Privacy Policy

Last updated: October 23, 2025

We respect your privacy. This policy explains what we collect, why we collect it, how we use it, and the choices you have. It covers both organizers and participants.

1. Data We Collect

Organizers

  • Account data: name, email, Google account identifier (via Google sign-in with Supabase), and profile image URL if provided by Google.
  • Event data: title, description, location, date/time, event time zone, RSVP deadline, and recurrence flag (if enabled).

Participants

  • RSVP details: name, RSVP status (accepted/declined), and (if you are logged in) your account email.
  • Technical data: IP address, user-agent, and basic logs for fraud/spam prevention and service operation.
  • Optional account: if you create an account, we associate RSVP history with it.

All Users

  • Usage analytics (if enabled): page views, feature usage, aggregated funnels (via PostHog).
  • Device/diagnostics: error logs and performance metrics.
  • Avoid sensitive data: we do not request special-category data (health, religion, etc.). Don’t include it in events or RSVP notes.
  • Support communications: content of messages you send to us (e.g., email support requests).
  • Feedback submissions: information you submit through our feedback form, if you choose to use it.

We collect data directly from you, from your Google account if you sign in, and from organizers when they create events.

2. How We Use Data

  • Provide and operate the Service (create/manage events, collect/show RSVPs).
  • Prevent abuse and ensure security (rate limiting, spam detection, troubleshooting).
  • Communicate with you (service notices, account security, support responses; marketing only with consent).
  • Provide optional calendar features you request (Google Calendar link or iCal download).
  • Comply with law (e.g., legal requests, tax or accounting if applicable).

4. Sharing & Third Parties

  • With organizers: participant RSVP details are shared with the event organizer.
  • Event visibility: event pages are accessible to anyone with the event link and include the event title, description, date/time, and location. Organizers control how widely links are shared.
  • Service providers (subprocessors): we use:
    • Supabase (database; auth tokens after Google sign-in)
    • Google (sign-in provider via OAuth; Google may set its own cookies on Google domains during sign-in)
    • Hetzner Cloud (EU hosting/compute)
    • Coolify (self-hosted PaaS/orchestration on our Hetzner infrastructure)
    • PostHog (analytics; runs only with consent if enabled)
    • Email (SMTP or third-party transactional email, if configured)
  • Calendar providers: if you choose to add an event to Google Calendar, event details are sent to Google and handled under Google’s own policies.
  • Feedback tools: if you submit feedback via Google Forms, your submission is processed by Google under its own policies.
  • Legal: we may disclose information if required by law or to protect users and the Service.
  • No sale or cross-context behavioral “sharing”: we do not sell personal data.

We may update this list; material changes will be reflected here.

5. Cookies & Local Storage

Essential

Session/auth cookies (after Google sign-in via Supabase) and security cookies. Examples include Supabase auth cookies such as sb-access-token and sb-refresh-token (or project-scoped variants). These are required for core functionality.

Note: During Google sign-in, Google may set cookies on its own domains (e.g., accounts.google.com); we do not control those cookies.

Analytics (Optional)

PostHog may set cookies or use local storage to understand usage and improve the Service. Analytics only run with your consent via our cookie banner. We store your choice in localStorage (key: cookie-consent) and re-request consent after 13 months. You can withdraw consent by clearing that storage or by contacting us, and we will reset your preferences.

6. Data Retention

  • Events & RSVPs: kept until the organizer deletes them; inactive/ended events may be archived and auto-deleted after 18 months.
  • Account data: retained while your account is active; deleted upon request or after 24 months of inactivity.
  • Logs: typically 12 months for security/diagnostics.
  • Support communications: retained for as long as needed to resolve your request and for record-keeping, typically up to 24 months.
  • Analytics: retained for up to 13 months and then deleted or aggregated.
  • Backups: rolling backups are typically kept for 30–35 days before purge.
  • Cookie consent records: stored for up to 13 months in localStorage.

After these periods, data is deleted or irreversibly anonymized unless a longer period is required by law.

7. Security

We implement appropriate technical and organizational measures, including encryption in transit and at rest via our providers, role-based access controls, Supabase Row Level Security (RLS), and monitoring. No method is 100% secure, but we work to protect your information. If a breach poses a high risk to you, we will notify you without undue delay and inform the relevant authority where required.

8. International Transfers

Our primary hosting is in the EU (Hetzner Cloud). Some providers (e.g., Google OAuth, email, or analytics) may process data outside the EEA/UK. Where data is transferred outside the EEA/UK, we rely on safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions. If PostHog is self-hosted on our Hetzner infrastructure, analytics data remains in the EU; if using PostHog Cloud, PostHog’s regional settings and terms apply. You can request a copy of applicable safeguards by contacting us.

9. Your Rights (GDPR)

Access & Portability

Get a copy of your data.

Rectification

Fix inaccurate or incomplete data.

Erasure

Request deletion where applicable.

Restriction & Objection

Limit or object to certain processing.

Withdraw Consent

For analytics/marketing, anytime.

To exercise your rights, contact us at the email below. We may ask you to verify your identity (e.g., via your account email). We respond within one month, and may extend by two months for complex requests.

We do not use automated decision-making with legal or similarly significant effects.

You may also lodge a complaint with your local Data Protection Authority.

10. Controller vs Processor

  • We are a Controller for platform-level data (accounts, event data, security logs, analytics if enabled).
  • We act as a Processor for participant RSVP data we handle on behalf of organizers. Organizers are independent Controllers for the RSVP data they collect and must meet their own obligations (e.g., provide notices, respect deletion requests).
  • A Data Processing Addendum (DPA) is available for organizers upon request at invit.social@gmail.com.

11. Children’s Privacy

The Service is not intended for children under 16 (or the age of digital consent in their country). Organizers must be 18+. If you believe a child provided us personal data, contact us to delete it.

12. Changes to This Policy

We may update this Privacy Policy as our Service evolves or laws change. Material changes will be communicated via email or in-app notice.

13. Contact Us

Controller contact details:
[Legal Entity Name]
[Registered Address]
[City, Country]

If required, our EU/UK representative is: [Representative Name, Address]. If a DPO is appointed, contact: [DPO Email].

Have a privacy question or request? Reach out:

This Privacy Policy is effective as of October 23, 2025.