Wedorable
Sign InGet Started

Security & Data Handling

March 20, 2026

Our Commitment

At Wedorable, we take the security of your personal data and wedding information seriously. This page describes the technical and organizational measures we implement to protect your data.

Encryption

Data in Transit

All communication between your browser and Wedorable is encrypted using HTTPS with TLS (Transport Layer Security). This ensures that data cannot be intercepted or read by third parties during transmission.

Data at Rest

  • Database: Our PostgreSQL database is hosted on managed infrastructure with encryption at rest
  • File Storage: Photos and uploaded files are stored on AWS S3 with server-side encryption (SSE-S3)
  • Backups: Database backups are encrypted

Authentication

We use Firebase Authentication (by Google) to manage user accounts. Firebase provides:

  • Industry-standard password hashing (bcrypt/scrypt)
  • Secure session token management
  • Email verification and password reset flows
  • Protection against brute-force attacks

We do not store raw passwords on our servers.

Access Control

Per-Wedding Data Isolation

Each wedding's data is isolated and accessible only to the wedding's owner:

  • Guest lists, photos, schedules, expenses, and all wedding data are scoped to the wedding owner's account
  • API endpoints verify authentication and ownership on every request
  • Guest-facing features (public wedding pages, RSVP, photo uploads) use separate access mechanisms (wedding slugs and camera access tokens)

Photo Access

  • Photos are stored on AWS S3 with restricted access
  • Access is granted via time-limited presigned URLs that expire
  • Photos are delivered through CloudFront CDN for performance
  • Wedding organizers can moderate (approve/reject) guest-uploaded photos

Email Security

Wedding invitations and transactional emails are sent via Mailgun:

  • Emails are sent through authenticated SMTP with DKIM signing
  • We do not include sensitive data in email content beyond what's necessary
  • Email delivery logs are retained per Mailgun's data retention policies

Payment Security

All payment processing is handled by Paddle as our Merchant of Record:

  • We never see or store your credit card numbers
  • Paddle is PCI-DSS compliant
  • Payment data is processed entirely by Paddle's secure infrastructure

Infrastructure

  • Hosting: Vercel (enterprise-grade infrastructure with automatic scaling)
  • Database: Managed PostgreSQL with automated backups
  • File Storage: AWS S3 (99.999999999% durability)
  • CDN: CloudFront with HTTPS-only delivery
  • Background Jobs: Inngest (secure webhook-based job processing)

Vulnerability Reporting

If you discover a security vulnerability in Wedorable, please report it responsibly:

Email: support@wedorable.love Subject: Security Vulnerability Report

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact

We commit to:

  • Acknowledging your report within 48 hours
  • Keeping you informed about the resolution
  • Not taking legal action against good-faith security researchers

What We Do NOT Do

  • We do not sell your data
  • We do not use your photos for marketing without consent
  • We do not share data with advertisers
  • We do not use third-party tracking cookies
  • We do not store payment card information

Incident Response

In the unlikely event of a data breach:

  • We will notify affected users within 72 hours as required by GDPR
  • We will report the breach to the relevant data protection authority
  • We will provide clear information about what data was affected and what steps to take

Further Information

For more details about how we handle your data, see our Privacy Policy.

For questions about security:

Email: support@wedorable.love