Data Processing
Agreement.

1. Parties

Data Controller: You — the couple or individual who creates a Ki Shadi portal and determines the purposes and means of processing personal data about your guests, vendors, and other participants.

Data Processor: TEK2 Ltd, trading as Ki Shadi, registered in Pakistan. We process personal data on your behalf, strictly in accordance with your instructions and this agreement.

2. Nature and purpose of processing

Ki Shadi processes personal data for the following purposes, on your instruction:

• Issuing and validating invitation tokens for your named guests
• Delivering your private photo gallery, livestream, and group chat to authorised guests
• Facilitating digital gift contributions via Stripe
• Generating audit logs of access events for your review

We process only the categories of personal data you provide: names, email addresses, phone numbers, IP addresses (for token binding), and any content uploaded to the platform by you, your guests, or your vendors.

3. Duration

This agreement is in force from the date your portal is created until the completion of the Burn Sequence for your event. The Burn Sequence initiates automatically seven days after your event date, unless you request an extension (maximum 30 days). After the Burn Sequence completes, we hold no personal data subject to this agreement.

4. Your obligations as data controller

As data controller, you are responsible for:

• Having a lawful basis for processing your guests' personal data (typically, legitimate interest in organising your private event)
• Informing your guests that their contact details will be used to issue a private invitation to your Ki Shadi portal
• Ensuring that any content you upload does not infringe the rights of third parties
• Exercising the data subject rights of your guests when requested (we will support you in doing so)

5. Our obligations as data processor

Ki Shadi commits to:

• Processing personal data only on your documented instructions
• Ensuring that personnel authorised to process personal data are bound by confidentiality obligations
• Implementing appropriate technical and organisational security measures (see our Security page)
• Assisting you in responding to data subject access requests
• Deleting all personal data upon completion of the Burn Sequence
• Notifying you within 72 hours of becoming aware of a personal data breach

6. Sub-processors

We use the following sub-processors. You consent to their use by accepting these terms:

• Microsoft Azure (UK South / South Asia) — cloud infrastructure, storage, and key management
• Stripe (EU) — payment processing and gift escrow
• SendGrid (EU) — transactional email delivery (invitation links, audit log delivery)

We will notify you of any intended change to this list at least 30 days in advance, giving you the opportunity to object before the change takes effect.

7. International transfers

Personal data is stored in the Azure region that corresponds to your chosen jurisdiction (UK South for UK-based couples, South Asia region for South Asia-based couples). We do not transfer personal data outside your chosen region except where required to provide the service (e.g., Stripe payment processing). All transfers are governed by Standard Contractual Clauses.

8. Governing law

This agreement is governed by the laws of Pakistan and, where applicable, the UK GDPR and EU GDPR. For EU-based data controllers, it additionally incorporates the EU Standard Contractual Clauses (Controller-to-Processor) in their current form.

9. Contact

Data protection queries: privacy@ki-shadi.com