Privacy Policy

The Guest Log ("we", "us", "our") is a photo and media sharing service for weddings and events, operated from Singapore. Our contact email is privacy@theguestlog.com.

This policy explains what personal data we collect, how we use it, and your rights. We comply with the Singapore Personal Data Protection Act 2012 (PDPA) and take steps to meet GDPR requirements for users in the European Economic Area.

From guests:

• Mobile phone number — for OTP identity verification only
• Display name — entered voluntarily after verification
• Uploaded content — photos, videos, voice recordings, and written notes you choose to share
• Upload metadata — timestamp, file type, file size, and your chosen visibility setting (public or private)

From event organisers:

• Email address and name — used to create and manage your account
• Payment details — processed by Stripe; we do not store card numbers
• Event configuration data — event name, date, settings

• To send and verify OTP codes (via Twilio, WhatsApp or SMS)
• To display your uploads in the event gallery
• To allow the event organiser to manage and download media
• To process payments (via Stripe)
• To send transactional emails to organisers (event creation, storage warnings)
• To comply with our legal obligations

We do not sell personal data, use it for advertising, or share it with third parties other than those listed in Section 5.

For guests: your explicit consent, given when you check the consent box during OTP verification.

For organisers: the performance of a contract (your plan purchase) and our legitimate interests in operating the service.

We use the following sub-processors to operate The Guest Log:

• Cloudflare R2 — media file storage (Singapore region)
• Supabase — database (AWS ap-southeast-1)
• Twilio — OTP delivery via WhatsApp and SMS
• Stripe — payment processing
• Resend — transactional email to organisers

Each provider has its own privacy policy and is bound by data processing agreements with us.

Guest phone numbers are pseudonymised after OTP verification is complete; the raw number is not stored in our database.

Uploaded media is retained for the duration of your plan: 6 months (one-time), 1 year (Pro), or 2 years (Agency). After expiry, media is permanently deleted from storage.

Organiser account data is retained until the account is deleted. Billing records may be retained longer to meet legal and accounting requirements.

Under the PDPA (and GDPR where applicable), you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion of your data ("right to be forgotten")
• Withdraw consent at any time (this does not affect lawfulness of prior processing)
• Lodge a complaint with the Personal Data Protection Commission (PDPC) or your local data protection authority

To exercise any of these rights, email privacy@theguestlog.com with your request. We will respond within 30 days.

The Guest Log uses a single session cookie to maintain your verified guest session during an event. We do not use advertising or analytics cookies. We do not use third-party tracking pixels.

The Guest Log is not directed at children under 13. If you believe a child has submitted personal data without parental consent, please contact us and we will delete it promptly.

We may update this policy from time to time. Material changes will be communicated to organiser account holders by email. Continued use of The Guest Log after changes take effect constitutes acceptance of the updated policy.

For privacy-related questions or requests, contact us at privacy@theguestlog.com.