Privacy Policy

The data controller is InvitiApp, owned by Duribe Tech, operational contact at duribe@invitiapp.com. If you contact us about your data, we respond in English or Spanish.

We do not have a designated representative in the European Union or the United Kingdom. If you reside in those regions, you may contact your country's data protection authority.

Account: name, email, profile picture (if synced from Google/Auth0), Auth0 internal identifier, preferred language, country detected by IP, and optionally phone number.

Content you upload: titles, descriptions, dates, locations, photos, videos, audio, dress code, itinerary, FAQs, and notes for each invitation or event. Also the custom RSVP questions you define.

Guests (third-party data): when you add guests to an invitation, we store their name and optionally their email or phone so they can RSVP. You are responsible for having authorization to share that data with us.

Event management: vendor categories, quotes (with attachments), budget, itinerary, task list, and collaborators you invite.

Usage and technical: IP address, browser (user agent), country/city detected by CloudFront, unique visitor identifier (cookie), unique view count per invitation, and error logs. If you accept push notifications, we store the browser endpoint and cryptographic keys.

Marketing attribution: UTM parameters, click IDs (gclid, fbclid, ttclid, msclkid), referrer, and landing page. Stored in two cookies (inv_ft 180 days, inv_lt 30 days) and associated with your account when you sign up.

Payment: if you purchase Premium, the payment processor (Lemon Squeezy) receives your financial information. We only store the amount, method, and a transaction identifier — we never see your card.

• Operate the service: create, display, and deliver your invitations; send transactional emails and WhatsApp messages (RSVP confirmations, view-limit notifications).
• Prevent abuse and fraud: detect misuse of the free plan and protect the platform.
• Improve the product: measure what works, debug errors, and understand usage patterns in aggregate.
• Communication: respond to support and send operational communications (not marketing unless you opt in).
• Comply with legal obligations when applicable.

Where GDPR (EU/UK) or equivalent laws apply:

• Performance of the contract to operate your account and deliver the requested service.
• Consent for non-essential cookies (analytics and attribution) and push notifications.
• Legitimate interest to prevent abuse, measure aggregate usage, and improve the platform.
• Legal obligation when an authority requires information or we must retain records for tax or accounting reasons.

For residents in Mexico (LFPDPPP) and Colombia (Law 1581/2012), processing is carried out under the consent you grant when creating an account or accepting this policy.

We do not sell your data. We share it only with providers that help us operate the service (data processors), under contract and only as necessary.

We will also share data if you ask us to (for example when inviting a collaborator to your event), if a legally competent authority requires it, or if necessary to investigate a security incident.

Current sub-processor list. This section is updated when we add or replace a provider.

Our primary infrastructure is in the United States (AWS us-east-1). If you reside outside the US (EU, UK, Mexico, Colombia, etc.), your data is transferred to and processed in the United States.

For transfers from the EU/UK we rely on the Standard Contractual Clauses (SCC) our providers include in their terms. For transfers from Colombia or Mexico we rely on your consent when accepting this policy.

• Draft invitations (no date or no location) are automatically deleted two days after their last edit.
• Inactive free invitations (no views for more than six months and over six months old) are automatically deleted with all associated data (guests, photos, video).
• Premium (paid) invitations are kept indefinitely until you delete them or close your account.
• Account data is kept while your account is active. When you close it, we delete associated data within 30 days, except where a legal obligation requires retention (e.g., tax records for up to 5 years in some jurisdictions).
• Public reviews you publish remain visible unless you request removal.

You have the right to:

• Access your personal data.
• Rectify inaccurate or incomplete data.
• Erase your data ('right to be forgotten'), except where legally required to retain.
• Restrict or object to processing in certain circumstances.
• Port your data to another provider in a structured format.
• Withdraw consent at any time (does not affect the legality of prior processing).
• File a complaint with your country's data protection authority.

To exercise any of these write to duribe@invitiapp.com. We respond within 30 days. To verify identity we may ask for additional information.

We use cookies to operate the service, remember your preferences, and measure usage. The complete list is in our Cookie Policy.

We apply reasonable technical and organizational measures: encryption in transit (TLS), authentication managed by Auth0, role-based access controls, database backups, and production error monitoring. No online system is 100% secure; if you spot an issue, contact the privacy address above.

The platform is not directed to children under 13. We do not knowingly collect data from children under that age; if you believe a child has provided us data, contact us to remove it.

To create an account you must be at least 18 years old or of legal age in your jurisdiction. If you are a host inviting minors as guests, you are responsible for having authorization from their parents or guardians.

If we update this policy we publish the new version here and change the 'Last updated' date. If changes are material (affect your rights), we notify you by email or on the platform before they take effect.

For anything related to your personal data or this policy, write to duribe@invitiapp.com. For general support use duribe@invitiapp.com.