Privacy Policy
Plain language summary
We collect only what we need to run Wrtyn. We will never sell your personal information (name, email, phone, event details). We may sell or share pseudonymized, aggregated data that cannot identify you. You control your analytics and marketing preferences, and you can change them at any time. Here is exactly what we collect, why, and what you can do about it.
What we collect and why
Account information (required)
When you sign up, we collect:
| Data | Why | How long |
|---|---|---|
| First and last name | Display your identity in the app and on invites | Until you delete your account |
| Email address | Log you in, send transactional emails (password resets, event notifications) | Until you delete your account |
| Password | Authenticate you. Stored as a one-way hash (bcrypt). We cannot read your password. | Until you delete your account |
| Date of birth | Verify you meet the minimum age requirement (13+, COPPA compliance) | Until you delete your account |
| Phone number (optional) | Contact preference for event coordination if you choose to provide it | Until you delete your account or remove it |
Event data
When you create events, we store:
- Event details (name, date, location, description, settings)
- Guest lists (names, emails, RSVP status, dietary preferences, plus-ones)
- Media you upload (photos, logos)
- Template configurations for invite sites
- Ticket sales data and check-in records
- Messages sent through our messaging system
This data exists to power the features you use. We do not sell your event data or guest lists.
Technical data (automatic)
When you use Wrtyn, our servers automatically log:
- IP address (for security, rate limiting, and abuse prevention)
- Browser type and version
- Device type (desktop/mobile)
- Timestamps of requests
Server logs are retained for 90 days, then deleted.
Your consent choices
During signup you explicitly accept or reject each of the following. You can change any of these at any time from your Settings page. Changes take effect immediately.
Web Analytics
- What we collect: Pseudonymized usage data: pages you visit, features you use, time spent, browser type, screen size.
- What is NOT included: Your name, email, event content, or guest data.
- Purpose: Understand which features are used, find bugs, improve the product.
- How: Umami (self-hosted, privacy-focused analytics). No data sent to Google or other ad networks.
Mobile Analytics
- What we collect: App usage patterns: screens visited, feature usage, app version, device model.
- What is NOT included: Your name, email, event content, or guest data.
- Purpose: Improve the mobile experience and fix crashes.
- How: Compliant with Apple's App Tracking Transparency (ATT). We ask permission before tracking.
Marketing Emails
- What we collect: Occasional emails about new features, product updates, and event planning tips.
- What is NOT included: We will not email you on behalf of a third party or share your email with advertisers.
- Purpose: Keep you informed about Wrtyn improvements.
- How: Sent by us directly. Every email includes a one-click unsubscribe link.
Partner Data Sharing
- What we collect: Pseudonymized, aggregated usage statistics shared with research, marketing, and business partners. Example: '40% of users create events with custom templates.'
- What is NOT included: Your name, email, phone number, event details, or any data that could identify you.
- Purpose: Support product research and business partnerships.
- How: Data is aggregated across many users before sharing. Individual behavior is not disclosed.
Pseudonymized means we replace your identity with a random identifier. The data shows usage patterns but cannot be traced back to you without additional information that we keep separately and securely.
Cookies
| Cookie | Purpose | Required? | Duration |
|---|---|---|---|
| Session cookie | Keeps you logged in | Required | Expires when you log out or after 30 days of inactivity |
| Analytics cookie | Tracks page views if you opted in | Optional (web analytics consent) | Expires after 24 hours |
We do not currently use advertising cookies, social media tracking pixels, or fingerprinting techniques. If this changes, we will update this policy and notify you in advance.
Third-party services
We share data with these services only as needed to operate:
| Service | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing for ticket sales and subscriptions | Payment details (card info goes directly to Stripe, we never see it), transaction amounts |
| Email provider | Sending transactional and marketing emails | Your email address and name |
| Cloud hosting | Storing your data and serving the application | All application data (encrypted at rest and in transit) |
We may share pseudonymized, aggregated data with business partners (see Partner Data Sharing consent above). We do not share your personal information with advertising networks, data brokers, or social media platforms. We do not currently embed third-party tracking scripts from Google, Facebook, or similar companies.
How we protect your data
- All data is encrypted in transit (TLS/HTTPS) and at rest.
- Passwords are hashed using bcrypt. We cannot read or recover them.
- Session tokens are stored in HttpOnly, Secure cookies to prevent XSS attacks.
- We implement rate limiting to prevent brute-force attacks.
- Database access is restricted to the application layer with role-based permissions.
- We maintain an audit trail of all consent changes (when you granted or revoked each consent, from which IP).
Your rights
You can always:
- Access your data - Your account, events, and guest lists are visible in the app. For a full data export, email [email protected].
- Correct your data - Edit your profile, events, and guest information directly in the app.
- Delete your data - Delete your account from Settings, or follow the step-by-step instructions on the Account & Data Deletion page (works without signing in). Personal data is removed within 30 days. Backup copies are purged within 90 days.
- Change consent - Toggle any consent option from your Settings page at any time.
- Data portability - Request a machine-readable export of your data by emailing [email protected].
If you are in the EU/EEA, you have additional rights under GDPR including the right to restrict processing and to lodge a complaint with your local data protection authority.
Guest privacy
If someone invites you to an event through Wrtyn, the event organizer collected your information. They are the data controller. We process your data on their behalf to deliver the invitation, track RSVPs, and support the event.
- You can manage your RSVP and preferences from your invite link.
- You can request the event organizer to remove your information.
- If you cannot reach the organizer, contact us at [email protected] and we will assist.
Children's privacy
Wrtyn is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete their account and data promptly.
Data retention
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account + 30 days |
| Event data | Until you delete the event or your account + 30 days |
| Server logs | 90 days |
| Consent audit trail | 7 years (legal compliance) |
| Billing records | 7 years (tax/legal compliance) |
| Backup copies | Up to 90 days after deletion |
Changes to this policy
When we make changes, we update the date at the top and email registered users about material changes at least 14 days before they take effect.
Contact
Privacy questions? Email [email protected] or use our contact page.