Legal
Privacy Policy
Last updated 1 May 2026 · Version 1.0
1. Who we are
Friendly Wedding is operated by Tanvrit Pvt. Ltd., 168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India. We are the data fiduciary for your wedding-planning data under India's Digital Personal Data Protection Act, 2023 (DPDPA).
2. Data Protection Officer
Vivek Singh, Founder, acting as Data Protection Officer until Tanvrit appoints a separate DPO. Reach the DPO at dpo@tanvrit.com. Response within 7 days; resolution within 30 days for any data principal request under DPDPA Section 11.
3. Personal data we collect
Account: name, email, phone (used for OTP authentication and account recovery).
Wedding profile: organiser name, co-organiser names, event names and dates, venue addresses (you enter these for your own planning).
Guest list (uploaded by you): guest names, contact email/phone, dietary preferences, RSVP responses, table assignments, photos uploaded after consent.
Auth: passwords, OTPs (transient), magic-link tokens, passkey credentials, refresh tokens.
Device & telemetry: device ID, OS version, IP address, crash logs, performance metrics.
Transactional: order IDs and invoices for paid features (we do not store card numbers — Stripe and Razorpay process those directly).
Communications: any message you send to support@tanvrit.com or dpo@tanvrit.com.
4. Lawful basis (DPDPA Section 4 + 7)
Account, auth, and transactional data — processed under your consent given at signup (Section 6).
Device telemetry and crash logs — processed under "certain legitimate uses" (Section 7) for security and product reliability.
Guest data you upload — processed under your consent on behalf of the guest as event organiser; you confirm at upload that you have the guests' consent to store their contact details for the purpose of the event.
5. Sharing and cross-border transfers
We use the following sub-processors. Each is named with the data shared and the purpose. We do not sell data and do not share your data for advertising.
Google Cloud Run (asia-south1, Mumbai) — application server hosting; India data residency.
MongoDB Atlas — system of record for accounts and wedding-event data.
Cloudflare — CDN and TLS termination for the public surface (friendly.wedding); global edge for static assets.
Stripe Inc. (US) — international card payments for paid tiers.
Razorpay (India) — UPI and domestic card payments.
Twilio (US, routed through Indian DLT carriers) — OTP SMS delivery.
Cross-border transfer disclosure under DPDPA Section 16: Stripe, Twilio, and Cloudflare process data in jurisdictions outside India for the specific purposes named above. We do not transfer your data to any country listed by the Central Government as restricted.
6. Data principal rights (DPDPA Section 11)
You have the right to:
Access — request a copy of all data we hold about you. Email dpo@tanvrit.com from your registered email.
Correction — request correction of inaccurate or outdated data. Most fields can be edited in-app; for the rest email the DPO.
Erasure — request deletion of your account and personal data. Use the public form at https://friendly.wedding/account/delete or email the DPO.
Grievance redressal — escalate to the Data Protection Board of India under DPDPA Section 28 if a request is not resolved within 30 days.
Nominate — appoint another person to exercise your rights in case of death or incapacity (Section 14). Email the DPO with the nominee's details.
7. Children's data
Friendly Wedding is a planning tool for adults organising weddings. We do not knowingly collect data from users under 18 as account holders. Guest lists may include minor relatives for which the organiser provides contact data; in that case the organiser confirms they have the parent or guardian's consent. If you believe a minor has signed up, email dpo@tanvrit.com and we will delete the account within 72 hours.
8. Security
JWT authentication with mutex-protected token refresh; AES-256-GCM field-level encryption on PII; TLS 1.3 in transit via Cloudflare; role-based access controls; OTP rate limiting on auth endpoints; audit trails on all data-mutating operations. Best-effort availability today on Google Cloud asia-south1; a public uptime SLA will ship after our launch monitoring stack is live. We do not currently claim ISO 27001 or SOC 2 certification.
9. Breach notification (72-hour clock)
In the event of a personal data breach, we will notify the Data Protection Board of India within 72 hours of detection per DPDPA Section 8(6), and notify each affected data principal of the nature of the breach, the categories of data involved, and the steps we have taken in response.
10. Retention
Account and guest data — retained while your account is active; purged within 90 days of an erasure request.
Auth logs — 365 days for fraud and abuse investigation.
Financial records — 7 years per Indian Income Tax Act § 44AA and GST Act § 35(1). These records survive an erasure request as a legal obligation.
Anonymised aggregate analytics — may be retained indefinitely; never includes any individual identifier.
11. Cookies and local storage
Essential: authentication tokens (refresh and access tokens stored in localStorage; we will migrate to httpOnly cookies in a forthcoming release for stronger XSS protection), session identifiers, anti-CSRF tokens (X-Requested-With header).
Optional: theme preferences, language preferences.
We do not use advertising or third-party tracking cookies. We do not run a Cookie Consent banner today; the only cookies we set are essential.
12. Updates to this policy
We will email registered users at least 30 days before any material change to this policy. Non-material clarifications may be applied with the Last Updated date below being the only signal.
13. Contact and grievance redressal
Data Protection Officer — dpo@tanvrit.com. Postal — Tanvrit Pvt. Ltd., 168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India. Escalation to the Data Protection Board of India per DPDPA Section 28 if a request is not resolved within 30 days.