Last Updated: December 6, 2025
Introduction
InviteDay ("we," "our," or "the app") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal information when you use our mobile application.
Information We Collect
1. Information You Provide
- Event Data: When you create an event invite, you provide event information including title, date, time, location, and description.
- RSVP Responses: When recipients respond to invites, we collect their names and response status (yes, maybe, no).
- Short Link Data: We generate and store short links for easy event sharing.
2. Automatically Collected Information
- Subscription Information: We collect information about your subscription status through RevenueCat to manage future Pro subscription features.
- Usage Data: Basic app usage data to improve the service (planned for future updates).
How We Use Your Information
We use your information to:
- Create and host event invite pages
- Track and display RSVP responses in real-time
- Generate shareable short links for events
- Manage your subscription (future feature)
- Provide customer support
- Improve the app experience
Data Encryption & Security
π Bank-Level Encryption
Your RSVP data is protected with industry-standard encryption:
- AES-256-GCM Encryption: All RSVP responses (names, emails, dietary preferences) are encrypted on your device before being sent to our servers.
- Zero-Knowledge Architecture: Only you, the event creator, can decrypt and read RSVP responses. Our servers store encrypted data but cannot read it.
- Client-Side Key Derivation: Encryption keys are generated on your iPhone/iPad using PBKDF2 (100,000 iterations) and never leave your device.
- Transport Security: All communications use HTTPS/TLS 1.3 encryption.
What this means for you: Invited guests cannot see other people's RSVP responses. Only you, the event creator, can view who has responded to your event.
Automatic Data Deletion
ποΈ Privacy-First: 7-Day Auto-Delete
To protect your privacy and comply with GDPR data minimization principles, we automatically delete event data from our cloud database 7 days after your event ends.
What Gets Deleted:
- All RSVP responses (encrypted and metadata)
- Event details (title, description, location, dates)
- Short links (invite URLs stop working)
What Stays on Your Phone:
- Your event history and RSVP stats remain cached locally in the InviteDay app
- You can still view past events for your records
- Cached data is labeled "(Cached)" in the app
After Deletion:
- β Invite links return a "Event has ended" page
- β No one can RSVP to expired events
- β RSVP data is permanently deleted from our servers
- β Only you retain access to historical stats on your device
Cleanup Schedule: Automatic deletion runs daily at 3:00 AM UTC using a secure database function.
Third-Party Services
Supabase (Backend Infrastructure)
We use Supabase to store and manage:
- Event data (titles, dates, locations, descriptions)
- Encrypted RSVP responses (server cannot decrypt)
- Short link mappings
- All communications use HTTPS encryption
- Data Location: EU-hosted servers (Frankfurt, Germany)
- Supabase Privacy Policy: https://supabase.com/privacy
RevenueCat (Subscription Management)
We use RevenueCat to manage in-app subscriptions (planned feature):
- Processes your purchase information and subscription status
- RevenueCat Privacy Policy: https://www.revenuecat.com/privacy
- RevenueCat DPA: https://www.revenuecat.com/dpa
Data Storage and Retention
- Local Storage: Your created events are stored locally on your device using SwiftData (encrypted by iOS).
- Cloud Storage: Event invite pages and encrypted RSVP responses are stored in Supabase database.
- Automatic Deletion: All event data and RSVPs are automatically deleted 7 days after the event ends.
- Manual Deletion: You can delete events anytime before the auto-delete period in the app settings.
- Short Links: Short links expire when the event is deleted (automatic or manual).
Who Can See Your Data
- Event Creator (You): Full access to all event details and RSVP responses via the InviteDay app.
- Invited Guests: Can only see public event details (title, date, time, location). Cannot see other people's RSVP responses.
- InviteDay/Servers: Store encrypted RSVP data but cannot decrypt or read responses due to zero-knowledge architecture.
- Third Parties: We do NOT sell or share your data with advertisers or data brokers.
Your Rights Under GDPR
If you are in the European Economic Area (EEA), you have the following rights:
- Right to Access: You can request a copy of your personal data.
- Right to Deletion: You can request deletion of your events and RSVP data by deleting them in the app or contacting us.
- Right to Rectification: You can correct inaccurate data directly in the app.
- Right to Data Portability: You can export your event data.
- Right to Object: You can object to data processing by not using certain features.
- Right to Restrict Processing: You can limit how we process your data.
To exercise any of these rights, please contact us at kettunen.miika@gmail.com.
Data Security Measures
We implement multiple layers of security:
- End-to-End Encryption: AES-256-GCM encryption for all RSVP data
- Secure Key Storage: Encryption keys derived on-device, never transmitted
- Transport Security: HTTPS/TLS 1.3 for all network communications
- Database Security: Row-level security policies in Supabase PostgreSQL
- Access Controls: Authentication required for all database operations
- No Payment Data: We never handle credit cards (managed by Apple/RevenueCat)
- Automatic Deletion: Data minimization through 7-day auto-delete policy
Children's Privacy
InviteDay is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us immediately.
Pricing & Subscription
Current Status: Free for All Users
InviteDay is currently free to use with all features available. We plan to introduce optional subscription features in the future, but core event creation and RSVP tracking will remain available.
International Data Transfers
Your data is primarily stored in EU-hosted servers (Supabase Frankfurt). If you are outside the EU, your data may be transferred to and processed in the EU. We ensure adequate safeguards are in place for such transfers in compliance with GDPR.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by updating the "Last Updated" date at the top of this policy and, if changes are significant, by providing a notice in the app.
Contact Us
If you have questions about this Privacy Policy or want to exercise your GDPR rights, please contact us:
Email: kettunen.miika@gmail.com
Developer: Miika Petteri Kettunen
Address: Talvionpolku 1, 04300 Tuusula, Finland
Privacy Summary
- π RSVP data encrypted with AES-256-GCM (bank-level security)
- π Zero-knowledge: Only you can decrypt RSVP responses
- ποΈ Automatic deletion: All data removed 7 days after event ends
- ποΈ Privacy-first: Guests cannot see other people's responses
- π« We do NOT sell your data to third parties
- β You can delete your events anytime in the app
- β Full GDPR rights: access, delete, port your data
- π EU-hosted servers (Frankfurt, Germany)
- β Currently free - subscription features coming soon