Privacy Policy

It's Official ("we", "us", "our") is operated by HASMITA MISTRY LIMITED, a company registered in England and Wales with company number 11499817. HASMITA MISTRY LIMITED is the data controller for personal data collected through this service, available at https://its-official.co.uk. If you have any questions about this policy, please contact us at privacy@its-official.co.uk.

We collect: Account data: your name, email address and account credentials when you sign up via Clerk. Wedding profile data: information you choose to provide about your wedding, including date, location, guest count, budget, cultural background and style preferences. Vendor profile data: if you are a vendor, the business information you provide including business name, contact details, service category, location, pricing, bio, portfolio photos and availability. Vendor Instagram data: if you are a vendor and choose to connect your Instagram Business or Creator account, we collect your Instagram profile information (username, biography, profile picture URL, account type, media count) and your published media (photos, videos, captions, timestamps, permalinks). This data is fetched via Meta's Instagram Graph API only after you explicitly grant permission via OAuth. Usage data: how you interact with the platform, including pages visited, features used and AI queries made. Vendor communication data: messages exchanged between couples and vendors through the platform, including AI-generated drafts. Guest list data: names, dietary requirements, RSVP responses and contact details for guests you add. Payment data: billing information is handled directly by Stripe. We store only your Stripe customer ID and subscription status - we never see or store your card details. Technical data: IP address, browser type, device information and cookies necessary to operate the service.

We use your data to: • Provide and personalise the wedding planning service • Generate AI-powered plans, recommendations and vendor matches • Display vendor profiles, including any connected Instagram content, to couples searching for vendors • Send vendor inquiries on your behalf • Send you transactional emails (welcome, booking confirmations, planning reminders) • Process payments via Stripe • Improve the platform through aggregated, anonymised analytics • Comply with legal obligations We do not sell your personal data to third parties. We do not use your data for advertising purposes.

Our AI features (wedding planner, vendor matching, assistant chat, mood board analysis) process information you provide to generate personalised recommendations. This data is sent to OpenAI's API for processing. OpenAI does not use API inputs to train their models by default. We recommend you do not submit sensitive personal information (such as financial account details or health information) through AI chat features. AI-generated content is for guidance only. Always verify vendor details, contracts and pricing independently.

If you are a vendor who has connected your Instagram Business or Creator account, the following applies specifically to that integration: What we access: Your public Instagram profile information and your published media, fetched via Meta's Instagram Graph API. We do not access your direct messages, story content, drafts, or any private content. Why we access it: To populate your vendor profile on It's Official with your portfolio photos, helping couples evaluate your work without leaving the platform. How long we keep it: Instagram data is cached on our infrastructure for up to 24 hours, then re-fetched from Instagram to keep your profile current. When you disconnect Instagram via your vendor profile page, we delete all cached Instagram data within 24 hours. When you remove It's Official from your Instagram settings (Settings → Apps and Websites → Remove It's Official), Meta notifies us via webhook and we delete your data within 24 hours. Your control: You can disconnect Instagram at any time from your vendor profile page on It's Official, or revoke access via Instagram's own settings. Either action immediately stops our access to your data. Data deletion: To request immediate deletion of all Instagram data we hold about you, follow Meta's data deletion request process via Instagram, or email us at privacy@its-official.co.uk. Confirmation of deletion is provided within 30 days. See our dedicated Instagram data deletion page for the full process: https://its-official.co.uk/legal/instagram-deletion

We use the following third-party services: Clerk - authentication and user management. Privacy policy: clerk.com/legal/privacy Stripe - payment processing. Privacy policy: stripe.com/gb/privacy OpenAI - AI content generation. Privacy policy: openai.com/privacy Resend - transactional email delivery. Privacy policy: resend.com/legal/privacy-policy Google Maps / Places API - vendor location search. Privacy policy: policies.google.com/privacy Meta Platforms (Instagram Graph API) - vendor Instagram integration. Privacy policy: facebook.com/privacy/policy Vercel - hosting and infrastructure. Privacy policy: vercel.com/legal/privacy-policy Supabase - database hosting. Privacy policy: supabase.com/privacy Each of these services operates under their own privacy policy and terms. We have data processing agreements in place with each provider where required by law.

We process your data under the following legal bases: Contract performance: processing necessary to provide the service you've signed up for. Legitimate interests: improving the platform, preventing fraud, sending planning reminders relevant to your active use. Consent: marketing communications and optional integrations (such as Instagram connection for vendors), where separate consent is obtained. Legal obligation: compliance with applicable laws and regulations.

We retain your data for as long as your account is active. If you delete your account: • Your personal data is deleted within 30 days • Anonymised, aggregated data may be retained for analytics • Vendor communication records may be retained for 90 days to resolve disputes • Payment records are retained for 7 years as required by UK tax law • Instagram data for vendors is deleted within 24 hours of disconnection or revocation, regardless of account status If you cancel your subscription but keep your account, your data is retained until you request deletion.

Under UK GDPR, you have the right to: • Access the personal data we hold about you • Correct inaccurate data • Request deletion of your data ("right to be forgotten") • Restrict or object to processing • Data portability (receive your data in a machine-readable format) • Withdraw consent at any time where processing is based on consent To exercise any of these rights, email us at privacy@its-official.co.uk. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

We use cookies that are strictly necessary to operate the service (authentication session cookies, OAuth state cookies for Instagram connection). We do not use tracking or advertising cookies. For more detail, see our Cookie Policy.

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encrypted storage, access controls, and regular security reviews. Instagram access tokens are stored with database-level encryption at rest. However, no internet transmission is 100% secure. In the event of a data breach that affects your rights and freedoms, we will notify you and the ICO within 72 hours as required by law.

Our service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@its-official.co.uk.

We may update this policy from time to time. We will notify you of material changes by email or by a prominent notice within the platform. The date at the top of this page indicates when it was last updated. Continued use of the service after changes constitutes acceptance of the updated policy.

For any privacy-related questions or requests: Email: privacy@its-official.co.uk Website: https://its-official.co.uk It's Official