VARUMO

Legal

Privacy Policy

Plain English explanation of what we collect, why, who we share it with, and how to ask us to delete it. No tracking pixels, no third-party ad networks, no AI-training pipelines.

Effective: 2026-05-06

The short version

  • We collect what we need to run your invitation site — your account, your site's content, the payments you make, and the RSVPs your guests submit.
  • We share that with the smallest set of vendors required: Supabase (database + auth), Razorpay (payments), our email provider (transactional emails). Each is bound by their own contract not to misuse it.
  • We don't sell anything. We don't run ads. We don't train AI models on your content.
  • You can delete your account or any individual site any time — that wipes the data from our active database. Backups are purged within 30 days.

1. Information we collect

You give us, when you sign up

  • Email address.
  • Name (so the dashboard says "Welcome back, X" instead of just an email).
  • Password (stored only as a one-way bcrypt hash, or handled entirely by Supabase Auth — we never see the plain text).

You give us, when you build a site

  • Bride / groom (or partner) names, wedding date, venue, story.
  • Photos you upload.
  • Optional: hashtag, dress code, livestream URL, registry links, FAQ, hotel info, custom links.
  • The template you picked.

Your guests give us, when they RSVP

  • Their name, email, optional phone, party size, message, dietary preferences.
  • This data is shown to you (the site owner) and to admins for support purposes only.

Automatically

  • IP address (for rate-limiting and abuse detection — not stored beyond 30 days).
  • A counter of how many people have visited your public site.
  • Standard server logs — request paths, response codes, timestamps. Used for debugging; rotated within 30 days.

2. Why we collect it

  • To run your account and build your site (the obvious one).
  • To take payments and issue receipts.
  • To email you transactional notifications you've asked for — payment confirmation, RSVP digest, plan-expiring reminder.
  • To prevent abuse — if someone tries to brute-force a coupon code, the IP-rate-limit kicks in.
  • To improve the product — aggregated, anonymous metrics like "how many people use the dark templates vs light".

3. Who we share it with

The minimum set of vendors needed:

  • Supabase hosts our Postgres database and handles authentication. Their privacy policy: supabase.com/privacy.
  • Razorpay processes payments. We send them: amount, plan id, customer email, customer name, customer phone (so they can contact you about a failed transaction). Their policy: razorpay.com/privacy.
  • Our email provider (currently configured per environment — see admin settings) sends transactional email on our behalf.
  • Cloudflare / our hosting provider see request metadata (IP, headers) the same way every web host does.

We do not share data with advertising networks, data brokers, or AI training pipelines. We will share data with law enforcement only when compelled by a valid court order from a jurisdiction we operate in.

4. Cookies

See the Cookie Policy. Short version: only essential cookies (your session, CSRF token). No analytics or ad cookies.

5. How long we keep it

  • Account data: until you delete the account.
  • Site content: until you delete the site, OR 15 days after the plan expires (the grace window), whichever is sooner.
  • Drafts: 30 days of inactivity, then auto-purged.
  • Payment records: 7 years (we have to, for tax and audit reasons).
  • Server logs: 30 days.
  • Backups: rotated weekly, oldest backup is 30 days old.

6. Your rights

You can:

  • See everything we have on you — email info@varumo.com and we'll send a JSON export within 7 days.
  • Correct anything that's wrong — most fields are editable from the dashboard.
  • Delete your account — from the dashboard, or by emailing us. Within 30 days of deletion, all of your data is purged from active systems and backups.
  • Object to processing or withdraw consent — same email address.
  • Lodge a complaint with the data-protection authority in your country if you believe we've handled your data improperly. In India that's the body designated under the DPDP Act 2023.

7. Children

Varumo isn't designed for children under 13 and we don't knowingly collect their data. If you believe a child has signed up, email us and we'll delete the account.

8. Cross-border data

Our database is hosted in Singapore (Supabase ap-southeast-1). If you access varumo.com from outside Singapore, your data crosses borders to get there. We rely on standard contractual clauses with Supabase for that transfer.

9. Security

We follow standard security practices: HTTPS everywhere, bcrypt for passwords (or delegating to Supabase Auth which does the same with Argon2), HMAC-signed payment verification, content sanitisation on URLs users paste, rate limits on signup / RSVP / coupon endpoints, secure HTTP headers (CSP-adjacent set, no X-Frame-Options conflict, nosniff, strict referrer).

Despite all that, no system is impenetrable. If we have a breach affecting your data, we'll email you within 72 hours of confirming it, and post a notice on the site.

10. Changes to this policy

Material changes are emailed to all active users at least 14 days before they take effect. Cosmetic changes (typo fixes, clarifications) get a quiet update with a new effective date.

11. Contact

Privacy questions go to info@varumo.com. Mention "privacy" in the subject line so we route it correctly.

Need a printable copy? Just print this page — it's plain HTML. Have a question we should answer here? Email info@varumo.com.