Legal
Adoure · Last updated: 31 May 2026
The short version: We collect personal information to run the Adoure platform. We use it only to provide the service. We do not sell your data, share it with advertisers, or use it to manipulate vendor rankings. You have meaningful rights over your data, and we take our obligations under UK GDPR seriously.
Adoure ("we", "us", "our") is the data controller for personal data collected through the Adoure wedding marketplace at adoure.co.uk (the "Platform").
As data controller, we are responsible for deciding how and why personal data about you is processed. This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, and what rights you have.
The data we collect depends on how you use the Platform. We collect it directly from you, automatically through your use of the Platform, and (in limited circumstances) from third parties.
| Account registration | Email address, password (stored as a bcrypt hash — we never see your plaintext password), name or business name, account type (Couple or Vendor) |
| Couple profile | Partner names, wedding date, venue name, guest count, postcode |
| Vendor profile | Business name, category, service description, location, postcode, pricing information, portfolio images and videos, years of experience, social media handles, website URL |
| Messages | Content of messages sent through the Platform between Couples and Vendors |
| Reviews | Text content and numerical scores you submit as part of a review, associated with the relevant Booking |
| Payments | Payment is processed by Stripe. We receive a Stripe customer ID, payment intent IDs, and transaction status. We do not store card numbers, CVV codes, or full bank account details. |
| Support communications | Content of emails or messages you send to our support team at hello@adoure.co.uk |
| Identity verification (Vendors) | Business identity information submitted as part of the vendor application and verification process |
| MFA setup | Time-based one-time password (TOTP) secret key, generated for your account if you enable two-factor authentication. Backup codes stored as hashes. |
| Log data | IP address, browser type, operating system, referring URLs, pages visited, time and date of access |
| Session data | Authentication session tokens managed by NextAuth |
| Usage data | Features used, search queries entered on the Platform, vendor profiles viewed, response times |
| Cookies | See Section 9 for full details of the cookies we set |
| Stripe | Transaction confirmations, payment method status, dispute notifications |
| Social media (Vendors only, optional) | If you connect an Instagram, TikTok, Pinterest, Facebook, or YouTube account, we receive your handle, follower count, and the access token required to display your content on your profile |
We use personal data only for the purposes described below. We never use personal data for automated decision-making that has a legal or similarly significant effect on you.
| Providing the Platform | Creating and managing your account; displaying your profile (Vendors) or enabling discovery (Couples); facilitating messaging, bookings, and contracts between Couples and Vendors; processing payments via Stripe; displaying the Adoure Mark and certified reviews. |
| Certifying reviews | Verifying that a review was submitted by a Couple who had a genuine confirmed Booking with the relevant Vendor, by cross-referencing the review against Booking records. |
| Onboarding communications | Sending you a series of helpful onboarding emails after you register, to help you get the most from the Platform. You can unsubscribe from these at any time. |
| Transactional notifications | Sending emails about your account activity — booking confirmations, payment reminders, dispute updates, review requests after your wedding. These are service emails and cannot be opted out of while you hold an account. |
| Security and fraud prevention | Monitoring for suspicious activity, enforcing multi-factor authentication, detecting and preventing fraud, protecting users from harm. |
| Platform improvement | Understanding how the Platform is used in aggregate; identifying bugs and performance issues; improving features. This uses anonymised or aggregated data wherever possible. |
| Legal compliance | Complying with our obligations under UK GDPR, the Data Protection Act 2018, PECR, consumer protection law, and any other applicable legislation; responding to lawful requests from regulators or law enforcement. |
| Dispute resolution | Maintaining records of Bookings, communications, and reviews to support the Client Assurance Programme and any dispute process. |
UK GDPR requires that we have a lawful basis for processing personal data. We rely on the following bases:
| Performance of a contract (Article 6(1)(b)) | Processing necessary to provide the service you signed up for — creating your account, facilitating Bookings, processing payments, sending transactional emails. This is the primary basis for most processing. |
| Legitimate interests (Article 6(1)(f)) | Processing we carry out where we have a legitimate business interest that is not overridden by your rights — for example: security monitoring and fraud prevention; sending Vendors personalised onboarding guidance; improving the Platform based on usage patterns; maintaining accurate Booking records for dispute resolution purposes. |
| Legal obligation (Article 6(1)(c)) | Processing required to comply with UK law — for example, responding to lawful requests from regulators or law enforcement, retaining certain financial records as required by HMRC. |
| Consent (Article 6(1)(a)) | Where we rely on consent — for example, for non-essential analytics cookies, or for any future marketing communications — we will ask for it clearly and separately. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. |
We do not sell personal data. We do not share it with advertisers. We share it only as described below.
We share personal data with the following trusted service providers who process it on our behalf and under our instructions, subject to contractual data processing agreements:
| Stripe, Inc. | Payment processing. Receives billing details, transaction data, and customer identity information. Stripe operates under its own privacy policy and PCI-DSS certification. Stripe is a certified data processor under UK GDPR. |
| Resend | Transactional email delivery. Receives email addresses and email content for the purpose of sending account notifications and onboarding emails. |
| Cloudinary | Cloud media storage and delivery. Stores and serves profile images and portfolio images uploaded to the Platform by Vendors. |
| Vercel | Platform hosting and server infrastructure. Processes request data as part of serving the application. |
| Supabase (PostgreSQL) | Database hosting. All personal data stored in the Platform database is held on Supabase infrastructure. |
When a Couple sends an Enquiry or Booking to a Vendor through the Platform, the following information is shared with the relevant Vendor: the Couple's name, their wedding date, their venue (if provided), and the content of their message. Vendors receive this information only for the purpose of responding to and fulfilling Bookings. Vendors are independently responsible as data controllers for how they handle personal data they receive about Couples.
We may disclose personal data to law enforcement, regulatory bodies, or legal advisers where required by law, court order, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of Adoure, our users, or others.
If Adoure is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. If this occurs, we will notify you via email and/or a prominent notice on the Platform, and the acquiring entity will be bound by obligations consistent with this Privacy Policy.
The United Kingdom is not a member of the European Economic Area. Data transfers between the UK and other countries are governed by the UK GDPR and any adequacy decisions or appropriate safeguards issued by the UK Information Commissioner's Office (ICO).
Several of our service providers are based in or operate infrastructure in the United States, including Stripe, Resend, and Cloudinary. These transfers are protected by contractual mechanisms, including UK-approved Standard Contractual Clauses (SCCs) or the UK-US Data Bridge, where applicable. You can request details of the specific safeguards in place for any transfer by contacting us at privacy@adoure.co.uk.
Our primary database (Supabase) operates infrastructure in the European Union (Ireland), which the UK has deemed adequately protective under a UK adequacy regulation.
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law.
| Active accounts | For the duration of your account, plus a reasonable period after closure to resolve any disputes or comply with legal obligations. |
| Archived accounts (closed by you, or removed by an admin) | When an account is closed it is archived rather than erased straight away. We retain the account and its data for a recovery window of 90 days, during which it can be reinstated, after which it is permanently and automatically erased. You can ask us to erase your data sooner under your right to erasure (see section 9). |
| Booking and payment records | 7 years from the transaction date, in accordance with HMRC record-keeping requirements for financial records. |
| Messages and communications | For the duration of your account, and for 2 years after account closure in case of dispute. |
| Certified reviews | Indefinitely, as they form the permanent record of the Adoure Mark and are essential to the integrity of the platform. |
| Support emails | 2 years from the date of the communication, unless a legal matter requires longer retention. |
| Analytics data (if applicable) | Aggregated or anonymised after 26 months. |
| MFA secrets and backup codes | For the duration of your account. Deleted immediately upon account closure or MFA disable. |
| Closed accounts | We retain a minimal record (account reference, closure date, reason if a ban) for 6 years to prevent re-registration in breach of our terms and to satisfy legal obligations. |
When data is no longer required, we securely delete or irreversibly anonymise it.
We take the security of personal data seriously and implement appropriate technical and organisational measures to protect it:
Despite these measures, no system is entirely secure. If you have reason to believe your account has been compromised, please contact us immediately at hello@adoure.co.uk.
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and report the breach to the ICO within 72 hours where required.
These are necessary for the Platform to function and cannot be switched off. They include:
| Session / authentication cookies | Set by NextAuth to maintain your login session securely. Expire when you close your browser or after a fixed period of inactivity. |
| CSRF protection tokens | Protect against cross-site request forgery attacks. |
| Cookie consent record | Stores your cookie preferences so we do not ask again. |
| Stripe | Stripe sets cookies required for secure payment processing. These are governed by Stripe's own cookie and privacy policies. |
With your consent, we use analytics cookies to understand how the Platform is used and to improve it. These cookies collect information in an aggregated, anonymised form and do not identify you personally.
You can update your cookie preferences at any time by clicking the cookie icon at the bottom of any page, or by clearing cookies and revisiting the Platform. You can also control cookies through your browser settings — note that disabling essential cookies will prevent the Platform from working correctly.
For more information about cookies, visit allaboutcookies.org.
The Platform is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@adoure.co.uk and we will delete it promptly.
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights in relation to your personal data. Most of these rights can be exercised through your account settings or by contacting us directly.
| Right of access | You have the right to request a copy of the personal data we hold about you (a "subject access request"). We will provide this within one calendar month of receipt. |
| Right to rectification | If we hold inaccurate or incomplete personal data about you, you have the right to have it corrected. You can update most of your profile data directly in your account settings. |
| Right to erasure ("right to be forgotten") | You may request that we delete your personal data. We will comply unless we are required to retain it for legal reasons (for example, financial records, or to resolve an ongoing dispute). Closing your account archives it for a 90-day recovery window and then erases it automatically; if you want your data erased sooner, contact us and we will action your request without undue delay. Note: any reviews you have left for a supplier are anonymised rather than deleted — your name is removed, but the scores remain, because they form part of that supplier’s public merit-based rating which other couples rely on. |
| Right to restriction of processing | You may ask us to restrict processing of your personal data in certain circumstances — for example, while you contest the accuracy of data we hold. |
| Right to data portability | For data you provided to us and which we process on the basis of contract or consent, you have the right to receive it in a structured, commonly used, machine-readable format (such as JSON or CSV). |
| Right to object | You have the right to object to processing based on legitimate interests. We will cease that processing unless we have compelling legitimate grounds that override your interests, or unless the processing is necessary for legal claims. |
| Rights related to automated decision-making | We do not carry out automated decision-making that has a legal or similarly significant effect on you. The Adoure Mark is a calculated metric, not an automated decision about an individual person. |
| Right to withdraw consent | Where we process data based on your consent, you may withdraw consent at any time. This does not affect the lawfulness of processing carried out before withdrawal. |
To exercise any of the rights described in Section 11, contact us at:
We will respond within one calendar month of receiving your request. If your request is complex or numerous, we may extend this period by a further two months — we will notify you of any extension within the first month.
We may ask you to verify your identity before processing a request, to protect against unauthorised access to personal data.
We do not charge a fee for processing rights requests unless they are manifestly unfounded or excessive.
If you are unhappy with how we have handled your personal data, please contact us first at privacy@adoure.co.uk and we will do our best to resolve the issue.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO), which is the supervisory authority for data protection in the United Kingdom.
We may update this Privacy Policy from time to time. If we make material changes — changes that affect your rights or how we use your data in a significant way — we will notify you by email and/or a prominent notice on the Platform at least 14 days before the change takes effect.
The date of the most recent update is shown at the top of this page. Your continued use of the Platform after the effective date of any update constitutes acceptance of the revised Policy.
This Privacy Policy was last updated on 31 May 2026. Questions? privacy@adoure.co.uk