Logo

Privacy Policy

Last updated: October 23, 2025

We respect your privacy. This policy explains what we collect, why we collect it, how we use it, and the choices you have. It covers both organizers and participants.

Table of Contents

1. Data We Collect

Organizers

  • Account data: name, email, Google account identifier (via Google sign-in with Supabase).
  • Event data: title, description, date/time, location, visibility settings (link-only, passcode), custom questions.
  • Invitee lists (optional): names/emails you upload or enter for invitations.
  • Support & billing (if applicable): correspondence, subscription status (we do not store card numbers).

Participants

  • RSVP details: name or nickname, RSVP status (yes/no/maybe), guests count, optional comments/answers to organizer questions.
  • Technical data: IP address, user-agent, and basic logs for fraud/spam prevention and service operation.
  • Optional account: if you create an account, we associate RSVP history with it.

All Users

  • Usage analytics (if enabled): page views, feature usage, aggregated funnels (via PostHog).
  • Device/diagnostics: coarse location inferred from IP, error logs, performance metrics.
  • Avoid sensitive data: we do not request special-category data (health, religion, etc.). Don’t include it in events or RSVP notes.

2. How We Use Data

  • Provide and improve the Service (create/manage events, collect/show RSVPs, send transactional emails).
  • Prevent abuse and ensure security (rate limiting, spam detection, troubleshooting).
  • Communicate with you (service notices, account security; marketing only with consent).
  • Comply with law (e.g., legal requests, tax or accounting if applicable).

4. Sharing & Third Parties

  • With organizers: participant RSVP details are shared with the event organizer and, if enabled by the organizer, may be visible to invitees.
  • Service providers (subprocessors): we use:
    • Supabase (database; auth tokens after Google sign-in)
    • Google (sign-in provider via OAuth; Google may set its own cookies on Google domains during sign-in)
    • Hetzner Cloud (EU hosting/compute)
    • Coolify (self-hosted PaaS/orchestration on our Hetzner infrastructure)
    • PostHog (analytics; runs only with consent if enabled)
    • Email (SMTP or third-party transactional email, if configured)
  • Legal: we may disclose information if required by law or to protect users and the Service.
  • No sale or cross-context behavioral “sharing”: we do not sell personal data.

We may update this list; material changes will be reflected here.

5. Cookies & Local Storage

Essential

Session/auth cookies (after Google sign-in via Supabase), RSVP tokens to let you update your response, and security cookies. Examples include Supabase auth cookies such as sb-access-token and sb-refresh-token (or project-scoped variants), plus an event-scoped rsvp_token if used. These are required for core functionality.

Note: During Google sign-in, Google may set cookies on its own domains (e.g., accounts.google.com); we do not control those cookies.

Analytics (Optional)

PostHog may set cookies or use local storage to understand usage and improve the Service. Analytics only run with your consent via our cookie banner. You can change preferences anytime.

6. Data Retention

  • Events & RSVPs: kept until the organizer deletes them; inactive/ended events may be archived and auto-deleted after 18 months.
  • Account data: retained while your account is active; deleted upon request or after 24 months of inactivity.
  • Logs: typically 12 months for security/diagnostics.
  • Backups: rolling backups typically 30–35 days before purge.
  • Cookie consent records: stored for up to 13 months.

After these periods, data is deleted or irreversibly anonymized unless a longer period is required by law.

7. Security

We implement appropriate technical and organizational measures, including encryption at rest/in transit via our providers, access controls, and monitoring. No method is 100% secure, but we work to protect your information. If a breach poses a high risk to you, we will notify you without undue delay and inform the relevant authority where required.

8. International Transfers

Our primary hosting is in the EU (Hetzner Cloud). Some providers (e.g., email or analytics) may process data outside your country depending on configuration. Where data is transferred outside the EEA/UK, we rely on safeguards such as Standard Contractual Clauses (SCCs) or equivalent. If PostHog is self-hosted on our Hetzner infrastructure, analytics data remains in the EU; if using PostHog Cloud, PostHog’s regional settings and terms apply. Google, as your sign-in provider, may process limited account information per its own policies.

9. Your Rights (GDPR & CCPA)

Access & Portability

Get a copy of your data.

Rectification

Fix inaccurate or incomplete data.

Erasure

Request deletion where applicable.

Restriction & Objection

Limit or object to certain processing.

Withdraw Consent

For analytics/marketing, anytime.

CCPA Requests

Right to know, delete, and non-discrimination.

We do not sell or “share” personal information as defined by the CCPA. To exercise rights or appeal a decision, contact us.

Request Data / DeletionDo Not Sell or Share (CCPA)

You may also lodge a complaint with your local Data Protection Authority.

10. Controller vs Processor

  • We are a Controller for platform-level data (accounts, security logs, analytics if enabled).
  • We act as a Processor for participant RSVP data we handle on behalf of organizers. Organizers are independent Controllers for the invitee data they collect and must meet their own obligations (e.g., provide notices, respect deletion requests).
  • A Data Processing Addendum (DPA) is available for organizers upon request.

11. Children’s Privacy

The Service is not intended for children under 16. Organizers must be 18+. If you believe a child provided us personal data, contact us to delete it.

12. Changes to This Policy

We may update this Privacy Policy as our Service evolves or laws change. Material changes will be communicated via e-mail or in-app notice.

13. Contact Us

Have a privacy question or request? Reach out:

privacy@rsvpevents.applegal@rsvpevents.app
This Privacy Policy is effective as of October 23, 2025