Privacy Policy

WeddingRef is a private referral network for professional wedding photographers and filmmakers, operated by Braulio Lara, Czech Republic. For data protection purposes we are the data controller for member data, and members act as data controllers for the couple contact information they post.

Contact: hello@weddingref.com

Member data (you):

• Name, email address, password (hashed, never stored in plain text)
• Profile information: city, country, bio, Instagram handle, website URL
• Verification link or handle submitted at signup
• Profile photos and portfolio images you upload
• Token balance and transaction history
• Session tokens (stored in an httpOnly cookie, not accessible by browser scripts)

Couple data (posted in referrals):

• Name, email address, and phone number of the couple
• Event date, location, style preferences, and budget
• A short note written by the referring photographer

Usage data:

• Log data (timestamps of API requests, IP addresses) for security purposes
• Which referrals you have unlocked

• Service delivery: To provide the referral platform, manage your account, process token transactions, and display your public profile.
• Communications: To send account verification emails, welcome messages, referral unlock notifications, and important service updates. We do not send marketing emails without your explicit consent.
• Security: To detect and prevent fraud, abuse, and unauthorised access.
• Legal compliance: To comply with applicable law and respond to lawful requests.

Legal basis: contract performance (Art. 6(1)(b) GDPR) for service delivery; legitimate interests (Art. 6(1)(f) GDPR) for security; legal obligation (Art. 6(1)(c) GDPR) for compliance.

When you post a referral containing a couple's contact details, you are sharing personal data of third parties. You are responsible for ensuring you have obtained the couple's informed consent to share their data on a platform accessible to other photographers. By posting a referral you warrant that this consent exists.

Couple data is only accessible to verified logged-in members. Regular referral contact details additionally require a token unlock. Referral listings and all associated personal data are automatically deleted 30 days after the listed event date.

We do not sell your personal data. We share data only with:

• Supabase (database infrastructure, hosted in EU region) — processes member and referral data.
• Resend — transactional email delivery (verification emails, notifications).
• Stripe — payment processing for token purchases. Stripe is a data controller for your payment information; see Stripe's Privacy Policy.
• Google — optional Google Calendar integration for availability checks. Only used if you connect your calendar.

All processors are bound by data processing agreements and handle data in accordance with GDPR.

We use a single essential cookie: rw_session — an httpOnly, Secure cookie containing your authentication token. It expires after 30 days. This cookie is strictly necessary for the service to function and does not require your consent under GDPR.

We do not use analytics, tracking, or advertising cookies.

• Account data is retained for as long as your account is active plus 12 months after deletion (for legal and dispute-resolution purposes).
• Couple data in referrals is deleted automatically 30 days after the event date.
• Payment records are retained for 7 years as required by Czech accounting law.

As a resident of the EU/EEA you have the right to:

• Access: request a copy of the personal data we hold about you.
• Rectification: correct inaccurate data (most profile data can be updated directly in your dashboard).
• Erasure: request deletion of your account and personal data.
• Restriction: request that we limit processing of your data in certain circumstances.
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email us at hello@weddingref.com. We will respond within 30 days. You also have the right to lodge a complaint with the Czech data protection authority (ÚOOÚ): www.uoou.cz.

We implement appropriate technical measures including password hashing (bcrypt), httpOnly session cookies, HTTPS-only connections, and access controls. No system is completely secure; if you believe your account has been compromised please contact us immediately.

We may update this Privacy Policy. We will notify you by email of material changes. The date at the top of this page reflects the most recent update.

For any privacy-related questions or to exercise your rights: hello@weddingref.com

For the full terms governing your use of the Platform, see our Terms of Service.