Privacy Policy
Last updated: 8 March 2026
1. Controller identity
Jules Wren is a trading name of Nodegra Ltd., a company registered in England and Wales (Company No. 16964358).
Data protection contact: privacy@juleswren.com
2. Lawful basis for processing
We process personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The lawful basis for each category of data is set out below.
| Data category | Lawful basis |
|---|---|
| Account data (email, password hash, auth provider) | Art. 6(1)(b) — performance of a contract |
| Event data (event details, page content) | Art. 6(1)(b) — performance of a contract |
| Guest and RSVP data (names, attendance, notes) | Art. 6(1)(f) — legitimate interests of the event organiser |
| Dietary requirements (may reveal health or religion) | Art. 9(2)(a) — explicit consent of the data subject |
| Billing data (plan type, licence status, transaction refs) | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation |
| Audit logs and rate-limiting data | Art. 6(1)(f) — legitimate interests (security) |
3. Website analytics
We use PostHog (EU Cloud) for anonymous, aggregated page-view and event analytics on our marketing pages only (e.g. the landing page, pricing page, and signup flow). PostHog is configured in cookieless mode — it does not set cookies, does not persist data in your browser, and does not track individual visitors across sessions.
Importantly, we do not run any analytics on couples' wedding websites or guest-facing pages. Your guests are never tracked.
Analytics data is processed by PostHog's EU-hosted infrastructure (Frankfurt, Germany) and is not shared with other third parties.
4. Data we collect
We collect the following categories of personal data:
- Account data: email address, hashed password, authentication provider (e.g. Google), account creation date.
- Event data: event title, partner names, event date, venue details, website page content, uploaded images.
- Guest data: guest names, email addresses (if provided), party groupings, invite types.
- RSVP data: attendance status, dietary requirements, phone number (if provided), free-text notes, answers to custom questions.
- Billing data: plan type, licence status, and Stripe transaction references. We never store full card details — these are processed directly by Stripe.
- Technical data: IP addresses (for rate limiting, not stored persistently), request IDs, audit log entries.
5. How we use your data
- Account data: to create and manage your account, authenticate you, and communicate service updates.
- Event and guest data: to provide the wedding website builder and RSVP management service.
- RSVP data: to record and display guest responses to event organisers.
- Billing data: to process payments and maintain financial records as required by law.
- Technical data: to maintain platform security, prevent abuse, and comply with legal obligations.
We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not display advertisements.
6. Where we get personal information from
- Directly from you: when you create an account, set up an event, or manage your billing details.
- From event guests: when guests submit RSVP responses via a public event page.
- From event organisers: when organisers add guest names, contact details, and party groupings to their guest list. This may include personal data of children (e.g. children attending as guests).
7. Data sharing and sub-processors
We share personal data only with the following service providers (sub-processors), who process data on our behalf under appropriate contractual terms:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, file storage | London, United Kingdom |
| Stripe | Payment processing | United Kingdom / EU |
| Upstash | Rate limiting (Redis) | European Union |
| PostHog | Anonymous website analytics (marketing pages only) | Frankfurt, Germany (EU) |
| Google Maps | Embedded maps on event pages | United States (under SCCs) |
Event organisers are data controllers for the guest personal data they collect. Jules Wren acts as a data processor on their behalf. See our Terms of Service for the full Data Processing Addendum.
8. International transfers
Your personal data is primarily hosted in the United Kingdom (Supabase, London region). Payment data is processed by Stripe within the UK/EU.
Where data is transferred outside the UK/EEA (e.g. Google Maps embed), such transfers are protected by Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner.
9. Data retention
- Account and event data: retained while your account is active. Upon account deletion, all personal data is removed.
- Guest and RSVP data: automatically deleted 6 months after the event date.
- Audit logs: retained for a minimum of 90 days for security purposes, then anonymised.
- Billing records: anonymised (not deleted) and retained for 6 years to comply with HMRC requirements.
10. Your rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Access (Art. 15) — request a copy of your data
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — request deletion of your data
- Restriction (Art. 18) — request we limit processing
- Data portability (Art. 20) — receive your data in a structured, machine-readable format
- Object (Art. 21) — object to processing based on legitimate interests
- Withdraw consent (Art. 7(3)) — withdraw consent at any time where processing is based on consent
- Lodge a complaint — with the Information Commissioner's Office (see section 16)
11. How to exercise your rights
You can exercise most rights directly from your account dashboard (Settings > Account), including data export and account deletion.
For all other requests, or if you are a guest whose data has been collected by an event organiser, contact us at privacy@juleswren.com. We will respond within 30 days.
12. Cookies
We use only essential cookies required for the service to function. We do not use advertising, analytics, or tracking cookies. See our Cookie Policy for full details.
13. Children
Jules Wren is not directed at children under 16 and children cannot create accounts. However, event organisers may include children as guests on their guest list (e.g. children attending a wedding). In these cases, the organiser is responsible as data controller for ensuring they have appropriate authority (such as parental consent) to share that child's personal data.
We process children's guest data (name, dietary requirements, RSVP responses) in the same way as adult guest data, subject to the same retention periods and security measures. If you are a parent or guardian and believe your child's data has been added without appropriate authority, please contact us at privacy@juleswren.com and we will assist with its removal.
14. Security measures
We implement appropriate technical and organisational measures to protect your data, including: encryption in transit (TLS), row-level security for tenant isolation, hashed passwords and tokens, CSRF protection, rate limiting, and regular security audits.
15. Changes to this policy
We may update this privacy policy from time to time. We will notify account holders of material changes by email. The "last updated" date at the top of this page indicates the most recent revision.
16. Supervisory authority
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Website: ico.org.uk
- Helpline: 0303 123 1113
17. Contact
For privacy-related enquiries, contact us at privacy@juleswren.com.