Privacy Policy

Last updated: June 4, 2026

Wedding Wonders ("Wedding Wonders," "we," "us," or "our") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains in detail what information we collect, how we collect it, how we use it, with whom we share it, the choices you have about your information, and the steps we take to keep it secure. By accessing or using theweddingwonders.com (the "Site"), creating an account, placing an order, contacting us, or otherwise interacting with us, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Site.

1. Scope of this Policy

This Policy applies to all personal information processed by Wedding Wonders in connection with the Site, our products and services, our marketing communications, our customer support, and any related online or offline interactions. It does not apply to third-party websites, services, or applications that may be linked from the Site, even when they are accessed through links we provide. We encourage you to review the privacy practices of any third party before sharing your information with them.

2. Information We Collect

We collect information that you provide directly to us, information we collect automatically as you interact with the Site, and information we receive from third-party sources such as payment processors, shipping providers, analytics providers, and social media platforms.

2.1 Information you provide

  • Account information: name, email address, password, display name, and optional profile details.
  • Order and transaction information: billing and shipping addresses, phone number, products purchased, order value, payment method type, and order history. Full payment card numbers are processed by our payment processors and are not stored on our servers.
  • Customer support information: the contents of any messages, emails, or contact form submissions you send us, along with any attachments or context you choose to provide.
  • Preferences: favorites, saved items, wish lists, wedding date, event location, color palette, style preferences, and any other planning details you choose to share with us.
  • Marketing information: your email subscription preferences and your responses to promotions or surveys.

2.2 Information collected automatically

  • Device and connection data: IP address, device type, operating system, browser type and version, language settings, screen resolution, time zone, and referring URLs.
  • Usage data: pages viewed, products viewed, items added to or removed from cart, search queries, clickstream data, scroll depth, session duration, and timestamps.
  • Cookies and similar technologies: we use cookies, local storage, session storage, pixel tags, and similar technologies to operate the Site, remember your preferences, keep you signed in, maintain your cart, measure performance, and tailor your experience.
  • Approximate location: derived from IP address for fraud prevention, currency display, and shipping estimates.

2.3 Information from third parties

  • Payment processors such as Shopify Payments and Stripe provide us with transaction status, last four digits of cards, card brand, billing ZIP, and fraud signals.
  • Shipping carriers provide tracking and delivery information.
  • Authentication providers (e.g., Google, Apple) share basic profile information when you choose to sign in with them.
  • Analytics and advertising partners may share aggregated or pseudonymous data about how visitors interact with our Site and ads.

3. How We Use Your Information

We use your information for the following purposes, each based on a lawful basis under applicable law (contract, legitimate interests, your consent where required, and compliance with legal obligations):

  • To create and maintain your account.
  • To process, fulfill, and deliver your orders, including communicating with you about order status, shipping, returns, and exchanges.
  • To provide customer support and respond to your questions and requests.
  • To operate, maintain, secure, debug, and improve the Site and our services.
  • To personalize your experience, including remembering favorites, cart contents, recently viewed items, and recommended products.
  • To send you transactional emails (order confirmations, shipping notifications, security alerts) that you cannot opt out of while you have an active account or order.
  • To send marketing emails about new collections, promotions, and content where permitted by law, and to honor opt-outs.
  • To detect, investigate, and prevent fraud, abuse, security incidents, and other harmful or unlawful activity.
  • To comply with legal obligations, respond to lawful requests, enforce our Terms and Conditions, and protect our rights, property, and users.
  • To conduct analytics, research, and product development, including analyzing aggregated and de-identified data.

4. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies: strictly necessary (required for the Site to function, such as authentication and cart state); preference (remembering settings such as theme and currency); analytics (understanding how visitors use the Site so we can improve it); and marketing (measuring the effectiveness of campaigns and, where applicable, tailoring ads).

When you first visit our Site we display a cookie banner asking for your consent to analytics and marketing cookies. Strictly necessary cookies are always on because the Site cannot function without them. You can change your choices at any time using the Cookie settings link in the footer, and you can also refuse or delete cookies through your browser. Where required by law we will not place non-essential cookies until you opt in.

5. How We Share Your Information

We share personal information only in the limited circumstances described below:

  • Service providers and sub-processors (see Section 6 for the full list): companies that perform services on our behalf such as hosting and infrastructure, payment processing, fraud detection, order fulfillment, shipping, email delivery, analytics, error monitoring, and customer support. These providers are contractually obligated to use the information only to perform services for us and to protect it consistent with this Policy.
  • Shopify: our store is powered by Shopify, which processes order and payment data on our behalf.
  • Legal and safety: when we believe in good faith that disclosure is necessary to comply with law, respond to lawful requests by public authorities, enforce our agreements, or protect the rights, property, or safety of Wedding Wonders, our customers, or others.
  • Business transfers: in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of business assets, your information may be transferred as part of that transaction, subject to standard confidentiality protections.
  • With your consent: for any other purpose disclosed at the time you provide the information or with your subsequent consent.

We do not sell your personal information for money. We do not use or disclose sensitive personal information for purposes that, under applicable US state privacy laws, would require the right to limit.

6. Third-Party Processors

We rely on the following categories of sub-processors to operate Wedding Wonders. Each processor only receives the personal data necessary to deliver its service and is bound by a written data processing agreement.

Processor | Purpose | Data categories | Region
Shopify, Inc. | E-commerce platform, checkout, payments | Contact, billing, shipping, order data | US / CA
Stripe / Shopify Payments | Payment processing, fraud prevention | Payment card metadata, billing, IP | US
Supabase (database & auth) | Account, preferences, content storage | Account, favorites, planning data | US
Cloudflare | Hosting, CDN, DDoS and bot protection | IP, device, request metadata | Global edge
Google (Search Console, OAuth) | SEO analytics, optional sign-in | Search queries, basic profile | US
Shipping carriers (USPS, UPS, FedEx, etc.) | Order delivery and tracking | Name, address, phone | US
Email delivery providers | Transactional and marketing email | Email address, message metadata | US / EU

This list may change as we add or replace providers. Contact us for an up-to-date list of sub-processors handling your personal data.

7. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, including to provide our services, comply with legal, tax, and accounting obligations, resolve disputes, and enforce our agreements. When information is no longer required, we delete it or irreversibly anonymize it.

The specific retention periods we apply are:

Data category | Retention period
Account profile (name, email, preferences) | Life of the account + 12 months after deletion request
Order, invoice, and tax records | 7 years after the transaction (tax & accounting laws)
Payment metadata (last 4, brand, billing ZIP) | 7 years; full card numbers are never stored by us
Customer support tickets and correspondence | 3 years after the ticket is closed
Favorites, wish lists, planning data | Life of the account; deleted with the account
Marketing email subscription state | Until you unsubscribe; suppression list kept indefinitely to honor opt-outs
Analytics and usage logs | Up to 26 months in identifiable form, then aggregated
Security, fraud, and audit logs | Up to 24 months
Cookie consent record | 12 months, after which we ask again
Backups | Up to 90 days; deletion requests propagate as backups are rotated

We may retain data longer where required by law or where necessary to defend or pursue legal claims; in that case we minimize the data and restrict access.

8. Data Security

We use a combination of administrative, technical, and physical safeguards designed to protect your information, including encryption in transit (HTTPS/TLS), encryption at rest for sensitive fields, hashed passwords, role-based access controls, row-level security in our database, network firewalls, and continuous monitoring. No security measures are perfect, however, and we cannot guarantee the absolute security of your information. You are responsible for keeping your account credentials confidential and for notifying us immediately of any unauthorized access.

9. Your Privacy Rights

Depending on where you live, you have certain rights regarding your personal information. We honor verified requests regardless of jurisdiction where it is practical to do so.

9.1 Rights for residents of the EEA, UK, and Switzerland (GDPR / UK GDPR)

  • Right of access — confirm whether we process your personal data and request a copy.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — request deletion when the data is no longer necessary, you withdraw consent, you object and there is no overriding legitimate ground, or processing is unlawful.
  • Right to restriction — limit how we process your data in defined circumstances.
  • Right to data portability — receive your data in a structured, commonly used, machine-readable format (JSON or CSV) and have it transmitted to another controller where technically feasible.
  • Right to object — object to processing based on legitimate interests or for direct marketing at any time.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Rights related to automated decision-making — we do not make decisions producing legal or similarly significant effects based solely on automated processing.
  • Right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, your national DPA in the EEA, the FDPIC in Switzerland).

Our lawful bases for processing are: contract (creating your account and fulfilling orders), legal obligation (tax, accounting, fraud prevention), legitimate interests (securing the Site, improving our services, limited direct marketing to existing customers), and consent (non-essential cookies and certain marketing communications).

9.2 Rights for California residents (CCPA / CPRA)

  • Right to know — request the categories and specific pieces of personal information we collected, the sources, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to delete — request deletion of personal information we collected from you, subject to legal exceptions.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt out of sale or sharing — we do not sell personal information for money, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CPRA. We honor Global Privacy Control (GPC) signals as a valid opt-out.
  • Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes that would trigger this right.
  • Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of quality because you exercised a privacy right.
  • Authorized agents — you may designate an authorized agent in writing to submit a request on your behalf; we will verify both the agent and the underlying request.

Residents of Colorado, Connecticut, Utah, Virginia, Texas, Oregon, Montana, and other US states with comprehensive privacy laws have substantially similar rights, including the right to appeal a denial of a privacy request. To appeal, reply to our response and we will re-review within the time required by law.

9.3 How to submit a request (access, export, deletion, correction)

  1. Send an email to mjweddingwonders@gmail.com with the subject line "Privacy Request".
  2. Tell us which right you want to exercise (access, export, delete, correct, opt out, restrict, object, or withdraw consent) and the email address associated with your account.
  3. We will verify your identity using information already associated with your account (and may ask for additional verification for deletion or export requests).
  4. We will respond within 30 days for GDPR/UK GDPR requests and within 45 days for US state requests, extendable once where reasonably necessary with notice to you.
  5. For data export, we provide your data in a portable JSON or CSV file. For deletion, we delete or anonymize your data and instruct our processors to do the same, subject to the retention exceptions in Section 7 (e.g., tax records).
  6. There is no charge for reasonable requests. We may charge a reasonable fee or refuse manifestly unfounded or excessive requests as permitted by law.

10. Marketing Choices

You can opt out of marketing emails at any time by clicking the unsubscribe link at the bottom of any marketing message or by emailing us. You can change your cookie choices at any time using the Cookie settings link in the footer. Even if you opt out of marketing, we may still send you transactional or service messages related to your orders, account, or support requests.

11. International Data Transfers

We are based in the United States and may store and process your information in the United States and other countries that may have data protection laws different from those in your country. Where required, we use appropriate safeguards such as Standard Contractual Clauses to protect transferred information.

12. Children's Privacy

The Site is intended for adults and is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

13. Third-Party Links and Services

The Site may contain links to third-party websites, plugins, and services. Clicking those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third parties and are not responsible for their privacy statements.

14. Do Not Track and Global Privacy Control

Some browsers offer a "Do Not Track" signal. Because there is no industry-wide standard for honoring DNT signals, our Site does not currently respond to them. We do honor the Global Privacy Control (GPC) signal where required by applicable law.

15. Sensitive Personal Information

"Sensitive personal information" (as defined under the CPRA and similar US state laws) includes categories such as government identifiers, precise geolocation, account log-in credentials in combination with required credentials, racial or ethnic origin, religious beliefs, contents of mail/email/SMS not directed to us, genetic data, biometric identifiers, health information, and information about sex life or sexual orientation. We do not intentionally collect, process, share, or sell sensitive personal information for any purpose that, under applicable law, would trigger the right to limit. If you voluntarily provide such information (for example, in a customer-support message), we use it solely to handle your request and delete or anonymize it as soon as reasonably practicable.

16. Automated Decision-Making, Profiling, and AI Features

We use limited automated processing — for example, automated fraud-screening signals from our payment processors, spam/abuse filtering, AI-assisted search to help match your query to relevant products, and recommendation rules based on what you have viewed or favorited. None of these systems makes decisions that produce legal or similarly significant effects about you solely by automated means. If a transaction is declined for fraud reasons, a human can review the decision on request. Where we use AI features, we may send minimal data (such as your search query and product titles) to AI service providers under contractual confidentiality and data-protection obligations; we do not authorize them to use your data to train their general-purpose models.

17. Pixels, SDKs, and Cross-Device Tracking

In addition to cookies, we may use web beacons, tracking pixels, conversion tags, software development kits (SDKs), and similar technologies, including those provided by advertising and analytics partners. Where required by law, these technologies are loaded only after you opt in via our cookie banner. You can disable them at any time through the Cookie settings link in the footer, by clearing your browser storage, or by using the opt-out tools provided by the relevant advertising network (for example, the Digital Advertising Alliance at optout.aboutads.info and the Network Advertising Initiative at optout.networkadvertising.org). We do not attempt to link browsing behavior across devices without an account-based identifier you have provided.

18. California "Shine the Light" and Notice at Collection

California Civil Code § 1798.83 permits California residents to request, once per calendar year, a list of categories of personal information disclosed to third parties for their direct-marketing purposes during the prior calendar year. We do not share personal information with third parties for their own direct-marketing purposes. To make such a request, contact us using the details in Section 23.

Notice at Collection (California). The categories of personal information we collect, the purposes for which we use them, the categories of third parties to whom we disclose them, and the retention periods are described in Sections 2, 3, 5, 6, and 7 of this Policy. We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA.

19. Nevada Residents

Nevada residents have the right under Nevada Revised Statutes Chapter 603A to direct a business not to sell certain personal information. We do not sell personal information as defined under Nevada law. If this changes, we will update this Policy. Nevada residents may submit a verified opt-out request by contacting us using the details in Section 23.

20. Data Breach Notification

In the event of a personal data breach that creates a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected individuals as required by applicable law (including the GDPR, UK GDPR, and US state breach-notification statutes). Notification will include the nature of the breach, categories and approximate number of records affected, likely consequences, measures taken or proposed, and contact information for further inquiries.

21. EU / UK Representative and Data Controller

For the purposes of the GDPR and UK GDPR, the data controller responsible for your personal information is Wedding Wonders, reachable at the contact details in Section 23. If we are required to appoint an EU or UK representative under Article 27 GDPR, we will publish their contact details here. In the meantime, EU and UK residents may also contact us directly at the address in Section 23, and may lodge a complaint with their local supervisory authority.

22. Accessibility and Severability

We are committed to making this Privacy Policy accessible to all users. If you require this Policy in an alternative format, please contact us. If any provision of this Policy is held invalid or unenforceable, the remaining provisions will continue in full force and effect, and the invalid provision will be enforced to the maximum extent permitted by law.

23. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If the changes are material, we will provide a more prominent notice (such as by email or by an on-Site notice). Your continued use of the Site after changes become effective constitutes your acceptance of the revised Policy.

24. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at mjweddingwonders@gmail.com.