meetinginvite.app

Legal

Privacy Policy

Effective date: 30 May 2026

1. Who We Are

meetinginvite.app (“we”, “us”, or “our”) is an online service that allows event organisers (“Hosts”) to create registration landing pages, collect attendee sign-ups, and send calendar invites. This Privacy Policy explains how we collect, use, store, and share personal data when you use our platform — whether as a Host (registered account holder) or as an Event Registrant (someone signing up for a Host’s event).

For the purpose of the UK GDPR and EU GDPR, the data controller for our platform’s own data processing is meetinginvite.app. For data collected through a Host’s registration pages, the Host is the data controller and we act as a data processor on their behalf.

Questions? Contact us at privacy@meetinginvite.app.

2. Data We Collect

2a. Host accounts

When you create a meetinginvite.app account, we collect:

  • Email address and hashed password (via Supabase Auth)
  • Organisation name, brand colour, and logo (if you set them in Settings)
  • Notification preferences
  • Privacy and compliance settings (policy URLs, GDPR toggle, data retention period)

2b. Event Registrants

When someone registers for an event via a Host’s registration page, we collect:

  • First name and last name
  • Work email address
  • Company name (optional)
  • Job title (optional)
  • Consent record (if GDPR consent is enabled by the Host)
  • Registration timestamp

This data is collected on behalf of the Host. The Host is responsible for ensuring they have a lawful basis for collection and have provided their registrants with appropriate notice.

2c. Usage data

Our hosting provider (Vercel) collects standard server logs including IP addresses, browser type, and page requests. We do not use third-party analytics trackers on our platform.

3. How We Use Your Data

Host accounts

  • To provide and maintain your account and dashboard
  • To send transactional emails (e.g., email confirmation, password reset)
  • To notify you when new registrations are received (if enabled)
  • To enforce service limits and prevent abuse

Event Registrants

  • To record your registration and add you to the Host’s event attendee list
  • To send you a confirmation email and .ics calendar invite (on behalf of the Host)
  • To send you event communications if the Host chooses to do so

4. Legal Basis for Processing

We process personal data on the following legal bases:

Processing activityLegal basis
Providing the Host platformPerformance of contract (Art. 6(1)(b))
Sending transactional emails to HostsPerformance of contract (Art. 6(1)(b))
Sending registration confirmations to RegistrantsLegitimate interests (Art. 6(1)(f)) — delivering the service the Registrant signed up for
GDPR-gated registration with explicit consent checkboxConsent (Art. 6(1)(a)) — where the Host has enabled this
Server logging (Vercel)Legitimate interests — security and fraud prevention

5. Data Sharing and Processors

We do not sell personal data. We share data only with trusted processors necessary to operate the service:

ProcessorPurposeLocation
SupabaseDatabase and authenticationUS / EU (configurable)
ResendTransactional email deliveryUS
VercelPlatform hosting and CDNUS / global edge
Google FontsFont loading (Geist font)Google CDN

We have Data Processing Agreements in place with each processor. Transfers outside the UK/EU are covered by Standard Contractual Clauses (SCCs) or equivalent adequacy mechanisms.

6. International Data Transfers

Our primary infrastructure (Supabase, Vercel, Resend) is operated from the United States. Where personal data is transferred from the UK or European Economic Area (EEA) to the US, we rely on the UK International Data Transfer Agreement (IDTA) and the EU Standard Contractual Clauses (SCCs) to ensure an equivalent level of protection.

7. Data Retention

Host account data

We retain your account data for as long as your account is active. When you delete your account, we delete or anonymise your personal data within 30 days, except where we are required to retain it by law.

Registrant data

The Host sets a data retention period in their Privacy & Compliance settings (default: 1 year). We recommend Hosts delete registrant data after their chosen retention period. Actual deletion is currently a manual process for Hosts; we are building automated deletion tooling.

Event Registrants may request deletion of their data at any time by using the Data Request form or by contacting the Host directly.

8. Your Rights Under GDPR

If you are in the UK or EEA, you have the following rights:

  • Right to access — request a copy of your personal data.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure (“right to be forgotten”) — request deletion of your data.
  • Right to restriction — request we limit processing in certain circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, use the Data Request form or email privacy@meetinginvite.app. We will respond within 30 days in accordance with applicable law.

You also have the right to lodge a complaint with your supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO) at ico.org.uk. In the EU, contact your local Data Protection Authority.

9. Cookies

We use only strictly necessary cookies to operate the service. No advertising, analytics, or tracking cookies are used.

CookiePurposeDuration
sb-access-tokenSupabase authentication session token (Host login)1 hour
sb-refresh-tokenSupabase session refresh (keeps Host logged in)30 days

Strictly necessary cookies do not require consent under UK/EU law; however, you are informed about them here in the interest of full transparency. Public event registration pages do not set any cookies.

10. Security

We take appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • Encrypted data transmission (TLS/HTTPS on all connections)
  • Password hashing via Supabase Auth (bcrypt)
  • Row-level security (RLS) policies enforced in the database
  • Admin API access secured via service-role key stored as an environment variable

No method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to industry-standard practices.

11. Children's Privacy

meetinginvite.app is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify Host account holders by email. Continued use of the service after changes constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related questions, requests, or concerns, please contact:

meetinginvite.app — Privacy Team

Email: privacy@meetinginvite.app

Or use the Data Subject Request form