Privacy Policy

Mehndi.uk ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website mehndi.uk and use our services (collectively, the "Platform").

We are the data controller for the personal data we process through the Platform. This means we are responsible for deciding how we hold and use your personal information.

This Privacy Policy applies to all users of the Platform, including couples planning weddings, vendors offering services, and general visitors. By using the Platform, you acknowledge that you have read and understood this Privacy Policy.

Please also read our Terms of Service and Cookie Policy which complement this Privacy Policy.

2.1 Account Information

When you create an account, we collect:

• Full name
• Email address
• Password (encrypted)
• Account type (couple or vendor)
• Profile photo (optional)
• Phone number (optional)

If you sign up using Google OAuth, we receive your name, email address, and profile picture from Google with your consent.

2.2 Profile Information

For Couples:

• Wedding date
• Wedding type/style preferences
• Wedding location/venue area
• Estimated guest count
• Budget range
• Shortlisted vendors
• Checklist items and progress

For Vendors:

• Business name and trading name
• Business address and service areas
• Business description and services offered
• Contact information (phone, email, website)
• Social media links
• Photos and portfolio images
• Pricing information
• Business registration details (for verification)

2.3 Usage Data

We automatically collect information about how you use the Platform:

• Pages visited and features used
• Search queries and filters applied
• Vendors viewed and shortlisted
• Enquiries sent and received
• Reviews submitted and read
• Time spent on pages
• Click patterns and navigation paths

2.4 Device and Technical Data

When you access the Platform, we collect:

• IP address and approximate geolocation
• Browser type and version
• Operating system
• Device type and screen size
• Referring website or source
• Date and time of access
• Unique device identifiers

2.5 Communication Data

We collect information from communications you have with us or other users:

• Enquiry messages between couples and vendors
• Support requests and correspondence
• Reviews and responses
• Feedback and survey responses

2.6 Payment Information

When you make a payment, our payment processor Stripe collects payment details. We do not store complete card numbers or CVV codes. We only receive:

• Last four digits of your card
• Card type and expiry date
• Billing address
• Transaction history and amounts

2.7 Cookies and Tracking Technologies

We use cookies and similar technologies to collect certain information. Please see our Cookie Policy for detailed information.

3.1 Providing Our Services

• Creating and managing your account
• Displaying vendor listings and search results
• Facilitating enquiries and communications
• Processing subscriptions and payments
• Providing wedding planning tools and features

3.2 Improving the Platform

• Analysing usage patterns and trends
• Testing new features and functionality
• Fixing bugs and technical issues
• Optimising user experience and interface

3.3 Personalisation

• Showing relevant vendor recommendations
• Customising search results based on your location and preferences
• Remembering your settings and preferences
• Providing personalised content and suggestions

3.4 Communications

• Sending service-related notifications (enquiries, booking confirmations)
• Responding to your questions and support requests
• Sending marketing communications (with your consent)
• Notifying you of policy or service changes

3.5 Safety and Security

• Detecting and preventing fraud, spam, and abuse
• Verifying vendor identities and claims
• Enforcing our Terms of Service
• Protecting our users and the Platform

3.6 Legal Compliance

• Complying with legal obligations and court orders
• Responding to lawful requests from authorities
• Establishing, exercising, or defending legal claims

Under UK GDPR, we must have a legal basis for processing your personal data. We rely on the following bases:

4.1 Contract Performance

We process data necessary to fulfil our contract with you, including:

• Account creation and management
• Providing our services as described
• Processing payments for subscriptions
• Facilitating enquiries between users

4.2 Legitimate Interests

We process data where it's necessary for our legitimate interests or those of a third party, provided your rights don't override these interests:

• Improving and developing our services
• Marketing our services to existing customers
• Preventing fraud and ensuring security
• Analysing usage patterns

4.3 Consent

We rely on your consent for:

• Sending marketing emails to non-customers
• Using certain non-essential cookies
• Processing sensitive information (if applicable)

You can withdraw consent at any time by contacting us or adjusting your settings.

4.4 Legal Obligation

We process data to comply with legal obligations, such as tax record keeping and responding to lawful requests from authorities.

We do not sell your personal data. We may share your information in the following circumstances:

5.1 With Vendors (for Couples)

When you send an enquiry to a vendor, we share your name, email, phone (if provided), wedding details, and enquiry message with that vendor so they can respond to you.

5.2 With Couples (for Vendors)

Your business information, including contact details, photos, and reviews, is displayed publicly on your listing page to help couples find and contact you.

5.3 With Service Providers

We share data with trusted third-party service providers who assist us in operating the Platform:

• Stripe: Payment processing
• Cloudinary: Image hosting and processing
• Resend: Email delivery
• Google Analytics: Website analytics
• Vercel: Website hosting (if applicable)

These providers are contractually bound to use your data only for the services they provide to us and to maintain appropriate security measures.

5.4 For Legal Reasons

We may disclose your information if required to:

• Comply with a legal obligation, court order, or legal process
• Protect our rights, property, or safety
• Protect the safety of our users or the public
• Detect, prevent, or address fraud, security, or technical issues

5.5 Business Transfers

If Mehndi.uk is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5.6 With Your Consent

We may share your information for other purposes if you give us explicit consent to do so.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

6.1 Retention Periods

• Account data: Retained while your account is active and for 2 years after account closure
• Enquiry messages: Retained for 3 years from the date of the enquiry
• Reviews: Retained while the vendor listing exists or until you request deletion
• Payment records: Retained for 7 years for tax and legal compliance
• Analytics data: Aggregated and anonymised after 26 months

6.2 Data Deletion

When data is no longer needed, we will securely delete or anonymise it. Some data may be retained in backup systems for a limited period as part of our disaster recovery procedures.

Under UK data protection law, you have the following rights regarding your personal data:

7.1 Right of Access

You have the right to request a copy of the personal data we hold about you. This is commonly known as a "subject access request". We will respond within one month.

7.2 Right to Rectification

You have the right to request correction of any inaccurate personal data or completion of incomplete data. You can update most information directly through your account settings.

7.3 Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, such as when:

• The data is no longer necessary for its original purpose
• You withdraw consent (where consent was the legal basis)
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

7.4 Right to Restrict Processing

You have the right to request that we restrict processing of your personal data in certain circumstances, such as while we verify the accuracy of data you have challenged.

7.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller, where technically feasible.

7.6 Right to Object

You have the right to object to processing of your personal data for direct marketing at any time. You can also object to processing based on legitimate interests, and we will consider your objection.

7.7 Right to Withdraw Consent

Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing conducted before withdrawal.

7.8 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@mehndi.uk. We may need to verify your identity before processing your request. We will respond within one month, though this may be extended by two months for complex requests.

7.9 Right to Complain

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

We use cookies and similar tracking technologies to collect and store information about your preferences and activity on the Platform.

8.1 Types of Cookies We Use

• Essential cookies: Required for the Platform to function (authentication, security, load balancing)
• Analytics cookies: Help us understand how visitors use the Platform (Google Analytics)
• Functional cookies: Remember your preferences (language, location)
• Marketing cookies: Used to track effectiveness of our advertising (if applicable)

8.2 Managing Cookies

You can control cookies through your browser settings. Please note that disabling essential cookies may affect the functionality of the Platform.

For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

The Platform integrates with third-party services to provide certain features. These services have their own privacy policies:

• Google (OAuth & Maps): Google Privacy Policy
• Stripe (Payments): Stripe Privacy Policy
• Cloudinary (Images): Cloudinary Privacy Policy
• Resend (Email): Resend Privacy Policy

The Platform may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal information.

The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children under 18.

If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information as soon as possible. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@mehndi.uk.

Your personal data may be transferred to and processed in countries outside the United Kingdom. Some of our service providers are based in the United States and other countries.

When we transfer personal data outside the UK, we ensure appropriate safeguards are in place:

• Transferring to countries with adequacy decisions from the UK government
• Using Standard Contractual Clauses approved by the UK government
• Ensuring service providers have appropriate certifications

You can request more information about international transfers by contacting us.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.

12.1 Technical Measures

• Encryption of data in transit (HTTPS/TLS)
• Encryption of sensitive data at rest
• Secure password hashing
• Regular security updates and patches
• Firewall and intrusion detection systems
• Regular security testing and audits

12.2 Organisational Measures

• Access controls and authentication requirements
• Staff training on data protection
• Confidentiality agreements with staff and contractors
• Incident response procedures
• Regular review of security policies

12.3 Your Responsibility

While we take security seriously, no method of transmission over the Internet is 100% secure. You are responsible for:

• Keeping your account credentials confidential
• Using a strong, unique password
• Logging out after using shared devices
• Reporting any suspected security incidents to us

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make changes, we will:

• Update the "Last updated" date at the top of this page
• Notify you via email (for registered users) if changes are material
• Display a notice on the Platform

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes take effect constitutes acceptance of the revised policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related enquiries within 30 days.