1. Who We Are
myMemlo (accessible at mymemlo.com) is a wedding photo-gallery sharing service operated by [YOUR COMPANY NAME], registered at [YOUR ADDRESS], Croatia (OIB / VAT: [YOUR OIB]).
We are the data controller for the personal data described in this policy. For all privacy matters contact us at privacy@mymemlo.com.
2. What Data We Collect and Why
2.1 Venue & Admin Accounts
- Name and business email address: to create and manage your admin account.
- Login session data: stored in a secure, HTTP-only session cookie to keep you signed in.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
2.2 Couple Booking Data
- Couple names and wedding date: used to create the gallery and generate the QR card.
- Email address: used to send booking confirmation, QR code PDF, and renewal reminders.
- Payment information: processed directly by Stripe, Inc. We never store card numbers or bank details; Stripe returns only a customer ID and subscription reference.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
2.3 Wedding Guest Usage
- Guests access galleries anonymously using a wedding code. We do not require registration or collect personal data from guests.
- Standard server logs (IP address, browser type, timestamp) are generated automatically by our hosting infrastructure (Vercel) and retained for up to 30 days for security and debugging purposes.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR): operating a secure service.
2.4 Uploaded Photos and Videos
- Wedding photos and videos uploaded by venue staff are stored in our secure cloud storage.
- Galleries are accessible only via the unique wedding code and expire after 12 months (or sooner if not renewed).
- You may request permanent deletion of a gallery and all associated media at any time by contacting us.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
3. Third-Party Processors
We share data with the following sub-processors, all of whom are bound by data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, file storage, authentication | EU (AWS eu-central-1) |
| Stripe, Inc. | Payment processing | USA (EU SCCs apply) |
| Resend, Inc. | Transactional email delivery | USA (EU SCCs apply) |
| Vercel, Inc. | Web hosting and edge infrastructure | USA / EU (EU SCCs apply) |
SCCs = Standard Contractual Clauses (EU Commission Decision 2021/914), the lawful mechanism for transferring personal data to countries outside the European Economic Area.
4. Data Retention
- Gallery data and media: retained for the duration of the active subscription plus 30 days after expiry, then permanently deleted.
- Booking and payment records: retained for 7 years to comply with Croatian accounting and tax law (Zakon o računovodstvu, NN 78/15, as amended).
- Admin account data: retained for the lifetime of the account; deleted within 30 days of account closure on request.
- Server logs: deleted after 30 days.
5. Your Rights Under GDPR
As a data subject under EU/EEA law you have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”): request deletion of your data where we have no overriding legal obligation to retain it.
- Restriction of processing: ask us to pause processing while a dispute is resolved.
- Data portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent (e.g. non-essential cookies), you may withdraw at any time.
To exercise any right, email us at privacy@mymemlo.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Croatian Data Protection Authority (AZOP): azop.hr · azop@azop.hr.
6. Cookies
We use cookies as described in our Cookie Policy. You can manage your cookie preferences at any time using the banner on our website or by contacting us.
7. Security
We implement appropriate technical and organisational measures to protect your data, including TLS encryption in transit, encrypted storage at rest, role-based access control, and regular security reviews. No system is perfectly secure; if you discover a vulnerability, please report it responsibly to privacy@mymemlo.com.
8. Children
Our service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will delete it promptly.
9. Changes to This Policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date at the top and, for material changes, notify affected users by email.
10. Contact
[YOUR COMPANY NAME]
[YOUR ADDRESS], Croatia
Email: privacy@mymemlo.com