Privacy Policy

Effective 1 April 2026  ·  Last updated 14 March 2026

1. Overview

Forever After ("we", "us", or "our") operates 4ever-after.com (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under applicable law, including the UK GDPR and the Data Protection Act 2018.

By using the Service you agree to this policy. If you do not agree, please do not use the Service.

2. Data We Collect

2.1 Couples (account holders)

  • Name(s) and email address — collected at sign-up to create and manage your account.
  • Wedding date and venue details — provided by you when building your invitation.
  • Uploaded images — hero photos and thank-you photos you upload.
  • Payment information — handled entirely by Stripe; we never store card details.
  • Support messages — if you contact us via the in-app support feature.

2.2 Guests

  • Name and email address — submitted when a guest RSVPs.
  • RSVP response, meal preference, dietary requirements, and plus-one details — submitted via the RSVP form.
  • Message to the couple — optional, submitted via the RSVP form.

2.3 Waitlist & access requests

If you join our waitlist or submit a "Request access" form, we collect your name, email address, wedding date, and any optional message you provide.

2.4 Technical data

  • IP address — used for rate-limiting abuse and server-side logging.
  • Session token — stored in an HttpOnly cookie to keep you signed in.
  • Basic server logs — request paths and timestamps, retained for up to 30 days.

3. How We Use Your Data

  • To provide and operate the Service — creating your invitation, storing RSVPs, sending confirmation emails.
  • To communicate with you — sign-in magic links, RSVP confirmations, thank-you email delivery, and support replies.
  • To process payments — we pass billing details to Stripe; we store only the outcome (paid / unpaid) and Stripe session ID.
  • To prevent abuse — rate-limiting, honeypot fields, and server-side validation.
  • To improve the Service — aggregate, anonymised usage patterns (no third-party analytics).

5. Who We Share Data With

We do not sell your personal data. We share it only with the following sub-processors, strictly to deliver the Service:

  • Stripe — payment processing (card data never touches our servers).
  • Brevo (Sendinblue) — transactional email delivery (magic links, RSVP confirmations, thank-you emails).
  • Hetzner / VPS provider — cloud hosting where the Service runs.

All sub-processors are contractually bound to process data only on our instructions and in accordance with applicable data protection law.

6. Data Retention

Your invitation data — including guest lists, RSVP responses, and uploaded images — is retained for up to 12 months after your wedding date, then permanently deleted. See Section 6 of our Terms of Service for full details.

Waitlist entries and access requests are retained until the waitlist programme ends or you request deletion, whichever comes first.

Server logs are retained for up to 30 days. Payment records are retained as required by applicable financial regulations (typically 7 years).

7. Your Rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data (subject to legal holds).
  • Restriction — ask us to stop processing your data in certain circumstances.
  • Portability — receive your data in a machine-readable format.
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

We use one first-party cookie: a session cookie (authjs.session-token or similar) to keep you signed in. It is HttpOnly, Secure, and set with SameSite=Lax.

We also set a short-lived fa_preview cookie to remember preview-mode access. We do not use any third-party tracking cookies or advertising cookies.

9. Security

We apply industry-standard security measures: HTTPS everywhere, HSTS, bcrypt password hashing, Stripe webhook signature verification, magic-link authentication, TOTP for administrative access, upload type validation, and rate-limiting on public-facing endpoints.

No transmission over the internet is 100% secure. While we take every reasonable precaution, we cannot guarantee absolute security.

10. Children

The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have done so in error, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or via a prominent notice on the Service at least 14 days before they take effect.

12. Contact

Questions, requests, or concerns about this policy? Please reach out:

Forever After
Email: [email protected]
Website: 4ever-after.com
