Introduction
companion-co Pte Ltd, a company registered in Singapore ("we", "us", or "our"), operates Aven, a shared wedding planning workspace for couples, at https://aven.wedding.
This Privacy Policy explains how we collect, use, store, disclose, and protect personal data when you use our website and services. It applies to all users of Aven.
This policy is intended to align with the Personal Data Protection Act 2012 (PDPA) of Singapore. By using Aven, you acknowledge that you have read this Privacy Policy.
Information We Collect
We collect information you provide directly and information generated through your use of the service:
- Account information from Google sign-in, such as your name, email address, profile photo, and Google account identifier.
- Google Calendar data when you choose to connect Google Calendar, including your calendar list, calendar events within the dashboard date window, and the Google Calendar event identifiers we create when you sync a booking.
- Workspace content you and your partner create, including tasks, comments, budget entries, guest lists, RSVP responses, seating plans, and file uploads.
- Invitation and referral activity, such as tokens used to join a workspace or arrive via a referral link.
- Technical and usage data, such as device type, browser, IP address, and pages or features accessed.
Google User Data
Aven uses Google OAuth to sign you in and, if you choose, to connect Google Calendar. This section describes how we access, use, store, and share Google user data.
We access Google user data only after you initiate sign-in or explicitly choose to connect Google Calendar. We do not use Google user data for advertising, creditworthiness decisions, or to train generalised artificial intelligence or machine learning models.
- Sign-in (openid, email, profile): When you choose Continue with Google on our login page, we receive your name, email address, profile photo, and Google account identifier. We use this information to authenticate you, create or update your Aven account, and display your profile within your workspace.
- Google Calendar — read access (calendar.readonly): If you connect Google Calendar, we list your calendars so you can choose one, and we read events from the calendar you select to display them on your dashboard (approximately 30 days in the past and 365 days in the future). This calendar data is shown only to you. We do not share your Google Calendar events with other workspace members or with third parties for their own purposes.
- Google Calendar — write access (calendar.events): If you choose Add to Google Calendar or update or remove a synced booking, we create, update, or delete events only in the calendar you selected and only for bookings you initiate in Aven. We store the Google calendar ID and event ID needed to keep that booking in sync.
- Storage: Your Google account identifier and profile fields from sign-in are stored in our database (Supabase). Google OAuth access and refresh tokens are stored in your authenticated server-side session and are used only to call Google APIs on your behalf while you remain signed in. Google Calendar sync mappings are stored in our database and linked to your user account.
- Sharing: We do not sell Google user data. We do not transfer Google user data to third parties except our infrastructure providers (hosting and database services) that process data on our behalf to operate Aven, and only as needed to provide the service.
- Retention: We retain Google sign-in profile data while your account is active. Google OAuth tokens remain in your session until they expire, are refreshed, or you sign out. Calendar sync mappings are retained while the related booking exists or until you delete the sync.
- Revoking access: You may revoke Aven's access to your Google account at any time through your Google Account permissions settings at https://myaccount.google.com/permissions. You may also sign out of Aven. Revoking access may limit or disable Google sign-in and Google Calendar features.
How We Use Your Information
We use personal data to operate, maintain, and improve Aven. Specifically, we use it to:
- Authenticate you and provide access to your workspace.
- Enable collaboration between workspace members.
- Store and display the wedding planning content you choose to save.
- Sync wedding bookings to Google Calendar when you request it.
- Send service-related communications, such as workspace invitations or account notices.
- Monitor security, prevent abuse, and troubleshoot issues.
- Understand product usage so we can improve features and reliability.
Legal Basis Under PDPA
Under the PDPA, we process personal data based on one or more of the following, as applicable:
- Your consent, including when you sign in with Google, connect Google Calendar, or accept an invitation.
- Performance of a contract or steps taken at your request before entering a contract, such as providing the service you signed up for.
- Legitimate interests, such as securing our platform and improving the product, where those interests are not overridden by your rights.
- Compliance with applicable legal obligations.
Third-Party Services
Aven relies on trusted third-party providers to deliver the service. These providers may process personal data on our behalf:
- Google — for OAuth sign-in and, when you opt in, Google Calendar access through the Google Calendar API.
- Supabase — for database, authentication support, and file storage.
- Vercel — for application hosting and delivery.
Data Retention
We retain personal data for as long as your account or workspace remains active and as needed to provide the service, comply with legal obligations, resolve disputes, and enforce our agreements.
If you request deletion of your account or specific personal data, we will take reasonable steps to remove or anonymise it, subject to legal retention requirements and legitimate business needs such as backup recovery windows.
Your Rights
Subject to the PDPA and applicable law, you may have the right to:
- Request access to personal data we hold about you.
- Request correction of inaccurate or incomplete personal data.
- Withdraw consent where processing is based on consent, understanding that this may affect your ability to use certain features.
- Request deletion of personal data in certain circumstances.
International Transfers
Our service providers may process or store data outside of Singapore. Where personal data is transferred overseas, we take reasonable steps to ensure that recipients provide a standard of protection comparable to that under the PDPA, such as through contractual safeguards where appropriate.
Security
We implement reasonable administrative, technical, and organisational measures designed to protect personal data against unauthorised access, loss, misuse, or alteration. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time, including when we change how Aven accesses, uses, stores, or shares Google user data or other personal data.
When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of Aven after changes take effect constitutes acceptance of the revised Privacy Policy.
Contact Us
If you have questions about this Privacy Policy, our use of Google user data, or wish to exercise your data protection rights, contact companion-co Pte Ltd at admin@companion-co.com.