Skip to main content
Invyt
Back to Home

Privacy Policy

Last updated: February 14, 2026 | Effective: February 14, 2026

1. Introduction

Vyt, trading as Invyt ("Company," "we," "us," or "our") is an Australian company that respects your privacy and is committed to protecting your personal data in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our event invitation platform ("Service"). This policy also addresses your rights under international privacy laws including the GDPR and CCPA where applicable.

By using the Service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide, including:

  • Account Information: Name, email address, and profile picture when you sign in via Google OAuth
  • Event Information: Event details you create (title, date, time, location, description, host name, event type)
  • Response Information: RSVP responses, guest names, dietary requirements, plus-one details, and messages
  • Payment Information: Payment transactions are processed securely by Stripe. We do not store credit card numbers. We do store transaction records including purchase amounts, fee breakdowns, and payment status for accounting purposes
  • Gift Contribution Information: If you send or receive gift contributions through the Service, we store the gift amount, platform fees, processing fees, and payout amounts
  • Custom Content: Images you upload for custom invitation cards, event gallery photos, or company logos
  • Communications: Bug reports, support requests, and feedback you submit

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

  • Device Information: Browser type, operating system, device type (mobile, tablet, desktop)
  • Usage Data: Pages visited, features used, time spent on the Service
  • Log Data: IP addresses, access times, referring URLs, country (derived from IP)
  • Session Data: We track active sessions including IP address, user agent, device type, browser, and last activity timestamp to manage session security and timeouts
  • Cookies and Local Storage: Small data files stored on your device (see Section 5)

2.3 Analytics and Funnel Tracking

To understand how people use our event creation tools and improve the Service, we collect analytics data about your progress through the event creation process. This includes:

  • Anonymous Tracking Identifier: We generate a random identifier stored in your browser's local storage to track creation flow progress. This identifier does not contain any personal information
  • Funnel Milestones: We record when you start creating an event, select a card design, and complete event details. These records include your device type, browser, country, and referring website
  • Identity Linking: If you later sign in or create an account, we link your anonymous analytics data to your account so we can provide a complete view of your activity

2.4 Browser Storage

We use your browser's local storage and IndexedDB (similar to cookies but stored differently) to:

  • Save draft event details so you can return to them later
  • Store event gallery images locally before upload
  • Remember your display name and email for faster RSVP responses across events
  • Track which events you have responded to
  • Enforce usage limits for anonymous (non-registered) users

This data is stored on your device and is not transmitted to our servers unless you take an action (such as submitting an RSVP or creating an event). You can clear this data at any time through your browser settings.

2.5 Information from Third Parties

We may receive information from:

  • Google OAuth: Basic profile information (name, email, profile picture) when you sign in
  • Stripe: Transaction status, payment confirmations, and webhook notifications for completed payments

3. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Process transactions and send related information (receipts, confirmations)
  • Send event-related communications (RSVP confirmations, event updates, broadcast messages from hosts)
  • Send push notifications about event updates (if you have opted in via your browser)
  • Respond to your inquiries and provide customer support
  • Monitor and analyze usage patterns and trends to improve our creation flow
  • Detect, prevent, and address technical issues, fraud, or abuse
  • Comply with legal obligations

We do not sell your personal information to third parties. We do not use guest data for marketing purposes. Guests who RSVP to events will only receive communications related to that specific event.

4. Information Sharing and Disclosure

We may share your information in the following circumstances:

4.1 Event Participants

When you create an event, event details are shared via the invitation link with anyone who has the link.

When you respond to an event (RSVP), you are asked to consent to your response data being shared with the event host. Your response details (name, attendance status, dietary requirements, messages, plus-one information) are visible to the event host. If the host has granted co-host access to another user, co-hosts can also view your response details through the event dashboard.

4.2 Service Providers

We use third-party services to operate the Service:

  • Stripe: Payment processing for premium features, ticket sales, and gift contributions
  • Vercel: Hosting, infrastructure, and file storage (for uploaded images)
  • Turso: Database services
  • Google: Authentication services (OAuth)
  • Resend: Email delivery (RSVP confirmations, payment receipts, event update broadcasts)

These providers process your information only to perform services on our behalf. Each provider is subject to their own privacy policy and data protection obligations.

4.3 Event Update Broadcasts

Event hosts can send broadcast messages to all confirmed ("going") guests. When a host sends a broadcast, we transmit the update content and your email address to our email delivery provider to send the notification. Hosts cannot see individual guest email addresses through the broadcast feature.

4.4 Legal Requirements

We may disclose information if required by law or in response to:

  • Court orders, subpoenas, or legal process
  • Requests from government authorities
  • Protection of our rights, property, or safety
  • Investigation of suspected fraud or illegal activity

4.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

5. Cookies and Tracking Technologies

We use cookies and similar technologies including browser local storage and IndexedDB to:

  • Keep you signed in to your account
  • Remember your preferences
  • Analyze how the Service is used
  • Track event creation progress for analytics
  • Store draft data and gallery images locally

5.1 Types of Cookies and Storage

  • Essential Cookies: Required for the Service to function (authentication, security, session management)
  • Functional Storage: Remembers your choices, draft event data, and RSVP history (stored in browser local storage and IndexedDB)
  • Analytics: Helps us understand how you use the Service, including anonymous funnel tracking identifiers

5.2 Managing Cookies and Storage

When you first visit the Service, a cookie consent banner allows you to:

  • Accept All: Enable all cookie categories
  • Reject All: Disable all non-essential cookies
  • Manage Preferences: Choose individual cookie categories

You can change your preferences at any time. If you reject analytics cookies, Google Analytics will not load and no usage data will be collected. Most browsers also allow you to control cookies and clear local storage through settings. Note that disabling cookies or clearing local storage may affect the functionality of the Service, including loss of saved draft events and gallery images.

6. Push Notifications

With your consent, we may send browser push notifications about event updates and broadcasts. When you opt in, we store a push subscription endpoint associated with your browser. You can opt out of push notifications at any time through your browser settings. We do not use push notifications for marketing purposes.

7. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this policy. Specifically:

  • Account Data: Retained while your account is active and for 30 days after deletion request to allow for recovery
  • Event Data: Retained for 12 months after the event date, then automatically anonymized or deleted
  • Transaction Records: Retained for 7 years as required by Australian tax and financial reporting obligations
  • Analytics Data: Funnel milestone records are retained for 24 months for trend analysis, then deleted
  • Session Data: Active session records expire after 30 days of inactivity or 24 hours of idle time
  • Log Data: Server logs are retained for 90 days for security and debugging purposes

When data is no longer needed, we securely delete or anonymize it.

8. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • HTTPS encryption for all data transmission
  • Secure authentication via Google OAuth (we never handle or store passwords)
  • Hashed session tokens and admin recovery codes
  • Access controls and data minimization

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

9. Data Breach Notification

In the event of a data breach that is likely to result in serious harm to affected individuals, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. Where applicable, we will also notify relevant authorities under GDPR and other applicable data protection laws.

10. Your Rights and Choices

Depending on your location, you may have the following rights:

10.1 Access and Portability

You can download a copy of your personal data at any time from your account settings. The export includes your profile, events, responses, purchases, and all associated records in machine-readable JSON format.

10.2 Correction

You can request correction of inaccurate or incomplete data.

10.3 Deletion

Account holders: You can delete your account from your account settings. This permanently removes your profile, sessions, and personal data. Financial records required for legal compliance are anonymised rather than deleted.

Event guests: If you responded to an event without creating an account, you can delete your RSVP data using the response secret provided when you submitted your response.

Note that client-side data (browser local storage, IndexedDB) is stored on your device and can be cleared directly through your browser settings.

10.4 Opt-Out of Communications

You can opt out of marketing communications at any time. Event-related communications (such as RSVP confirmations and host broadcasts for events you have confirmed attendance to) are transactional and cannot be opted out of while your RSVP is active.

10.5 Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise these rights, contact us using the details in Section 17. We will respond within 30 days as required by applicable law.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your own, primarily the United States (where our hosting, payment, email, and authentication providers are located). These countries may have different data protection laws.

We take steps to ensure that your data receives adequate protection in accordance with this Privacy Policy and applicable law, including the Australian Privacy Principles regarding cross-border disclosure (APP 8).

12. Children's Privacy

Account creation and event hosting require users to be at least 18 years of age. We do not knowingly collect personal information from children under 18 for the purpose of account registration.

Our Service may be used by parents and guardians to create invitations for children's events (such as birthday parties). In these cases, the parent or guardian is responsible for submitting event details and managing guest responses. Children who receive invitations and submit RSVP responses provide only their name and attendance status. We do not use children's information for marketing or profiling purposes.

If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete it promptly.

13. Australian Privacy Rights

Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), Australian residents have the following rights:

13.1 Access to Personal Information (APP 12)

You have the right to request access to the personal information we hold about you. We will respond to your request within 30 days.

13.2 Correction of Personal Information (APP 13)

You can request that we correct any personal information we hold about you that is inaccurate, out-of-date, incomplete, irrelevant, or misleading.

13.3 Anonymity and Pseudonymity (APP 2)

Where practicable, you have the option to interact with our Service without identifying yourself or by using a pseudonym. You can create events without an account using email verification. Note that some features (such as co-host access) require a registered account.

13.4 Cross-Border Disclosure (APP 8)

We disclose personal information to overseas recipients including our service providers located in the United States (Vercel, Stripe, Google, Resend, Turso). Before doing so, we take reasonable steps to ensure that overseas recipients do not breach the APPs.

13.5 Complaints

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint using the contact details in Section 17. We will investigate and respond within 30 days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

  • Right to Know: What categories of personal information we collect (identifiers, commercial information, internet activity, geolocation data) and how it is used
  • Right to Delete: Request deletion of your personal information
  • Right to Non-Discrimination: Equal service regardless of exercising privacy rights
  • Right to Opt-Out: We do not sell or share personal information for cross-context behavioral advertising

To exercise these rights, contact us using the details in Section 17.

15. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under GDPR:

  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing, including profiling
  • Right to lodge a complaint with a supervisory authority

Our legal bases for processing are:

  • Performance of contract: Providing the Service, processing payments, sending event-related communications
  • Legitimate interests: Analytics and funnel tracking to improve the Service, fraud prevention, session security
  • Consent: Push notifications, marketing communications
  • Legal obligations: Financial record keeping, data breach notification, responding to legal requests

16. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

For significant changes that materially affect how we process your personal information, we will provide at least 30 days' notice via email or a prominent notice on the Service before the changes take effect.

17. Contact Us

If you have questions about this Privacy Policy or our data practices, or wish to exercise any of your rights described above, contact us at:

  • Email: support@invyt.io

For privacy-related complaints, you may also contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO THE COLLECTION AND USE OF YOUR INFORMATION AS DESCRIBED HEREIN.

Terms of Service|Return to Home