Legal

Privacy Policy

Last updated: June 30, 2025

1. Overview

Celebra ("we", "our", "us") operates the Celebra platform at celebra.in — a marketplace connecting customers with event service vendors across India. This Privacy Policy explains what personal data we collect, how we use it, and the rights you have over it.

By using Celebra — whether as a customer or a registered vendor — you agree to the practices described in this policy. If you do not agree, please discontinue use of the platform.

2. Data We Collect

We collect the following categories of data, depending on how you use Celebra:

All Users (Customers & Vendors)
Email addressCollected during login via OTP. Used for authentication only.
Session tokenA SHA-256 hashed token stored in a secure httpOnly cookie. Expires in 30 days.
IP addressLogged by our hosting infrastructure (Vercel) for security and abuse prevention.
Usage dataPages visited, search queries, vendors viewed. Used to improve the platform.
Registered Vendors (Additional)
Business nameDisplayed publicly on your vendor profile.
Phone numberDisplayed publicly so customers can contact you directly.
Business locationCity and state shown on your profile for discoverability.
Service descriptionYour business story, services offered, and pricing range.
Photos / cover imageUploaded to Supabase Storage and displayed on your public profile.
Instagram handleOptional. Displayed on your profile if provided.
Customer Activity
Saved vendorsVendors you bookmark. Linked to your account.
Contact historyRecord of vendors you have contacted. Visible only to you.
Reviews writtenStored with your display name and rating. Visible publicly.

We do not collect payment information, Aadhaar, PAN, or any government ID. We do not use passwords — authentication is entirely OTP-based.

3. How We Use Your Data

  • Authentication: Your email is used solely to send a one-time password (OTP) and verify your identity. We do not share it with vendors or third parties for marketing.
  • Platform functionality: Your saved vendors, contact history, and reviews are used to power features of your account dashboard.
  • Vendor discoverability: Vendor profile data (business name, city, category, phone, photos) is shown publicly to help customers find the right vendor.
  • Service communications: We may email you to notify you of application status (vendors), OTP codes, or important policy changes. We do not send promotional emails without your consent.
  • Platform improvement: Aggregated, anonymised usage data is used to understand how the platform is used and improve it.
  • Safety & compliance: We may use data to investigate abuse, enforce our Terms & Conditions, and comply with applicable law.

4. Vendor Data — How It Is Handled

When you register as a vendor on Celebra, your business profile is stored in our database and displayed publicly once approved by our team. Here is specifically how vendor data is handled:

  • Public profile data (business name, category, city, phone, description, services, pricing, photos) is visible to all visitors of Celebra without requiring them to log in.
  • Photos are stored in Supabase Storage under a vendor-specific folder. Each vendor can upload up to 20 gallery images and one cover image.
  • Lead records — when a customer clicks "Call" or "WhatsApp" on your profile, a lead event is recorded and visible to you in your Vendor Dashboard. No customer personal data is shared with you from this action beyond what the customer chooses to share directly.
  • Reviews are permanently associated with your profile. You may reply to reviews through your dashboard. Reviews are visible publicly.
  • Profile deletion: If you delete your business profile from the dashboard, all associated data — photos, leads, and profile details — is permanently removed. Reviews may be retained in anonymised form for platform integrity.
  • Data removal request: You may also submit a formal data removal or update request if you no longer have access to your account.

5. Customer / User Data — How It Is Handled

  • Email: Stored in our database linked to your account. Not shared with vendors. Used only for authentication (OTP) and essential platform communications.
  • Session: Your login session is stored as a hashed token in a secure httpOnly cookie. It cannot be accessed by JavaScript. Sessions expire after 30 days of inactivity.
  • Saved vendors & contact history: Stored in your account and visible only to you. Not shared with vendors or third parties.
  • Reviews: Your written reviews are public and attributed to your account. You may delete your account to request removal, but historical reviews may be retained in anonymised form.
  • Account deletion: You may delete your account from your profile settings. This removes your email, session data, saved vendors, and contact history. Alternatively, email us at support@celebra.in to request manual deletion.

6. Third-Party Services

Celebra uses the following third-party services that may process your data:

SupabaseOur database and file storage provider. Data is stored on Supabase-managed PostgreSQL servers. See supabase.com/privacy.
VercelOur hosting and deployment platform. Handles server infrastructure and edge CDN. See vercel.com/legal/privacy-policy.
Gmail (Google SMTP)Used to send OTP emails and transactional notifications via Nodemailer. Your email address is transmitted to Google's SMTP servers to deliver the email. See policies.google.com/privacy.

We do not sell your data to any third party. We do not use advertising networks or tracking pixels. We do not share your email with any marketing service.

7. Data Retention

Session tokensDeleted automatically after 30 days of inactivity, or immediately on logout.
OTP codesExpire after 5 minutes and are deleted from the database once used or expired.
User accountsRetained until you delete your account. Email us at support@celebra.in for deletion requests.
Vendor profilesRetained until the vendor deletes the profile from the dashboard or submits a removal request.
Vendor photosDeleted from Supabase Storage when the associated vendor profile or image is removed.
ReviewsRetained for platform integrity. May be anonymised if the associated account is deleted.
Leads & contact eventsRetained for the vendor's analytics. Deleted when the vendor profile is deleted.

8. Your Rights

You have the following rights with respect to your personal data:

  • Access: Request a copy of the data we hold about you.
  • Correction: Update inaccurate or incomplete data (via your account settings or by emailing us).
  • Deletion: Request deletion of your account and associated personal data.
  • Portability: Request your data in a structured, machine-readable format.
  • Withdrawal of consent: Stop using the platform at any time. You may also email us to have your data removed.

Vendors specifically may submit a profile update or removal request here.

To exercise any of these rights, email us at support@celebra.in. We will respond within 7 business days.

9. Security

We take security seriously and have implemented the following measures:

  • Passwords are never stored — authentication is exclusively OTP-based.
  • Session tokens are hashed using SHA-256 before storage.
  • Sessions are stored in httpOnly, Secure cookies inaccessible to JavaScript.
  • All Supabase tables have Row Level Security (RLS) enabled.
  • HTTP headers include Content-Security-Policy, X-Frame-Options: DENY, HSTS, and Referrer-Policy.
  • OTP codes expire in 5 minutes and are rate-limited to 3 sends per 10 minutes.

Despite these measures, no system is 100% secure. In the event of a data breach, we will notify affected users within 72 hours via email.

10. Children's Privacy

Celebra is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, please contact us at support@celebra.in and we will delete the account promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify registered users via email. Continued use of the platform after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy, contact us at:

Celebra Support

Email: support@celebra.in

Platform: celebra.in

Vendors may also use our Vendor Data Request form for profile update or removal requests.