the vow

Privacy Policy

Last updated: April 2026

1. Data Controller

The Vow ("we", "us", "our") is the data controller responsible for the personal data processed through the-vow.co.uk and any related services. We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have in relation to it. If you have any questions or concerns about our data practices, please contact us at hello@the-vow.co.uk.

Where required, we will maintain a record of processing activities and, if applicable, register with the Information Commissioner's Office ("ICO"). Our ICO registration reference is available upon request.

2. Data We Collect

We collect and process the following categories of personal data:

  • Account information — your name, email address, password (stored in hashed form), account type (couple or vendor), and the date your account was created.
  • Business profile data (vendors only) — your business name, trading address, contact telephone number, business description, service categories, portfolio images, pricing information, and social media links.
  • Planning data (couples only) — wedding date, venue name, guest count, budget, and any notes or preferences you record within the platform.
  • Usage and technical data — IP address, browser type and version, device type, operating system, pages visited, features used, time spent on the platform, and referring URLs. This data is collected automatically and used in aggregate form to improve the platform.
  • Communications data — messages sent between couples and vendors via the platform's messaging features, enquiries submitted, and correspondence with our support team.
  • Payment data — billing name, billing address, and the last four digits of your payment card. Full card details are processed exclusively by Stripe and are never stored on our servers.
  • Uploaded content — photographs, documents, and other files you upload to your profile or within the platform.

We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us immediately.

3. Legal Basis for Processing

We rely on the following legal bases under UK GDPR to process your personal data:

  • Performance of a contract — most of our processing is necessary to provide you with the services described in our Terms & Conditions, including creating and managing your account, processing payments, and facilitating communication between couples and vendors.
  • Legitimate interests — we process certain data (including usage analytics and security logging) on the basis of our legitimate interests in maintaining, securing, and improving the platform, provided those interests are not overridden by your rights and freedoms.
  • Consent — where we send you optional marketing communications or deploy non-essential cookies, we will seek your prior consent. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Legal obligation — we may process personal data where required to comply with a legal obligation, such as responding to a lawful request from a regulatory authority or law enforcement agency.

4. How We Use Your Data

We use the personal data we collect for the following purposes:

  • Providing the platform — creating and maintaining your account, displaying your vendor profile to prospective couples, enabling search and discovery features, and facilitating booking enquiries.
  • Processing payments — managing your subscription, issuing invoices, and handling billing-related queries in conjunction with Stripe.
  • Facilitating communications — delivering messages exchanged between couples and vendors through the platform's messaging system.
  • Sending notifications — transactional emails such as account confirmations, password resets, booking updates, and subscription renewal reminders. We will only send marketing communications where you have opted in to receive them.
  • Platform improvements — analysing aggregated usage patterns to identify and resolve technical issues, develop new features, and improve the overall user experience.
  • Security and fraud prevention — monitoring for suspicious activity, investigating potential violations of our Terms & Conditions, and protecting the security and integrity of the platform.
  • Customer support — responding to your enquiries, troubleshooting issues, and maintaining records of our communications with you.
  • Legal compliance — meeting our obligations under applicable law, including tax, financial reporting, and data protection legislation.

5. Third-Party Sharing

We do not sell, rent, or trade your personal data to third parties. We share data only in the following limited circumstances:

  • Stripe — our payment processor. Stripe collects and processes your payment card details to fulfil subscriptions and transactions. Stripe is a data processor acting on our behalf and is certified to PCI DSS standards. Their privacy policy is available at stripe.com/gb/privacy.
  • Neon — our database infrastructure provider. Your data is stored in Neon's PostgreSQL-compatible cloud database, hosted within the EU. Neon acts as a data processor and processes data only on our documented instructions.
  • Resend — our transactional email delivery service. We share your email address and relevant notification content with Resend solely to deliver emails on our behalf. Resend does not use this data for its own marketing purposes.
  • Cloudinary — our media hosting and optimisation service. Photographs and other media you upload to the platform are stored and served via Cloudinary. Uploaded content is processed in accordance with Cloudinary's data processing agreement.

We may also disclose personal data to competent authorities where required by law, or where disclosure is necessary to protect the safety of any individual, to prevent fraud, or to enforce our Terms & Conditions. We will notify you of such disclosures where we are legally permitted to do so.

All third-party processors are bound by data processing agreements and are required to implement appropriate technical and organisational security measures.

6. Cookies

We use cookies and similar technologies to support the functioning of the platform. We currently deploy essential cookies only — cookies that are strictly necessary to authenticate your session, maintain your preferences, and ensure the platform operates correctly.

We do not use third-party advertising cookies, cross-site tracking cookies, or any cookie that is not directly necessary for the platform to function. You do not need to consent to essential cookies, as they are required for the service to operate.

Specific cookies we set include:

  • Session token — a secure, HttpOnly, SameSite=Strict cookie used to maintain your authenticated session. Expires after 15 minutes of inactivity.
  • Refresh token — a secure, HttpOnly cookie used to renew your session without requiring you to log in again. Expires after 7 days.

You can configure your browser to block cookies, but doing so may affect your ability to log in and use the platform.

7. Data Retention

We retain your personal data for as long as your account remains active and for a reasonable period thereafter to fulfil legitimate business and legal purposes, including the resolution of disputes and enforcement of our agreements.

Following account deletion, we retain anonymised and aggregated usage data for up to 12 months to support platform analytics and improvement. Identifiable personal data is deleted within 90 days of account closure, subject to any legal obligations requiring longer retention (for example, financial transaction records which may be retained for up to 7 years under UK tax law).

If you wish to request early deletion of your data, please refer to your rights in section 8 below. Where deletion is not possible due to a legal obligation, we will restrict processing and notify you accordingly.

8. Your Rights Under UK GDPR

Under UK GDPR, you have the following rights in respect of the personal data we hold about you:

  • Right of access — you may request a copy of the personal data we hold about you (a "Subject Access Request").
  • Right to rectification — you may ask us to correct any personal data that is inaccurate or incomplete.
  • Right to erasure — in certain circumstances you may ask us to delete your personal data. This right is not absolute and may be limited by legal obligations to retain data.
  • Right to data portability — where processing is based on consent or contract, you may ask us to provide your personal data in a structured, commonly used, machine-readable format.
  • Right to object — you may object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to restriction — in certain circumstances you may ask us to restrict processing of your personal data, for example while a dispute about accuracy is being resolved.
  • Right to withdraw consent — where processing is based on your consent, you may withdraw that consent at any time without affecting prior processing.

To exercise any of these rights, please contact us at hello@the-vow.co.uk. We will respond to all valid requests within 30 days. If your request is complex or you have made several requests, we may extend this period by a further two months and will notify you accordingly.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, disclosure, alteration, or destruction. Our security measures include:

  • Encryption in transit — all data transmitted between your browser and our platform is encrypted using TLS 1.2 or higher.
  • Encryption at rest — data stored in our database is encrypted at rest using industry-standard encryption.
  • Password security — passwords are hashed using argon2id, a memory-hard algorithm recommended by OWASP. We never store passwords in plain text or using weaker hashing algorithms.
  • Row-level security — our database enforces row-level security (RLS) policies to ensure that each account can only access its own data, preventing cross-tenant data leakage.
  • Access controls — access to production systems and personal data is restricted to authorised personnel on a need-to-know basis, and is subject to audit logging.
  • Session management — authentication tokens are short-lived (15 minutes) and refresh tokens are hashed before storage, minimising the impact of any token compromise.

While we take all reasonable steps to protect your data, no method of transmission or storage is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the ICO in accordance with our obligations under UK GDPR.

10. International Transfers

Some of our third-party service providers (including Stripe, Resend, and Cloudinary) may process personal data outside of the UK or the European Economic Area ("EEA"). Where such transfers occur, we ensure that appropriate safeguards are in place to protect your personal data in accordance with UK GDPR requirements.

These safeguards may include:

  • Transferring data to countries that have received an adequacy decision from the UK Secretary of State or the European Commission.
  • Implementing UK International Data Transfer Agreements ("IDTAs") or EU Standard Contractual Clauses ("SCCs") with service providers in countries without an adequacy decision.
  • Where applicable, relying on the service provider's certification under a recognised data protection framework.

If you would like more information about the specific safeguards in place for any particular transfer, please contact us at hello@the-vow.co.uk.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the services we offer. We will notify you of any material changes by:

  • Sending a notification to the email address associated with your account; and/or
  • Displaying a prominent notice within the platform on your next login.

The "Last updated" date at the top of this page will always reflect when the policy was most recently revised. We encourage you to review this policy periodically. Continued use of the platform following notification of changes constitutes your acceptance of the updated policy.

12. Contact

If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal data, please contact us:

Email: hello@the-vow.co.uk

We aim to respond to all privacy-related enquiries within 5 business days and to all Subject Access Requests within 30 calendar days.