Privacy Policy
Effective May 2, 2026
This Privacy Policy explains how PositionScale ("we", "us", or "our") collects, uses, shares, and protects information when you use RSVP'd, our AI event planning platform, available at rsvpd.ai. We are based in Vancouver, British Columbia, Canada.
We follow Canadian privacy law (PIPEDA), Canada's anti-spam law (CASL), the EU General Data Protection Regulation (GDPR) where it applies, and the California Consumer Privacy Act (CCPA / CPRA) for California residents.
1. What we collect
We collect the following categories of information:
Account information
Name, email address, password (hashed), profile photo (if you sign in with Google, Microsoft, or Apple), and phone number (optional).
Event data
Event details (date, type, venue, cultural profile), guest lists (names, emails, phone numbers, dietary needs, RSVPs, plus-ones), vendor information (business contacts, quotes, contracts, status), checklist items, budget entries, photos, messages, and anything else you input or upload.
Communication data
When you connect Gmail or Outlook, we receive an OAuth token and read messages from vendors so we can route them to the right event channel. When you use shared SMS or WhatsApp numbers, message content flows through our system. We store these messages to display the conversation history. Tokens are encrypted at rest.
Payment data
Plan, subscription status, and Stripe customer/subscription IDs. We do not store full credit card numbers. Stripe processes payment information directly under its own privacy policy.
Usage data
Information about how you use the service, including pages viewed, features used, IP address, browser type, device type, and timestamps. We use this for security, debugging, abuse prevention, and product improvement.
AI interaction logs
We log AI requests and responses (prompts sent to Claude, results returned, costs) for billing, abuse prevention, and quality improvement. These logs are tied to your account and event but are not used to train third-party AI models.
2. How we use it
- Provide, operate, and improve the service
- Authenticate you and secure your account
- Process payments and manage subscriptions
- Send transactional emails (sign-up, password reset, billing receipts, vendor notifications, system messages)
- Generate AI-assisted content at your direction
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations and enforce our Terms
- Send occasional product updates by email — you can unsubscribe at any time
3. Subprocessors
We share data with the following service providers ("subprocessors"), each of whom is contractually required to protect it and use it only for the purposes we specify:
- Cloudflare (USA / global) — hosting, database (D1), file storage (R2), key-value store (KV), AI inference (Workers AI), DDoS protection
- Anthropic (USA) — Claude AI for drafting emails, analyzing contracts, planning suggestions
- Stripe (USA / Canada) — payment processing, subscription billing
- Resend (USA) — transactional email delivery
- Twilio (USA) — SMS delivery (when you use the SMS feature)
- Meta Platforms (WhatsApp Business) (USA / Ireland) — WhatsApp messaging (when you use the WhatsApp feature)
- Google (USA) — Sign-in with Google, Gmail API integration, Google Places API for vendor data
- Microsoft (USA / Ireland) — Sign-in with Microsoft, Outlook / Microsoft Graph API integration
- Apple (USA) — Sign in with Apple
- Google Cloud (Pub/Sub) (USA) — Gmail push notifications for inbound vendor email routing
We will update this list as our subprocessor relationships change.
4. AI processing disclosure
When you use AI features (drafting emails, contract review, vendor classification, planning suggestions), we send the relevant context (event details, vendor information, message history) to our AI providers. We have configured providers to disable training on inputs where supported. AI output is generated automatically and may be inaccurate; review before sending or relying on it.
5. Sharing with collaborators
When you invite collaborators (planners, family, vendors, party members) to your event, they see the data their role grants access to. The couple (or event host) controls these permissions and can adjust them per-member at any time. Vendors only see their own conversation thread; guests only see the public RSVP page and day-of features you publish.
6. Legal disclosures
We may disclose your information if required by law, court order, or valid legal process, or to protect the rights, property, or safety of users, the public, or ourselves. We will notify you when legally permitted to do so.
7. Where we store data
Your data is stored on Cloudflare's global network. Cloudflare D1 databases are regionally distributed; the primary region for your data may be in the United States, Europe, or Asia depending on Cloudflare's placement. Backups and processing may occur in multiple jurisdictions. By using the service, you consent to international transfer of your data, including to the United States, where applicable laws may differ from those of your home country.
8. How long we keep it
- Active account data — for as long as your account is active
- Event data after deletion — soft-deleted for 30 days, then permanently deleted from production. Backups expire within 90 days.
- Messages older than 6 months — automatically archived from D1 to cold storage (R2), still accessible to you but slower to retrieve
- Billing records — retained for 7 years to comply with Canadian tax law
- Security and audit logs — retained for up to 13 months
9. Your rights
You can:
- Access — view your account and event data through the dashboard, or request a full export by emailing us
- Correct — update any field in your account or event data directly
- Delete — close your account in settings, which initiates deletion of your event data
- Export — download event data, guest lists, and vendor records as CSV or JSON from your account
- Object / restrict — ask us to stop or limit certain processing, subject to legal obligations
- Withdraw consent — disconnect Gmail, WhatsApp, or other integrations at any time from settings
- Lodge a complaint — with your local privacy regulator (in Canada, the Office of the Privacy Commissioner; in the EU, your national DPA)
To exercise rights that are not self-serve in the dashboard, email privacy@rsvpd.ai. We will respond within 30 days.
10. Cookies
We use a small number of cookies, all functional:
- Session cookies for authentication (Better Auth)
- CSRF and security cookies
We do not use third-party advertising cookies or cross-site tracking. Anonymized usage analytics may be collected via Cloudflare Web Analytics, which does not use cookies and does not track individuals across sites.
11. Marketing email
We send transactional emails (sign-up, billing, system notifications) without a separate opt-in because you need them to use the service. We may send occasional product updates, tips, or feature announcements; these include an unsubscribe link, and we respect CASL's implied and express consent rules.
12. Children
RSVP'd is not intended for anyone under 18. We do not knowingly collect data from children. If you believe a child has created an account, email us at privacy@rsvpd.ai and we will delete it. Note that wedding guest lists may include minors as plus-ones or family attendees; that data is treated like any other guest data and is the responsibility of the host who entered it.
13. California residents
California residents have additional rights under the CCPA / CPRA, including the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information for behavioural advertising purposes. To exercise CCPA rights, email privacy@rsvpd.ai. We will not discriminate against you for exercising these rights.
14. Security
We use industry-standard measures to protect your data: TLS for transport, encryption at rest for OAuth tokens, hashed passwords (Better Auth defaults), permission scoping per event, and regular security audits. No system is perfectly secure; if we ever experience a breach affecting your data, we will notify you and applicable regulators as required by law.
15. Changes to this policy
We may update this Privacy Policy from time to time. If changes are material, we will notify you by email at least 14 days before they take effect. The "effective date" at the top reflects the latest version.
16. Contact
Privacy questions, data requests, or complaints? Email privacy@rsvpd.ai. You can also reach us at legal@rsvpd.ai for legal matters.