1. Identity of the Data Controller
The data controller for the personal data processed in connection with the WPM platform, within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR") and within the meaning of Article 1 of the Moroccan Loi n° 09-08 du 18 février 2009 relative à la protection des personnes physiques à l'égard du traitement des données à caractère personnel ("Loi 09-08"), is the legal entity that operates the website weddingplannermarrakech.com, the WPM software platform, and any associated email and notification systems. The full corporate identity, registered address, and contact details of that legal entity are set out on the corporate identity page of this site. Wherever this Policy uses the words "WPM", "we", "our", or "us", the reference is to that legal entity in its capacity as data controller.
2. Representative in the European Union
Where required by Article 27 of the GDPR, WPM has designated a representative in the European Union to act on its behalf in respect of its obligations under the GDPR with regard to data subjects located in the Union. The contact details of the EU representative are published on the corporate identity page of this site and are reachable by data subjects, by supervisory authorities, and by any other interested party for all questions related to the processing of personal data by WPM. Designation of an EU representative does not in any way limit the legal responsibility of WPM as data controller, nor does it affect any actions which could be initiated against WPM itself.
3. Data Protection Officer (DPO)
WPM has designated an internal point of contact responsible for data protection matters. While the appointment of a Data Protection Officer is not mandatory in respect of the activities of WPM under Article 37 of the GDPR, WPM voluntarily provides a single point of contact for all questions related to the processing of personal data, the exercise of data-subject rights, and any reasoned complaint. That contact is reachable at privacy@weddingplannermarrakech.com. Communications received at that address are processed in accordance with the procedures set out in Sections 12 and 17 of this Policy.
4. Defined Terms
The terms used in this Policy that are defined in Article 4 of the GDPR (such as "personal data", "processing", "controller", "processor", "recipient", "third party", "consent", "personal-data breach", and "profiling") have the meanings set out in that Article. The following additional terms are used in this Policy.
- Sub-processor
  A processor engaged by WPM that processes personal data on behalf of WPM, within the meaning of Article 28 of the GDPR. The current list of sub-processors is set out in Section 8 of this Policy.
- User
  Any natural person who interacts with the WPM platform, whether registered or unregistered, including Couples, Vendors, employees of Vendors, employees of WPM-partnered businesses, journalists, regulators, and casual visitors to the public website.
- Couple-User
  A natural person who registers an account on WPM with the role "Couple".
- Vendor-User
  A natural person who registers an account on WPM with the role "Vendor", "Vendor-Admin", or any other Vendor-side role, whether on their own behalf or on behalf of the Vendor business of which they are an employee, agent, officer, or representative.
- Special Category Data
  Personal data of the categories listed in Article 9(1) of the GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; genetic data; biometric data for unique identification; data concerning health; data concerning sex life or sexual orientation). WPM does not deliberately collect Special Category Data; where such data is incidentally collected (for example, religious practice information voluntarily disclosed by a Couple-User in the context of wedding planning), it is processed only on the legal basis of explicit consent under Article 9(2)(a) and only for the strict purpose for which it was provided.
5. Lawful Bases per Processing Activity
Each processing activity carried out by WPM is supported by one or more of the lawful bases set out in Article 6(1) of the GDPR (and, where Special Category Data is involved, in Article 9(2)). The following table sets out, for each principal activity, the categories of data processed, the purpose, the lawful basis, and the retention period.
- 5.1 Account creation and authentication
  Categories of data: identifiers (email, hashed password, OAuth subject identifier where applicable), profile data (name, role, language preference). Purpose: to create and maintain the account, to authenticate the User on each session, to enable account recovery. Lawful basis: performance of a contract under Article 6(1)(b) (the contract being the Terms of Service to which the User has agreed). Retention: for the duration of the account plus thirty (30) days after deletion request, then permanent deletion (subject to Section 10).
- 5.2 Wedding-planning workspace (Couple-Users)
  Categories of data: planning inputs voluntarily provided by the Couple-User (wedding date, guest count, budget bands, venue preferences, vendor shortlists, checklist items, notes, uploaded documents, uploaded photographs). Purpose: to provide the planning workspace and the cross-tool features purchased by the Couple-User. Lawful basis: performance of a contract under Article 6(1)(b). Retention: for the duration of the account; planning data is purged within sixty (60) days of account deletion.
- 5.3 Vendor profile and brief routing
  Categories of data: business identifiers (legal name, registered address, tax ID where provided), capability data (services offered, capacity, languages), pricing schedules (where voluntarily disclosed). Purpose: to operate the Vendor Portal, to route anonymised couple briefs to relevant Vendors, to support quote workflows. Lawful basis: performance of a contract under Article 6(1)(b) and the legitimate interest of WPM under Article 6(1)(f) in operating an editorial vendor catalogue.
- 5.4 Editorial research and publication
  Categories of data: business and individual identifiers of Planners and Vendors who are the subject of editorial review, on-record statements made by Couple-Clients during structured interviews, on-record observations made during Site Visits. Purpose: to research, draft, fact-check, and publish Editorial Outputs. Lawful basis: the legitimate interest of WPM under Article 6(1)(f) in publishing accurate consumer-protection journalism, balanced against the rights and freedoms of the Subjects, and where applicable the freedom of expression and information under Article 11 of the Charter of Fundamental Rights of the European Union and under the journalism exemption codified in Article 85 of the GDPR.
- 5.5 Billing and payment processing
  Categories of data: name, billing address, country, transaction amount, currency, Subscription identifier. Categories not collected by WPM directly: card number, card expiry, card security code, bank account details (these are collected and processed by Paddle as our Merchant of Record). Purpose: to process the Subscription purchase, to issue invoices, to detect and prevent fraud. Lawful basis: performance of a contract under Article 6(1)(b) and compliance with a legal obligation (tax and accounting law) under Article 6(1)(c).
- 5.6 Transactional and security email
  Categories of data: email address, name, account events (sign-in, password reset, billing event, security event). Purpose: to send transactional and security communications that are essential to the operation of the account. Lawful basis: performance of a contract under Article 6(1)(b).
- 5.7 Marketing communications (opt-in)
  Categories of data: email address, language preference, campaign-engagement metrics. Purpose: to send marketing or product-update communications to Users who have opted in. Lawful basis: consent under Article 6(1)(a). Withdrawal of consent: each marketing email contains a one-click unsubscribe link; consent may also be withdrawn at any time by writing to privacy@weddingplannermarrakech.com or by toggling the marketing-consent switch in the User's account settings.
- 5.8 Product analytics and service improvement
  Categories of data: pseudonymous device and session identifiers, page-view events, feature-usage events, performance metrics. Purpose: to measure usage, to detect technical defects, to inform product-development priorities. Lawful basis: the legitimate interest of WPM under Article 6(1)(f) in operating and improving the platform, balanced against the privacy interests of Users and implemented with privacy-preserving defaults (no cross-site tracking, no third-party advertising identifiers, IP-address truncation enabled where supported by the analytics provider).
6. Categories of Personal Data
WPM processes the following categories of personal data, depending on the nature of the User's interaction with the platform: (i) account identifiers (email address, hashed password, OAuth subject identifier where the User signs in with Google); (ii) profile data (display name, role, language preference, profile photograph if voluntarily uploaded); (iii) wedding-planning data voluntarily entered by Couple-Users (wedding date, guest count, budget bands, venue preferences, shortlists, checklist items, notes, uploaded files, photographs); (iv) communications content (in-platform messages, email replies, support requests); (v) Vendor business data (legal name, registered address, tax ID where provided, capability data, pricing schedules, portfolio assets); (vi) editorial-research data (on-record interview transcripts and audio recordings of Couple-Clients, observations recorded during Site Visits, document evidence collected for Audits); (vii) billing data (name, billing address, country, transaction amount, Subscription identifier); (viii) device, session, and event data (pseudonymous device identifier, session identifier, page-view events, feature-usage events, performance metrics, IP address truncated where supported, user-agent string).
7. Sources of Personal Data
WPM obtains personal data from the following sources: (i) directly from the data subject, when the data subject creates an account, completes a profile, populates planning workspaces, sends a message, or otherwise interacts with the platform; (ii) from public registries (the Registre du Commerce et des Sociétés du Royaume du Maroc and equivalent foreign registries) for business identifiers of Vendors; (iii) from on-record interviews voluntarily granted by third parties (Couple-Clients, former employees, suppliers) in the context of editorial research; (iv) from Site Visits conducted in accordance with our Editorial Policy; (v) from authentication providers (Google, where the User signs in with Google), limited to the OAuth claims expressly authorised by the User during the sign-in flow; (vi) from Paddle, in respect of the billing-event payload returned to WPM after a Subscription transaction.
8. Recipients and Sub-processors
WPM engages the following sub-processors, each of which is bound by a written data-processing agreement compliant with Article 28 of the GDPR. The location of processing, the role, the data categories processed, and the transfer mechanism (where applicable) are set out below. WPM updates this list whenever a sub-processor is added, removed, or replaced; data subjects who have consented to receive transactional communications may opt in to receive notification of sub-processor changes by email.
- Vercel Inc.
  Role: hosting and global edge delivery of the WPM website and API. Location of primary processing: United States, with edge processing in multiple jurisdictions including the European Union. Data categories: all categories transiting through the website and API. Transfer mechanism: Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), supplemented by additional technical and organisational measures as recommended by the European Data Protection Board.
- Neon (Postgres database)
  Role: managed Postgres database hosting for application data. Location of primary processing: European Union (Frankfurt region). Data categories: account identifiers, profile data, wedding-planning data, Vendor business data, communications content, billing references. Transfer mechanism: data resides within the European Economic Area; no third-country transfer in the ordinary course.
- Sanity.io
  Role: headless content management system for editorial content. Location of primary processing: European Union and United States. Data categories: editorial content (Editorial Outputs and supporting media), limited Vendor business data mirrored from the operational database. Transfer mechanism: Standard Contractual Clauses (Decision 2021/914), as supplemented.
- Paddle.com Market Limited
  Role: Merchant of Record for all paid Subscriptions; processor of card and bank data; issuer of invoices. Location of primary processing: United Kingdom and European Union. Data categories: name, billing address, country, payment-method data (card number, card expiry, card security code, bank account details), transaction amount, currency. Paddle acts as data controller in respect of the payment-method data and as data processor in respect of the billing payload returned to WPM. Transfer mechanism: UK adequacy decision (Implementing Decision (EU) 2021/1772) for UK transfers; Standard Contractual Clauses where any onward transfer outside the EEA or the UK occurs.
- PostHog Inc.
  Role: product analytics. Location of primary processing: European Union (EU instance, Frankfurt region). Data categories: pseudonymous device and session identifiers, page-view events, feature-usage events, performance metrics, truncated IP address. Transfer mechanism: data resides within the European Economic Area; no third-country transfer in the ordinary course.
- Resend, Inc.
  Role: transactional and marketing email delivery. Location of primary processing: European Union and United States. Data categories: email address, name, email body, delivery and open events. Transfer mechanism: Standard Contractual Clauses (Decision 2021/914), as supplemented.
- Cloudflare, Inc.
  Role: DNS, content delivery network, distributed denial-of-service protection. Location of primary processing: globally distributed edge infrastructure. Data categories: connection metadata (IP address, request URL, response status, user-agent string). Transfer mechanism: Standard Contractual Clauses where applicable; Cloudflare's published list of certified data-processing locations applies.
- Google LLC (sign-in only)
  Role: OAuth 2.0 authentication for Users who sign in with Google. Location of primary processing: globally distributed Google infrastructure. Data categories: OAuth subject identifier, name, email address, profile photograph (only the claims expressly authorised by the User during sign-in). Transfer mechanism: Standard Contractual Clauses (Decision 2021/914), as supplemented by Google's published terms.
9. International Data Transfers
Where personal data is transferred outside the European Economic Area, WPM relies on one or more of the transfer mechanisms set out in Chapter V of the GDPR (Articles 44 to 49). In particular, WPM relies on (i) the adequacy decisions adopted by the European Commission under Article 45 of the GDPR (including Implementing Decision (EU) 2021/1772 in respect of the United Kingdom and Implementing Decision (EU) 2023/1795 in respect of the United States in the context of the EU-US Data Privacy Framework, where the recipient is certified under that Framework); (ii) the Standard Contractual Clauses adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021, where adequacy is not available; (iii) the supplementary measures recommended by the European Data Protection Board in its Recommendations 01/2020 on measures that supplement transfer tools, where the assessment indicates that supplementary measures are necessary. A data subject may obtain a copy of the relevant transfer-mechanism documentation by writing to privacy@weddingplannermarrakech.com.
10. Retention Schedule
WPM retains personal data for no longer than is necessary for the purposes for which it is processed, in accordance with Article 5(1)(e) of the GDPR. The following retention periods apply.
- 10.1 Account data: for the duration of the account; deletion within thirty (30) days of a verified deletion request, subject to legal-retention overrides set out below.
- 10.2 Wedding-planning data: for the duration of the account plus sixty (60) days following deletion, after which all planning data is purged.
- 10.3 In-platform messages: for the duration of the account plus ninety (90) days following deletion, to enable any open dispute or complaint to be substantiated.
- 10.4 Billing data: for ten (10) years from the date of the relevant transaction, in compliance with the accounting and tax retention obligations applicable in Morocco and in the relevant European jurisdictions of supply.
- 10.5 Editorial-research data (interview transcripts, Site-Visit notes, document evidence collected for Audits): for the periods set out in Section 4 of our Editorial Policy (minimum five years for Tier 2 evidence, minimum seven years for Tier 1 evidence).
- 10.6 Server access logs and security logs: for ninety (90) days from creation, except for logs relevant to a security incident or to a legal investigation, which are preserved for the duration of the incident plus two (2) years.
- 10.7 Cookie and tracker preference records: for thirteen (13) months from the date the preference was recorded, in line with the guidance of the French CNIL (Délibération n° 2020-091).
- 10.8 Marketing-consent records: for as long as the consent is in force plus thirty-six (36) months following withdrawal, to enable evidence of the consent and its withdrawal to be preserved in accordance with Article 7(1) of the GDPR.
11. Security Measures
In accordance with Article 32 of the GDPR, WPM implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures include (without limitation): encryption of personal data in transit using Transport Layer Security 1.2 or above; encryption of personal data at rest in our managed Postgres database and in our object storage; use of bcrypt or equivalent for password hashing; principle of least privilege for production-system access; multi-factor authentication for all administrative access; quarterly review of access privileges; logging of administrative actions; periodic restoration tests of database back-ups; documented incident-response procedure; periodic review of sub-processor security postures; segregation of production and non-production data; pseudonymisation and minimisation of personal data in non-production environments; the use of well-maintained, security-supported open-source and proprietary components; the publication of a security.txt file at /.well-known/security.txt to facilitate the responsible disclosure of vulnerabilities. WPM reviews these measures at least annually and updates them in response to changes in the state of the art and in the risk landscape.
12. Data Subject Rights
Under Articles 15 to 22 of the GDPR (and analogous provisions of the Loi 09-08), data subjects have the following rights, which may be exercised free of charge by writing to privacy@weddingplannermarrakech.com. WPM responds to verified requests within one (1) month of receipt, with the possibility of extending the period by two (2) further months where necessary, taking into account the complexity and number of the requests, in accordance with Article 12(3) of the GDPR.
- 12.1 Right of access (Article 15). The right to obtain confirmation of whether personal data concerning the data subject is being processed, and where that is the case, access to the personal data and to the information listed in Article 15(1) of the GDPR.
- 12.2 Right to rectification (Article 16). The right to obtain the rectification of inaccurate personal data and the completion of incomplete personal data.
- 12.3 Right to erasure (Article 17). The right to obtain the erasure of personal data without undue delay where one of the grounds in Article 17(1) applies. The right to erasure is subject to the exceptions in Article 17(3), in particular where processing is necessary for exercising the right of freedom of expression and information (Article 17(3)(a)) and for the establishment, exercise, or defence of legal claims (Article 17(3)(e)).
- 12.4 Right to restriction of processing (Article 18). The right to obtain the restriction of processing where one of the grounds in Article 18(1) applies.
- 12.5 Right to data portability (Article 20). The right to receive personal data concerning the data subject, which the data subject has provided to WPM, in a structured, commonly used, and machine-readable format, and the right to transmit that data to another controller without hindrance from WPM, where the processing is based on consent or on a contract and is carried out by automated means.
- 12.6 Right to object (Article 21). The right to object, on grounds relating to the data subject's particular situation, at any time to processing of personal data concerning the data subject which is based on Article 6(1)(e) or (f), including profiling based on those provisions. The right to object to processing for direct-marketing purposes is absolute and may be exercised at any time.
- 12.7 Right not to be subject to automated decision-making (Article 22). The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects them, subject to the exceptions in Article 22(2).
- 12.8 Right to withdraw consent (Article 7(3)). Where processing is based on consent, the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before the withdrawal.
13. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, in accordance with Article 77 of the GDPR. Data subjects in Morocco may lodge a complaint with the Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP), in accordance with Article 18 of the Loi 09-08. Data subjects in France may lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL); in Spain with the Agencia Española de Protección de Datos (AEPD); in Italy with the Garante per la protezione dei dati personali; in Belgium with the Autorité de protection des données / Gegevensbeschermingsautoriteit; in Ireland with the Data Protection Commission; and so on for each Member State. WPM takes the lodging of any complaint seriously, co-operates fully with supervisory authorities, and uses any feedback received to improve its processing operations.
14. Automated Decision-Making and Profiling
WPM does not take any decision based solely on automated processing, within the meaning of Article 22(1) of the GDPR, that produces legal effects concerning the data subject or similarly significantly affects them. Editorial scores published in respect of Planners and Vendors are produced under the methodology set out in Sections 7 and 8 of our Editorial Policy and are reviewed and approved by the WPM Editorial Team prior to publication; they are not the output of an automated decision within the meaning of Article 22. Vendor matching for couple briefs is assisted by software that filters and ranks candidates against the brief criteria, but the final inclusion of any Vendor in the routed shortlist is subject to editorial oversight where the matching algorithm is materially uncertain.
15. Children's Data
The WPM platform is intended for use by adults aged eighteen (18) or over. WPM does not knowingly collect personal data from children. Where the laws of the data subject's habitual residence set a different age threshold for parental consent in relation to information-society services offered to a child (sixteen (16) years under Article 8 of the GDPR, with the possibility for Member States to lower the threshold to thirteen (13) years), WPM will refuse the registration of any User who indicates an age below the applicable threshold. Where WPM becomes aware that personal data of a child has been processed in breach of this Section 15, the data is deleted without undue delay.
17. Personal-Data Breach Notification
WPM has implemented procedures to detect, document, and respond to personal-data breaches within the meaning of Article 4(12) of the GDPR. Where a breach is likely to result in a risk to the rights and freedoms of natural persons, WPM notifies the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33(1) of the GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, WPM communicates the breach to the affected data subjects without undue delay, in accordance with Article 34 of the GDPR, in clear and plain language and using the contact channels of record. WPM documents every personal-data breach, including its facts, effects, and remedial action, in accordance with Article 33(5).
18. Updates to This Policy
WPM may update this Privacy Policy from time to time to reflect changes in its processing operations, in the legal landscape, or in the technical infrastructure. Material changes (changes that, in WPM's reasonable assessment, affect the rights of data subjects or the categories of data processed) are communicated to registered Users by email at least thirty (30) days in advance of taking effect. Non-material changes (typographical corrections, clarifications, references) are made on a continuous basis and reflected in the version number and the last-updated date at the head of this Policy. The full version history is preserved and may be inspected on written request to privacy@weddingplannermarrakech.com.
19. Contact
All questions about this Privacy Policy, all requests to exercise data-subject rights, all complaints, and all enquiries from supervisory authorities should be sent to privacy@weddingplannermarrakech.com. WPM acknowledges receipt of every enquiry within five (5) working days and responds substantively within the timelines set out in this Policy.
