1. Who We Are

Phera ("Phera," "we," "us") is a wedding logistics platform operated by Ghumaan Ventures LLC, a Delaware limited liability company. We provide tools for couples to manage guest lists, send invitations and updates over WhatsApp, coordinate travel and accommodations, run AI-assisted guest concierge, and track vendor conversations. We process personal data in the United States, India, and Thailand and aim to comply with applicable data-protection laws in these jurisdictions, including the EU/UK GDPR, the California Consumer Privacy Act / CPRA (CCPA), and India's Digital Personal Data Protection Act, 2023 (DPDPA).

2. Roles — Controller vs. Processor

When you (the couple, planner, or admin) sign up and use Phera for your own wedding, we act as a controller of your account information.

When you upload guest data (names, phone numbers, emails, dietary needs, travel info, passport names, etc.), we act as a processor on your behalf. You are the controller of your guests' personal data and you warrant that you have a lawful basis (consent, legitimate interest, or another permitted basis under applicable law) to share it with us. Our Data Processing Addendum at /legal/dpa governs this relationship.

3. Information We Collect

From the couple / admin:

• Account details — name, email, phone number, password hash, profile photo.
• Wedding details — event dates, venues, schedule, FAQs, registry items, photos, design preferences.
• Billing details — billing address and last 4 of payment method (full card data stays with Stripe; see Section 6).
• Communications with us — support emails, chat transcripts.

From guests (entered by the couple, or directly by guests via RSVP/PIN):

• Contact data — name, phone, email.
• RSVP, dietary, plus-one info, party-size info, and tags.
• Travel data — flight numbers, arrival/departure times, airline, accommodation.
• Sensitive logistics data — passport-name spelling, visa status, emergency contacts, language preferences, accessibility needs. Treated with stricter access controls.
• Inbound WhatsApp messages and voice notes guests send to our Concierge number.

From vendors (where Vendor Coordinator is enabled):

• WhatsApp group messages addressed to or about the wedding (text, voice, images), captured via Whapi.Cloud.

Automatically collected:

• Device, browser, and IP address.
• Pages visited, features used, and time spent (Vercel Analytics; aggregated, no third-party cookies).
• Crash and error telemetry (Sentry; may include redacted request data).
• Auth session cookies (first-party, essential).

4. How We Use Your Information

• Provide the Service — render the wedding website, deliver RSVPs, send WhatsApp templates that the couple authors, route Concierge replies, assign rooms / shuttles, surface AI-generated summaries.
• AI processing — guest WhatsApp messages and voice notes are sent to large-language-model providers (Anthropic, Groq) and a speech-to-text provider (OpenAI Whisper via Groq) to generate Concierge replies and summaries. Inputs and outputs are retained per Section 8. We do not allow these providers to train their models on your data.
• Notifications — transactional emails (account, billing, RSVP receipts) and, where opted in, marketing emails.
• Payments — process subscriptions and refunds via Stripe.
• Security & abuse prevention — rate limiting, fraud detection, audit logging.
• Improvement — aggregated, de-identified usage analysis.
• Legal compliance — respond to lawful requests, enforce our Terms.

Lawful bases (EU/UK GDPR): performance of contract (Service delivery, billing); legitimate interests (security, product improvement, service-related communication to admins); consent (marketing emails, WhatsApp messages to guests, voice transcription); legal obligation (tax records, lawful requests).

5. Automated Decision-Making

Phera schedules automated WhatsApp messages (save-the-dates, RSVP reminders, travel collection, day-before nudges) based on a guest's outreach status and the wedding timeline. Our AI Concierge generates draft and live replies to guest questions. These do not produce decisions with legal or similarly significant effects on individuals. You can pause automation per wedding from the admin dashboard, and guests can opt out of WhatsApp at any time by replying STOP.

6. Sub-Processors and Third Parties

We rely on the sub-processors listed at /legal/sub-processors. The list is updated when we add or remove a vendor. The current categories are:

• Hosting & database — Supabase (Postgres, Auth, Storage), Vercel (web hosting + analytics).
• Messaging — Meta WhatsApp Business Cloud API (guest-facing), Whapi.Cloud (vendor-facing groups).
• AI — Anthropic (Claude), Groq (LLM + Whisper), OpenAI (LLM + Whisper, where used). Data is sent only to fulfill the Service. Training opt-out is enforced contractually.
• Payments — Stripe (card data, subscription state). Phera does not see or store full card numbers.
• Email — Resend (transactional +, where opted in, marketing).
• Monitoring — Sentry (errors and traces; PII scrubbed where possible).

We do not sell your personal information. We do not share guest contact data with advertisers.

7. International Data Transfers

Phera and most of its sub-processors are based in the United States. Personal data is transferred from India and the EU/UK to the United States. We rely on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, and on appropriate safeguards permitted under DPDPA Section 16. Where a sub-processor processes data in another country (e.g. Whapi.Cloud in the EU), the same protections flow through.

8. Data Retention

We keep personal data only as long as needed for the purposes described above. Default retention:

Couples may shorten retention or trigger early erasure from the dashboard or by emailing privacy@phera.io. Some records (tax, fraud, legal hold) may be retained beyond the windows above where required by law.

9. Security

We use industry-standard safeguards: TLS in transit, encryption at rest, Row-Level Security in Postgres, principle-of-least-privilege access, MFA on admin accounts, secret rotation, audit logging, and 24/7 error monitoring. We do not transmit raw passwords. Despite these measures, no system is perfectly secure.

Breach notification: if we become aware of a personal-data breach affecting your information, we will notify the relevant supervisory authority (and you, where required) without undue delay and within 72 hours of becoming aware, in line with GDPR Article 33 and DPDPA Section 8(6).

10. Your Rights

Depending on where you live, you have some or all of the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you.
• Correction — fix inaccurate or incomplete data.
• Deletion / erasure — ask us to delete data we no longer need to keep.
• Portability — receive your data in a machine-readable format.
• Restriction or objection — limit certain processing, including direct marketing.
• Withdraw consent — at any time, without affecting prior lawful processing.
• Lodge a complaint — with your local supervisory authority (e.g. EDPB member, ICO in the UK, Data Protection Board of India).

To exercise any of these rights, email privacy@phera.io. We respond within 30 days. Where you are a guest of a Phera couple, we may forward part of the request to that couple as the controller.

11. California / U.S. State Rights

California residents (CCPA / CPRA) and residents of other U.S. states with comprehensive privacy laws (Colorado, Connecticut, Texas, Virginia, etc.) have the rights listed in Section 10. We do not "sell" or "share" personal information for cross-context behavioral advertising, and we honor Global Privacy Control (GPC) signals. To submit a request, email privacy@phera.io. You may use an authorized agent to act on your behalf with appropriate verification. We will not discriminate against you for exercising any of these rights.

12. India / DPDPA

Phera complies with the Digital Personal Data Protection Act, 2023. Data Principals (individuals whose data we hold) have the rights in Section 10 plus the right to nominate another individual to exercise rights upon death or incapacity. Our designated Grievance Officer is reachable at privacy@phera.io; we will acknowledge complaints within 7 working days and resolve within 30 days. Data of children under 18 is collected only with verifiable parental consent; we do not undertake tracking, behavioral monitoring, or targeted advertising directed at children.

13. Children

Phera is not directed to children under 13 (United States, COPPA) or under 18 (India, DPDPA). We do not knowingly collect personal information from such individuals. If you believe a child has provided us personal data, contact us and we will delete it.

14. Cookies and Tracking

Phera uses essential first-party cookies for authentication and load balancing. We use Vercel Analytics for aggregated, cookie-less page-view analytics. We do not use cross-site tracking pixels, advertising cookies, or session-replay tools. We honor Do Not Track and Global Privacy Control signals where they apply.

15. WhatsApp Messaging & Opt-Out

Guests are messaged on WhatsApp only after the host has imported them and only via templates that the host approves. Guests can opt out at any time by replying STOP to the Phera WhatsApp number; the opt-out is recorded in our whatsapp_opt_ins registry and propagated to all sub-processors. Couples may also remove a guest from outreach at any time from the admin dashboard.

16. Changes to This Policy

We will post material changes to this policy here and update the "Last Updated" date above. For material changes affecting how we use already-collected data, we will email account admins at least 14 days before the change takes effect.

17. Contact

Questions, requests, or complaints — including DPDPA grievances — go to:

Ghumaan Ventures LLC
Privacy & Grievance Officer
Email: privacy@phera.io