The purpose of this Privacy Policy (the “Policy”) is to provide the data subject with information about which personal data relating to natural persons are processed when the website operator provides its services, for what purposes and for how long the operator processes such personal data in accordance with applicable legal regulations, to whom and for what reason the data may be disclosed, and to inform the data subject about the rights they have in connection with the processing of their personal data.
This Policy is effective as of 1 January 2025 and is issued in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).

1. Controller and Contact Details for GDPR Matters

The controller of personal data is WeMarry s.r.o., Company ID No. 22269347, with its registered office at Hořanská 1510/1, Žižkov, 130 00 Prague 3 (the “Controller”). Any questions regarding the processing of personal data may be sent to the Controller’s registered office address or to the email address info@wemarry.io.

2. Scope of Processing and Categories of Personal Data Processed

Personal data are processed to the extent provided by the data subject to the Controller in connection with the conclusion of a contractual or other legal relationship with the Controller, or data collected by the Controller in another manner and processed in accordance with applicable legal regulations or for the fulfilment of the Controller’s legal obligations. The Controller processes the following categories of personal data:

  1. first name and surname, including academic title (if applicable),
  2. business name,
  3. Company ID No. (IČO), VAT No. (DIČ),
  4. permanent residence address,
  5. registered office or place of business,
  6. delivery address,
  7. contact email address,
  8. contact telephone number,
  9. job position and/or role within a company,
  10. bank account details,
  11. profile photograph,
  12. biographical information,
  13. information regarding the date and location of the wedding,
  14. personal preferences,
  15. records of behaviour on websites operated by the Controller obtained from cookies, if cookies are enabled in the web browser.

3. Purpose of Personal Data Processing

3.1 Processing for Contract Performance, Legal Obligations, and the Controller’s Legitimate Interests

Providing personal data necessary for the performance of a contract, fulfilment of the Controller’s legal obligations, and protection of the Controller’s legitimate interests is mandatory. Without providing such data, the services cannot be delivered. The Controller does not require the data subject’s consent for processing personal data for these purposes.

The specific purposes of processing include in particular:

  1. processes related to identifying and potentially contacting the user (contract performance),
  2. provision of services (contract performance),
  3. invoicing for services and issuing tax documents (contract performance),
  4. fulfilment of statutory tax obligations (legal obligation),
  5. recovery of receivables and other customer disputes (legitimate interest),
  6. debtor records (legitimate interest).

Personal data for these activities are processed to the extent necessary to achieve these purposes and for the period required to fulfil them, or for the period directly stipulated by legal regulations. After this period, the personal data are deleted or anonymised. Basic retention periods are listed in Article 5 of this Policy.

3.2 Processing of Customer Data with Consent for Marketing and Commercial Purposes

With the data subject’s consent, the Controller processes personal data for marketing and commercial purposes in order to create suitable product and service offers and to contact the customer, exclusively via electronic communication using the contact email address.
Providing consent for marketing and commercial purposes is voluntary and may be withdrawn at any time. The consent remains valid for 5 years from the date of its granting, or for the duration of the use of the Controller’s services and the following 5 years, or until it is withdrawn.
All categories of data listed in Article 2 of this Policy may be processed for marketing and commercial purposes based on consent. Withdrawal of consent does not affect the processing of personal data by the Controller for other purposes and on other legal grounds in accordance with this Policy.

3.3 Processing of Cookies from Websites Operated by the Controller

If the data subject has cookies enabled in their web browser, the Controller processes records of behaviour obtained from cookies placed on websites operated by the Controller for the purpose of ensuring better operation of the Controller’s websites or for the Controller’s online advertising.
If consent for marketing and commercial purposes has been granted, these data are processed together with other personal data for this purpose.

4. Method of Processing and Protection of Personal Data

Personal data are processed by the Controller. Processing takes place at the Controller’s premises and registered office by authorised employees of the Controller or by processors. Personal data may be processed using IT systems or manually in the case of personal data in paper form, while complying with all security principles for the management and processing of personal data.
For this purpose, the Controller has adopted technical and organisational measures to ensure the protection of personal data, in particular measures preventing unauthorised or accidental access to personal data, their alteration, destruction or loss, unauthorised transfers, unauthorised processing, or other misuse of personal data.
All entities to whom personal data may be made accessible respect the right of data subjects to privacy and are obliged to act in accordance with applicable legal regulations concerning the protection of personal data.
No automated decision-making, including profiling within the meaning of Article 22 GDPR, is carried out by the Controller when processing personal data.

5. Personal Data Retention Period

Personal data are processed for the period necessary for the purposes for which they are processed, in accordance with the retention periods specified in the relevant contracts, in the Controller’s filing and shredding rules, or in applicable legal regulations.
The retention periods are as follows:

  1. For customers of the services, the Controller is entitled—provided that all obligations towards the Controller have been fulfilled—to process their basic personal, identification, and contact details, service-related data, and communication records with the Controller for 4 years from the termination of the last contract with the Controller.
  2. In the case of negotiations between the Controller and a potential customer regarding the conclusion of a contract that did not result in a contract being concluded, the Controller is entitled to process the provided personal data for 6 months from the end of the pre-contractual negotiations.
  3. Tax documents issued by the Controller are archived for 10 years from the end of the tax period in which the taxable supply occurred, in accordance with Section 35 of Act No. 235/2004 Coll., on Value Added Tax. For the purpose of proving the legal basis for issuing invoices, customer contracts are also archived for 10 years from the date of termination of the contract.

6. Categories of Personal Data Recipients

In fulfilling its contractual obligations and duties, the Controller uses the professional and specialised services of other entities. If these service providers process personal data transferred by the Controller, they act as processors and process personal data only in accordance with the Controller’s instructions and may not use them for any other purpose.
These entities include in particular: payment gateway providers, legal service providers (lawyers), accountants, auditors, IT system administrators, online advertising providers, commercial agents. Each such entity is carefully selected by the Controller, and a data processing agreement is concluded with each of them, setting out strict obligations regarding the protection and security of personal data.

7. Rights of Data Subjects

In accordance with the GDPR, the data subject has the rights listed below. Where these rights relate to the Controller, the data subject may exercise them using the contact details provided in Article 1 of this Policy.  

7.1 Right of Access to Personal Data

Under Article 15 GDPR, the data subject has the right to access personal data, including the right to obtain confirmation from the Controller as to whether personal data concerning them are being processed, and, if so, to access such personal data and the following information:

  1. the purposes of processing,
  2. the categories of personal data concerned,
  3. the recipients to whom the personal data have been or will be disclosed,
  4. the envisaged period for which the personal data will be stored,
  5. the existence of the right to request rectification or erasure of personal data, restriction of processing, or to object to processing,
  6. the right to lodge a complaint with a supervisory authority,
  7. any available information about the source of the personal data, if not obtained from the data subject,
  8. the existence of automated decision‑making, including profiling,
  9. appropriate safeguards relating to the transfer of data outside the EU.

If the rights and freedoms of others are not adversely affected, the data subject also has the right to obtain a copy of the personal data processed. In the case of repeated requests, the Controller may charge a reasonable fee for providing such a copy.

7.2 Right to Rectification

Under Article 16 GDPR, the data subject has the right to request the rectification of inaccurate personal data or the completion of incomplete personal data processed by the Controller.
The data subject is obliged to notify the Controller of any changes to their personal data and to provide proof of such changes. The data subject must also cooperate with the Controller if it is found that the personal data processed are inaccurate.  

7.3 Right to Erasure

Under Article 17 GDPR, the data subject has the right to request the erasure of personal data concerning them, unless the Controller demonstrates legitimate grounds for their continued processing.

7.4 Right to Restriction of Processing

Under Article 18 GDPR, the data subject has the right to request the restriction of processing until a submitted request or objection is resolved, in particular if: the accuracy of the personal data is contested,
the reasons for processing are disputed, or an objection to processing has been lodged. Where processing is restricted, the personal data may—except for storage—be processed only: with the data subject’s consent, for the establishment, exercise, or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the EU or a Member State.

7.5 Controller’s Notification Obligation Regarding Rectification, Erasure, or Restriction

Under Article 19 GDPR, the Controller is obliged to notify each recipient to whom personal data have been disclosed of any rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort. Upon request, the Controller shall inform the data subject about such recipients.  

7.6 Right to Data Portability

Under Article 20 GDPR, the data subject has the right to receive personal data concerning them, which they have provided to the Controller, in a structured, commonly used, and machine‑readable format, and the right to request that the Controller transmit those data to another controller, provided that: the processing is based on a contract or consent, and the processing is carried out by automated means. This right may not be exercised if it would adversely affect the rights and freedoms of others.

7.7 Right to Object to Processing

Under Article 21 GDPR, the data subject has the right to object to the processing of their personal data based on the Controller’s legitimate interests. If the Controller does not demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, the Controller shall cease processing the data without delay.

7.8 Right to Withdraw Consent

Consent to the processing of personal data for marketing and commercial purposes may be withdrawn at any time. Withdrawal must be made by an explicit, clear, and unambiguous statement.
The processing of cookie data may be prevented by adjusting the settings of the web browser.

7.9 Right to Be Informed of a Personal Data Breach

Under Article 34 GDPR, the data subject has the right to be informed by the Controller without undue delay of any personal data breach likely to result in a high risk to the rights and freedoms of natural persons.  

7.10 Right to Lodge a Complaint with the Supervisory Authority

The data subject has the right to lodge a complaint with the Office for Personal Data Protection (

http://www.uoou.cz/

www.uoou.cz) if they discover or believe that the Controller or a processor is processing their personal data in violation of the protection of private and personal life or in violation of applicable legal regulations.