Data controller
Vowlora's role depends on the processing activity.
The data controller is Enzo Guilmer, undefined, SIREN 943886077, located at 1E Rue de l'abbé reulet, 33510 Andernos. For any privacy question, the contact point is vowlora@gmail.com.
Vowlora acts as data controller for account management, billing, security, analytics, support and service operation data.
For guest data entered by organizers to plan a wedding, you determine the purposes for organizing the event. Vowlora mainly processes this data as a processor on your behalf to provide the requested features. Vowlora remains responsible for the technical processing required for security, hosting and service operation.
Data collected
We collect data needed for the account, the wedding and enabled modules.
Depending on your use, Vowlora may process:
- account data: email, Supabase user identifier, login metadata and preferences;
- wedding data: title, couple names, date, venue where applicable, tables, groups, room layout and seating configuration;
- guest data: first name, last name, group, RSVP status, plus-ones, children, table, seating category, placement links, allergies or dietary requirements;
- RSVP data: page code, configuration, attendance, chosen moments, menus, accommodation, transport, music requests and messages;
- budget data: line items, amounts, vendors, payment dates, payment methods and notes;
- menu, music and deadline data: caterer, dishes, playlists, tracks, DJ requests, tasks, dates, reminders, venues and notes;
- payment data: Stripe customer, session, subscription, status, amount and invoice identifiers, without storing card numbers;
- technical data: IP address, browser, device, application logs, security events and performance metrics.
Diets and allergies
Dietary and allergy details may constitute health data.
When the RSVP module or guest list collects dietary preferences, allergies or similar details, this information may constitute sensitive data under GDPR when it reveals a health condition.
This data should only be entered when necessary for organizing the meal or for guest safety. When a guest enters it in the RSVP form, processing is based on their explicit consent. The organizer may disable this field when not needed for the event.
Why we use data
Each processing purpose serves the product, security or our obligations.
Data is used to:
- create and secure your account;
- save and synchronize your weddings and planning modules;
- display RSVP pages and record guest responses;
- apply plan limits and manage payments via Stripe;
- generate exports or documents requested by you;
- prevent abuse, verify public forms with Cloudflare Turnstile and resolve incidents;
- measure product usage and diagnose errors with PostHog, where required consent has been given.
Legal bases
Each purpose rests on a legal basis provided by GDPR.
| Processing | Legal basis |
|---|---|
| Account creation, login and management | Contract performance |
| Provision of wedding modules, event storage, exports and RSVP | Contract performance |
| Processing of guest data entered by the organizer | Contract performance with the organizer, Vowlora acting mainly as processor |
| Dietary preferences, allergies and similar details entered by a guest | Explicit consent of the guest |
| Payments, subscriptions, invoices and plan management | Contract performance and legal accounting or tax obligations |
| Security, abuse prevention, RSVP page protection and Turnstile verification | Legitimate interest in protecting the service and its users |
| User support and request handling | Contract performance or legitimate interest depending on the request |
| Product usage measurement and diagnostics with PostHog | Consent where required |
Storage and providers
Application data is stored in Supabase; specialized services may intervene.
Main application data is stored in Supabase: accounts, weddings, guest lists, plans, RSVP, budget, menus, music, deadlines and billing entitlements.
- Supabase: authentication, PostgreSQL database, functions and access controls;
- Stripe: payment, customer, subscription, billing and management portal;
- PostHog: product usage measurement, product identification and error tracking;
- Cloudflare Turnstile: anti-spam verification on public RSVP forms;
- Vercel or equivalent infrastructure: application hosting and server route execution.
We do not sell your personal data or that of your guests.
Cookies and local storage
Some cookies are necessary; analytics cookies are subject to consent where required.
Vowlora uses cookies and local storage to maintain the session, retain some preferences and, with your consent where required, measure product usage.
| Name or family | Purpose | Type | Indicative duration |
|---|---|---|---|
| sb-* | Supabase session and authentication | Essential | Session-based |
| vowlora_remembered_email | Remember email on the login page if requested | Preference | Up to 1 year |
| wedding-sidebar-open | Retain the open or closed state of the sidebar | Preference | Up to 1 year |
| wedding-last-selected-event | Retrieve the last opened wedding | Preference | Up to 1 year |
| ph_* / posthog | Product usage measurement and diagnostics via PostHog | Analytics subject to consent | Variable depending on configuration |
| cf-turnstile | Anti-spam verification for public RSVP forms | Security | According to Cloudflare |
| wedding-editor:* | Local interface preferences, such as layout suggestions | Local storage | Until browser deletion |
Guest data
Guests do not necessarily create an account, but their responses may be stored.
When you add guests or publish an RSVP page, their information is processed to organize the event: invitation search, attendance, plus-ones, menus, diets, transport, accommodation, music and messages.
You commit to informing your guests about the use of their data in Vowlora and not to entering excessive or irrelevant information about the event.
Data sharing
Data is only shared to provide the service or when you decide so.
Your data may be transmitted to the technical providers listed above, strictly to provide the service. It may also be visible to people with whom you share an RSVP link, an export or a document.
We may share certain data with authorities if required by law or to protect the service against misuse.
International transfers
Some providers may process data outside the European Economic Area.
The providers used by Vowlora may host or process certain data within or outside the European Economic Area, including for hosting, authentication, payment, security, anti-spam, usage measurement or technical support.
When personal data is transferred outside the European Economic Area, Vowlora relies on the safeguards provided by GDPR, such as an adequacy decision, standard contractual clauses or appropriate supplementary measures depending on the provider concerned.
Retention periods
We retain data as long as necessary for your account, your wedding and our obligations.
| Category | Retention period |
|---|---|
| User account | Until account deletion |
| Wedding data, guests, RSVP, budget, menus, music and deadlines | Until deletion of the relevant event or account |
| Technical backups | Up to 30 days after deletion |
| Technical and security logs | Up to 6 months |
| Usage metrics and PostHog events | Up to 13 months maximum |
| Billing data, payments and accounting | Up to 10 years where required by accounting or tax obligations |
| GDPR rights requests and support exchanges | Up to 3 years after closure of the request |
You can request deletion of your account or certain data at vowlora@gmail.com. Some data may be retained longer only where required by law or where necessary for the establishment, exercise or defense of rights.
Account deletion
Account deletion removes associated events, with some mandatory retention.
When your account is deleted, associated wedding events and the application data attached to them are deleted from Vowlora. Active Stripe subscriptions linked to the account are cancelled.
Some data may be retained for the periods indicated above where necessary for accounting or tax obligations, security, technical backups, proof of a request or defense of rights. Technical backups are purged within a maximum of 30 days.
Security
Restricted access, Supabase RLS, RSVP codes and anti-spam protect the data.
The service uses Supabase authentication, per-user access policies, codes for RSVP pages, server-side controls and Turnstile anti-spam verification to limit unauthorized access.
No system is perfectly secure. In the event of an incident likely to pose a risk to your rights, we will take appropriate measures and inform you where required by law.
Your rights
Access, rectification, deletion, objection: you remain in control.
Under GDPR and applicable privacy law, you may request access, rectification, erasure, restriction, objection or portability of your personal data.
To exercise your rights, write to vowlora@gmail.com. You may also lodge a complaint with your local supervisory authority if you believe your rights are not being respected.
Vowlora responds to rights requests within one month of receipt. This deadline may be extended by two months for complex or multiple requests. Proof of identity may be requested where necessary to protect your data.
Minors
Vowlora is intended for adult organizers; children may appear as guests.
The service is not intended to be used by minors as account holders. Children may appear in a guest list or an RSVP response when necessary to organize the wedding.
Policy updates
The policy is updated when the service or providers change.
This policy may be updated to reflect changes to Vowlora, the services used or legal obligations. The update date is shown at the top of the page.
Contact
Questions about your data? Write to us directly.
For any question about this policy or your data, contact Vowlora at vowlora@gmail.com.