Privacy Policy

Information organizers provide

• Account details: your name, email address, password (stored as a salted hash), and authentication tokens. If you sign in with Google, we receive your Google account email, name, and profile picture URL from Google.
• Event content: event name, date, time, location, hosted-by line, dress code, paragraph descriptions, design choices (palette, fonts, background style), uploaded images for the dress code carousel, registry items, menu items, seating layouts, and QR-code logo images.
• Guest list data: the names, phone numbers, and email addresses of people you invite. You are responsible for ensuring you have an appropriate basis to upload this information (see Terms of Service).
• Invitation messaging: the templates and personalized messages you compose for guests, along with metadata about whether and when each invite was sent.

Information guests provide

• RSVP responses: name, accept/decline status, guest count, additional guest names, dietary restrictions, free-text messages, and optional questions for the organizer.
• Menu selections: the menu choices a guest submits with their RSVP.
• Registry claims & suggestions: the items a guest reserves or proposes, and the name they enter when claiming.
• One-time verification codes: when a guest amends a prior RSVP, we send a short code to the phone number or email on file to verify it's really them. Codes are short-lived and not retained after expiry.

Information collected automatically

• Device and usage data: IP address, browser type and version, operating system, referring page, pages visited, and timestamps. We use this to operate the Service, secure it, and diagnose problems.
• Error reports: when something goes wrong in the application, our error-monitoring provider (Sentry) captures the error, a stack trace, and surrounding context (which may include your IP address, browser, and the route you were on). We use this only for debugging and reliability.
• Bot protection: Cloudflare Turnstile runs on certain forms to distinguish humans from bots. Turnstile collects browser characteristics for that purpose; SimplyRSVP does not see the raw signals.

• Provide the Service: render event sites, deliver invitations, save RSVPs, sync the dashboard in real time, and process file uploads.
• Communicate with you: send sign-in links, verification codes, password resets, account-related notices, and (with your action) WhatsApp or email invitations and reminders to your guests.
• Secure the Service: rate-limit abuse, detect suspicious sign-ins, and investigate violations of the Terms.
• Improve the Service: understand which features are used and where users get stuck, fix bugs, and ship reliability improvements.
• Comply with the law: meet legal obligations and respond to lawful requests from public authorities.

We do not sell your personal information, and we do not use guest data for advertising or to train machine-learning models.

We rely on a small number of trusted vendors to operate SimplyRSVP. Each receives only the minimum information needed for its function and is contractually required to protect it.

• Convex — our managed database and serverless backend. Stores event content, guest lists, RSVPs, design settings, registry items, menu items, and uploaded files.
• Better Auth — our authentication layer. Manages email/password sessions, Google OAuth, organization membership, and email verification.
• Google — when you choose “Sign in with Google,” Google handles your sign-in and shares basic profile information with us. Google Maps is also used to display venue locations and resolve place searches.
• Resend — transactional email delivery for invitations, verification codes, RSVP notifications, and password resets.
• Twilio — outbound WhatsApp messaging for guest invitations and reminders. If WhatsApp is disabled in our configuration, this provider is not contacted for your events.
• Cloudflare — Turnstile (bot protection) and edge network for performance and DDoS mitigation.
• Sentry — error monitoring and performance traces. Events are tunneled through our own domain, so Sentry does not see your IP unless the report itself contains it.

We may share information with additional providers in the future. We'll update this page when we do.

If you are in the European Economic Area, the United Kingdom, or another region with similar rules, we process your information on the following bases:

• Performance of a contract — to give you the Service you signed up for.
• Legitimate interests — to secure the Service, prevent fraud, and improve our product, balanced against your rights.
• Consent — where the law requires it (for example, certain non-essential cookies). You can withdraw consent at any time.
• Legal obligation — where we must process information to comply with the law.

We use a small number of cookies and similar technologies that are strictly necessaryto operate the Service:

• Session cookies to keep you signed in.
• Security cookies set by Cloudflare and Turnstile to detect abuse.
• Local storage on your device to remember your design palette previews and other interface preferences.

SimplyRSVP does not currently use third-party advertising or analytics cookies. If we add an analytics provider, we will update this page and, where required, ask for your consent.

We keep information only as long as needed:

• Account data is retained while your account is active. If you delete your account, we delete or anonymize associated personal data within 30 days, except where we are required to retain it (for example, to comply with the law or resolve disputes).
• Event content and guest data is retained while the parent event organization exists. When an organizer deletes an event, all guest data, RSVPs, registry claims, menu selections, seating assignments, and uploaded images for that event are deleted.
• Verification codes are deleted shortly after they expire.
• Server logs and error reports are kept for a limited period (typically up to 90 days) for security and debugging.

Depending on where you live, you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete information.
• Delete your account and the personal data associated with it.
• Export a copy of your data in a portable format.
• Object to or restrict certain processing.
• Withdraw consent where processing is based on it.
• Lodge a complaint with a data protection authority.

To exercise any of these rights, email us at support@simplyrsvp.io.

If you are a guest of an event and want to access, correct, or delete data on that event's site, please contact the event organizer directly — they control the guest list. You may also reach out to us, and we will pass your request along.

We use industry-standard safeguards to protect information, including encryption in transit (HTTPS), encryption at rest for stored data, hashed-and-salted passwords, multi-tenant isolation at the application layer, rate limiting, and strict Content-Security-Policy headers. No internet service can guarantee absolute security, but we work hard to minimize risk.

Our service providers may process information in the United States and other countries. Where required by law, we rely on appropriate safeguards such as Standard Contractual Clauses to protect international transfers.

SimplyRSVP is intended for adults. The Service is not directed to children under 13 (or the equivalent age in your jurisdiction), and we do not knowingly collect personal information from them. If you believe a child has provided personal data to us, contact us and we will delete it.

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. Material changes will be highlighted by email or in-app notice where appropriate.

Questions, requests, or concerns? Email us at support@simplyrsvp.io.