Privacy Policy

This Privacy Policy (“Policy”) describes how Open Invite (“we,” “us,” or “our”) collects, uses, and discloses information in connection with the Open Invite application and related services (collectively, the “Service”). By accessing or using the Service, you acknowledge that you have read and understood this Policy.

1. Information We Collect

1.1 Account Information

When you create an account, we collect the following personal information:

• Email address — used for account creation, authentication, and transactional communications (including circle invitations and password reset requests)
• Display name — displayed to other authenticated users of the Service
• Password — cryptographically hashed prior to storage; we do not store or have access to plaintext passwords
• Profile photograph — optionally provided by you, stored in our cloud infrastructure

If you choose to authenticate via Google OAuth, we receive your name, email address, and profile photograph from Google in accordance with your Google account permissions.

1.2 User-Generated Content

In the course of using the Service, you may create and submit the following content:

• Plans (events), including names, descriptions, dates, times, locations, external links, and cover images
• Circles (user-defined groups), including group names and membership information
• Polls, including options, votes, and user-submitted suggestions
• RSVP responses, including attendance status and optional comments
• Comments and emoji reactions on event discussion threads

1.3 Location Data

When you associate a location with a plan or poll, we store the place name and geographic coordinates you provide. We utilize a third-party geocoding service (Photon, operated by Komoot) to convert place names to geographic coordinates. Your search query and, if you have granted browser-level location access, your approximate device coordinates may be transmitted to this service to improve result relevance.

We do not collect, store, or monitor your device location on a continuous or background basis. The “locate me” feature within the map view initiates a single browser geolocation request; the resulting coordinates are processed locally on your device.

1.4 Analytics Data

We utilize Vercel Analytics to collect anonymous, aggregate page-view data (e.g., pages visited and visit frequency). This service operates without cookies, does not identify or track individual users, and does not collect personal information. We do not employ tracking pixels, advertising SDKs, or additional analytics services.

1.5 Cookies and Similar Technologies

We use a single, strictly necessary authentication cookie to maintain your session. We do not use third-party cookies, tracking cookies, or advertising cookies.

2. How We Use Your Information

We process your information for the following purposes:

• Providing the Service — displaying plans, circles, RSVPs, and notifications to authorized users
• Transactional communications — sending circle invitations and password reset emails as initiated by you or other users
• Access control — enforcing visibility restrictions to ensure content is accessible only to intended recipients
• Service improvement — analyzing aggregate, anonymized usage patterns to improve the Service

We do not use your information for advertising, behavioral profiling, or sale to third parties.

3. Third-Party Service Providers

We engage the following third-party service providers to operate the Service. Each provider processes data solely on our behalf and in accordance with their respective privacy policies:

• Supabase (database, authentication, and file storage) — hosts account data and application data on Amazon Web Services infrastructure located in the United States
• Vercel (web hosting and analytics) — serves the application and processes anonymous page-view analytics; may process IP addresses in server logs
• Google OAuth — provides third-party authentication, subject to Google's Privacy Policy
• Resend (email delivery) — processes and delivers transactional emails on our behalf
• Pexels (image search) — processes cover image search queries; no account or personal data is transmitted
• Photon / Komoot (geocoding) — processes location search queries and, where applicable, approximate device coordinates for proximity-based results
• OpenFreeMap (map tiles) — provides base map imagery; no personal data is transmitted

4. Data Sharing and Disclosure

The Service is designed with privacy by default. Your plans are visible only to members of circles you designate or to individuals you directly invite. Your profile information is visible to other users in accordance with your discoverability setting, which you may configure at any time in your account settings.

We do not sell, rent, or trade your personal information. We may disclose information if required to do so by law or in response to valid legal process (e.g., a subpoena or court order).

5. International Data Transfers

The Service is operated from the United States, and your information is stored on servers located in the United States. If you access the Service from outside the United States, including from the European Union or European Economic Area, you acknowledge that your information will be transferred to, stored in, and processed in the United States. We rely on our service providers' compliance with applicable data transfer mechanisms, including the EU-U.S. Data Privacy Framework and Standard Contractual Clauses, where applicable.

6. Data Retention and Deletion

We retain your information for the duration of your account. Upon account deletion (available in Settings), we permanently and irreversibly delete all associated data, including your profile, plans, RSVPs, comments, circle memberships, and notifications.

7. Your Rights and Choices

You may exercise the following rights through the Service:

• Access — view all data you have created within the application
• Rectification — edit your profile, plans, and RSVPs at any time
• Deletion — delete individual plans, comments, or your entire account and all associated data
• Restriction — control the visibility of your profile through discoverability settings, leave circles, and modify sharing preferences on plans

7.1 Rights of EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, the following applies: Our legal bases for processing your personal data are (a) performance of a contract (Article 6(1)(b) GDPR), as processing is necessary to provide the Service you have requested, and (b) legitimate interests (Article 6(1)(f) GDPR), specifically maintaining the security and integrity of the Service and analyzing aggregate usage patterns to improve the Service.

In addition to the rights listed above, you have the right to data portability (all content you have created is accessible through the application interface), the right to object to processing based on legitimate interests (Article 21 GDPR), and the right to lodge a complaint with a supervisory authority. Where processing is based on legitimate interests, we will cease processing upon your objection unless we demonstrate compelling legitimate grounds that override your interests. To exercise any rights not available through the application interface, please contact us at the address below.

7.2 Rights of California Residents (CCPA/CPRA)

If you are a California resident, the following applies: We do not sell personal information as defined under the California Consumer Privacy Act. We do not share personal information for cross-context behavioral advertising purposes. You have the right to know what personal information we collect, to request its deletion, and to opt out of any future sale of personal information. We will not discriminate against you for exercising any of these rights.

8. Children's Privacy

The Service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal information, we will take steps to delete such information promptly. If you believe a child has created an account, please contact us at the address below.

9. Security

We implement reasonable administrative, technical, and physical safeguards to protect your information, including encryption of data in transit and at rest, row-level database security policies, and secure authentication protocols. However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

10. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices or applicable law. The “Effective Date” at the top of this page indicates when this Policy was last revised. For material changes that affect the collection or sharing of your personal information, we will provide notice to active users through the Service prior to the changes taking effect. Your continued use of the Service after such notice constitutes acceptance of the revised Policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Policy or our data practices, please contact us at: privacy@openinvite.biz