Privacy Policy

1. Data Controller

The controller responsible for processing your personal data within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws is:

CreaCrate Productions e.U.
Lotte-Hass-Weg 2/11
1220 Vienna
Austria
Email (for data protection inquiries): privacy@thebigdaypage.com
Further company details are available in the Impressum.

2. General Information on Data Processing

This privacy policy applies to the use of our website and the web application known as "TheBigDayPage" (hereinafter referred to as "the service").

The provision of personal data is generally voluntary. However, some data is required for the functionality of our services. For example, user accounts, photo uploads, subscriptions, and payment processing via third-party providers (such as Stripe) require certain personal information to function properly.

If you do not provide the requested data, you may not be able to use specific features, such as accessing your personal wedding page, subscribing to paid photo gallery plans, or submitting contact forms.

This policy outlines the types of personal data we collect, the purposes and legal bases for processing this data, and your rights as a data subject.

3. Personal Data We Collect & Purposes of Processing

When visiting the website

Data collected: IP address, browser type, access time
Purpose: Technical functionality, IT security (e.g., protection against attacks), and usage analytics
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest)
Storage period: Up to 30 days (data processed by Vercel and Appwrite infrastructure located in the EU)

Vercel Web Analytics

We use Vercel Web Analytics to measure page views, routes, and aggregated usage patterns. This analytics setup does not use cookies and processes anonymous, aggregated data only. No personal identifiers or full IP addresses are stored for analytics, and session data is not retained beyond 24 hours. Data points may include page/route, referrer, device/browser type and version, network type, and country (ISO code). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure, performant service and audience measurement without tracking). Provider: Vercel Inc. (EU processing with safeguards). Where transfers outside the EU occur, they are protected by Standard Contractual Clauses (Art. 46 GDPR). You can learn more in Vercel's privacy notices.

PostHog Product Analytics

We use PostHog to understand how users interact with the application (e.g., which template is selected, when wedding settings are saved, when media is uploaded, when a subscription plan is upgraded). PostHog is configured with in-memory persistence only — no cookies or localStorage are used, meaning no personal identifiers are stored between sessions. Data is processed exclusively on PostHog EU Cloud infrastructure (eu.i.posthog.com), ensuring all data remains within the European Union. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in understanding product usage without personal profiling). Provider: PostHog Inc. (EU Cloud). You can learn more in PostHog's privacy policy.

Bot Detection (BotID)

We use bot detection technology (BotID) on certain endpoints to prevent automated abuse and fraud (e.g., newsletter sign-ups, payment initiation, media uploads, and email sending). This technology analyses device and browser environment signals — such as browser behaviour and JavaScript execution characteristics — to distinguish human visitors from automated bots. No personal profiles are created and the data is not used for advertising or tracking purposes. Processing is performed entirely within your browser; no fingerprint data is transmitted to third parties. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting our services from automated abuse and fraud).

When creating an account or using the app

Data collected: Email address, password (hashed), and wedding-related information such as couple’s names, wedding date, location, and personal messages
Purpose: Creating and managing user accounts, providing access to personal wedding pages, storing and displaying uploaded content
Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract)

When using paid features (via Stripe)

Data collected: Email address, payment method, billing details, IP address
Purpose: Payment processing
Processor: Stripe Payments Europe Ltd.
Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract)

When contacting us (e.g., via contact form)

Data collected: Email address, optionally name and message contents
Purpose: Responding to inquiries
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in responding to inquiries)

Email communication

Sending emails

Service provider: Resend (servers located in Ireland)
Purpose: Delivering transactional system emails such as registration confirmations or subscription reminders
Legal basis: Art. 6 (1) lit. b and f GDPR (performance of a contract and legitimate interest)

Receiving emails

Service provider: Zoho Mail
Purpose: Receiving and handling incoming support inquiries
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in responding to inquiries)
Note: Data may be processed in third countries (e.g., India, USA), safeguarded by EU Standard Contractual Clauses (Art. 46 GDPR)

Marketing and Reminder Emails

Purpose: From time to time, we may send emails with helpful reminders (e.g., post-wedding memory preservation tips), upgrade offers, or other promotional messages tailored to your account status (e.g., after your wedding date or after several months of free usage).
Legal basis: Art. 6 (1) lit. a GDPR (consent)
Note: These emails are only sent if you have explicitly opted in during registration. You can unsubscribe at any time via the link in the email or by contacting us at privacy@thebigdaypage.com.

Newsletter subscription

If you subscribe to our newsletter via our website (e.g., on the coming soon or landing page), we collect and process the following personal data:

Data collected: Email address, IP address at the time of registration, date and time of registration and confirmation (double-opt-in)
Purpose: To send you periodic updates, announcements, and marketing communications related to TheBigDayPage
Service provider: Resend (servers located in Ireland)
Legal basis: Art. 6 (1) lit. a GDPR (consent)
Note: You may withdraw your consent at any time by clicking the unsubscribe link included in every newsletter or by contacting us at privacy@thebigdaypage.com

4. Legal Basis Summary

The following list summarizes the legal bases for different processing purposes:

  • Account creation & login: Art. 6 (1) lit. b GDPR (contract)
  • Website operation & security: Art. 6 (1) lit. f GDPR (legitimate interest)
  • Payment processing via Stripe: Art. 6 (1) lit. b GDPR (contract)
  • Support/contact requests: Art. 6 (1) lit. f GDPR (legitimate interest in responding to inquiries)
  • Hosting of wedding pages & galleries: Art. 6 (1) lit. b GDPR (contract)
  • Session/misuse protection: Art. 6 (1) lit. f GDPR (legitimate interest)

Email Scenarios & Legal Grounds

  1. Registration: Account creation and confirmation – Art. 6 (1) lit. b GDPR
  2. Password reset: Reset links – Art. 6 (1) lit. b GDPR
  3. Subscription confirmation: Welcome email, Stripe confirmation – Art. 6 (1) lit. b GDPR
  4. Payment reminders / failed payments: Notifications about subscription issues – Art. 6 (1) lit. b GDPR (performance of a contract)
  5. Support replies: Replies to contact forms or emails – Art. 6 (1) lit. f GDPR (legitimate interest in responding to inquiries)
  6. Functional updates (non-promotional): Feature information to active users – Art. 6 (1) lit. f GDPR
  7. Promotional newsletters or campaigns: Only with explicit consent – Art. 6 (1) lit. a GDPR

5. Data Recipients

  • Hosting: Vercel Inc. (USA) – safeguarded by EU Standard Contractual Clauses (SCC)
  • Backend infrastructure: Appwrite Ltd. (Frankfurt, Germany) – acting as a data processor under Art. 28 GDPR
  • Media storage and delivery: Amazon Web Services (AWS S3) – used to store and serve uploaded media files; processing location depends on configured AWS region and may involve third-country transfers under appropriate safeguards.
  • Payment processing: Stripe Payments Europe Ltd.
  • Email/Newsletter sending: Resend Inc. (Ireland) – acting as processor under Art. 28 GDPR; data may be transferred under SCC if sub-processors are located outside the EU.
  • Email reception: Zoho Corporation – Data transfer to third countries (e.g., India, USA) based on SCC (Art. 46 GDPR)
  • Rate limiting and abuse prevention: Upstash, Inc. (Redis infrastructure) – used for request throttling and misuse prevention; technical request metadata (including IP-based and user-based rate limit identifiers) may be processed.
  • Product analytics: PostHog Inc. (EU Cloud, eu.i.posthog.com) – in-memory only, no cross-session identifiers

6. Data Transfers to Third Countries

Where personal data is transferred to countries outside the EEA, we rely on appropriate safeguards under Art. 46 GDPR, in particular the European Commission’s Standard Contractual Clauses (SCCs), unless an adequacy decision applies. We also implement transfer impact assessments and supplementary safeguards where required.

Relevant service providers may include:

  • Stripe (payment processing)
  • Vercel (hosting and analytics)
  • Amazon Web Services (media storage and delivery)
  • Upstash (rate limiting and abuse prevention)
  • Zoho (email services)

7. Data Retention Periods

  • User account data: Retained for the duration of the active account. After deletion, some personal data (e.g. email address, payment history) may be retained for up to 12 months to comply with legal obligations or provide limited post-deletion support.
  • Payment data: 7 years (for tax compliance)
  • Uploaded photos & videos: Retained while your account is active. If a paid subscription ends through non-renewal or cancellation at period end, media is typically scheduled for deletion after an additional grace period of approximately 6 months (183 days) after entitlement ends. In entitlement-revocation cases such as a full refund or a lost payment dispute, media is typically scheduled for deletion after 30 days from the revocation event. If a free plan expires, media is typically scheduled for deletion after an additional grace period of approximately 6 months. Deletion is performed by scheduled background jobs; once processed, media is permanently removed.
  • Server logs (IP addresses): Up to 30 days
  • Support inquiries: Up to 6 months after resolution
  • Newsletter subscriptions (email address, consent logs): Stored until you withdraw your consent or unsubscribe from the newsletter. After unsubscription, data may be retained for up to 6 months solely to document lawful consent withdrawal.

8. Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): You have the right to know whether we process personal data about you and, if so, to receive a copy of that data along with additional information.
  • Right to rectification (Art. 16 GDPR): You have the right to request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17 GDPR): You may request that we delete your personal data if certain grounds are met.
  • Right to restriction of processing (Art. 18 GDPR): You may request that we limit the processing of your data in specific circumstances.
  • Right to data portability (Art. 20 GDPR): You have the right to obtain your personal data in a structured, commonly used format and transfer it to another controller.
  • Right to object (Art. 21 GDPR): You can object to the processing of your data based on our legitimate interests or for direct marketing purposes.
  • Right to withdraw consent (Art. 7(3) GDPR): If processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to lodge a complaint: If you believe your data protection rights have been violated, you can lodge a complaint with your local data protection authority. For Austria, this is the Datenschutzbehörde (DSB).

You may withdraw your consent at any time by contacting us at privacy@thebigdaypage.com.

We will respond to your request without undue delay and in any event within one month, in accordance with Art. 12 GDPR.

We do not carry out solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR.

9. Cookies & Similar Technologies

We use cookies and similar browser storage technologies only where technically necessary for the operation of the service. This includes session cookies used for authentication (via Appwrite), payment session cookies (via Stripe), and session storage used during newsletter confirmation and resend flows. Authentication is managed via a secure, HTTP-only Appwrite session cookie; no authentication tokens are written to localStorage — any tokens held in memory are cleared when the session ends.

These cookies and storage entries are used exclusively to provide core security and account functions and are not used for advertising purposes. They do not require consent under GDPR/ePrivacy where they are strictly necessary to provide the requested service. Accordingly, we do not use a cookie consent banner.

For detailed information on specific cookies and browser storage purposes, please refer to our Cookie Policy.

10. Changes to this Privacy Policy

We may update this privacy policy to reflect changes in our services, legal requirements, or technical developments. The date of the latest change will always be indicated below.

Last updated: March 3, 2026
