Privacy Policy

Welcome to Anvaya (“we,” “our,” or “us”). Anvaya is operated by Automorphism LLC, doing business as Anvaya, a company registered in the United States. We provide a wedding planning platform available at anvaya.love, including subdomain-based wedding websites, guest management, budget tracking, vendor management, and AI assistant integrations via the Model Context Protocol (MCP).

For the purposes of the EU General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018, Automorphism LLC is the data controller for personal data we collect directly through the platform. Where couples add guest data, the couple acts as data controller and Anvaya acts as data processor (see Section 8).

At our current scale, we are not required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR. If this changes, we will update this policy accordingly.

You can reach us regarding any privacy matter at: privacy@anvaya.love

The following table describes the categories of personal information we collect, organized according to the categories defined in the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). For each category, we indicate specific data elements, whether we collect them, and the source.

Categories we do NOT collect: We do not collect Category C (characteristics of protected classifications), Category E (biometric information), Category H (audio, electronic, visual, thermal, olfactory, or similar information beyond user-uploaded photos), Category I (professional or employment-related information), or Category J (non-public education information).

We collect personal information from the following sources:

• Directly from you: When you create an account, set up a wedding, add events, manage guests, track budgets, or upload content.
• From couples (on behalf of guests): When a couple adds guest information such as names, email addresses, phone numbers, dietary preferences, and RSVP details. In this scenario, the couple is the data controller and Anvaya is the data processor (see Section 8 for the full Article 14 notice).
• Automatically: We collect analytics data (page views, feature usage, session information) through PostHog, subject to your consent preferences. We also collect IP addresses and basic request metadata through our infrastructure providers.
• From third-party authentication providers: If you sign in via Google OAuth, we receive the profile information you authorize (typically name and email address).

We process your personal information for the purposes described below. For users in the EU/UK, we also identify the lawful basis under GDPR Article 6(1) for each purpose.

We use cookies and similar technologies organized into the following tiers:

We do not sell or share personal information for cross-context behavioral advertising. As defined under the CCPA/CPRA, we have not sold or shared personal information in the preceding 12 months, nor do we have actual knowledge that we sell or share personal information of consumers under 16 years of age.

Your data is disclosed only in the following limited circumstances:

• AI Assistants (OAuth): When you explicitly authorize an AI assistant (ChatGPT, Claude, Cursor, etc.) via OAuth 2.1, that assistant can access your wedding data within the scopes you granted (wedding:read and/or wedding:write). You may revoke access at any time. Data flows directly between your account and the connected assistant; we do not control how the third-party assistant processes data once received.
• Wedding Collaborators: Members you invite to your wedding planning team can access shared wedding data according to their assigned role (Couple Primary, Family Admin, Family Contributor, or Guest).
• Service Providers (Sub-Processors): We use infrastructure and service providers to operate the platform. These providers process data on our behalf under contractual data processing agreements. See Section 7 for the full list.
• Legal Requirements: We may disclose information if required by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

We use the following third-party service providers (sub-processors) to operate the platform. Each operates under appropriate data processing agreements.

This section constitutes a notice under Article 14 of the GDPR for guests whose personal data is added to the platform by a couple (the data subject did not provide the data directly to Anvaya).

Wedding planning may involve culturally sensitive information, such as dietary restrictions (e.g., vegetarian, halal, kosher), ceremony types (e.g., Hindu, Sikh, Muslim, Christian, interfaith), religious customs, and cultural preferences. This data is:

• Optional — provided entirely at your discretion
• Purpose-limited — used solely for wedding planning features such as meal planning, ceremony scheduling, and event management
• Not profiled — never used for advertising, behavioral profiling, or analytics
• Deletable — you may remove this data at any time through your dashboard

Where such data constitutes special category data under GDPR Article 9 (e.g., data revealing religious beliefs), our lawful basis for processing is your explicit consent (Art. 9(2)(a)), which you provide by voluntarily entering this information.

Anvaya offers an AI-powered feature that extracts structured vendor information from emails and uploaded documents. This feature works as follows:

• User-initiated only: Extraction is triggered only by your explicit action — forwarding a vendor email to your Anvaya address or uploading a document through the dashboard.
• AI model: We use OpenAI's gpt-5.4-mini model via the OpenAI API to extract vendor details such as names, contact information, pricing, and service descriptions.
• No raw data retained: Raw email or document content is not persisted after extraction is complete. Only the structured extracted data (vendor name, contact details, pricing) is stored in your wedding account.
• OpenAI API policy: Under OpenAI's API data usage policy, API inputs and outputs are not used for model training. OpenAI retains API data for up to 30 days for abuse monitoring, after which it is deleted.

Extracted data is stored in your wedding account and can be reviewed, edited, accepted, or dismissed at any time.

Anvaya is based in the United States, and your personal data is stored and processed on infrastructure located in the United States (AWS for database hosting, Cloudflare for edge compute and storage). When you use Anvaya from outside the United States, your data is transferred to the US for processing.

You may request a copy of the safeguard documentation applicable to your data by contacting us at privacy@anvaya.love.

We retain your data according to the following schedule:

• OAuth Access Tokens: Expire after 1 hour. Stored as SHA-256 cryptographic hashes only.
• OAuth Refresh Tokens: Expire after 30 days. Rotated on each use; previous tokens are immediately revoked.
• OAuth Authorization Codes: Expire after 10 minutes and are single-use.
• Wedding Data: Retained until you delete specific data or your entire wedding. All wedding data (events, guests, budget, vendors, tasks, website content) is permanently deleted when the wedding is removed.
• Account Data: Retained for the lifetime of your account. Upon account deletion, all associated data (including all weddings) is permanently removed.
• Backup Data: Database backups follow a 7-day rotation. After deletion of your data from the live database, it may persist in backups for up to 7 days before being overwritten.
• Analytics Data: Retained per PostHog's data retention policy. We do not control PostHog's retention schedule independently, but analytics data is anonymized and not linked to your account after deletion.

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018:

• Right of Access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to receive a copy of that data along with information about how it is used.
• Right to Rectification (Art. 16): You have the right to have inaccurate personal data corrected and incomplete data completed.
• Right to Erasure (Art. 17): You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, you withdraw consent, or the data has been unlawfully processed.
• Right to Restriction of Processing (Art. 18): You have the right to request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
• Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
• Right to Object (Art. 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right to Withdraw Consent (Art. 7(3)): Where processing is based on your consent (e.g., analytics cookies), you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your data.
• Right to Delete: You may request deletion of the personal information we have collected from you, subject to certain exceptions (e.g., legal obligations).
• Right to Correct: You may request correction of inaccurate personal information we hold about you.
• Right to Opt-Out of Sale/Sharing: We do not sell personal information and do not share personal information for cross-context behavioral advertising. Therefore, there is no need to opt out, but you retain this right should our practices change.
• Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (such as dietary restrictions indicating religious beliefs) only for the purposes of providing our wedding planning services. You may request that we limit our use to these purposes.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, quality, or service levels for exercising your rights.

We honor the Global Privacy Control (GPC) signal. When we detect a GPC signal from your browser, we will:

• Automatically disable analytics and non-essential tracking cookies for your session
• Treat the signal as a valid opt-out request under applicable privacy laws, including the CCPA/CPRA
• Display a visible confirmation that your GPC preference has been recognized

You do not need to take any additional action beyond enabling GPC in your browser. For more information about GPC, visit globalprivacycontrol.org.

Anvaya does not make automated decisions that produce legal effects or similarly significantly affect you. Specifically:

• AI vendor extraction is entirely user-initiated. You trigger the extraction by forwarding an email or uploading a document. Extracted data is presented as a draft for your review — you decide whether to accept, edit, or dismiss it.
• Wedding readiness score is an informational metric that summarizes your planning progress (e.g., whether events have dates, guests are assigned, RSVPs are collected). It is calculated algorithmically from your wedding data and is displayed for your convenience only. It does not affect your access to features, pricing, or service levels.

Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not engage in such processing.

Anvaya is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@anvaya.love.

We implement appropriate technical and organizational measures to protect your personal information, including:

• Token security: OAuth tokens stored as SHA-256 cryptographic hashes; refresh tokens rotated on each use with immediate revocation of previous tokens
• PKCE: Proof Key for Code Exchange (S256 method) required for all OAuth authorization flows to prevent code interception attacks
• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security)
• Role-based access control (RBAC): Wedding data is protected by a four-tier role hierarchy (Couple Primary, Family Admin, Family Contributor, Guest) with granular permission checks on every server action
• Content Security Policy (CSP): HTTP security headers restrict the sources from which scripts, styles, and other resources can be loaded
• Input masking in session recording: When analytics session replay is enabled (with consent), sensitive form fields are masked to prevent personal data from being captured in recordings

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously review and improve our security practices.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Post the updated policy on this page with a revised “Last updated” date
• Notify you via email or through a prominent notice on the platform if the changes are significant

We encourage you to review this page periodically. Your continued use of Anvaya after a revised policy is posted constitutes your acceptance of the changes, except where consent is required under applicable law, in which case we will seek your consent before applying the changes to your data.

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how your data is handled, please contact us: