Our Privacy Policy

Last Updated: December 1, 2025

PRIVACY POLICY

This Privacy Policy describes how Carats and Cake, Inc. (“Carats and Cake,” “we,” “us,” “our”) collects, uses, and shares data that we receive from you when you visit our website at caratsandcake.com (the “Website”) and otherwise interact with us on a social media platform (together, the “Services”).

Please read this Privacy Policy together with our Terms of Use and all other relevant privacy notices we may provide or post. This Privacy Policy supplements such other notices and does not override them.

If you are an individual located in the European Economic Area (the “EEA”), the United Kingdom (“UK”), or Switzerland, the following GDPR Privacy Notice (see below on this page) applies to you.

A. Personal data we collect

The categories of personal data we collect depend on how you interact with us, our Services, and the requirements of applicable law. For example, we may collect different information from you depending on whether you are a visitor to our Website (“Visitors”), use our Services as a vendor or venue (together, “Vendors”), or request us to be featured as a couple (“Couples”). Please note that the category of “Visitors” includes Vendors and Couples, to the extent such Vendors and Couples utilize our Website. We primarily collect information that you provide to us or that we obtain automatically when you use our Services.

a. Information you provide to us directly

We may collect the following personal data that you provide to us:

• When you use the Services. When you use Services (for example, by submitting a wedding), we typically collect fields such as your first name, last name, email address, state/province, country, and telephone number. If you purchase subscription content through our Services, we or certain of our service providers that help us provide the Services (each, a “Service Provider”) may also collect information necessary to process your payment, such as your credit or debit card number and expiration date.
• Your communications with us. We may collect your name, email address, postal address, and/or telephone number when you request information about our Services, request user or technical support, or otherwise communicate with us. We also collect your preferences in receiving marketing communications from us and may create hashed identifiers derived from email addresses for internal analytics, security, and deliverability purposes;
• Surveys/Questionnaires. We may contact you to participate in surveys or other questionnaires to collect feedback. If you decide to participate, you may be asked to provide certain information, which may include personal data

b. Information we collect automatically

We also automatically collect certain information based on your use of our Services. This data would include your activities on our Website. For example, we, or our third-party partners, may collect:

• Activities. Details of the activities you carry out when using our Services, including visits to our Website. We may also collect your geographic location when you use a location-enabled device with our Services and sensor data from your device that may, for instance, provide data on nearby cell towers and Wi-Fi access spots;
• Technical information. The Internet protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system, and platform; and
• Information about your visit to our Website. We collect and process your internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Services. We also collect analytics information through tools such as Google Analytics to understand Website usage and improve functionality; however, we do not use advertising pixels or retargeting technologies.

c. Information we obtain from third parties

Carats and Cake may also obtain information about you from third parties, such as Vendors or Couples that submit a wedding in which you were involved and/or attended. We require that such Vendors and Couples obtain the consent of each Vendor and each party in a Couple prior to submitting their information to us, as well as the consent of wedding guest(s) whose photographs are submitted to us.

B. How we use your information

Carats & Cake collects only the personal data we need in order to offer and support our Services. We may also be required to collect, process, and retain your data in fulfillment of our legal obligations. We use your data for the following business purposes:

a. Provide, monitor, maintain, personalize, optimize, and improve the Services, including research and analytics regarding use of the Services, or to remember you when you leave and return to the Services;

b. Notify you about changes to our Services;

c. Provide you with news, events, promotions, updates, security alerts, and general information about other services that we offer that are similar to those that you have already inquired about, unless you have opted not to receive such information;

d. Allow you to participate in interactive features within our Services when you choose to do so;

e. Provide you with customer support;

f. Carry out our obligations relating to your contracts with us and to provide you with the information and Services that you request from us;

g. Provide you with more relevant content in marketing, promotional, or other communications to which you may be subscribed; and

h. Detect, investigate, and prevent technical issues or activities that may violate our policies or be fraudulent or illegal, including to conduct any related investigations.

i. Use in automated tools, including machine learning models and artificial intelligence systems, to analyze, enhance, and recommend content or improve user experience. These tools may process metadata, user activity, and other inputs to generate content suggestions or personalized experiences. We may also use personal data (such as account information, usage data, and photo metadata) in these automated tools for abuse prevention, improving search relevance, and enhancing our Services. We do not use automated decision-making that produces legal or similarly significant effects without appropriate human involvement.

We may combine information from the Services together and with other information we obtain from our business records or from third party sources.

We are required by law to store some of your data beyond the termination of your relationship with us. After such time, your data will only be accessed or processed as necessary.

We retain personal data only for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, including improving and supporting our Services, complying with legal, tax, and accounting obligations, resolving disputes, and enforcing agreements. When feasible, we anonymize or securely delete personal data that is no longer required.

C. How we disclose your information

Carats & Cake may share data to ensure that we can continue providing you with the Services you have contracted. We may share certain information with:

a. Service providers.

We share data with Service Providers who help us provide the Services (each, a “Service Provider”), including Service Providers located outside the U.S., UK, or EEA. Service Providers help us with things like Website hosting, data analysis, information technology and related infrastructure, customer service, payment processing and email delivery.

b. Third parties authorized by you.

We share data with third parties directly authorized by a user to receive data. The use of data by an authorized third party is subject to the third party’s privacy policy and any agreements you have with the third party. These include third parties who provide a link through our Services, who integrate with our Services, or who otherwise serve as a third-party intermediary. Such third parties may receive detailed information about your use of the Services, and may be able to take actions on your behalf.

c. Successors-in-interest.

We will share data with third parties in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings) and, in each case, any due diligence relating thereto.

d. Safety, legal purposes, and law enforcement.

We use and disclose data as we believe necessary: (i) under applicable law; (ii) to enforce our terms and conditions; (iii) to protect our rights, privacy, safety, or property, or the safety or property of yours or others; and (iv) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.

e. Advertising platforms.

We may share certain information with advertising platforms, such as Google and Facebook, to select and serve relevant adverts to you and others. The information shared may include device-level information and analytics, as discussed in “Information we collect automatically”, or hashed identifiers derived from email addresses.

However, Carats & Cake does not currently engage in advertising on Google, Facebook, or other ad networks, and we do not deploy advertising pixels or retargeting technologies on our Website. Any references to advertising platforms refer only to potential future use and are not reflective of current operational practices.

f. Analytics and search engine providers.

We may share certain information with analytics and search engine providers that assist us in the improvement and optimization of our site.

D. Transfers to and outside the U.S.

Carats & Cake is headquartered in the United States. Personal data that we collect may be transferred to, and stored and processed in, the United States or any other country in which we or our Service Providers maintain facilities. The laws of the United States and other countries regarding personal data may be different from the laws of your state or country. Any such transfers will comply with safeguards as required by relevant law. To the extent permitted by applicable law, by submitting your personal data to us, you agree to this transfer, storing, or processing.

Please review our GDPR Privacy Notice (see below) or contact us at hello@caratsandcake.com if you are a resident of the EEA, the UK, or Switzerland, and would like additional information on our transfer of personal data.

E. Service Providers and Third Parties

Our Services may, from time to time, integrate with or contain links to other websites, mobile applications, or digital properties that are not operated by us, including those of our Service Providers, which you may access either directly, via an authentication process, or otherwise through the Services. For example, we integrate with Stripe to facilitate payments made in connection with our Services. Likewise, other websites, mobile applications, or digital properties may reference or link to our Services. Similarly, if you access the Services through a social networking service (“SNS"), some personal data may be collected and/or made available, depending on the privacy settings that you have set with respect to that SNS. You have the ability to disable the connection between your Account and any SNS accounts that you have linked at any time by accessing the "Settings" section of the Website.

We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of such other websites, mobile applications, or digital properties. Providing personal data to them, both within or outside of our Website or our Services, is at your own risk.

F. Cookies, Analytics, and Do Not Track Disclosure.

When you use our Services, we and certain of our Service Providers may use cookies and other tracking technologies (collectively, “Cookies”) to customize our Services, content, and user experience, as well as to ensure that our Services are functioning properly. We also may use Cookies to collect information about your online activities over time and across third-party websites or other online services.

We use Cookies primarily for essential functionality, performance measurement, session management, and analytics (such as Google Analytics). We do not use advertising or retargeting Cookies, do not run advertising campaigns, and do not use Meta/Facebook or Google Ads pixels.

Types of Cookies we use include:
• Strictly necessary Cookies
• Performance and analytics Cookies
• Functional Cookies (e.g., for remembering settings)

You may limit or block Cookies by adjusting your browser or device settings.

At this time, our Website does not respond to Do Not Track (“DNT”) signals that can be sent by some browsers, because no DNT standard has been adopted.

Because we do not engage in any sale, sharing, or cross-site targeted advertising practices, browser-based opt-out preference signals (such as Global Privacy Control) do not apply to our current operations.

G. Security of your information

We take steps to ensure that your information is treated securely and in accordance with this Privacy Policy. We also implement reasonable measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction. For example, we may use network safeguards such as firewalls and data encryption, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), enforce physical access controls, and authorize access to personal data only for those people who require access to fulfill their job responsibilities. Unfortunately, no method of transmission over the internet or method of electronic storage is 100% secure.

You are responsible for keeping confidential any passwords you use to access our Services. We ask you not to share this password with anyone else and not to use this password for other services or products.

To the fullest extent permitted by applicable law, we do not accept liability for any unauthorized disclosure.

H. Children’s Privacy

Our Services are not intended for anyone under the age of 18. We do not knowingly collect personal data from anyone under the age of 18. If you are a parent or guardian and you believe that your child has provided us with their information, please contact us. If we become aware that a child has provided us with personal data in violation of applicable law, we will delete any personal data we have collected, unless we have a legal obligation to keep it.

I. Marketing communications

We will only use your data for marketing and promotional purposes if you “opt in” to such uses, and you can withdraw this permission at any time. We may combine your personal data to improve the value and specificity of these communications. You have the right to ask us not to contact you for marketing purposes by following the unsubscribe link or the instructions provided in any email we send or by contacting us at hello@caratsandcake.com. Please note that you may not opt out of communications related to a specific request that you have made.

J. Changes to this Privacy Policy

We may update our Privacy Policy from time to time. This version was last updated on the date indicated above and and historic versions are archived and can be obtained by contacting us. Any changes we may make to our Privacy Policy will be posted on this page and, where appropriate, we will notify you of these changes by e-mail. Please check back frequently to see any updates or changes to our Privacy Policy.

K. Contact us

If you have any questions about this Privacy Policy or about the use or disclosure of your personal data, please contact us at hello@caratsandcake.com.

You may also write to us at:

750 Lexington Avenue
9th Floor
New York, NY 10022

L. Your US State Privacy Rights

Certain U.S. state privacy laws (including those in California, Colorado, Connecticut, Virginia, Texas, and others) provide residents with specific rights. Depending on your state of residence, you may have the right to:

• Request access to personal information we hold;
• Request deletion of personal information we collected from you;
• Request correction of inaccurate personal information;
• Request a copy of certain personal information in portable form;
• Limit the use of sensitive personal information where applicable.

We do not sell or share personal information for targeted advertising and do not conduct cross-context behavioral advertising.

To submit a rights request, contact hello@caratsandcake.com. If we deny your request, you may have the right to appeal the decision.

We do not discriminate against individuals who exercise their privacy rights.

GDPR PRIVACY NOTICE

Last updated: December 13, 2021

This General Data Protection Regulation (“GDPR”) privacy notice (this “GDPR Notice”) applies to “personal data” (as such term is defined in the GDPR) we process relating to natural persons located in the EEA, the UK, or Switzerland, or natural persons who are otherwise subject to the protections of the GDPR by us as a “data controller” as set forth herein (collectively, “Covered Individuals,” “you,” or “your”). This GDPR Notice should be read in conjunction with, and is included in, our Privacy Policy (see above). You should also read our Terms of Use prior to using any of our Services. Any capitalized terms or other terms not defined herein shall have the meaning given to them elsewhere in our Privacy Policy, or, if not defined herein, the GDPR. Any references to the GDPR will be construed as also including the GDPR as it is incorporated into UK law, commonly referred to as the “UK GDPR”.

To the extent of any conflict between this GDPR Notice and any other provision of the Privacy Policy, this GDPR Notice shall control only with respect to Covered Individuals and their personal data. If you are located outside of the EEA, the U.K., or Switzerland, please consult our Privacy Policy.

A. Information processed

Information we collect from you or that you provide us directly through an online form on our Website or by email:

• ​Identity data: name;
• Contact data: postal address, email address, website URL, social media profile handles, and telephone number;
• Financial data: payment card details; and
• Special category data: racial or ethnic origin, religious beliefs, sexual orientation.

Information we collect automatically:

• Technical and usage data: internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.

B. Purposes and Legal Bases

Carats and Cake, Inc., a corporation formed in the State of Delaware, is the data controller of personal data of Visitors, Vendors, and Couples, in each case, for the purposes described in the table below (or otherwise described in this GDPR Notice). Please refer to the “How to Contact Us” section of this GDPR Notice for our contact details. Please note that the category of “Visitors” includes Vendors and Couples, to the extent such Vendors or Couples utilize our Website.

Purpose of Processing

a. Provision of the Services: We use Visitors’ information, such as name and contact information, as necessary for the performance and fulfillment of any agreement between us and Visitors in relation to our Services, such as sharing Vendor information[, or in understanding analytics regarding the Services (e.g., most popular features on our Website)].

b. Wedding Photographs: With a Couple’s consent, we may publish a Couple’s wedding photographs, which may depict data about such Couples and their wedding guests, including special category data.

c. Diversity and Inclusion: As part of our diversity and inclusion principles, we provide Couples an opportunity to self-identify as a member of the LGBTQ+ community. We also provide Vendors an opportunity to self-identify as members of certain gender, racial or ethnic groups. With your consent, we may publish such special category data to our Website.

d. Provision of the Services through Third Parties: We may use your information to offer our Services through a number of third party platforms or integrations as necessary for the performance and fulfillment of any agreement between us and Visitors in relation to our Services.

e. Information Security: Our web servers will log Visitors’ IP addresses and other information (e.g., browser information, operating system, request date/time, referral and exiting URL) in order to maintain an audit log of activities performed. It is within our legitimate interests to use this information to track usage of our Services, combat DDoS or other attacks, and remove or defend against malicious Visitors.

f. General Communications: We will answer email inquiries to ensure Visitor, Vendor, and Couple satisfaction, and to further business relationships; it is within our legitimate interests to do so.

g. Marketing Communications: We will send e-mail marketing communications to Visitors, Vendors, and Couples based on their consent (which can be withdrawn at any time) and based on their preferences.

h. General Business Development: We may process the personal data of Visitors, Vendors, and Couples to further business relationships and ensure their satisfaction (e.g., by answering inquiries per General Communications above) in accordance with our legitimate interests.

i. Digital Advertising and Analytics: We utilize digital advertising and web audience measurement pixel technologies, such as [Facebook Custom Audiences, Google AdWords, and Google Analytics], in each case, pursuant to Visitors’ consent, for purposes of targeted advertising and understanding of Visitors’ use of the Website for optimization purposes. [We upload email addresses via digital properties in reliance on your consent.]

j. Compliance with Applicable Law: We will process Visitors’, Vendors’, and Couples’ personal data in complying with applicable law generally. This includes responding to lawful governmental requests and establishing, exercising, or defending legal claims.

k. Other: We may process Visitors’, Vendors’, and Couples’ personal data for other purposes as otherwise disclosed to you (e.g., via “just-in-time” notices).

We only process your personal data when it is lawful for us to do so. We rely on the following lawful grounds to process your personal data:

• Where required, with the consent of Visitors, Vendors, or Couples;
• Performance of a contract to which the Visitor, Vendor, or Couple is party or in order to take steps at the request of the Visitor, Vendor, or Couple prior to entering into a contract;
• Compliance with a legal obligation to which we are subject;
• Legitimate interests pursued by us or by a third party, as noted above.

When processing special category data, as described above, we are required to satisfy a further special category lawful basis (also known as a special category exemption) before it is lawful for us to process such data. As noted above, with a Couple’s consent, we may publish their wedding photographs to our Website and ask Couples whether theirs is an LGBTQ+ wedding. We may also ask Vendors who wish to share their Vendor profile with us whether they self-identify with certain gender, ethnic, or racial groups. These activities may be considered as processing your special category personal data (for example, data concerning your religious beliefs or sexual orientation, including as may be depicted in wedding photographs), and therefore we require your explicit consent before processing such data. You may withdraw your consent at any time.

C. Recipients

When permitted to so in accordance with applicable laws, we may share your personal data with certain recipients and under certain circumstances, including:

• Our personnel (who are subject to confidentiality obligations and understand the importance of processing personal data securely) process Visitors’, Vendors’, and Couples’ personal data for the purposes listed above;
• Service Providers providing us the following kinds services that help us provide our Services to: cloud storage and web hosting providers, technical assistance and security vendors, database management/back-up services, analytics services, digital marketing services (e.g., marketing automation), and customer relationship management/CRM platforms;
• We may be required to disclose personal data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.  In each of these instances, we will only disclose limited personal data where we are compelled to do so and at all times in accordance with applicable laws;
• In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, would be transferred to the surviving entity in a merger or the acquiring entity pursuant to our legitimate interests relating thereto. All such transfers shall be subject to our continued commitments with respect to the privacy and confidentiality of such personal data as set forth in this GDPR Notice; and
• With our business partners, which may include partners in our ad network.

D. Retention

We process your personal data for as long as we have a legitimate business relationship with such Visitors, Vendors, and Couples, unless deletion is otherwise requested by you. Carats & Cake may also retain certain personal data for internal analysis purposes.

We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for (unless deletion is otherwise requested by you) including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. Should you make a data subject request, we will retain the minimum amount of data necessary to keep a record of your request and the actions we took to address it. 

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

E. Your GDPR Rights

The GDPR provides data subjects with certain rights with regards their personal data.  Depending on the circumstances, you may be able to exercise one or more of the following:

1. Right to lodge a complaint: You have the right to lodge a complaint about our data collection and processing actions with the supervisory authority concerned. Contact details for data protection authorities are available here.

2. Individual Rights: You are entitled to certain rights under the GDPR with respect to personal data that we have processed or collected, to the extent we can sufficiently verify your identity. We have listed below how these rights operate in the context of using our Services. You may contact us at hello@caratsandcake.com to request the exercise of these rights, with the subject line “GDPR Notice”. We will make every effort to respond promptly, and in any case within 30 days of your request (unless an extension is necessary, in which case we shall inform you as such within the timeframe required by applicable law).

a. Your right of access. Upon request, Carats & Cake will provide you with information about whether we hold any of your personal data. We will also provide access to a copy of your personal data that we may hold free of charge.

b. Your right of rectification. You may request to review and update your personal data to ensure it is accurate. [You may update or change certain personal data associated with you by contacting us to notify us of the changes by email or through our Website form.]

c. Your right to be forgotten. You may request to have us erase your personal data that we may hold if the data is no longer necessary for the purpose for which it was collected, you withdraw consent and no other legal basis for processing exists, or you believe your fundamental rights to data privacy and protection outweigh our legitimate interest in continuing the processing. We will inform you which of your personal data may be erased without violating our legal obligations.

d. Your right to restrict our processing. You may ask us to stop or suspend using all or some your personal information in certain scenarios (for example, if we have no legal right to keep using it) or to limit our use of it (for example, if your personal information is inaccurate or unlawfully held).

e. Your right to data portability. You have the right to request a copy of your personal data in a downloadable in machine-readable format and to transmit this to another third party without hindrance from us.

f. Your right to object to processing.  You may object to personal data processed pursuant to our legitimate interest. In such case, we will no longer process your personal data unless we can demonstrate appropriate, overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. You may also object at any time to processing of your personal data for direct marketing purposes by clicking the unsubscribe link within a marketing email. In such case, your personal data will no longer be used for that purpose. Please note that if you opt-out of receiving direct marketing from us, we may still send you important administrative messages via email from which you cannot opt out.

F. Transfer of Personal Data To Outside the EEA or the UK

Your personal data may be transferred and stored outside of the country from which it was collected.  The laws of such countries may not provide for the same levels of protection as the GDPR however, we will take all reasonable steps to ensure that your data is adequately protected in accordance with applicable laws.  Please contact us if you would like further information on this at hello@caratsandcake.com.

G. Updates to this GDPR Notice

If, in the future, we intend to process your personal data for a purpose other than the purpose(s) for which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this GDPR Notice, and the “Last Updated” date at the top of this page will be updated accordingly.

H. How to Contact Us

Please contact hello@caratsandcake.com with the subject line “GDPR Notice” for any questions, complaints, or requests regarding this GDPR Notice.