1. Privacy at a Glance
General Information
The following information provides an overview of what happens to your personal data when you use mi-boda.com. Personal data is any data that can be used to identify you personally.
Who is responsible?
The party responsible for processing your personal data within the meaning of data protection laws (e.g. the GDPR) is:
Mi Boda GmbH
Gluckstraße 57
22081 Hamburg
Phone: +49 152 23208387
Email: mail@mi-boda.com
How do we collect your personal data?
"Personal data" is any information relating to an identified or identifiable natural person. This includes, in particular, your name, address, email or IP address, and usage behavior.
Direct collection of data from website users pursuant to Art. 13 GDPR:
Your data is collected when you provide it to us (e.g. when registering, creating an invitation, or submitting a vendor inquiry). Other data is collected automatically when you visit the website by our IT systems (e.g. browser type, IP address, time of access).
Collection of data from third parties pursuant to Art. 14 GDPR:
Publicly available information about vendors is collected from publicly accessible sources. In particular, we use business profiles on Google Maps as well as social media profiles on Instagram and Facebook.
What do we use your data for?
- Provision and operation of the platform
- Creation and management of digital wedding invitations
- Management of guest lists and responses
- Facilitation of vendor inquiries
- Payment processing
- Improvement of our service
- Customer support
- Sending email notifications (transactional and, with consent, marketing as well)
- Creation and operation of a digital vendor directory on the platform (profiles of individual vendors and summaries of user reviews)
What rights do you have?
You have the right, at any time, to information, rectification, erasure, restriction of processing, data portability, and objection. Details can be found in Section 6.
2. Data Processing When Using Our Website
You can generally visit our website without registering or signing in. When you visit our website, we collect, for technical reasons, the information that is transmitted by your browser to our website's server. When you visit our website, we collect:
- IP address
- requesting provider
- date and time of the server request
- name of the file and URL/address you accessed
- access status/HTTP status code
- amount of data transferred
- referrer URL (the previously visited website)
- browser
- operating system and its interface
- language and version of the browser software
Insofar as the above information relates to a person, the legal basis for its processing is our legitimate interest in providing our website pursuant to Art. 6 para. 1 lit. f) GDPR. Without processing the information mentioned, it is technically impossible to provide the website.
3. Data Processing from Publicly Accessible Third-Party Sources
We collect data about vendors from third parties pursuant to Art. 14 GDPR. For this purpose, we use the following publicly accessible sources:
- Your Google Business Profile from Google Maps, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
- Your Facebook and/or Instagram profiles, provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
We use this data for the following purposes:
- Creation and operation of a digital vendor directory on the website of Mi Boda GmbH (https://mi-boda.com/dienstleister)
- Creation of a profile for each individual vendor in the directory on the website of Mi Boda GmbH
- Provision and operation of the platform
- Facilitation of user inquiries to verified vendors
In doing so, we process the following categories of personal data:
- Name
- Address
- Phone number
- Vendor domain
- Job title
Your data is collected on the basis of Art. 6 para. 1 lit. f) GDPR. The processing is necessary to safeguard the legitimate interests of Mi Boda GmbH. The vendor's interest in protecting personal business data is outweighed by the economic interest of Mi Boda GmbH in building a digital vendor directory for the wedding industry.
4. Hosting and Infrastructure
4.1 DigitalOcean
Our platform is hosted by DigitalOcean, LLC, 101 Avenue of the Americas, 10th Floor, New York, NY 10013, USA ("DigitalOcean").
The recipient of the data is DigitalOcean under the data processing agreement.
A transfer of your data to the USA is possible due to certification under the EU-US Data Privacy Framework. This is an agreement between the EU and the USA intended to ensure compliance with EU data protection standards for data processing in the USA. Every company certified under the EU-US Data Privacy Framework commits to complying with these data protection standards.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in reliable hosting).
Privacy policy: https://www.digitalocean.com/legal/privacy-policy
4.2 Hetzner
Parts of our infrastructure are operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen ("Hetzner").
The recipient of the data is Hetzner under the data processing agreement.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in reliable hosting).
Privacy policy: https://www.hetzner.com/de/legal/privacy-policy/
4.3 Cloudflare (CDN and Security)
We use Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA ("Cloudflare") as a Content Delivery Network (CDN) and for security functions. Cloudflare routes data traffic through its global network and may process cookies as well as technical data (e.g. IP address) in the process.
The recipient of the data is Cloudflare under the data processing agreement.
A transfer of your data to the USA is possible due to certification under the EU-US Data Privacy Framework.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the secure and fast provision of data).
Privacy policy: https://www.cloudflare.com/privacypolicy/
4.4 Amazon Web Services (AWS S3)
User uploads (e.g. images for invitations or vendor profiles) are stored on Amazon Web Services (AWS) S3. The provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg ("Amazon").
The recipient of the data is Amazon under the data processing agreement.
A transfer of your data to the USA is possible due to certification under the EU-US Data Privacy Framework.
Legal basis: Art. 6 para. 1 lit. b GDPR (necessity for the performance of a contract) and Art. 6 para. 1 lit. f GDPR (legitimate interest in scalable storage).
Privacy policy: https://aws.amazon.com/de/privacy/
5. Data Collection on the Platform
5.1 Cookies
We use cookies when you visit our website. Cookies are small text files that may be stored on your end device (e.g. computer, tablet, or mobile phone) by your browser when you visit a website, and which we or a third party can read.
You can prevent the use of cookies by adjusting your browser software settings accordingly. However, this may mean that certain areas of the websites or services do not function as intended. We use cookies in order to operate our services and improve their functionality.
Technically necessary cookies (e.g. session cookies, CSRF token) are set on the basis of Art. 6 para. 1 lit. f GDPR. For cookies that are not technically necessary (e.g. analytics cookies), we obtain your consent pursuant to Art. 6 para. 1 lit. a GDPR and Section 25 para. 1 TDDDG.
We use the following cookies:
- Session cookie: Technically necessary for signing in and using the platform
- Cookie consent cookie (
mi_boda_cookie_consent): Stores your cookie settings (365 days) - CSRF token: Security cookie to protect against cross-site request forgery
5.2 Server Log Files
Our hosting provider automatically collects:
- Browser type and version
- Operating system
- Referrer URL
- IP address (anonymized)
- Time of the request
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the technically error-free operation of the website).
5.3 Usage Analysis and Interaction Tracking
To improve our platform and to evaluate the use of the vendor directory, we collect anonymized interaction data. This includes:
- Views of vendor profiles
- Clicks on contact details (website, email, phone)
- Interactions with the image gallery
- Search queries in the directory
- Adding and removing favorites
This data is linked to a session ID (no permanent user identification) and is not passed on to third parties. Known bots and crawlers are automatically excluded. The data is used exclusively to improve our platform and for the anonymized evaluation of directory usage.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in improving our service).
5.4 Registration
When you register, we collect:
- Email address
- First names (of both partners)
- Password (stored encrypted)
- Registration source and time
Legal basis: Art. 6 para. 1 lit. a GDPR (consent).
5.5 Social Login
Alternatively, you can sign in via the following services:
Google Sign-In: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. We receive your name and email address. DPF-certified. Privacy policy: https://policies.google.com/privacy
Apple Sign-In: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA. We receive your name and email address (with Apple, you can hide your email address). Privacy policy: https://www.apple.com/de/privacy/
Facebook Login: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. We receive your name and email address. DPF-certified. Privacy policy: https://www.facebook.com/privacy/policy/
Legal basis: Art. 6 para. 1 lit. a GDPR (consent). The use of social login is voluntary.
5.6 Wedding Invitations and Guest Management
When you create an invitation, we process:
- Names of the hosts
- Wedding date and location
- Design selection and personalized texts
- Uploaded images
- Guest data (names, RSVP status, meal preferences, answers to individual questions)
Legal basis: Art. 6 para. 1 lit. b GDPR (necessity for the performance of a contract).
The guest data is used exclusively within the scope of invitation management and is not passed on to third parties. When an account is deleted, all guest data is also deleted.
5.7 Vendor Inquiries
When you submit an inquiry to a vendor, we collect:
- First names of both partners
- Email address
- Phone number (optional)
- Message
- Wedding date (optional)
This data is forwarded to the requested vendor. Legal basis: Art. 6 para. 1 lit. b GDPR (initiation of a contract).
5.8 Vendor Verification
When verifying a vendor profile, we collect:
- Name of the contact person
- Email address
- Where applicable, a verification document (e.g. business registration)
Legal basis: Art. 6 para. 1 lit. a GDPR (consent).
6. Your Rights
6.1 Right of Access (Art. 15 GDPR)
You have the right to obtain information about the personal data we have stored about you.
6.2 Right to Rectification (Art. 16 GDPR)
Should the data we have stored about you be incorrect and/or incomplete, you naturally have the right to have it corrected and/or completed.
6.3 Right to Erasure (Art. 17 GDPR)
You have the right to request the erasure of your data, provided that no statutory retention obligations stand in the way. You can delete your user account at any time via your account settings.
6.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request the restriction of the processing of your data if you contest its accuracy, the processing is unlawful, or we no longer need the data.
6.5 Right to Data Portability (Art. 20 GDPR)
Under Art. 20 GDPR, you have a right to data portability.
6.6 Right to Object (Art. 21 GDPR)
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you, provided that the processing is carried out on the basis of legitimate interest (Art. 6 para. 1 lit. f GDPR). If you exercise this objection, we will no longer process the personal data concerned with effect for the future. If you object to direct marketing, your data will no longer be processed for this purpose. However, if we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing serves to assert, exercise, or defend legal claims on our part, then in this case we must reject your request.
6.7 Withdrawal of Consent
You can withdraw consent you have given to the processing of personal data at any time vis-à-vis us. Please note that the withdrawal only takes effect for the future. Processing that took place before the withdrawal is not affected by it.
6.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit), Ludwig-Erhard-Str. 22, 20459 Hamburg; email: mailbox@datenschutz.hamburg.de; phone: 04042854 – 4040.
7. Analysis and Tracking
7.1 Google Analytics 4
We use Google Analytics 4, a web analytics service of Google LLC, on our website. The responsible entity for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").
You can find more information about the terms of use of Google Analytics and about data protection at Google at https://marketingplatform.google.com/about/analytics/terms/de/ and at https://policies.google.com/?hl=de.
Type and purpose of processing: Google Analytics uses cookies that enable an analysis of your use of our websites. The information generated by the cookies about your use of this website is generally transmitted to a Google server (possibly also in the USA) and stored there.
With Google Analytics 4, the anonymization of IP addresses is activated by default. Due to IP anonymization, your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics is not merged with other Google data. During your website visit, your usage behavior is recorded in the form of "events". Events can include, for example, page views, the start of sessions, and websites visited. In addition, your approximate location (region), the date and time of your visit, your anonymized IP address, technical information about your browser/device (resolution, etc.), and the referrer URL are recorded.
Purposes of processing: On behalf of the operator of this website, Google will use this information to evaluate your pseudonymous use of the website and to compile reports on website activity. The reports provided by Google Analytics serve to analyze the performance of our website.
Recipient: The recipient of the data is Google Ireland as a contractor under a concluded data processing agreement. Google US acts exclusively as a "sub-processor" for Google Ireland in this context.
Transfer to third countries: Google LLC is certified under the EU-US Privacy Framework.
The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 sent. 1 lit. a GDPR and Section 25 para. 1 sent. 1 TDDDG.
You can prevent collection by Google Analytics: Download browser plug-in.
7.2 Microsoft Clarity
We use Microsoft Clarity, a web analytics service of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland ("Microsoft").
Type and purpose of processing: Microsoft Clarity uses cookies and similar technologies to analyze usage behavior on our platform. The following data is collected:
- Mouse movements, clicks, and scrolling behavior (heatmaps)
- Session recordings
- Pages visited and time spent
- Device information (browser, operating system, screen resolution)
- IP address (anonymized)
Personal entries in forms are automatically masked by Microsoft Clarity. The data is processed in a pseudonymized form and serves to analyze and improve the user-friendliness of our platform.
Recipient: The recipient of the data is Microsoft under the terms of use of Microsoft Clarity. Microsoft may link the collected data with Bing data.
Transfer to third countries: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA, is certified under the EU-US Data Privacy Framework.
The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 sent. 1 lit. a GDPR and Section 25 para. 1 sent. 1 TDDDG.
Privacy policy: https://privacy.microsoft.com/de-de/privacystatement
8. AI Services
8.1 OpenAI
We use the API of OpenAI, L.L.C., 3180 18th St, San Francisco, CA 94110, USA.
Type and purpose of processing:
- AI-assisted text suggestions for wedding invitations
- Creation of description texts for vendor profiles
- Processing of search queries in the vendor directory
- Summarizing Google user reviews
In doing so, no personal data of users is generally transmitted to OpenAI, and anonymized context information (e.g. a vendor's category) is processed.
If information about vendors constitutes personal data, data collection is permissible on the basis of Art. 6 para. 1 lit. f) GDPR for the safeguarding of legitimate interests, since business contact data has little bearing on the privacy of the data subjects. The legitimate interest lies in building the directory for wedding services and improving the content of the website.
Privacy policy: https://openai.com/privacy
8.2 Google Gemini
We use Google Gemini, provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"), for the creation of vendor descriptions and the enrichment of vendor profile data (e.g. contact details, social media links).
In doing so, no personal data of users is generally transmitted to Google via Gemini. If information about vendors does constitute personal data, data collection is permissible on the basis of Art. 6 para. 1 lit. f) GDPR for the safeguarding of legitimate interests, since business contact data has little bearing on the privacy of the data subjects. The legitimate interest lies in building the directory for wedding services and improving the content of the website.
Privacy policy: https://policies.google.com/privacy
9. Payment Processing
Payment processing is carried out via Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
When you make a purchase, your payment data (e.g. credit card number, name) is processed directly by Stripe. We do not store any complete payment data – only a Stripe customer ID and transaction information (amount, date, status).
Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract).
Privacy policy: https://stripe.com/de/privacy
10. Email Communication
10.1 Transactional Emails
We send necessary emails such as registration confirmations, password resets, payment confirmations, and notifications about guest responses. These emails are required for the operation of the platform.
Legal basis: Art. 6 para. 1 lit. b GDPR (necessity for the performance of a contract).
10.2 Marketing Emails and Newsletter
With your consent, we send you marketing emails with wedding planning tips and product updates. You can unsubscribe from these at any time via the unsubscribe link in each email or in your account settings.
Legal basis: Art. 6 para. 1 lit. a GDPR (consent).
10.3 Mailcoach
For sending marketing emails, we use Mailcoach by Spatie BVBA, Kruikstraat 22, 2018 Antwerp, Belgium ("Mailcoach"). In doing so, your email address and name are processed.
The recipient of the data is Mailcoach under a concluded data processing agreement.
Legal basis: Art. 6 para. 1 lit. a GDPR (consent).
11. Customer Support
For customer support, we use Smartsupp.com, s.r.o., Šumavská 524/31, 602 00 Brno, Czech Republic ("Smartsupp"). Smartsupp enables live chat on our platform. When using the chat, your message, email address (if signed in), and technical data (browser, device) are processed.
The recipient of the data is Smartsupp under a concluded data processing agreement.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient customer support). The data processing takes place within the EU.
Privacy policy: https://www.smartsupp.com/privacy
12. Bot Protection
Cloudflare Turnstile
The Cloudflare Turnstile plugin of Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA is used on the website. The service serves to protect the forms against abusive automated use (e.g. spam, bots) and supports the stability and security of the website.
To protect our forms (e.g. vendor inquiries, profile claims), we use Cloudflare Turnstile as a CAPTCHA alternative. In doing so, technical data (IP address, browser information) is transmitted to Cloudflare.
The legal basis for the use is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in protecting our website against abusive automated use as well as in ensuring IT security.
A transfer of your data to the USA is possible due to certification under the EU-US Data Privacy Framework.
Privacy policy: https://www.cloudflare.com/de-de/privacypolicy/
13. Error Monitoring
Laravel Nightwatch
To detect and resolve technical errors, we use Laravel Nightwatch by Laravel LLC, USA ("Nightwatch"). When errors occur, Nightwatch collects technical information (e.g. error type, affected URL, browser). Personal data is anonymized wherever possible.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the error-free operation of the website).
Privacy policy: https://nightwatch.laravel.com/privacy
14. Plugins and Tools
14.1 Google Fonts (local)
We use Google Fonts to display fonts. The fonts are installed locally on our server. No connection to Google servers takes place.
14.2 Google Maps
On vendor profile pages, we embed static maps from Google Maps, provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). In doing so, your IP address may be transmitted to Google.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in displaying location information).
A transfer of your data to the USA is possible due to certification under the EU-US Data Privacy Framework.
Privacy policy: https://policies.google.com/privacy
15. Retention Period
We process and store personal data for as long as is necessary for the fulfillment of our contractual and statutory obligations. If the data is no longer necessary for the fulfillment of contractual and/or statutory obligations, it is regularly deleted, unless its – temporary – further processing is necessary for the following purposes:
- Fulfillment of commercial and tax retention obligations, which may arise, for example, from: the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention or documentation periods specified there are generally two to ten years. As soon as a limited tax retention obligation applies, the retention period is 8 years, beginning with the year in which the financial year (FY) ends at Mi Boda GmbH.
- Preservation of evidence within the scope of the statutory limitation provisions. Pursuant to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period we have set being 3 years from the end of the calendar year.
After that, the relevant data is routinely blocked or deleted or anonymized in accordance with the statutory provisions. Personal data is otherwise deleted as soon as the purpose of the processing no longer applies.
16. SSL/TLS Encryption
This platform uses SSL or TLS encryption. You can recognize an encrypted connection by the "https://" in the address bar and the padlock symbol in your browser.
17. Changes to This Privacy Policy
We reserve the right to adapt this privacy policy if this becomes necessary due to changes in the legal situation, technical developments, or changes to our data processing. The current version published on this website applies in each case.
Last updated: May 8, 2026