Privacy policy
How we handle your data
Effective 2026-05-13 · last updated 2026-06-17 · subject to RA 10173 (Philippines Data Privacy Act)
Data Protection Officer
Setnayan’s Data Protection Officer is reachable at dpo@setnayan.com. Reach the DPO for requests under RA 10173 (access, correction, blocking, erasure, complaints, NPC inquiries). We respond within 15 business days.
Regulatory posture
Setnayan is currently operating in a closed pilot phase (approximately 5–20 households). During pilot, the Personal Information Controller is the platform owner under personal name (DTI Business Name and BIR registration pending; targeted before public launch on December 1, 2026). NPC registration will be filed under the registered business entity at that time. The DPO function during pilot is held by the platform owner directly.
Cross-border data transfers — Singapore (Supabase), United States (Cloudflare R2 PH-region buckets), United States (Anthropic Console for Setnayan AI), United States (Persona for vendor verification), and United States (Google LLC, when you connect the optional Google Drive or YouTube integrations) — are subject to RA 10173 § 21 and the provider’s adequacy commitments.
What we collect
- Account info — email, password (hashed), display name, optional phone + profile photo URL
- Event data you create — guest lists, vendor records, budget items, schedule, mood-board palettes
- Messages you send via the in-app chat
- Payment metadata — order amounts, reference codes, channel, your screenshot if you upload one
- Anonymized product analytics — page views, button clicks, funnel events (via PostHog · no personal identifiers · opt-out available in your profile)
- Error reports — uncaught exceptions + their stack traces sent to Sentry so we can fix bugs; no message bodies, payment details, or guest data are included
- Automatic — IP address (truncated to first 3 octets for QR scan events), browser user-agent, timestamps
What we do not collect
- Face biometrics or any other biometric data
- Location beyond the city-level information vendors choose to share
- Advertising identifiers, third-party cookies, or cross-site tracking signals
Vendor identity masking
When you chat with a Setnayan vendor, the vendor sees only your event display name and date — never your email or personal name unless you choose to share. This is a load-bearing product rule.
Public Event Summary (post-event editorial)
If a host opts in, the event’s summary page at setnayan.com/{event-slug} transitions from invitation and day-of mode into a public editorial article 30 days after the event date. The page becomes publicly indexable on setnayan.com/realstories and discoverable by search engines.
Eight safeguards apply under RA 10173 § 16(e) right to object:
- Onboarding-time consent during signup with explicit T+30d disclosure.
- Phase 4 starts at T+1d in archive mode (public via slug only).
- Index inclusion auto-activates at T+30d unless the host opts out.
- Reminder email at T+27d (“Your wedding goes public in 3 days — preview and edit, or keep it private”).
- One-click opt-out from /dashboard/{eventId}/privacy removes the page from the index immediately.
- Pseudonymization option (full names, initials only, or pseudonym).
- Private-always field allowlist — guest list, RSVP data, budget figures, vendor chat history, day-of broadcast video, and raw photo feed never reach the public Summary.
- Right to redact any field, photo, vendor credit, or whole page at any time.
Per CLAUDE.md decision-log 2026-05-19 row 426.
Your rights (RA 10173)
- Right to access: download a JSON archive of your data anytime from your profile.
- Right to erasure: the same profile page has a soft-delete action (type DELETE to confirm). Soft-deleted accounts are retained for 30 days for restoration by you, then become irreversibly deleted.
- Right to rectification: edit your personal info on the profile page.
- Right to object: reach us at the help center to opt out of specific processing.
YouTube integration (Panood)
Couples who purchase a Panood SKU (live wedding broadcast) connect their own YouTube channel to Setnayan so the live ceremony can stream to their channel and embed on the event landing page. The connection uses Google’s standard OAuth sign-in. You can revoke it at any time from your Google Account permissions.
- Scopes requested. Only .../auth/youtube (create and manage live broadcasts on your channel), .../auth/youtube.upload (upload videos · used by V1.5+ AI Edited Highlight), .../auth/userinfo.email, and .../auth/userinfo.profile. We never request read access to your subscribers, comments, view history, watch history, search history, or any YouTube data unrelated to the broadcast we created for your event.
- What we receive from Google. A refresh token tied to your YouTube channel, your channel name and ID, an access token (typically valid 1 hour), and the broadcast IDs we create on your behalf. We do not receive your Google password.
- How we use it. The refresh token is read by our broadcaster orchestration service only during your event window, to (a) create the YouTube live broadcast for your event, (b) push the selected camera feed to YouTube’s ingest endpoint while you are live, and (c) embed the resulting public broadcast in your Setnayan event landing page. We do not browse, modify, or delete any other content on your YouTube channel.
- Storage + scope. Tokens and the channel ID are stored in oauth_grants in our Supabase database (Singapore region · encrypted at rest), scoped to one specific Setnayan event. They are never shared with vendors, other couples, or third parties.
- Limited Use commitment. Setnayan’s use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. We never use your YouTube data for advertising, never sell or transfer it, and never use it to train AI or ML models.
- Retention. Grants are kept until the earlier of (a) you revoke them from your Google account or from your Setnayan profile, (b) you delete your Setnayan account, or (c) 30 days after the event ends. Refresh tokens past their expiry are purged automatically.
- Revoking access. Two paths, either works immediately:
  - In Setnayan, open the Panood page and click Disconnect YouTube. We soft-revoke the grant locally.
  - In your Google account, go to Security → Third-party apps with account access and remove Setnayan. We honor the revocation on the next broadcast attempt.
- Broadcasts on your YouTube channel. Once a broadcast is created on your channel, the recording is owned by you. Edit or delete it from YouTube Studio like any other video — Setnayan cannot delete videos on your behalf after the broadcast ends. Your use of YouTube is also governed by YouTube’s Terms of Service and the Google Privacy Policy.
Google Drive integration (Photo Delivery + Papic)
Couples who use Photo Delivery (vendor-released final wedding photos) or Papic (the V1.5+ camera mesh) connect a Google Drive account so Setnayan can write photos and videos into that Drive on the couple’s behalf. The connection uses Google’s standard OAuth sign-in. You can revoke it at any time from your Google Account permissions.
- Scope requested. Only .../auth/drive.file — a narrow scope that restricts Setnayan to ONLY files and folders the Setnayan app itself creates in the Drive. We cannot see, read, edit, or delete any other files, folders, photos, or documents you already have in the Drive. We also never request .../auth/drive (full Drive access), .../auth/drive.readonly, or any other Drive scope.
- What we receive from Google. A refresh token tied to the connected Drive account, the email address used to sign in, an access token (typically valid 1 hour), and the file/folder IDs of the items Setnayan creates. We do not receive your Google password and do not enumerate or index your existing Drive contents.
- How we use it. For Photo Delivery (0009), we create one folder per event named after the wedding (for example, “Setnayan · Maria & Juan Wedding · 2026-10-24”) and the vendor’s release action writes the finalized photo set into that folder. For Papic (V1.5+), the camera-mesh capture pipeline writes event-day photos into a bootstrapped folder structure inside the same Drive. We never browse, modify, or delete any file we did not create.
- Storage + scope. Tokens and the connected email + folder IDs are stored in oauth_grants in our Supabase database (Singapore region · encrypted at rest), scoped to one specific Setnayan event. They are never shared with vendors, other couples, or third parties.
- Limited Use commitment. Setnayan’s use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. We never use your Drive data for advertising, never sell or transfer it, and never use it to train AI or ML models.
- Retention. Grants are kept until the earlier of (a) you revoke them from your Google account or from your Setnayan profile, (b) you delete your Setnayan account, or (c) 30 days after the event ends. Refresh tokens past their expiry are purged automatically. The files Setnayan wrote to your Drive are not deleted by Setnayan when the grant ends — they remain in your Drive under your sole control.
- Revoking access. Two paths, either works immediately:
  - In Setnayan, open the Photo Delivery or Papic page for your event and click Disconnect Google Drive. We soft-revoke the grant locally.
  - In your Google account, go to Security → Third-party apps with account access and remove Setnayan. We honor the revocation on the next write attempt.
- Files in your Drive. Once a file is written to your Drive, it is owned by the Drive account that authorized the grant. Move, share, or delete it from drive.google.com like any other file — Setnayan cannot delete files on your behalf after the grant is revoked. Your use of Google Drive is also governed by the Google Privacy Policy.
Subprocessors
- Supabase (database + auth · Singapore region)
- Vercel (web hosting)
- Cloudflare (CDN + R2 object storage · APAC region)
- Resend (transactional email)
- Sentry (server-side error monitoring · stack traces only)
- PostHog Cloud (product analytics — opt-out available in your profile)
- Google (YouTube Data API — only for couples who purchase Panood and explicitly connect their YouTube channel via OAuth; Google Drive API — only for couples who use Photo Delivery or Papic and explicitly connect a Drive account via OAuth)
Contact
For privacy questions or RA 10173 requests, message us via the help center with subject “Privacy”. We’ll respond within one business day.