Privacy Policy

1. Who we are

ItsaYes is a pre-launch wedding planning project currently operated by an individual founder. You can contact us at contact@itsayes.io for any privacy-related questions or data requests.

2. Data we collect

We collect information that is necessary to provide and secure the platform:

• Account data: name, email address, password hash, workspace membership, and billing preferences if you subscribe to paid plans.
• Planning data: wedding information, guest lists, tasks, budgets, uploaded files, and comments you voluntarily enter into the product.
• Support and communications: messages sent through chat, email, or surveys plus metadata (timestamps, channel, troubleshooting context).
• Device and usage data: IP address, device identifiers, browser, operating system, pages viewed, scroll/interaction events, and referral URLs captured automatically when you visit our marketing site or authenticated app.
• Cookies and similar technologies: session cookies required to keep you logged in, CSRF tokens, and analytics cookies set by Google Analytics 4 that store a random client identifier to measure traffic patterns.

We do not intentionally collect sensitive information such as government IDs or payment card numbers inside the planning workspace. Please do not upload content that is not relevant to your wedding planning needs.

3. How we use your information

• Authenticate you, create workspaces, and deliver collaboration features.
• Operate, maintain, and troubleshoot the Supabase infrastructure that stores your wedding data.
• Measure marketing performance, product adoption, and reliability metrics through analytics dashboards.
• Respond to support requests, detect abuse, and protect the platform from fraud or security threats.
• Comply with legal obligations, enforce our terms, and communicate policy or feature updates.

4. Service providers and sharing

We rely on vetted vendors to deliver parts of the service. These processors only access data as needed to provide their tooling and must meet confidentiality and security standards.

• Supabase for authentication, database, storage, and serverless functions.
• Vercel for application hosting, performance monitoring, and anonymous edge logs.
• Resend (or equivalent) for transactional email delivery.
• Google Analytics 4 for aggregated traffic and product analytics using the measurement ID configured in our environment.
• Customer support and productivity tools (e.g., issue trackers or helpdesk) when you contact us.

We do not sell your personal information. We may share data if required by law, to investigate security incidents, or in connection with a business transaction (e.g., merger or financing) where appropriate safeguards are in place.

5. Cookies, analytics, and tracking controls

Essential cookies are required for authentication, CSRF protection, and load balancing. Optional analytics cookies are set when marketing visitors or signed-in users allow measurement. Google Analytics 4 stores a randomly generated identifier in cookies (such as _ga) with up to a 2-year lifespan to understand returning visits, device types, and page flows. We configure GA4 to avoid sending payment information and to truncate IP addresses in supported regions.

You can adjust browser settings to block cookies, use the in-product preference center (when available) to disable analytics, or install the Google Analytics opt-out add-on. We also honor the Global Privacy Control (GPC) signal by suppressing non-essential tracking when your browser sends Sec-GPC: 1 or navigator.globalPrivacyControl = true.

6. Do Not Sell or Share / targeted advertising opt-out

California (CPRA) and other U.S. privacy laws grant residents the right to opt out of the “sale” or “sharing” of personal information for targeted advertising. We do not exchange your information for money, but analytics integrations could be considered “sharing” under those laws. You can opt out at any time by using the upcoming cookie preferences link in the footer or by emailing privacy@itsayes.io. Opt-out requests will apply to the browser/device you use and any authenticated profile we can link to your account.

7. Data retention and security

We retain planning content for as long as your workspace remains active so you can access historical tasks and files. Account metadata and audit logs may persist for up to 24 months after cancellation to comply with legal obligations and to defend against fraud or abuse. Support conversations are stored for up to 18 months unless you request earlier deletion.

Data is encrypted in transit and at rest within Supabase and Vercel-managed infrastructure located in the United States. Access is limited to the founder and trusted contractors under NDA. If we learn of a security incident, we will notify affected users and regulators as required.

8. Your rights

Depending on where you live, you may have the right to request access, correction, deletion, portability, or to limit how we use your personal information. You can exercise these rights by contacting privacy@itsayes.io or by using self-serve settings as they become available. We will verify your identity before fulfilling requests and respond within the timelines required by applicable laws (such as 45 days for California residents).

9. Children

ItsaYes is intended for users who are 16 or older. We do not knowingly collect personal information from children under 16. If you believe a child has provided data, please contact us and we will delete it.

10. Updates to this policy

We may revise this policy as the product evolves or as laws change. The “last updated” date at the top will reflect the latest version. Material changes will be announced on our site or via email.

11. Contact

Reach us at privacy@itsayes.io for privacy questions, opt-out requests, or data-subject rights inquiries.