Privacy Policy

1. Who we are and scope

RSVPhere.app ("RSVPhere", "we", "us", "our") is an event invitation and RSVP service operated by H Factor Limited. This Privacy Policy explains how we collect, use, share, and protect personal information when you use our website, hosted events, and related services. It applies to event hosts ("Hosts"), event guests ("Guests"), and visitors to rsvphere.app.

This policy provides a general overview of our practices. It is not legal advice. If you have specific questions, contact us at privacy@rsvphere.app.

2. Our role: Controller and Processor

Depending on the context, H Factor Limited acts in one of two capacities under the EU/UK General Data Protection Regulation ("GDPR") and the Thailand Personal Data Protection Act B.E. 2562 (2019) ("PDPA"):

As Data Controller

When we collect and process personal information for our own purposes — such as Host account registration, authentication, billing, fraud prevention, platform analytics, and our own service communications — H Factor Limited determines the purposes and means of processing and is the Data Controller.

As Data Processor

When a Host uses RSVPhere to create events, invite guests, and collect RSVPs, we process that guest information strictly on behalf of, and under the documented instructions of, the Host. In that context the Host is the Data Controller and RSVPhere is the Data Processor.

If you are a Guest and want to exercise your data rights for a specific event (for example, access or deletion of your RSVP), please contact the Host of that event directly. We will assist Hosts in responding to such requests as required by law. A Data Processing Agreement (DPA) is available to Hosts on request at privacy@rsvphere.app.

3. Personal data we collect

From Hosts

• Account details: name, email address, password (hashed), authentication identifiers (e.g. Google sign-in ID).
• Profile information you choose to add.
• Billing identifiers and subscription status (full card details are handled by Paddle, not by us — see Section 6).
• Event content you create: titles, descriptions, dates, locations, images, and guest lists you upload.
• Support and feedback messages you send us.

From Guests

• Information submitted via an RSVP form: name, email address, attendance status, +1 details, dietary preferences, answers to custom questions configured by the Host.
• Any other information a Host chooses to collect through their event.

From all users and visitors

• Usage data: pages viewed, features used, referring URLs.
• Device and log data: IP address, browser type, operating system, timestamps.
• Cookies and similar technologies (see Section 10).

4. How we use your data

• To operate, maintain, and improve the service.
• To deliver invitations, reminders, and transactional emails on behalf of Hosts.
• To provide analytics, reporting, and event management tools to Hosts.
• To manage subscriptions, billing, and customer support.
• To prevent fraud, abuse, and security incidents and to enforce our Terms.
• To send service announcements and, with your consent where required, marketing communications (which you can opt out of at any time).
• To comply with legal, regulatory, and tax obligations.

5. Legal basis for processing

Where the GDPR or Thai PDPA applies, we rely on the following lawful bases:

• Performance of a contract. Processing necessary to provide the service to Hosts and to fulfil event invitations and RSVPs.
• Legitimate interests. Running and improving the service, securing the platform, preventing fraud, and sending essential service communications, where these interests are not overridden by your rights.
• Legal obligation. Complying with applicable laws, including tax, accounting, and responses to lawful requests from authorities.
• Consent. Where required, for non-essential cookies and optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.

6. Sharing and disclosure

We do not sell your personal information. We share data only as described below:

• Service providers (sub-processors). Hosting, database, email delivery, analytics, and customer support providers acting on our instructions under appropriate contracts.
• Hosts. A Host can view RSVP information submitted by their own Guests.
• Legal and safety. Where required by law, court order, or to protect the rights, property, or safety of users or the public.
• Business transfers. In connection with a merger, acquisition, or sale of assets, subject to confidentiality protections.

Merchant of Record. Our order process is conducted by our online reseller Paddle.com. Paddle is the Merchant of Record for all orders and handles checkout, payment processing, subscription billing, tax compliance, invoicing, refunds, and related customer service. Paddle collects payment information directly from buyers and acts as an independent data controller for the personal data it processes during checkout. See Paddle's Buyer Terms and Privacy Notice.

7. International data transfers

RSVPhere is a global service. Your personal data may be transferred to, stored in, and processed in countries outside your own, including outside the European Economic Area (EEA), the United Kingdom, and Thailand. Where we transfer personal data from these regions to a country that has not been deemed to provide an adequate level of protection, we put appropriate safeguards in place — typically the European Commission's Standard Contractual Clauses (SCCs), and the UK International Data Transfer Addendum (IDTA) where applicable.

8. Data retention

We retain personal data only for as long as necessary to fulfil the purposes set out in this policy or as required by law:

• Host account data. Retained while your account is active. If you close your account, we delete or anonymise associated data within 90 days, except where retention is required by law.
• Guest event data. Retained in accordance with the Host's instructions and applicable law. We typically retain event data for up to 12 months after the event concludes, after which it is anonymised or deleted, unless the Host requests earlier deletion.
• Billing and transaction records. Retained as required for tax, accounting, and legal purposes, typically up to 7 years.
• Encrypted backups. Retained for up to 90 days before permanent deletion.
• Support correspondence. Retained for as long as needed to resolve issues and for a reasonable period afterwards.

9. Your rights

Depending on where you live, including the EEA, UK, and Thailand, you have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — request that we correct inaccurate or incomplete data.
• Erasure — request deletion of your personal data, subject to legal exceptions.
• Restriction — ask us to limit how we process your data.
• Portability — receive your data in a structured, commonly used, machine-readable format.
• Objection — object to processing based on legitimate interests or to direct marketing.
• Withdraw consent — where processing is based on consent, withdraw it at any time.
• Complain — lodge a complaint with your local supervisory authority.

How to exercise these rights. Hosts can manage most of their data directly in Account Settings or by contacting us at privacy@rsvphere.app. We respond within one month, as required by GDPR. Guests should contact the Host of the relevant event (the Data Controller for that event); we will assist Hosts in fulfilling those requests.

10. Cookies and tracking

We use a small number of essential cookies for authentication and session management, and limited analytics cookies to understand how the service is used. Where required by law, we ask for your consent before setting non-essential cookies. You can also manage cookies through your browser settings.

11. Security

We use industry-standard technical and organisational measures to protect personal data, including encryption in transit, access controls, hashed credentials, and regular reviews. No system is perfectly secure, but we work to protect your data and to detect and respond to incidents promptly.

12. Data breach notification

Where a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by GDPR Article 33. Where we are the Data Controller and the breach is likely to result in a high risk to you, we will also notify affected users directly. Where we act as a Data Processor on behalf of a Host, we will notify the Host without undue delay so they can meet their own notification obligations.

13. Notice to residents of Thailand (PDPA)

If you are in Thailand, your personal data is processed in accordance with the Personal Data Protection Act B.E. 2562 (2019) ("PDPA"). In addition to the rights listed in Section 9, you have the right to file a complaint with the Personal Data Protection Committee (PDPC) if you believe our processing of your personal data violates the PDPA. Where we rely on your consent to process personal data, you may withdraw that consent at any time; this does not affect the lawfulness of processing carried out before withdrawal.

14. Children's privacy

The service is not directed at children under 13, and we do not knowingly collect personal information from them. If you believe a child has provided us with personal data, please contact us so we can remove it.

15. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the service or by email. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

16. Contact us

H Factor Limited is the data controller responsible for personal data processed under this policy (except where we act as a Data Processor for a Host, as described in Section 2). For privacy questions, data requests, or to request our Data Processing Agreement, contact us at privacy@rsvphere.app.