Privacy Policy

Last updated: 6 May 2026

This is the privacy policy for Invitee (“the Service”). It explains what personal data we collect, why, how long we keep it, and how you control it. We aim for the data-minimization principle of GDPR and the European Data Protection Board: collect only what we need, keep it only as long as necessary.

1. Who is the data controller

The operator of Invitee acts as the data controller. For data requests (access, export, deletion, rectification) please use the contact form while signed in.

2. What we collect

Email address — when you sign in. Used as your account identifier and to send sign-in links and account notifications.
Invitation content — everything you put in the editor (names, dates, photos, RSVP email, schedule). Stored as JSON in your account.
Published events — once you publish, the same content plus a public slug; rendered for any visitor with the link.
RSVP data — for any guest who responds: their name, optional email, attendance status, optional dietary needs and message. Submitted by guests, visible to the host.
Audit data — on publish, we hash and store the IP address and user-agent. The IP is hashed with SHA-256 (we never store the raw IP).
Sign-in tokens — transient: the SHA-256 of magic-link tokens, used once and expired after 30 minutes.
OAuth identifiers — if you sign in with Google or Facebook, we store the provider, your verified email, and the provider’s user ID for that account.

We do not collect: tracking cookies for advertising, browser fingerprints, location data, contact lists, payment information.

3. Cookies

We use strictly-necessary cookies only:

PHPSESSID — identifies your sign-in session. Set after you click a magic link. Cleared on sign-out or after browser session ends.

No analytics cookies, no advertising cookies, no third-party trackers.

4. How long we keep your data (retention schedule)

Data	Retention	Why
Your account & drafts	While you actively use it	Product utility
Inactive accounts	Deleted after 24 months without sign-in	Data minimization
Published events	Archived 30 days after the event date if no recent edits; image data removed, slug preserved for 12 months	Hosts often want post-event reference
RSVPs	Up to 90 days after the event date, then deleted with the event	Guest privacy
Publish IP hash + user-agent	6 months	Abuse investigation
Magic-link token records	30 days	Already useless; debug aid
Rate-limit counters	2 hours	Auto-cleared
Abuse reports (the report itself)	5 years	Legal evidence; DSA moderation record
Server access logs (Hostinger)	Per Hostinger’s policy	Out of our direct control

You can request immediate deletion of any data using the “Delete my account” button in the studio (signed-in users) or the contact form. We honor erasure requests within 30 days.

5. Who we share data with

We share data with these processors strictly to operate the Service:

Hostinger — web hosting and database. Server location: EU.
Hostinger SMTP — sends sign-in links and account notifications.
Google / Facebook (only if you sign in with them) — verifies your email.

We do not sell, rent, or trade your data. We do not run third-party advertising or analytics that track you.

6. Where data is stored

All data is stored on Hostinger servers within the European Union. We do not transfer personal data outside the EU/EEA.

7. Your rights under GDPR

If you’re in the EU/EEA you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — correct inaccurate data (you can edit most directly in the studio)
Erasure (right to be forgotten) — use the “Delete my account” button or contact us
Portability — export your invitations and RSVPs in a common format (JSON; we’ll send on request)
Restriction — pause processing of your data
Objection — object to specific processing
Withdraw consent — for any processing based on your consent
Lodge a complaint with your national data protection authority (Italy: Garante per la protezione dei dati personali)

To exercise any of these rights, sign in and use the contact form. Standard response time: 30 days.

8. Children

The Service is not intended for users under 16. If you become aware of a user under 16, please report it via the contact form — we will delete the account.

9. Security

All connections forced HTTPS
Sessions are httponly + SameSite=Strict cookies
IP addresses stored only as SHA-256 hashes
Magic-link tokens: random 256-bit, single-use, 30-minute expiry, only the SHA-256 hash is stored
Database access restricted to the application; admin rate-limited (8 attempts / 15 min)

10. Changes

We may update this policy. Material changes are reflected in the “last updated” date above. If you have an account, we’ll email you about substantive changes.

11. Contact

For data requests, questions, or concerns, sign in and use the contact form or see the Terms of Use.