Last updated: May 2026
This Privacy Policy provides information pursuant to Articles 12, 13 and 14 of the General Data Protection Regulation (GDPR) about the processing of personal data when using the Wedwi website, platform and services.
1. Controller
The controller within the meaning of the GDPR is:
Efficient Operations GmbH
Schuerenbruch 13
32479 Hille
Germany
Email: daniel@wedwi.com
No data protection officer has currently been appointed.
2. Scope
This Privacy Policy applies to:
visits to the website www.wedwi.com
registration and use of a Wedwi account
creation and management of event pages and digital wedding guestbooks
upload of audio and video messages by guests
use of login, payment, support, analytics and marketing functions
Wedwi is intended for wedding couples or persons who create a digital wedding guestbook. Guests can upload audio or video messages for a specific event via a QR code or link without creating their own account.
3. Definitions
Personal data means any information relating to an identified or identifiable natural person. Processing means any operation relating to personal data, including collection, storage, use, disclosure, deletion or restriction.
Audio and video contributions may contain personal data, in particular names, voices, faces, personal messages and technical metadata. Wedwi does not use audio or video contributions for biometric identification and does not create biometric profiles.
4. Provision of the website and technical log data
Whenever our website or platform is accessed, technically necessary data is processed. This includes in particular IP address, date and time of access, requested URL, referrer URL, browser type, operating system, device information, HTTP status codes, amount of data transferred, and security and error logs.
The processing is carried out to provide the website, ensure technical functionality, maintain IT security, analyze errors, prevent abuse and fraud, and defend against attacks. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is the secure and stable operation of the website and platform.
The recipient of this data is in particular Cloudflare as provider of hosting, security, performance, storage and technical infrastructure. Log data is retained only for as long as necessary for these purposes or as required by legal obligations.
5. Registration, account and login
Customers can create a Wedwi account and sign in by email, Google Login or Facebook Login. In this context we process in particular name, email address, account ID, login method, authentication status, registration and login times, technical login data, and account and security settings.
The processing is carried out to create, manage and secure the account, authenticate users, provide the dashboard and prevent unauthorized use. The legal bases are Art. 6(1)(b) GDPR for contractual account functions and Art. 6(1)(f) GDPR for security and abuse prevention.
We use Clerk for authentication and account management. If Google Login or Facebook Login is used, data may also be transferred to Google or Meta. These providers may carry out their own processing, in particular if you are logged in to their services.
Account data is generally stored for the duration of the customer relationship and then deleted or restricted, unless statutory retention obligations or legitimate reasons require further retention.
6. Event page, digital wedding guestbook and dashboard
When customers create an event, we process in particular event name, description, banner image, event date or event start, event page settings, QR code, upload link, dashboard data, purchased package and management actions taken by the customer.
The processing is carried out to create and provide the event page, QR code, upload page, digital wedding guestbook, dashboard features, download features and automatic montage. The legal basis is Art. 6(1)(b) GDPR.
Where processing is necessary for IT security, troubleshooting, abuse detection or the defense of legal claims, it is additionally based on Art. 6(1)(f) GDPR.
Event data is made available at least for the contractually guaranteed availability period. It may then be deleted unless longer retention has been agreed or is legally required.
7. Guest contributions, audio and video uploads
Guests can voluntarily upload an audio or video message via a QR code or link and provide their name. The data processed includes in particular the provided name, the audio or video file, image and sound content, upload time, technical metadata, IP address and device information.
Before submission, the guest is informed that their name and audio or video message will be processed for the relevant wedding guestbook and made available to the wedding couple. The guest must also accept the upload terms applicable to guests and acknowledge this Privacy Policy. Processing is carried out to technically store the contribution, assign it to the correct event, make it accessible to the wedding couple, include it in the digital guestbook and, where applicable, include it in a wedding montage.
The legal basis for processing guest contributions is in particular Art. 6(1)(f) GDPR. The legitimate interests are the provision of the digital wedding guestbook booked by the wedding couple, the secure technical processing of voluntarily submitted content and the fulfillment of the legitimate expectations of the wedding couple and guests who upload a contribution for the event.
Guests do not have their own Wedwi account. Individual guest contributions are generally managed by the wedding couple in the dashboard. Wedwi is not required to collect or store additional information to identify guests or individual contributions beyond what is necessary for the service. If Wedwi cannot clearly identify a person or a specific contribution, data subject rights can be handled only to the extent the data subject provides sufficient information for identification and handling is legally required.
If a contribution has already been included in a montage, exported, downloaded or stored outside Wedwi, Wedwi cannot technically recall those external copies.
Guests should not upload content they are not entitled to provide. If other persons are visible or audible, the guest should ensure that those persons agree to the recording and use as part of the wedding guestbook. For minors, consent from a parent or legal guardian should be obtained.
8. Special categories of personal data
Wedwi does not request customers or guests to provide special categories of personal data within the meaning of Art. 9 GDPR, such as health data, political opinions, religious or philosophical beliefs or data concerning sex life. Audio and video content may nevertheless contain such information in individual cases.
Wedwi does not intentionally analyze such information and does not use it for profiling, advertising or automated decisions. Technical processing takes place only as part of the content voluntarily provided by the customer or guest and only to provide the booked service.
9. Data of third parties in uploaded content
When customers or guests upload content, it may contain personal data of other persons, such as persons visible or audible in audio or video contributions. We receive this data not directly from the affected person, but from the relevant customer or guest.
Processing is carried out to provide the digital wedding guestbook and montage. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest and the legitimate interest of the wedding couple lie in providing a private wedding guestbook for the relevant event.
Individual notification of every person visible or audible in a contribution is generally not possible for Wedwi because Wedwi does not identify these persons and does not have their contact details.
10. Payment, invoice and Paddle
Payments for Wedwi are processed through Paddle. Paddle acts as Merchant of Record. This means that Paddle handles payment, tax calculation, invoicing, payment confirmations, fraud prevention and, where applicable, refunds in its own name.
In connection with orders, we process in particular order status, selected package, Paddle transaction ID, payment status, billing information, country, tax information and support information relating to the order. We do not store full credit card details.
The legal bases are Art. 6(1)(b) GDPR for contract performance, Art. 6(1)(c) GDPR for statutory commercial and tax obligations, and Art. 6(1)(f) GDPR for fraud prevention, support and evidence purposes.
Paddle processes personal data as an independent controller. Paddle's privacy information and buyer terms also apply.
11. Support and communication
If you contact us, we process in particular name, email address, content of the request, communication history, technical information and, where necessary, account or order data.
Processing is carried out to respond to requests, provide customer support, troubleshoot issues, document communications and defend or enforce legal claims. The legal bases are Art. 6(1)(b) GDPR where the request concerns a contract and Art. 6(1)(f) GDPR. Our legitimate interest is proper support and documentation.
Automated account and login communication may be sent through Clerk. Manual support communication is handled through Google Workspace or Gmail.
12. Cookies and similar technologies
We use cookies and similar technologies. Technically necessary cookies and technologies are used in particular to provide the website, login, security, session management, error analysis and necessary settings. The legal basis for the processing of personal data is Art. 6(1)(f) GDPR or Art. 6(1)(b) GDPR where necessary for contract performance. Access to terminal devices is based on Section 25(2) of the German Telecommunications Digital Services Data Protection Act (TDDDG).
Non-essential cookies and similar technologies, in particular for analytics, marketing and remarketing, are used only if you have consented through our cookie consent tool. The legal bases are Art. 6(1)(a) GDPR and Section 25(1) TDDDG.
You can withdraw or change your consent at any time through the cookie settings with effect for the future.
13. Google Analytics 4 and Google Tag Manager
We use Google Analytics 4 and Google Tag Manager. For users in the European Economic Area, the provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google LLC, USA, may also be involved.
Google Analytics is used to analyze website usage, measure reach and optimize our offering. Usage data, device information, event data, shortened IP addresses, cookie IDs and approximate location data may be processed. Google Tag Manager is used to manage website tags and may process technical data when triggering other services.
These services are used only with your consent under Art. 6(1)(a) GDPR and Section 25(1) TDDDG. Google may transfer data to the USA and other third countries. Where required, such transfers are based on appropriate safeguards, in particular adequacy decisions, certifications under the EU-U.S. Data Privacy Framework or EU Standard Contractual Clauses.
14. Meta Pixel and Facebook Login
We use Meta Pixel for conversion measurement, marketing and remarketing, where you have consented. The provider is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland. Meta Platforms, Inc., USA, may also be involved.
Meta Pixel may process information about your use of our website and link it to your Meta account if you are logged in or if Meta recognizes you. We generally receive aggregated or pseudonymous reports.
The legal bases are Art. 6(1)(a) GDPR and Section 25(1) TDDDG. Meta may transfer data to the USA and other third countries. Where required, such transfers are based on appropriate safeguards.
If you use Facebook Login, data required for authentication is processed between Wedwi, Clerk and Meta. Meta may carry out its own data processing.
15. Pinterest Tag
We use Pinterest Tag for conversion measurement, marketing and remarketing, where you have consented. The provider is Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
Pinterest may process information about your use of our website and may link it to a Pinterest account. The legal bases are Art. 6(1)(a) GDPR and Section 25(1) TDDDG. Pinterest may transfer data to the USA and other third countries. Where required, such transfers are based on appropriate safeguards.
16. Recipients and processors
We disclose personal data only where necessary for the purposes described in this Privacy Policy, where a legal basis exists or where you have consented. Recipients may include:
Cloudflare for hosting, storage, security, performance and technical infrastructure
Clerk for authentication, account management and login communication
Google for Google Login, Google Workspace, Google Analytics and Google Tag Manager
Meta for Facebook Login and Meta Pixel
Pinterest for Pinterest Tag
Paddle for payment, tax, invoicing and refunds
tax advisors, legal advisors, banks, payment service providers and authorities where necessary
Where service providers process personal data on our behalf, we enter into data processing agreements under Art. 28 GDPR. Some providers act as independent controllers for specific processing activities, in particular Paddle as Merchant of Record and login, analytics and marketing providers in relation to their own services.
17. International transfers
Personal data may be transferred to or processed by recipients outside the European Union or European Economic Area, in particular in the USA. This concerns in particular Cloudflare, Clerk, Google, Meta, Pinterest and Paddle to the extent these providers process data outside the EU or EEA.
Where no adequacy decision of the European Commission exists for the relevant third country, transfers are based on appropriate safeguards under Art. 44 et seq. GDPR, in particular EU Standard Contractual Clauses, supplementary protective measures or certifications under the EU-U.S. Data Privacy Framework.
18. Retention period
We retain personal data only for as long as necessary for the relevant purposes or as required by statutory retention periods. The specific retention period depends on the type of data, purpose of processing, contractual requirements, legal obligations and legitimate interests.
For Wedwi content, the following applies in particular:
event data, audio and video contributions and montages remain available for at least 3 months from the event start or, if the montage is provided later, from the date the montage is made available
customers can delete individual contributions in the dashboard; deleted contributions are archived and fully deleted no later than after 3 months, unless legal obligations or legitimate reasons require longer retention
after the guaranteed availability period, content may be deleted
technical backups and security copies are overwritten or deleted in regular deletion cycles
Account data is generally stored for the duration of the customer relationship. Payment and invoice data is retained according to statutory commercial and tax retention obligations. Support communications are retained for as long as necessary for handling, documentation and defending legal claims.
19. Requirement to provide personal data
Providing personal data is generally voluntary. However, certain data is required for specific functions. Without the data required for account, payment, event page or upload functions, we cannot provide the relevant functions or can provide them only in a limited manner.
There is generally no statutory obligation to provide personal data, except where information is required for statutory, tax or accounting obligations.
20. Data subject rights
Data subjects have the following rights subject to the statutory requirements:
right of access under Art. 15 GDPR
right to rectification under Art. 16 GDPR
right to erasure under Art. 17 GDPR
right to restriction of processing under Art. 18 GDPR
right to data portability under Art. 20 GDPR
right to object under Art. 21 GDPR
right to withdraw consent with effect for the future
right to lodge a complaint with a supervisory authority under Art. 77 GDPR
To exercise your rights, you can contact us at daniel@wedwi.com.
Where we cannot clearly identify a data subject or a specific data record, we may request additional information to process a request. If we can demonstrate that we are not in a position to identify the data subject, Articles 15 to 20 GDPR do not apply in accordance with Art. 11 GDPR unless the data subject provides additional information enabling identification.
The data protection supervisory authority responsible for us is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Kavalleriestr. 2-4, 40213 Duesseldorf, Germany.
21. Right to object under Art. 21 GDPR
Where we process personal data on the basis of Art. 6(1)(f) GDPR, you may object to such processing at any time on grounds relating to your particular situation.
We will then no longer process the affected personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
If we process personal data for direct marketing, you may object to processing for such marketing at any time.
22. Automated decisions
We do not make solely automated decisions within the meaning of Art. 22 GDPR that produce legal effects concerning you or similarly significantly affect you.
23. Data security
We take appropriate technical and organizational measures to protect personal data against loss, destruction, alteration, unauthorized access and unauthorized disclosure. These measures include access restrictions, encryption in transit, secure infrastructure, logging and abuse detection.
24. Changes to this Privacy Policy
We may update this Privacy Policy if our services, providers, data processing activities or legal requirements change. The current version is available on our website.
