, guest count, and the message you sent. They become independent controllers of that data for the purposes of fulfilling your booking.
We work with carefully selected processors under written data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Neon Database | Primary database hosting | EU / US (region-locked) |
| Vercel | Application hosting, CDN | Global edge |
| Resend | Transactional email delivery | US |
| Stripe | Card payments, subscriptions | Global |
| Xendit | South-East Asia payments | Singapore / Indonesia |
| Sentry | Error monitoring, performance | US |
| Cloudflare / S3-compatible | Image storage and delivery | Global |
We may disclose personal data when required by law, regulation, court order, or to enforce our Terms of Service.
We do not sell personal data within the meaning of the CCPA, the UU PDP, or any equivalent regime. We do not share it for advertising targeting outside the platform.
We are based in Bali, Indonesia and use the processors listed above, which operate in Indonesia, the EEA, the United Kingdom, and the United States. When we transfer personal data across borders, we rely on:
A copy of the SCCs is available on request from hello@bridesvenues.com.
| Category | Retention |
|---|---|
| Account profile | For as long as the account is active. Deleted within 30 days of account closure unless we are required to keep it for legal reasons. |
| Booking and payment records | Seven (7) years after the wedding date, for tax and anti-money-laundering reasons. |
| Messages | Three (3) years after the related booking concludes. |
| Marketing consent and preferences | Until you withdraw consent, plus 90 days for audit. |
| Server logs (IP, user-agent) | Thirty (30) days, then aggregated for analytics. |
You have the following rights over your personal data:
To exercise any of these rights, email hello@bridesvenues.com or use the Privacy controls in your account. We respond within thirty (30) days. We will verify your identity before completing your request.
The platform is not directed at children under sixteen (16). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
We use industry-standard safeguards: TLS 1.2+ in transit, AES-256 at rest, hashed passwords (Argon2 / bcrypt), role-based access control, audit logging, dependency scanning, and prompt patching of known vulnerabilities. No system is impregnable; if you suspect a breach of your account, email hello@bridesvenues.com immediately.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, in accordance with Article 33 GDPR.
We may update this Policy as the platform evolves. Material changes will be notified by email or an in-app notice at least thirty (30) days before they take effect. The current version, version history, and effective date are always available at /privacy.
Privacy questions, rights requests, and complaints can be sent to hello@bridesvenues.com. Security disclosures should go to hello@bridesvenues.com.