Privacy Policy

Last updated: February 19, 2026

1. Introduction

At Convitly (“we”, “us”, or “our”), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our website and digital invitation platform (the “Service”). By using the Service, you consent to the practices described in this policy.

2. Data Controller

The data controller responsible for your personal data is Convitly, based in Portugal. For any data-related enquiries, please contact us at hello@convitly.com.

3. Information We Collect

We may collect the following types of data:

  • Account information: name, email address, and authentication credentials when you create an account.
  • Invitation content: photos, text, music selections, and other materials you upload to create your invitation.
  • RSVP data: guest names and responses submitted through integrated RSVP forms.
  • Payment information: billing details processed securely by our payment provider (Stripe). We do not store your full card details on our servers.
  • Usage data: information about how you interact with the Service, including pages visited, actions taken, browser type, device type, and IP address.
  • Cookies and tracking: data collected through cookies and similar technologies (see Section 8 below).

4. How We Use Your Data

We use your personal data for the following purposes:

  • To provide and operate the Service, including creating, hosting, and delivering your digital invitation.
  • To process payments and manage your account.
  • To communicate with you about your account, orders, and support requests.
  • To improve and personalise the Service through analytics and usage data.
  • To comply with legal obligations and enforce our Terms and Conditions.

5. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

  • Contract: processing necessary to perform our contract with you (providing the Service).
  • Consent: where you have given explicit consent, such as for optional analytics cookies.
  • Legitimate interests: to improve our Service, prevent fraud, and ensure security.
  • Legal obligation: to comply with applicable laws, regulations, or legal proceedings.

6. Data Sharing and Third Parties

We do not sell your personal data. We may share data with the following third-party service providers who assist in operating the Service:

  • Supabase: authentication and database hosting.
  • Stripe: payment processing.
  • Google Forms: RSVP form integration.
  • PostHog: product analytics.
  • Vercel: website hosting and delivery.
  • Zoho: email communications.
  • Cloudflare: DNS and domain management.

These providers process data on our behalf and are contractually obligated to handle your data securely and in accordance with applicable data protection laws.

7. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfil the purposes described in this policy. When your data is no longer needed, we will securely delete or anonymise it. Specifically:

  • Account data is retained for the duration of your account and a reasonable period thereafter.
  • Published invitation content is retained for the availability period communicated at the time of purchase.
  • Payment records are retained as required by tax and accounting regulations.

8. Cookies

We use cookies and similar technologies to improve your experience and analyse usage. The types of cookies we use include:

  • Essential cookies: required for the Service to function (e.g., authentication, session management).
  • Analytics cookies: help us understand how visitors interact with the Service (e.g., PostHog).

You can manage your cookie preferences through your browser settings or through the cookie consent banner displayed on our website.

9. Your Rights

Under the GDPR and applicable Portuguese law, you have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure: request deletion of your personal data (“right to be forgotten”).
  • Restriction: request that we restrict processing of your data in certain circumstances.
  • Portability: request your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests or for direct marketing purposes.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at hello@convitly.com. We will respond within 30 days.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS/SSL), secure authentication, and access controls. However, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.

11. International Transfers

Some of our third-party service providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, to protect your data.

12. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. We encourage you to review this policy periodically. Continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

14. Contact

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at hello@convitly.com.

You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD) if you believe your data protection rights have been violated.