My Wedding Office
Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Terms of Service where My Wedding Office processes personal data on behalf of a business user as processor. It is not a substitute for legal advice and describes the processing model for the Services.
1. Parties and Scope
This DPA applies when My Wedding Office processes personal data on behalf of a business user in connection with the Services. It covers customer, lead, couple, guest, contact, message, document, and other third-party data that the user enters, imports, syncs, or stores in the Services.
This DPA does not cover data for which My Wedding Office acts as controller, such as user account data, billing, security, customer support, service communications, product analytics, and operating the website. Those rules are described in the Privacy Policy.
2. Definitions
“Controller”, “processor”, “personal data”, “personal data breach”, “subprocessor”, and “processing” have the meanings given by applicable data protection law, including the GDPR where it applies.
“Business user” means a person or company using My Wedding Office for business or professional purposes. “Services” means the website, app, integrations, browser extension, email, documents, reviews, AI, e-sign, and related MWO features.
3. Roles
The business user is the controller of personal data about their customers, leads, contacts, couples, guests, messages, documents, and other data entered into the Services.
My Wedding Office acts as processor to the extent it processes that data on behalf of the business user and according to the user’s documented instructions.
4. Subject Matter of Processing
The subject matter is handling data entered, imported, synced, or generated in the Services as needed to provide, maintain, secure, and develop My Wedding Office.
Processing may include hosting, storage, synchronization, display, sending, organization, analysis, draft generation, export, deletion, event logging, and other technical operations needed for configured features.
5. Duration of Processing
Processing lasts for the period in which the user uses the Services and for a limited period after use ends, according to account settings, retention periods, backup cycles, legal duties, security, billing, and dispute handling.
6. Nature and Purpose of Processing
The purpose is to allow the user to manage leads, customers, communications, calendar, documents, reviews, booking processes, AI features, electronic document signing, Google/Meta integrations, and other features available in the Services.
The scope of operations depends on user configuration, selected plan, connected integrations, OAuth permissions, provider availability, and features enabled at a given time.
7. Categories of Personal Data
- identification data, such as name, profile name, or company name;
- contact data, such as email address, phone number, address, or source link;
- business data, such as service, package, budget, lead status, pipeline stage, tasks, and notes;
- event and wedding data, such as date, venue, event type, preferences, and participants;
- communication data, such as sender, recipients, subject, message body, attachments, statuses, and thread metadata;
- calendar data, such as events, participants, dates, descriptions, and sync metadata;
- document, contract, proposal, signer, signature status, and e-sign audit log data;
- review data, review requests, replies, ratings, public or internal content, and action history;
- visible content and metadata saved by the user from supported platforms, such as posts, comments, group names, and source links;
- technical data, such as account, workspace, device, session identifiers, logs, IP address, usage events, errors, and diagnostics;
- AI feature inputs and outputs as needed to perform the selected feature;
- other data submitted by the user to the Services.
8. Categories of Data Subjects
- business users and their team members;
- the user’s customers, leads, and prospects;
- couples, engaged people, guests, and event participants;
- business contacts, vendors, and people mentioned in notes, documents, or messages;
- senders, recipients, and people mentioned in email or communications;
- document signers or people named in documents;
- people who publish visible posts, comments, or reviews saved by the user;
- people whose data the user enters, imports, or syncs with the Services.
9. Processor Obligations
- process data only on documented user instructions unless law requires otherwise;
- use appropriate technical and organizational measures considering data type, risk, and Service configuration;
- ensure that people authorized to process data are bound by confidentiality;
- assist the user with data subject rights where technically possible and proportionate;
- assist with breaches and security duties to the extent required by law and possible in the context of the Services;
- use subprocessors according to this DPA;
- after the Services end, delete or return data according to retention rules unless law requires continued storage.
10. Controller Obligations
- have an appropriate legal basis for data processed in the Services;
- provide required privacy notices to customers, leads, couples, guests, contacts, and other people;
- obtain required consents, authorizations, or legal bases for communications, integrations, reviews, documents, and signatures;
- configure Services, roles, integrations, and data scope according to law and the user’s own obligations;
- not submit data that the user should not process in MWO;
- control users, roles, passwords, devices, and connected Google, Meta/Facebook, email, e-sign, and payment accounts.
11. Confidentiality
We limit access to personal data to people who need it to provide, maintain, secure, or support the Services. People authorized to process data are bound by confidentiality through contract, professional obligation, or appropriate internal rules.
12. Security Measures
We use appropriate technical and organizational measures intended to protect personal data. They may include TLS encryption in transit, access control, limited access to tokens and secrets, event logging, error monitoring, backups, environment separation, response processes, and redaction of secrets in logs where technically possible. Practical details are described on the Security & Privacy page.
This does not guarantee complete security, end-to-end encryption, or absence of risk. Measures depend on data type, feature configuration, providers, and current risk.
13. Subprocessors
The user gives general authorization to use subprocessors needed to provide the Services. The current list of main subprocessors is available on the Subprocessors page.
My Wedding Office remains responsible for requiring subprocessors to protect data appropriately for the services assigned to them, to the extent required by applicable law.
14. International Transfers
Some providers, subprocessors, or integration partners may process data outside the European Economic Area. In such cases, we use appropriate safeguards required by applicable law, such as standard contractual clauses, adequacy decisions, additional security measures, or other lawful mechanisms.
15. Data Subject Requests
If we receive a data subject request concerning data processed on behalf of the user, we may direct the person to the user unless law requires another action. Where technically possible and reasonable, we will assist the user with handling such requests.
16. Breach Notification
If My Wedding Office becomes aware of a personal data breach involving data processed on behalf of the user, we will inform the user without undue delay and provide available information needed for the user to assess and meet legal duties.
17. Deletion or Return of Data
After use of the Services ends, My Wedding Office will delete the data or make an export available where technically possible, subject to retention periods, backups, legal duties, security, and dispute handling. Additional information is described on the Data Deletion & Export page.
18. Audits and Information
On reasonable request, we will provide information needed to demonstrate DPA compliance. Audits should be proportionate, noticed, non-disruptive to the Services, and must not compromise security, other customers’ privacy, trade secrets, or subprocessor confidentiality.
19. End of Services
After the Services end, the user may lose access to some or all features. The user should export data needed for business operations before account closure or subscription termination where export functionality is available or where export is agreed with us in a reasonable scope.
20. Order of Precedence
For processing personal data on behalf of the user, this DPA controls over conflicting provisions in the Terms. Otherwise, the Terms, Privacy Policy, and other documents referenced in the Services apply. DPA questions can be sent to the contact address listed above.