What we collect, what we don't.

We collect only what we need to run Melaa, and we name each thing plainly.

• Account data. Email, display name, and (if you choose) a password. Used to sign you in and save your shortlist across devices.
• Shortlist + wishlist data. The vendors you save, the notes you write, the answers you enter on the wishlist form. Stored in your browser (localStorage) and, if you sign in, on our server so it syncs across your devices.
• Wedding details you submit. Date, tradition, ceremony list, guest count, budget, city. Sent only to the vendors you pick when you send a wishlist.
• Contact-form messages. What you send to hello@, vendors@, privacy@. Read and replied to by a real person on the team.
• Analytics. Page views, referrers, session length, rough geolocation (city-level). Collected via Google Analytics 4. Used to understand traffic, not to profile individuals.

• Your phone number, unless you put it in a wishlist yourself.
• Your home address.
• Your credit card (vendors pay us; families don't).
• Fingerprinting-level browser data. No canvas fingerprint, no audio context probing.
• Data about your other browsing.

• Vendors you pick. When you send a wishlist, your answers go directly to each vendor\u2019s inbox. They see your name and email so they can reply. They don\u2019t see anything else.
• Nobody else. We don\u2019t sell leads. We don\u2019t run per-lead auctions. We don\u2019t share your email with “partners.”
• Infrastructure providers. Data is stored with Supabase (PostgreSQL + Auth, hosted in North America), Vercel (serving pages), Resend (transactional email). Each signs standard data-processing addenda.

• Your account until you delete it.
• Shortlists and wishlists until you delete them, or 18 months of inactivity.
• Vendor profiles as long as they\u2019re active (plus audit logs for 12 months after deactivation).
• Analytics data up to 26 months (Google Analytics default), then anonymised.

As a Canadian resident (or a visitor from anywhere else), you can ask us to:

• Show you the data we hold about you.
• Correct anything that\u2019s wrong.
• Delete your account and all associated data (we delete within 30 days).
• Export your data (we\u2019ll send a JSON file).
• Opt out of analytics (use browser Do-Not-Track; we respect it).

To exercise any of these, email privacy@melaa.ca — read by a real person, replied to within 7 days, usually the same day.

We use three kinds of cookies:

• Authentication. Keeps you signed in (Supabase session cookie).
• Preference. Remembers your shortlist if you're signed out (localStorage, not a cookie technically).
• Analytics. Google Analytics (_ga, _ga_*). You can block these with a browser extension or a browser-level “block third-party cookies” setting.

Melaa is for adults planning weddings. We do not knowingly collect data from anyone under 13. If you believe a child has submitted data, email privacy@melaa.caand we\u2019ll delete it immediately.

If we materially change this policy, we\u2019ll email everyone with an active account and post a dated notice on this page for 60 days. Last updated date is at the top.

For anything privacy-related: privacy@melaa.ca. For everything else: hello@melaa.ca. Operator is Melaa Co., based in Brampton, Ontario, Canada.