Novia


Privacy Policy

Last updated: 10 May 2026

This policy describes how Novia (“we”, “us”) collects, uses, and protects your personal information when you use novia.wedding. We comply with the South African Protection of Personal Information Act, 2013 (“POPIA”) and the Consumer Protection Act, 2008 (“CPA”).

1. Information we collect

When you use Novia, we collect:

  • Account information: name, email address, role (couple or vendor).
  • Wedding details: location preference, guest count, budget, style, date, free-text notes you submit through the Dream Builder.
  • Communication: enquiries, messages, and quote responses between you and vendors.
  • Payment metadata: invoice and milestone status, Paystack transaction references. We never store full card details — that lives only with Paystack.
  • Vendor business data: business name, portfolio photos, pricing, banking details (for payouts).
  • Guest list data (if you upload one): names, email, dietary preferences, RSVP responses.
  • Usage data: aggregate page views via Plausible Analytics (no cookies, no individual tracking).

2. Lawful basis for processing

POPIA §11 requires a lawful basis for each processing activity:

  • Performance of contract: matching, quoting, payment processing, dispute handling, escrow release. Without this data we cannot deliver the platform.
  • Consent: marketing emails (separate opt-in at signup), portfolio use of your wedding photos by vendors (separate opt-in at quote acceptance).
  • Legitimate interest: aggregated analytics, fraud prevention, platform security and improvement.
  • Legal obligation: retention of financial records for SARS tax law (5 years), retention of consumer reviews (CPA §54).

3. How we use your information

  • Match you with suitable venues and vendors based on your preferences
  • Facilitate communication between couples and vendors
  • Process payments through our secure payment partner (Paystack)
  • Send transactional updates about your bookings (always sent — no opt-out)
  • Send marketing tips and platform updates (only if you opt in)
  • Improve our platform via aggregate, anonymised analytics

4. Third-party processors

We share your data with the following operators under POPIA-compliant data-processing agreements:

  • Supabase (data hosting + database) — see §5 on cross-border transfer
  • Paystack — payment processing and escrow
  • Resend — transactional and marketing emails
  • Anthropic (Claude) — AI matching, sales-pipeline drafting, blog assistant; no personally identifiable couple data is sent during matching beyond your free-text brief
  • Replicate — AI-generated blog hero images (no user data sent)
  • Higgsfield — AI-generated marketing imagery (no user data sent)
  • Plausible Analytics — aggregate, cookieless usage statistics
  • Sentry — error tracking; we set sendDefaultPii: false, so request bodies, cookies, and headers are not included in error events
  • Vercel — application hosting and CDN
  • Serper.dev — Google Search proxy used by our internal sales pipeline (vendor discovery only; no couple data)

We do not sell your personal information. Vendors only see enquiry details and quote-related communication that you direct to them.

5. Cross-border data transfer

Our database (Supabase) is hosted in the European Union. Sentry is hosted in the EU; Paystack data is processed in South Africa and Nigeria. Other operators may host data in the United States. By using Novia you consent to these cross-border transfers under POPIA §72(1)(c). We enter into data-processing agreements with each operator that bind them to standards substantially equivalent to POPIA. You may request a copy of the relevant DPA at hello@novia.wedding.

6. Data retention

  • Active account data: retained while your account exists.
  • Financial records (invoices, payments, payouts, disputes): 5 years post-transaction, per SARS requirements. After deletion of your account, these rows remain anonymised.
  • Reviews: retained indefinitely per CPA §54. Reviewer name is anonymised on account deletion; review text remains public.
  • Wedding planning data (guest list, checklist, designs, photos): deleted within 30 days of account closure.
  • System and error logs: 90 days, then permanently deleted.
  • Email logs at Resend: per Resend’s retention (typically 30 days). The full email content is also stored in your Novia dashboard until you delete your account.

7. Your rights under POPIA

You have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Request deletion (right to erasure) — self-serve at your account privacy page or by emailing us
  • Withdraw consent for marketing emails at any time (one-click unsubscribe in every marketing email)
  • Object to processing based on legitimate interest
  • Data portability — export your data at any time
  • Lodge a complaint with the Information Regulator (South Africa) at inforegulator.org.za

8. Cookies and tracking

Novia uses Plausible Analytics for usage statistics. Plausible is privacy-first and does not use cookies, fingerprinting, or any cross-site tracking. We therefore do not show a cookie consent banner — there are no non-essential cookies to consent to. We use only functional cookies required for authentication and currency preference. If we ever introduce additional tracking, we will obtain explicit consent before doing so and update this policy.

9. Marketing communications

You will only receive marketing emails (planning tips, vendor highlights, Novia updates) if you opted in at signup or in your account settings. Every marketing email contains a one-click unsubscribe link in the footer plus an inbox-level “Unsubscribe” option (RFC 8058). Transactional emails (booking confirmations, payment receipts, dispute notifications) are sent regardless of marketing preferences because they are essential to delivering the service.

10. Guest data

When you upload a guest list, you are responsible for obtaining consent from your guests (or their parents/guardians if any are minors) before sharing their names, email addresses, and dietary preferences with Novia. On your request we will delete the guest list; however, messages and RSVPs already sent by guests remain, as those are the guests’ own data.

11. Data security

We use industry-standard security measures including encrypted connections (TLS 1.2+), encrypted data at rest, role-based access, multi-factor authentication for admins, audit logging of sensitive actions, and trusted infrastructure providers (Vercel, Supabase, Paystack). Card details are never stored on our infrastructure — Paystack is PCI-DSS Level 1 certified.

12. Information Officer & complaints

Novia is currently a small operator. Daan van Rees acts as our point of contact for POPIA enquiries under §55. Reach out to hello@novia.wedding with any privacy question or complaint and we’ll respond within 7 working days. If we cannot resolve your concern, you may complain to the Information Regulator at inforegulator.org.za.

13. Changes to this policy

We may update this policy as the platform evolves. Material changes (e.g. new categories of data, new processors, changes to retention) will be communicated by email at least 14 days before they take effect. The “Last updated” date at the top reflects the most recent change.

14. Contact

hello@novia.wedding
Novia · Cape Town, South Africa