Privacy Policy

Last updated: 16 April 2026

Short version: We collect the minimum data needed to run Kadly. We never sell it. We never share your guests' contact details with anyone. You can delete everything anytime.

1. Who We Are

Kadly is operated by Irfan Rafiq trading as Kadly, ABN: 99 818 138 075, New South Wales, Australia. We are the data controller for personal information collected through kadly.co.

Contact for privacy matters: privacy@kadly.co

Note: Kadly is in the process of incorporation under NexArah Sdn Bhd (Malaysia, pending). Any future entity transfer will be communicated with 30 days' notice.

2. What We Collect

From card owners (you)

  • Email address — required for login and notifications.
  • Card content — bride/groom names, wedding date, venue, personal message, photos, story events. This is the invitation you create.
  • Payment information — processed directly by Stripe. We receive a transaction reference, last 4 digits of your card, and billing country. We never see or store full card numbers.
  • Usage data — pages visited, features used, errors (anonymised). We use Plausible Analytics which is cookie-free.

From guests (RSVP submitters)

  • Name (required)
  • Email address (optional)
  • Phone number (optional)
  • Attendance response, guest count, message, dietary requirements
  • IP address — hashed immediately and used only for rate-limiting (preventing spam RSVPs). The hash is not reversible.
  • Guests consent to this data collection at the time of RSVP submission.

Automatically collected

  • Browser type and device type (for rendering the invitation correctly)
  • Country (from IP, for timezone detection — IP itself is not stored)

3. Why We Collect It

Data | Purpose | Legal basis (GDPR)
Email | Account access, notifications | Contract performance
Card content | Creating and hosting your invitation | Contract performance
Payment data | Processing payment via Stripe | Contract performance
RSVP data | Displaying RSVPs in your dashboard | Contract (with you); consent (from guest)
Hashed IP | Rate-limiting spam RSVPs | Legitimate interest
Usage analytics | Improving Kadly | Legitimate interest (cookie-free, anonymised)
Marketing emails | Announcing new features | Opt-in consent

4. Who Sees Your Data

We use the following third-party processors. Each is bound by data processing agreements:

  • Stripe (payments) — PCI-DSS Level 1, SOC 2 certified. Data processed in the US and EU. Stripe Privacy Policy
  • Supabase (database, auth, file storage) — SOC 2 Type 2 certified. Primary region: Tokyo, Japan (ap-northeast-1). Supabase Privacy Policy
  • Cloudinary (image hosting and CDN) — SOC 2 certified. Images distributed globally via CDN. Cloudinary Privacy Policy
  • Vercel (web hosting) — SOC 2 Type 2 certified. Edge functions may run globally. Vercel Privacy Policy
  • Resend (transactional email) — GDPR DPA signed. Used to send login links and expiry reminders. Resend Privacy Policy
  • Google (Gemini API) — AI image processing for the AI Photo Restyle feature only. Your uploaded photos are processed and then discarded; not used to train models. Only activated when you purchase the add-on. Gemini API Terms
  • Plausible Analytics — cookie-free, GDPR-compliant, anonymised traffic analytics. No personal data is shared. Plausible Privacy Policy

We never sell your data. We never share guest contact details with third parties for marketing purposes.

5. International Data Transfers

Our primary database is hosted in Tokyo, Japan (Supabase on AWS ap-northeast-1). Some processors (Stripe, Vercel) may process data in the United States. These transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, and equivalent safeguards where required by Malaysian PDPA and Indonesian UU PDP.

6. Guest Data

You (the card owner) are the data controller for RSVP data collected through your Kadly invitation. Kadly is your data processor. You must comply with applicable privacy laws when using guest data.

  • Guest data is visible only to you (the card owner) in your dashboard.
  • We do not contact guests directly, except to display the invitation you've created.
  • Guests can request deletion of their RSVP by emailing privacy@kadly.co with the card URL and their name.
  • Guest data is deleted when you delete your card or account, or after the retention period below.

7. Data Retention

Data | Retention period
Active card and RSVPs | Until deleted by owner
Expired (archived) card | 180 days after expiry, then permanently deleted
Account after deletion | 30 days in backups, then permanently erased
Payment records | 7 years (Australian tax law requirement)
Hashed IP addresses | 90 days
Analytics (aggregated) | 90 days

8. Your Rights

Depending on your jurisdiction, you have the following rights:

  • Access — request a copy of your personal data.
  • Correction — update inaccurate information (most editable in-app).
  • Deletion — delete your account and cards from your dashboard. To request full erasure: privacy@kadly.co.
  • Portability — export your cards and RSVPs as JSON from your dashboard.
  • Object to processing — email privacy@kadly.co.
  • Withdraw marketing consent — unsubscribe link in every marketing email.
  • Lodge a complaint — with the OAIC (Australia) at oaic.gov.au, your local EU Data Protection Authority, or the relevant authority in Malaysia or Indonesia.

We respond to all rights requests within 30 days.

9. Security

  • All data is transmitted over TLS 1.3 (HTTPS).
  • Passwords are never stored — we use passwordless magic link and Google OAuth only.
  • Row-Level Security (RLS) in Supabase ensures your data cannot be accessed by other users.
  • Stripe handles all payment data — we never store card numbers.
  • 2FA available via Google Sign-In.
  • Database backups taken daily, retained 7 days.

10. Cookies

Kadly uses strictly necessary session cookies only — required for login to function. We do not use advertising cookies, tracking pixels, or third-party marketing cookies. Our analytics (Plausible) are completely cookie-free.

You may disable cookies in your browser, but this will prevent you from logging in.

11. Children

Kadly is intended for users aged 18 and over. We do not knowingly collect personal data from minors. If you believe we have collected data from a minor, contact privacy@kadly.co and we will delete it promptly.

12. Changes to This Policy

We will notify you of material changes by email at least 14 days before they take effect.

13. Contact

Privacy enquiries: privacy@kadly.co
Data deletion requests: privacy@kadly.co
Operator: Irfan Rafiq trading as Kadly, New South Wales, Australia
Australian privacy complaints: OAIC — oaic.gov.au

Change log: 16 April 2026 — Initial Privacy Policy published. Data region corrected to Tokyo (ap-northeast-1).