1. Parties and Scope
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer," "Controller") and Pinnacle Weddings ("Processor").
It applies when Customer uses the Service to process personal data of wedding guests, vendors, or other individuals ("Personal Data") where Customer is the data controller and Pinnacle processes Personal Data on Customer's behalf.
2. Processing Instructions
Pinnacle will process Personal Data only on documented instructions from Customer, including through Customer's use of Service features (guest lists, RSVP, exports, emails, etc.), unless required by law.
Customer instructs Pinnacle to process Personal Data to provide the Service as described in the Terms and Privacy Policy.
3. Details of Processing
Subject matter
Wedding planning and guest management via the Service.
Duration
For the term of Customer's account plus retention periods in the Privacy Policy.
Categories of data subjects
- Wedding guests
- Vendors and service providers
- Customer and authorized users
Categories of Personal Data
- Contact and identity data
- RSVP and event preferences
- Health-related dietary/allergy information (if provided)
- Vendor contract and business contact data
Processing operations
- Storage
- Organization
- Retrieval
- Display
- Export
- Transactional email delivery
4. Confidentiality and Security
Pinnacle ensures personnel authorized to process Personal Data are bound by confidentiality obligations.
Pinnacle implements appropriate technical and organizational measures as described in the Privacy Policy, including access controls and encryption in transit.
5. Sub-processors
Customer authorizes Pinnacle to engage sub-processors to provide the Service. Current sub-processors include:
Pinnacle will notify Customer of material changes to sub-processors via email or in-app notice. Customer may object on reasonable grounds relating to data protection.
- Supabase — database, authentication, file storage
- Stripe — payment processing (account holder billing data)
- Vercel — application hosting
- Resend — transactional email (when enabled)
6. Data Subject Requests
Pinnacle will assist Customer in responding to data subject requests (access, deletion, etc.) where technically feasible, taking into account the nature of processing.
Customer is responsible for responding to guest requests and may use Service tools to export, correct, or delete guest records.
7. Security Incidents
Pinnacle will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer's data, and will provide information reasonably required for Customer to meet regulatory obligations.
8. Return and Deletion
Upon termination of the Service, Customer may export data before account closure. Pinnacle will delete Customer Personal Data within 90 days of termination, subject to legal retention requirements.
9. Audits
Upon reasonable request, Pinnacle will provide information necessary to demonstrate compliance with this DPA. Customer may not audit Pinnacle more than once per year except where required by law or following a material breach.
10. International Transfers
Where Personal Data is transferred outside the EEA/UK, Pinnacle will ensure appropriate safeguards such as Standard Contractual Clauses where required.
11. Contact
Data protection inquiries: hello@pinnacleweddings.com
