Privacy Policy

Last updated: 17 March 2026

Invito is a private RSVP management platform. This page explains how personal data is handled when you create events, add guests, and collect RSVPs.

Who we are

This privacy policy explains how Invito (invi.to; “Invito”, “we”, “us”) handles personal data when you use our RSVP management platform.

Controller details (please complete before launch):
Legal name: [Your legal entity name]
Registered address: [Your registered address]
Contact email: [Your privacy contact email]

How this policy applies (hosts and guests)

Invito is used by event hosts to create events, upload guest lists, and collect RSVPs. Guests receive a private invite link and can respond without creating an account.

In many cases, the event host is the data controller for guest list data (names, contact details, and RSVP responses) because they decide why and how that data is used for their event. Invito typically acts as a processor for that guest data, providing the service on the host’s behalf.

Invito is the controller for data we need to run and secure the platform (for example, host account data, billing records, and security/anti-abuse data).

Personal data we process

Depending on how you use the service, we may process:

  • Account data (hosts): email address and authentication/session data.
  • Event data (hosts): event name, dates/times, venue/location, RSVP settings, and similar event configuration you enter.
  • Guest list data (uploaded by hosts): guest name, phone number and (optionally) email address, plus optional relationship/notes fields depending on your configuration.
  • RSVP response data (guests): attendance status, party size details, optional notes, and any custom questions the host has configured.
  • Invite and calendar link tokens: private link identifiers used to access RSVP pages and calendar feeds.
  • Calendar access metadata: subscription timestamps and fetch counts, to operate the calendar feed feature.
  • Technical and security data: basic log/diagnostic data from our hosting and security providers (for example, request logs and anti-bot signals).

We do not intend to collect special category data (for example, health information). Hosts should not upload special category data unless they have a lawful basis and the necessary safeguards.

How we use personal data and our lawful bases

We use personal data for the purposes below, relying on these lawful bases under UK GDPR:

  • To provide the service (create accounts, manage events, send/serve invite links, collect RSVPs, provide calendars). Lawful basis: performance of a contract (where applicable) and legitimate interests.
  • To secure the platform (prevent abuse, detect fraud/bots, enforce rate limits, and maintain service integrity). Lawful basis: legitimate interests.
  • To process payments and keep records for billing and accounting. Lawful basis: performance of a contract and legal obligation (where applicable).
  • To improve reliability (debugging and performance monitoring). Lawful basis: legitimate interests.

Hosts are responsible for ensuring they have a lawful basis to upload and use guest contact details (for example, because you are inviting someone to an event you are organising).

Cookies and similar technologies (PECR)

We use a limited set of cookies that are necessary to operate the service.

  • Essential cookies: used for authentication sessions and security. These are required for the service to function.
  • Preference cookie: we may store your inferred country as invito_country to localise pricing and reduce repeated lookups.
  • Anti-bot protection: we use Cloudflare Turnstile on sign-in and sign-up pages to reduce automated abuse. Turnstile may use its own cookies or similar technologies as part of its operation.

You can usually control cookies through your browser settings. Blocking essential cookies may prevent you from signing in or using host features.

Who we share data with

We share personal data with service providers where needed to operate Invito, including:

  • Cloudflare (hosting/runtime, security, Turnstile, and operational logging/observability).
  • Stripe (payment processing for paid upgrades). We receive payment identifiers and status information from Stripe; we do not store full payment card details on our servers.

We may also share data if required by law or to protect our rights, users, or the public.

International transfers

Some of our service providers may process data outside the UK. Where this happens, we aim to use appropriate safeguards (for example, UK-approved transfer mechanisms) to protect personal data.

How long we keep data

We keep personal data only as long as necessary for the purposes described in this policy, including to provide the service, comply with legal obligations, and resolve disputes.

  • Host accounts: retained while your account is active, then deleted or anonymised within a reasonable period after closure (subject to legal requirements).
  • Events and guest lists: retained until the host deletes the event or account, subject to backups and operational retention.
  • Billing records: retained as needed for accounting, tax, and audit purposes.

Security

We take reasonable technical and organisational measures designed to protect personal data, including encryption in transit, access controls, and monitoring for abuse.

No online service is completely secure. Please keep invite links private and contact us if you believe a link has been shared improperly.

Your rights

Depending on the circumstances, you may have rights under UK GDPR including access, rectification, erasure, restriction, portability, and objection.

If you are a guest, the event host is typically the best first point of contact for requests relating to your invitation and RSVP data. You can also contact us using the details above and we will help route your request appropriately.

Complaints

You have the right to complain to the UK Information Commissioner’s Office (ICO) if you are unhappy with how your personal data is handled. You can find more information at ico.org.uk.

Changes to this policy

We may update this privacy policy from time to time. We will post the updated version on this page and update the “Last updated” date.

For related terms on using Invito, see our Terms.