Privacy Notice (GDPR + POPIA) — thendalawedding
Privacy Notice (GDPR + POPIA) — thendalawedding
Last updated: 2026-02-17
This Privacy Notice explains how thendalawedding (“we”, “us”) processes personal data/personal information under the GDPR and South Africa’s POPIA.
1) Who we are (Controller / Responsible Party)
Service name: thendalawedding
Controller / Responsible Party: Alexandre Deyrieux
Location: Le Mérévillois, France
Privacy contact email: alexandre.deyrieux@gmail.com
POPIA Information Officer: Same as above
2) What the service is
thendalawedding is a wedding website with a wedding planner and a guestbook for the couple.
There are no user accounts and we aim to store as little personal information as possible.
3) Personal information we process (what we collect)
A. Information the couple provides
Couple contact email (to manage the site / receive messages or administration-related communication, if enabled).
Planner content you enter (e.g., wedding details like date/location/schedule, and free-text notes).
Photos/files uploaded by the couple (if you upload images that include other people, you should ensure you have the right to share them).
B. Information guestbook contributors provide
When someone posts in the guestbook (no authentication):
Name (or nickname) and the message content they submit.
Any extra information the contributor writes inside the message (we recommend not posting sensitive info).
Important: Guestbook posts are typically publicly visible on the website. Please don’t post private or sensitive information.
C. Technical and security information (collected automatically)
IP address, timestamps, basic request metadata (e.g., URL requested, user-agent), and security/admin logs for preventing abuse and maintaining security.
4) Where we get the information from
Directly from the couple (planner content, uploads, email)
Directly from guestbook contributors (name + message)
Automatically from the device/browser when anyone uses the site (technical/security logs)
5) Why we process information (purposes) and legal bases
We only process personal information for the purposes below:
A. Operating the wedding website and planner
Store and display wedding/planner content and couple uploads
Keep the website functioning and secure
GDPR legal basis: performance of a contract / steps at your request, and/or legitimate interests (running the service).
POPIA justification: necessary to provide the service and/or legitimate interests.
B. Guestbook functionality
Publish the guestbook post (name/nickname + message)
Moderate abuse/spam if necessary
GDPR legal basis: legitimate interests (providing a guestbook), and your choice to submit the post.
POPIA justification: consent/voluntary submission and/or legitimate interests.
C. Security, abuse prevention, and administration
Prevent hacking, spam, and misuse
Maintain admin/security logs to investigate incidents
GDPR legal basis: legitimate interests (security).
POPIA: security safeguards obligations and legitimate interests.
D. No marketing
We do not send marketing newsletters or unsolicited electronic direct marketing.
(POPIA restricts unsolicited electronic direct marketing unless conditions are met.)
6) Cookies and similar technologies
A. Cookies we use
We use only essential cookies, typically:
Session cookie (to keep the site working correctly)
CSRF/security cookie (to protect forms and prevent abuse)
These are required for core functionality and security.
B. Cookie banner
You may see a cookie banner even though we only use essential cookies. This is to keep the site transparent and to control any optional third-party content (see Maps below).
C. Embedded Maps (third-party content)
Map embeds (by Google) can cause the visitor’s browser to connect to that third party and may involve cookies and/or online identifiers.
7) Sharing and disclosure
A. We do not sell data
We do not sell personal information and we do not share it with third parties for their own marketing.
B. Service providers (operators/processors)
To run a website, some processing by service providers is unavoidable. These providers act as processors/operators and may process data only to host and operate the service.
Hosting provider: absolutevps.co.za (South Africa)
Database/storage: hosted on the same server (South Africa)
C. Third-party content
If you load embedded maps, the map provider may process visitor data as an independent party when the visitor loads the map (depending on the provider and configuration).
D. Legal disclosure
We may disclose information if required by law or valid legal process.
8) International transfers (EU ↔ South Africa)
A. Storage location
Personal information is stored/processed on infrastructure located in South Africa.
B. GDPR transfers
For visitors/users in the EU/EEA, storing personal data in South Africa is a transfer to a third country. Where required, we rely on appropriate safeguards (such as the European Commission’s Standard Contractual Clauses) with relevant service providers, and we apply technical security measures.
C. POPIA transfers
POPIA restricts transfers outside South Africa unless safeguards/conditions are met.
9) Data retention (how long we keep information)
Planner content / wedding details / couple uploads: retained until site deletion (max 1 year from site creation), unless deleted earlier by the couple.
Guestbook posts: retained until site deletion (max 1 year), unless removed earlier (e.g., moderation or valid deletion request).
Security and admin logs: retained for security purposes, up to 1 year, unless we need to keep them longer for incident investigation (or shorter if feasible).
10) Security
We use reasonable technical and organisational measures, including:
HTTPS/TLS encryption in transit
Password hashing for any admin credentials (no plain-text storage)
Access controls (restricting admin access)
Backups
11) Your rights (GDPR + POPIA)
A. GDPR rights (EU/EEA)
Depending on your situation, you may have the right to:
- access, rectification, erasure, restriction, objection, portability, and to withdraw consent (where consent applies).
- Response timing: GDPR generally requires responding within 1 month, extendable for complex requests (with notice).
B. POPIA rights (South Africa)
You have the right to:
- request access/confirmation of records (Section 23)
- request correction/deletion (Section 24)
POPIA access requests require adequate proof of identity.
12) How to exercise your rights (requests)
Email: alexandre.deyrieux@gmail.com
To help us find the right data, include:
the page/feature involved (planner, guestbook, map page, etc.)
for guestbook: your displayed name/nickname, approximate date/time, and a copy/screenshot or URL of the post
Identity verification
We may need minimal verification to avoid disclosing or deleting the wrong person’s data (especially for access/deletion requests). For POPIA access requests, proof of identity may be required.
Timing commitment
We aim to respond as soon as possible.
For GDPR requests: within 1 month, unless extended for complexity (with notice).
For POPIA: within a reasonable time.
13) Complaints (supervisory authorities)
France / EU
You can lodge a complaint with the CNIL (France) or your local EU data protection authority.
South Africa
You can lodge a complaint with the Information Regulator.
14) Security breaches (data compromises)
If we become aware of a security compromise involving personal information, we will investigate and take reasonable steps to mitigate harm and notify affected people/authorities when legally required.
15) Automated decision-making and profiling
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
16) Changes to this Privacy Notice
We may update this notice to reflect changes to the website or legal requirements. We will post the updated version here and update the “Last updated” date.
Last updated: 2026-04-15