Invito
Log inCreate Event

Privacy Policy

Last updated: 19 May 2026

Invito is a private RSVP management platform. This page explains how personal data is handled when you create events, add guests, and collect RSVPs.

Who we are

This privacy policy explains how Invito (invi.to) (“Invito”, “we”, “us”) handles personal data when you use our RSVP management platform.

Controller details:
Legal name: Soft Ltd, trading as Invito.
Registered office: 89 C/D London Road, Morden, United Kingdom, SM4 5HP.
Contact email: contact@invi.to.

How this policy applies (hosts and guests)

Invito is used by event hosts to create events, upload guest lists, and collect RSVPs. Guests receive a private invite link and can respond without creating an account.

In many cases, the event host is the data controller for guest list data (names, contact details, and RSVP responses) because they decide why and how that data is used for their event. Invito typically acts as a processor for that guest data, providing the service on the host’s behalf.

Invito is the controller for data we need to run and secure the platform (for example, host account data, billing records, and security/anti-abuse data).

Personal data we process

Depending on how you use the service, we may process:

  • Account data (hosts): email address and authentication/session data.
  • Event data (hosts): event name, dates/times, venue/location, RSVP settings, and similar event configuration you enter.
  • Guest list data (uploaded by hosts): guest name, phone number and (optionally) email address, plus optional relationship/notes fields depending on your configuration.
  • RSVP response data (guests): attendance status, party size details, optional notes, and any custom questions the host has configured.
  • Invite and calendar link tokens: private link identifiers used to access RSVP pages and calendar feeds.
  • Calendar access metadata: subscription timestamps and fetch counts, to operate the calendar feed feature.
  • Technical and security data: basic log/diagnostic data from our hosting and security providers (for example, request logs and anti-bot signals).

We do not intend to collect special category data (for example, health information). Hosts should not upload special category data unless they have a lawful basis and the necessary safeguards.

How we use personal data and our lawful bases

We use personal data for the purposes below, relying on these lawful bases under UK GDPR:

  • To provide the service (create accounts, manage events, send/serve invite links, collect RSVPs, provide calendars). Lawful basis: performance of a contract (where applicable) and legitimate interests.
  • To secure the platform (prevent abuse, detect fraud/bots, enforce rate limits, and maintain service integrity). Lawful basis: legitimate interests.
  • To process payments and keep records for billing and accounting. Lawful basis: performance of a contract and legal obligation (where applicable).
  • To improve reliability (debugging and performance monitoring). Lawful basis: legitimate interests.

Hosts are responsible for ensuring they have a lawful basis to upload and use guest contact details (for example, because you are inviting someone to an event you are organising).

Cookies and similar technologies (PECR)

We use a limited set of cookies that are necessary to operate the service.

  • Essential cookies: used for authentication sessions and security. These are required for the service to function.
  • Preference cookie: we may store your inferred country as invito_country to localise pricing and reduce repeated lookups.
  • Anti-bot protection: we use Cloudflare Turnstile on sign-in and sign-up pages to reduce automated abuse. Turnstile may use its own cookies or similar technologies as part of its operation.

You can usually control cookies through your browser settings. Blocking essential cookies may prevent you from signing in or using host features.

Who we share data with

We share personal data with service providers where needed to operate Invito, including:

  • Cloudflare (hosting/runtime, security, Turnstile, and operational logging/observability).
  • Stripe (payment processing for paid upgrades). We receive payment identifiers and status information from Stripe; we do not store full payment card details on our servers.

We may also share data if required by law or to protect our rights, users, or the public.

International transfers

Some of our service providers may process data outside the UK. Where this happens, we aim to use appropriate safeguards (for example, UK-approved transfer mechanisms) to protect personal data.

How long we keep data

We keep personal data only as long as necessary for the purposes described in this policy, including to provide the service, comply with legal obligations, and resolve disputes.

  • Host accounts: retained while your account is active, then deleted or anonymised within a reasonable period after closure (subject to legal requirements).
  • Events and guest lists: retained until the host deletes the event or account, subject to backups and operational retention.
  • Billing records: retained as needed for accounting, tax, and audit purposes.

Security

We take reasonable technical and organisational measures designed to protect personal data, including encryption in transit, access controls, and monitoring for abuse.

No online service is completely secure. Please keep invite links private and contact us if you believe a link has been shared improperly.

Your rights

Depending on the circumstances, you may have rights under UK GDPR including access, rectification, erasure, restriction, portability, and objection.

If you are a guest, the event host is typically the best first point of contact for requests relating to your invitation and RSVP data. You can also contact us at contact@invi.to and we will help route your request appropriately. We aim to respond within one month of receiving a valid request, in line with UK GDPR.

Automated decision-making

We do not use automated decision-making (including profiling) that produces legal or similarly significant effects on you. Some operational features (such as anti-bot scoring from Cloudflare Turnstile and rate limiting) are automated but are used only to protect the service.

Marketing communications

We do not send marketing emails to guests. If we ever send service-related updates to hosts (for example, material changes to these policies or to the service), they are sent on the basis of legitimate interests or legal obligation. Any optional marketing communications would only be sent with your prior consent, which you could withdraw at any time.

Children's data

Invito is intended for use by adults organising and responding to events. Host accounts are not offered to children under 18. Hosts should not upload guest data relating to children unless they have the necessary authority from a parent or guardian and a lawful basis to do so.

Complaints

You have the right to complain to the UK Information Commissioner’s Office (ICO) if you are unhappy with how your personal data is handled. You can find more information at ico.org.uk.

Changes to this policy

We may update this privacy policy from time to time. We will post the updated version on this page and update the “Last updated” date.

For related terms on using Invito, see our Terms.