Privacy Policy

1. Who we are

EverAfter is a wedding planning software service operated from Limassol, Cyprus. We are the data controller for the personal data you provide when creating an account or using the platform. If you have questions about how we handle your data, please contact us using the form at https://www.everafter.com.cy/#contact.

2. What data we collect

We collect the following categories of personal data:

• Account data: your name, email address, and password when you register.
• Wedding project data: the names, contact details, meal preferences, dietary requirements, and seating information of your guests that you enter into the platform.
• Communication data: SMS and email messages sent to your guests through the platform, and any replies received.
• Payment data: billing information processed through our payment provider. We do not store full card numbers on our servers.
• Usage data: anonymised log data, device type, browser type, and IP address collected for security and performance monitoring.
• Uploaded content: photos uploaded by you or your guests via the photo gallery feature.

3. How we use your data

We use your personal data to:

• Provide, operate, and maintain the EverAfter platform and all its features.
• Process payments and manage your subscription or one-time purchase.
• Send transactional communications (e.g., account verification, password resets, billing receipts).
• Deliver the SMS and email notifications you configure for your guests.
• Improve and develop new features based on aggregated, anonymised usage data.
• Comply with legal obligations, including GDPR and Cypriot data protection law.

We do not sell your personal data or your guests' personal data to any third party. We do not use your wedding project data for advertising purposes.

4. Legal basis for processing

Under GDPR, we process your personal data on the following legal bases:

• Contract performance: processing necessary to deliver the services you have purchased.
• Legitimate interests: security monitoring, fraud prevention, and platform improvement.
• Legal obligation: where we are required to retain data by Cypriot or EU law.
• Consent: for optional marketing communications, where you have explicitly opted in.

5. Data retention

We retain your account data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required by law to retain it for a longer period. Photo galleries can be configured to expire automatically after your wedding date. Guest data you have entered can be exported and deleted at any time from your dashboard.

6. Data sharing and third parties

We share data with trusted third-party service providers solely to operate the platform:

• Cloud hosting: our servers are hosted on infrastructure provided by Fly.io (US). Data is transferred under appropriate GDPR safeguards.
• Payment processing: card payments are processed by Stripe. Stripe's privacy policy is available at stripe.com/privacy.
• SMS delivery: SMS notifications are delivered via our SMS provider. Message content and recipient numbers are transmitted solely for delivery purposes.
• Email delivery: transactional emails are delivered via our email service provider.

All third-party providers are contractually required to process personal data only on our instructions and in compliance with GDPR.

7. Your rights under GDPR

As a data subject under GDPR, you have the right to:

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate or incomplete data.
• Erasure: request deletion of your personal data ("right to be forgotten").
• Restriction: request that we restrict processing of your data in certain circumstances.
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, please contact us via the contact form. We will respond within 30 days. You also have the right to lodge a complaint with the Cyprus Commissioner for Personal Data Protection at dataprotection.gov.cy.

8. Cookies and tracking

We use essential cookies required for the platform to function (e.g., authentication session cookies). We do not use advertising cookies or third-party tracking pixels. Our cookie consent manager (powered by Klaro) allows you to review and manage any optional cookies. You can withdraw consent at any time by clearing your browser cookies or adjusting your preferences in the cookie banner.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include HTTPS encryption for all data in transit, encrypted storage for sensitive fields, access controls, and regular security reviews. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

10. Children

EverAfter is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Continued use of the platform after any changes constitutes your acceptance of the revised policy.

12. Contact

For any privacy-related questions or to exercise your data rights, please use the contact form on our homepage. We aim to respond to all requests within 30 days.