
Privacy Policy

Last updated: 27 April 2026

1. Data Controller

The data controller for personal data collected through porokca.si is:

[COMPANY NAME]
[COMPANY ADDRESS]
Tax number: [TAX NUMBER]
Registration number: [REGISTRATION NUMBER]
Email: [EMAIL]

This Privacy Policy describes how we collect, process, store, and protect your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national implementing legislation.

2. Data We Collect

Account Data

  • Email address — for registration, login, and communication.
  • Password stored as a bcrypt hash — we never store plain-text passwords.
  • Registration date and last login timestamp.
  • Subscription plan and payment status (we do not store card details — this is handled by Stripe).

Wedding Page Data

  • Partners' names or display names.
  • Wedding date and venue.
  • Cover photo (stored at Cloudinary).
  • Custom content (text sections, schedule, menus).

Guest Data

  • Guest name submitted with RSVP.
  • Dietary requirements and special notes.
  • Attendance status (attending / not attending).
  • Photos uploaded by guests (stored on Cloudflare R2).

Technical and Analytics Data

  • IP address and browser type (for security and diagnostics).
  • Usage data: pages visited, session duration (Vercel Analytics).
  • Session cookies for maintaining login state (NextAuth.js).

3. Purpose and Legal Basis

  • Providing the service (Art. 6(1)(b) GDPR): Creating and managing wedding pages, the RSVP system, and the photo gallery — performance of contract.
  • Legitimate interests (Art. 6(1)(f) GDPR): Platform security, abuse prevention, and analytics to improve the service.
  • Legal obligation (Art. 6(1)(c) GDPR): Compliance with tax, accounting, and regulatory obligations.
  • Consent (Art. 6(1)(a) GDPR): Marketing communications — only with your explicit opt-in consent, which you may withdraw at any time.

4. Data Processors

We share your data with the following carefully selected processors, each contractually bound to data protection obligations:

  • Cloudflare R2 (photos.porokca.si): Guest photo storage. Processed under Cloudflare's DPA and SCCs.
  • Vercel Inc.: Application hosting and analytics. Data processed in the EU or with appropriate safeguards.
  • MongoDB Atlas: Database (account data, wedding pages, RSVPs). EU region.
  • Stripe Inc.: Payment processing. Stripe is an independent data controller for card data; porokca.si does not store payment card details.
  • [Email provider]: Sending system emails (notifications, confirmations). Details: [PLACEHOLDER].
  • Cloudinary: Storage for wedding page cover photos.

5. International Data Transfers

Some of our processors (e.g. Cloudflare, Vercel, Stripe, MongoDB) are headquartered in the United States. Transfers of data outside the EEA take place on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU) or equivalent safeguards.

You may request a copy of the safeguards for individual transfers by emailing [EMAIL].

6. Retention Periods

  • Account data: Retained until account closure or deletion request. Deleted within 30 days of account closure.
  • Guest photos: Retained for 12 months after the wedding date set in the settings, or until manually deleted, whichever comes first.
  • RSVP data: Retained until deleted by the Couple or until account closure.
  • Payment metadata: Retained for 7 years to comply with tax and accounting law.
  • Analytics data: Anonymised within 14 months.
  • Security logs: Retained for 90 days.

7. Your Rights (GDPR)

Submit rights requests to [EMAIL]. We respond within 30 days free of charge. For complex requests we may extend by a further 60 days, informing you accordingly.

Under GDPR, you have the following rights:

Right of access (Art. 15)

Right to obtain confirmation of processing and a copy of all personal data we hold about you.

Right to rectification (Art. 16)

Right to request correction of inaccurate or incomplete data.

Right to erasure (Art. 17)

Right to request deletion of your data ("right to be forgotten") where there is no longer a lawful basis for processing.

Right to restriction (Art. 18)

Right to request restriction of processing in certain circumstances.

Right to portability (Art. 20)

Right to receive your data in a structured, machine-readable format and transfer it to another provider.

Right to object (Art. 21)

Right to object to processing based on legitimate interests, including direct marketing.

8. Cookies

Porokca.si uses only functional cookies strictly necessary for the Service to operate:

  • NextAuth.js session cookies — to maintain your login state.
  • Language preference cookies — to remember your chosen language.

We do not use tracking or advertising cookies. We do not use Google Analytics or Meta Pixel. Vercel Analytics collects anonymous aggregate visit data without cookies. For full details, see our Cookie Policy.

9. Data Security

  • All data is transmitted over encrypted connections (TLS 1.2/1.3).
  • Passwords are stored using bcrypt hashing.
  • Database access is restricted by security policies and VPN controls.
  • Guest photos are accessible via public preview URLs and time-limited signed URLs for originals.
  • We perform regular security reviews and apply updates promptly.

No internet transmission method is 100% secure. In the event of a data breach affecting your personal data, we will notify you within 72 hours of discovery in accordance with Art. 33–34 GDPR.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance by email. The date of the last update is shown at the top of this document.

11. Supervisory Authority

As porokca.si is operated by a Slovenian company, the lead supervisory authority is:

Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec)
Dunajska cesta 22, 1000 Ljubljana, Slovenia
Email: gp.ip@ip-rs.si | Web: www.ip-rs.si

If you are habitually resident in another EU Member State, you also have the right to lodge a complaint with the supervisory authority of that Member State.

12. Contact

For any questions about this Privacy Policy or to exercise your rights, please contact us:

Email: [EMAIL]
Post: [COMPANY NAME], [COMPANY ADDRESS]

© 2025 Porokca