Introduction
Luxe & Loved Pty Ltd (we, us, our) operates the Luxe & Loved website and platform at luxeandloved.com.au (the Platform). We are an Australian wedding vendor directory that connects engaged couples with wedding service providers across Australia.
We are committed to protecting the privacy of everyone who uses our Platform — whether you are a couple planning your wedding, a vendor listing your business, or simply browsing. This Privacy Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in that Act.
By using the Platform, creating an account, or submitting any information to us, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.
Information We Collect
The personal information we collect depends on how you interact with the Platform. We collect only what is reasonably necessary for the purposes described in this Policy.
Account information (all users)
- Full name and email address
- Password (stored as a one-way cryptographic hash — we cannot read your password)
- Profile image (if provided or imported from Google sign-in)
- Account role (couple or vendor)
- Date your account was created
Couple planning profile
- Partner names and wedding date
- Wedding location and approximate budget
- Colour palette preferences, mood board image URLs, and planning notes
- Vendors you have saved or sent enquiries to
Vendor listing information
- Business name, tagline, and description
- Service category (e.g. photography, florals, venues)
- Operating state and city
- Pricing information, style tags, and coverage details
- Hero image, portfolio images, and promotional video
- Contact email address, phone number, website, and Instagram handle
- Stripe customer and subscription identifiers
- Membership tier and expiry date
Enquiry information
- Name, email address, and phone number of the enquiring party
- Wedding date and location
- The message sent to the vendor
Payment information
We do not store credit card numbers, CVV codes, or full card details on our servers. All payment information is processed and stored by Stripe, Inc., our third-party payment processor. We only receive and store limited payment metadata such as invoice identifiers, amounts, payment status, and subscription periods.
Technical and usage information
- IP address and general geographic location derived from it
- Browser type, operating system, and device type
- Pages visited, time spent, and navigation paths on the Platform
- Referring website or link
- Session and authentication tokens stored in cookies
How We Collect It
We collect personal information through several means:
- Directly from you — when you create an account, complete your profile, submit a vendor listing, send an enquiry, or contact us via the contact form.
- Google OAuth — if you choose to sign in using your Google account, we receive your name, email address, and profile image from Google. We do not receive your Google password.
- Stripe — when you purchase a vendor membership, Stripe shares limited transaction metadata with us (invoice ID, amount, status). Your card details go directly to Stripe and are never transmitted to our servers.
- Cloudinary — when you upload images, those files are stored on Cloudinary's content delivery network. Cloudinary may process metadata associated with uploaded files.
- Automatically via cookies and server logs — when you browse the Platform, our web server and analytics tools automatically collect technical information as described in Section 7.
How We Use Your Information
We use personal information only for purposes that are directly related to, and reasonably expected given, the reason it was collected. Our primary purposes include:
Providing the Platform and its features
- Creating and managing your account
- Displaying vendor listings in search results and directory pages
- Routing enquiries from couples to the appropriate vendor
- Processing vendor membership payments and managing subscription status
- Notifying you of status changes to your listing (e.g. activation, review outcomes)
Communications
- Sending transactional emails (account registration, password reset, enquiry confirmations, payment receipts, listing status updates)
- Responding to contact form submissions and support requests
- Sending administrative notices about changes to the Platform or these policies
Platform improvement and security
- Analysing usage patterns to improve navigation, features, and content
- Detecting and preventing fraud, abuse, and unauthorised access
- Troubleshooting technical issues and bugs
- Maintaining audit logs for security purposes
Legal and compliance
- Complying with applicable Australian laws and regulations
- Enforcing our Terms of Use and other policies
- Responding to lawful requests from government authorities or courts
Disclosure to Third Parties
We may disclose personal information to third parties in the following circumstances:
- With your consent — for example, when a couple sends an enquiry, their name, email, and message are shared with the relevant vendor.
- Service providers — we engage trusted third-party service providers who process data on our behalf (see Section 6). These providers are bound by confidentiality obligations and may only use your data to provide services to us.
- Legal requirements — we may disclose information where required to do so by law, regulation, court order, or in response to a lawful request by government or law enforcement authorities.
- Business transfers — in the event of a merger, acquisition, sale of assets, or other business restructure, personal information may be transferred to a successor entity, subject to the same privacy protections.
- Protection of rights — we may disclose information where we reasonably believe it is necessary to protect our legal rights, the safety of our users, or the integrity of the Platform.
In all cases, we take reasonable steps to ensure that third parties handle personal information in accordance with the Australian Privacy Principles.
Third-Party Service Providers
We use the following third-party services to operate the Platform. Each has its own privacy policy which we encourage you to review:
Stripe (Payment Processing)
Stripe, Inc. processes all vendor membership payments. When you provide payment details, they are submitted directly to Stripe via an encrypted connection and are governed by Stripe's Privacy Policy. We receive only non-sensitive payment metadata from Stripe. Stripe is certified to the PCI Data Security Standard.
Cloudinary (Media Storage and Delivery)
Cloudinary is used to store and serve all vendor images and portfolio photography uploaded to the Platform. Images uploaded by vendors are stored on Cloudinary's global CDN and may be processed (resized, optimised) to improve performance.
Resend (Transactional Email)
Resend is our transactional email delivery service. When we send you emails (account confirmations, enquiry notifications, password resets, and similar), those emails are delivered via Resend's infrastructure. Resend processes your email address and the content of emails on our behalf.
Supabase / PostgreSQL (Database Hosting)
Our primary database is hosted on Supabase (backed by PostgreSQL). Your account data, listing information, enquiries, and payment records are stored on Supabase's servers, which are hosted on Amazon Web Services infrastructure in the Asia-Pacific region.
Google (Authentication)
We offer the option to sign in using your Google account via Google OAuth 2.0. If you choose this option, Google shares your name, email address, and profile photo with us. Your use of Google sign-in is also governed by Google's Privacy Policy.
Sanity (Content Management)
Our editorial content (Journal articles, Real Weddings) is managed through Sanity.io. This service does not process personal information about general users of the Platform.
Vercel (Hosting and Edge Infrastructure)
The Platform is hosted on Vercel's edge infrastructure. Vercel processes incoming requests and may log IP addresses and request metadata for security and performance purposes.
Data Security
We take reasonable technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, and destruction. These measures include:
- Transport Layer Security (TLS/HTTPS) encryption for all data transmitted between your browser and our servers
- One-way cryptographic hashing of passwords using bcrypt (we cannot recover your plain-text password)
- Role-based access controls — only authorised personnel can access the admin dashboard and user data
- Secure HTTP-only cookies for authentication tokens, reducing exposure to client-side script attacks
- Regular dependency updates and security patch management
- Payment card data never stored on our servers — handled exclusively by Stripe
While we take reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of your information and encourage you to use a strong, unique password for your account.
In the event of a data breach that is likely to result in serious harm, we will comply with our mandatory data breach notification obligations under the Privacy Act 1988 (Cth), including notifying the Office of the Australian Information Commissioner (OAIC) and affected individuals where required.
Data Retention
We retain personal information only for as long as reasonably necessary to fulfil the purposes for which it was collected, or as required by law.
- Active accounts — personal information is retained for the duration of your account and for a reasonable period thereafter in case you wish to reactivate your account.
- Deleted accounts — when you request deletion of your account, we will delete or de-identify your personal information within 30 days, subject to the exceptions below.
- Financial records — payment records and transaction history are retained for a minimum of 7 years to comply with Australian taxation and accounting laws.
- Enquiry records — enquiries sent through the Platform are retained for 2 years from the date they were submitted.
- Legal holds — we may retain certain information for longer periods where required for legal proceedings, regulatory compliance, or the defence of legal claims.
Your Rights
Under the Australian Privacy Principles, you have the following rights regarding your personal information:
Access
You have the right to request access to the personal information we hold about you. You can access and update much of your information directly through your account settings. For a more comprehensive access request, please contact us using the details in Section 15.
Correction
If you believe that personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you may request that we correct it. Where possible, please update your information directly through your account. We will take reasonable steps to correct information upon request.
Deletion
You may request deletion of your account and associated personal information. We will action such requests within 30 days, subject to any legal retention obligations.
Anonymity
Where it is lawful and practicable, you may interact with us anonymously or by using a pseudonym. However, creating a Luxe & Loved account requires a verifiable email address.
Opting out of communications
You may opt out of non-essential communications at any time. Note that transactional emails (such as password resets, enquiry confirmations, and account security alerts) cannot be disabled as they are integral to the safe operation of your account.
Overseas Transfers
Some of our third-party service providers are based outside Australia or store data on servers located outside Australia. These include:
- Stripe, Inc. — United States (with global data centres)
- Cloudinary Ltd — United States (with CDN nodes globally)
- Resend, Inc. — United States
- Vercel, Inc. — United States (with edge nodes globally including Australia)
- Sanity AS — Norway (EU data centre options available)
Where we disclose personal information to overseas recipients, we take reasonable steps to ensure that those recipients handle your information in a way that is consistent with the Australian Privacy Principles. By using the Platform, you consent to the transfer of your information to these overseas service providers for the purposes described in this Policy.
Children's Privacy
The Platform is not directed at children under the age of 18. We do not knowingly collect personal information from individuals under 18. If you are under 18, please do not create an account or submit personal information to us without the consent of a parent or legal guardian.
If we become aware that we have inadvertently collected personal information from a person under 18, we will take prompt steps to delete that information. If you believe we hold such information, please contact us.
Links to Other Websites
The Platform may contain links to third-party websites, including the websites of vendors listed in our directory. These websites are operated by independent parties and are not governed by this Privacy Policy. We are not responsible for the privacy practices of any third-party website. We encourage you to review the privacy policies of any website you visit via links from our Platform.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, legal requirements, or the services we offer. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or via a prominent notice on the Platform.
Your continued use of the Platform following notification of changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.
Contact & Complaints
Contact us
For any privacy-related enquiries, requests to access or correct your information, or to lodge a complaint about how we have handled your personal information, please contact our Privacy Officer:
We will acknowledge your request within 5 business days and aim to resolve it within 30 days. If your concern relates to a data breach, we will prioritise your enquiry.
Complaints to the OAIC
If you are not satisfied with our response to a privacy complaint, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
The OAIC has jurisdiction to investigate and resolve complaints about privacy breaches by entities bound by the Privacy Act 1988.