Legal
Privacy Policy
Information about the processing of personal data when using NiiRo Smart Wedding.
1. Data Controller
NiiRo AI
Robin Kolb
Email: info@niiro.ai
2. What data is processed
When visiting and using NiiRo Smart Wedding, the following data may be processed:
- technical access data and server logs
- account data of couples and wedding planners
- reply information from guests
- uploaded images and content
- payment data via Stripe checkout
3. Purposes of processing
Personal data is processed for the following purposes:
- Platform operation: Provision and operation of the platform (Art. 6(1)(b) GDPR).
- Wedding management: Managing invitations, guest replies, and galleries (Art. 6(1)(b) GDPR).
- Payment processing: Processing couple activation payments via Stripe (Art. 6(1)(b) GDPR).
- Security: Abuse prevention, error analysis, and system security (Art. 6(1)(f) GDPR).
- Analytics: Anonymous usage statistics via Vercel Analytics, only with your consent (Art. 6(1)(a) GDPR).
4. Legal basis
The processing of personal data is based on the following GDPR legal bases:
- Art. 6(1)(a) (Consent): For analytics cookies and non-essential data processing.
- Art. 6(1)(b) (Contract performance): For providing the platform, account management, and payment processing.
- Art. 6(1)(f) (Legitimate interest): For security measures, error analysis, and abuse prevention.
- Art. 6(1)(c) (Legal obligation): For tax-related retention obligations for payment data.
5. Service providers (processors)
To provide our services, we engage the following processors, each under data processing agreements (DPAs) pursuant to Art. 28 GDPR. A full record of processing activities under Art. 30 GDPR — including contract paths, data categories, storage location, and retention periods — is maintained internally:
- Vercel Inc. (USA) — EU contracting party: Vercel International Limited (Dublin, Ireland)
- Hosting, Web Analytics (cookieless, consent-based) and performance monitoring. Region: EU (Frankfurt, fra1, pinned in vercel.json — source-code verified; Vercel Dashboard confirm due 2026-04-26 pending). EU contracting party: Vercel International Limited, Dublin, Ireland. Parent: Vercel Inc., USA. Legal basis: Art. 28 GDPR. Transfer: EU-US Data Privacy Framework + EU Standard Contractual Clauses (SCC Module 2).
- Supabase Inc. (USA)
- PostgreSQL database, authentication, and realtime. Region: EU (AWS Frankfurt, eu-central-1, verified live via server IP). Parent: Supabase Inc., USA/Singapore. Legal basis: Art. 28 GDPR. Transfer: EU-US DPF + SCC Module 2.
- Cloudflare Inc. (R2, USA)
- Cloudflare R2 Object Storage for photo gallery and media. Region: EU (Western Europe, weur — standard configuration; live confirm via Cloudflare Dashboard due 2026-04-26 pending). Parent: Cloudflare Inc., USA. Legal basis: Art. 28 GDPR. Transfer: EU-US DPF + SCC Module 2.
- Upstash Inc. (USA)
- Upstash Redis for rate limiting and abuse protection. Region: EU (pending operator confirm via Upstash Console, due 2026-04-26). Parent: Upstash Inc., USA. Data processed: ephemeral IP-based counters (max. 30 days). Legal basis: Art. 6(1)(f) GDPR + Art. 28 GDPR. Transfer: EU-US DPF + SCC Module 2.
- Stripe Payments Europe Ltd. (Dublin, Ireland) / Stripe Inc. (San Francisco, USA)
- Payment processing (PCI DSS Level 1 certified). Primary processing for EU customers: Stripe Payments Europe Ltd., Dublin, Ireland. Parent: Stripe Inc., San Francisco, USA. Legal basis: Art. 28 GDPR + Art. 6(1)(c) GDPR (tax retention obligation). Transfer: EU-US DPF + SCC Module 2.
- Resend Inc. (USA)
- Transactional emails (invitation links, couple notifications). Region: EU (Frankfurt, when activated in the Resend dashboard — pending operator confirm, due 2026-04-26). Parent: Resend Inc., USA. Legal basis: Art. 28 GDPR. Transfer: EU-US DPF + SCC Module 2.
- Google LLC (reCAPTCHA, USA) — EU subsidiary: Google Ireland Limited (Dublin)
- Google reCAPTCHA for bot protection on auth endpoints. Activation status (as of 2026-04-20): currently NOT active. Planned activation with auth hardening (T-25); activation occurs only when bot protection is enabled and is subject to consent via the cookie banner pursuant to § 25 TTDSG. EU subsidiary: Google Ireland Limited, Dublin, Ireland. Parent: Google LLC, USA. Data processed (upon activation): IP address, user agent, cookie IDs, mouse movements. Legal basis: Art. 6(1)(f) GDPR + consent under § 25 TTDSG. Transfer: EU-US DPF + SCC Module 2.
The complete record of processing activities (Art. 30 GDPR), including data processing agreements (DPAs), is available on request via info@niiro.ai.
6. Data transfers to third countries
Some of our service providers are based in the USA. Data transfers are based on the EU-US Data Privacy Framework (EU Commission adequacy decision of 10 July 2023) and additionally on EU Standard Contractual Clauses (SCCs).
7. Cookies and local storage
NiiRo Smart Wedding distinguishes between necessary and optional storage:
- Necessary: Login session cookies (__Host-niiro_admin_session, __Host-niiro_photo_session), local app settings. Essential for platform operation.
- Analytics (optional): Vercel Analytics and SpeedInsights are only activated after explicit consent via the cookie banner.
Consent can be revoked at any time via the cookie banner.
8. Data retention
Specific retention periods depend on the processing purpose:
- Account data: until the account is deleted by the user.
- Wedding data (guest replies, gallery, content): up to 12 months after the wedding date.
- Payment data: 10 years per commercial and tax retention obligations.
- Server logs and rate limiting data: maximum 30 days.
9. Data subject rights
As a data subject, you have the following rights under the GDPR:
- Access (Art. 15): You may request information about the personal data we store.
- Rectification (Art. 16): You may request the correction of inaccurate data.
- Erasure (Art. 17): You may request the deletion of your data, unless legal retention obligations apply.
- Restriction (Art. 18): You may request restriction of processing.
- Data portability (Art. 20): You have the right to receive your data in a machine-readable format.
- Objection (Art. 21): You may object to processing based on legitimate interests at any time.
- Right to complain: You have the right to file a complaint with a data protection supervisory authority.
10. Automated decision-making
No automated decision-making including profiling pursuant to Art. 22 GDPR takes place.
11. Privacy contact
For privacy inquiries, please contact us at info@niiro.ai.
Responsible for data protection: Robin Kolb
Due to the size of our company, we are not required to appoint a Data Protection Officer. For all data protection matters, please use the contact address listed above.