Privacy Policy

Link VRM is a vendor relationship manager for wedding professionals. A wedding vendor (photographer, planner, florist, DJ, venue, and so on) sends a shareable link to the couple they worked with, the couple lists every other vendor at their wedding, and the vendor gets a tidy directory of who worked alongside them. This policy explains what personal information we collect along the way, why we collect it, and what choices you have.

If you only want the headlines: we collect what we need to run the service and nothing else; we don't sell personal information; we use a small number of US-based service providers to host and process data; and you can email us anytime at privacy@linkvrm.com to access, correct, or ask us to delete information about you.

Link VRM is operated by Zed Wedding Group Inc., an Ontario corporation with a registered address at 2653 Don Street, Ottawa, ON, K2B 6Y2, Canada. In this policy, “we”, “us”, and “Link VRM” refer to that company. We are the organization accountable for the personal information described here under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and, where it applies, the controller under the EU General Data Protection Regulation (GDPR).

This policy covers three groups of people:

• Account holders. Wedding professionals (and the team members they invite) who create a Link VRM account and use the app.
• Couples. People who fill out a vendor list using a link shared with them by an account holder. Couples do not create an account.
• Vendors named in a wedding. Wedding professionals whose name and contact details appear in our vendor directory because a couple listed them when filling out the form. These vendors may or may not have a Link VRM account of their own.

From account holders we collect: name, email address, password (stored only as a salted hash), organization name and category, optional Instagram handle, optional uploaded branding (logo, colors, signature), and the content you create in the app (weddings, vendor records, automation templates, message history).

From coupleswe collect: the names you enter for yourselves, and for each vendor you list — name, vendor category, and any contact details you choose to add (Instagram handle, email, phone, website). You don't create an account, so we don't collect a password or a profile.

About vendors named in a wedding we hold whatever the couple entered: typically a business name plus one or two contact handles. This information becomes part of our vendor directory and is reused when other couples mention the same vendor in the future, so that the next wedding vendor who works with that vendor sees a complete record instead of a stub.

Automatically, when anyone uses the site we collect technical information needed to run the service safely: IP address, browser and device type, pages visited, and application errors. This is used for security, debugging, and basic uptime monitoring. We do not use third-party advertising trackers, and we do not run analytics that profile individual visitors.

We use personal information to:

• Run the service the account holder signed up for — including generating shareable couple forms, building the IG tag list, sending transactional emails (account confirmations, invites), and powering the comms automations the account holder turns on.
• Maintain the cross-organization vendor directory so future collaborators are easier to recognize and tag.
• Keep the service secure (rate-limiting, abuse prevention, fraud checks).
• Improve the product. We look at aggregated, non-identifying usage patterns; we don't use the content of your weddings or vendor lists to train external models.
• Comply with legal obligations (for example, retaining proof of consent under Canada's Anti-Spam Legislation, or responding to lawful requests).

Under PIPEDA, we rely on a combination of express and implied consent. When you create an account, you agree to our Terms and this Policy. When a couple fills out a form a vendor shared with them, the act of submitting it constitutes consent to share what they entered with that vendor.

Where GDPR applies, we rely on:

• Performance of a contract (Article 6(1)(b)) — for everything we need to do to give an account holder the service.
• Legitimate interests(Article 6(1)(f)) — for keeping the vendor directory, securing the service, and maintaining the records described above. We've assessed these interests against the rights of the individuals involved and consider them proportionate to the limited business-contact information we keep.
• Consent(Article 6(1)(a)) — for optional marketing emails (we don't currently send any) and for anything else where we ask you to opt in.
• Legal obligation (Article 6(1)(c)) — when the law requires us to retain or disclose information.

The couple form is the most sensitive part of the product because a couple is submitting information about other people— the vendors at their wedding. We've designed the flow so that a couple only ever lists vendors they hired or worked with at their own wedding, and the information requested is the kind of business-contact detail that vendors publish on their own websites (business name, Instagram handle, public email). If a vendor named in our directory wants their information corrected or removed, they can email us at privacy@linkvrm.com and we'll handle it — see the “Your rights” section below.

We don't sell personal information and we don't share it for anyone else's marketing. We do use a small number of service providers to operate the platform, and they only process information on our instructions:

• Supabase (US West region) — hosts our database and authentication.
• Vercel (US) — hosts the Link VRM web application.
• Resend (US) — sends transactional and automated email on our behalf.
• Sentry (US) — records application errors and performance traces so we can debug issues.

Each of these providers is contractually committed to protecting the personal information we share with them. We share information with them only to the extent necessary to run the service, and we review the list periodically. We'll also share information if we're legally required to do so (court order, lawful request from a regulator), or to protect the safety of users or the public.

All of the service providers listed above process personal information in the United States. This means that personal information collected through Link VRM — including data submitted by users in Canada or the European Economic Area — is transferred to and stored on servers located in the US, where it may be subject to US law, including lawful access requests by US authorities. We chose these providers because they meet our requirements for security, reliability, and customer-data protection, and we rely on standard contractual safeguards (including the EU Standard Contractual Clauses, where applicable) for transfers out of the EEA. If you would prefer we not transfer your information abroad, you cannot use Link VRM at this time.

Wedding records and vendor directory entries are kept indefinitely. We do this because a wedding involves multiple vendors, and other vendors at the same wedding may be current or future Link VRM account holders — removing the record would also remove their ability to see who they worked with. Vendor directory entries serve the same cross-organization purpose, so they remain part of the directory even if the account that originally added them closes.

When an account holder closes their account, we delete the account-specific information within 90 days: the organization settings, branding, signature, team-member records, and contact details for the account. The weddings and vendor entries that account contributed stay in the system as described above, but the link back to the closed account is removed.

Email logs (delivery, open, bounce, and complaint events) are kept for three years, in line with the record-keeping expectations of Canada's Anti-Spam Legislation. Webhook delivery records are kept for 30 days when successful and one year when failed. Application error and access logs are kept for the period set by each service provider — typically 30 to 90 days.

Under PIPEDA you have the right to ask us what personal information we hold about you, request that we correct it if it's wrong, and challenge our handling of it. If you're in the EEA or the UK, GDPR adds rights to erasure, restriction of processing, data portability, and to object to processing based on our legitimate interests.

To exercise any of these rights, email privacy@linkvrm.com. We'll respond within 30 days. If you're a vendor named in our directory and you want to be removed, please tell us the business name and any handles you use so we can find your entries. If we have to keep something for a legal reason (for example, our obligation to retain proof of email consent), we'll tell you and explain why.

If you're not happy with how we've handled your request, you can contact the Office of the Privacy Commissioner of Canada (priv.gc.ca), Ontario's Information and Privacy Commissioner (ipc.on.ca), or — if you're in the EEA — your local supervisory authority.

We encrypt data in transit (HTTPS everywhere) and at rest in our hosted database. Passwords are stored only as salted hashes — we never see them in plain text. Access to the production system is limited to people who need it; production database access is audited. We use a row-level security model in our database so that one organization's data is segregated from another's at the storage layer, not just the application layer.

No system is perfectly secure, but we treat security incidents seriously. If a breach affects your personal information in a way that poses a real risk of significant harm, we'll notify you and the appropriate regulator as required by law.

Link VRM uses only strictly-necessary cookies — the ones required to keep you signed in and to keep our forms working safely. We don't use third-party advertising or tracking cookies, and we don't set marketing pixels. Because every cookie we set is necessary for the service to function, we don't show a consent banner; if that changes (for example, if we add product analytics later), we'll update this policy and ask for consent at that point.

Link VRM is not intended for anyone under 13. We don't knowingly collect personal information from children under 13. If you believe a child has submitted information through our service, please contact us and we'll remove it.

We'll update this policy as the service changes. When we make material changes, we'll update the “Last updated” date at the top, and we'll let active account holders know by email or in-app notice. The current version always lives at this URL.

Privacy questions, requests, and complaints: privacy@linkvrm.com.

Postal mail:
Zed Wedding Group Inc.
2653 Don Street
Ottawa, ON, K2B 6Y2, Canada

See also our Terms of Service.