RSVP Platform
Sign in

Privacy Policy

Effective Date: May 11, 2026

1. Introduction

RSVP Platform("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our event RSVP platform and related services.

RSVP Platformis a multi-tenant platform: independent organizations ("Organizers") use our service to host events and manage RSVPs. When you RSVP to an event, the Organizer is the primary controller of your information for that event. We act as a service provider to the Organizer (a data processor under GDPR) and as a controller of account-level data for Organizer admins. This Policy covers what we, the platform, collect and do with your data; the Organizer's own privacy practices may also apply.

2. Information We Collect

Information you provide when you RSVP

  • Name (first and last)
  • Email address
  • Phone number (when the Organizer requires it)
  • Party size and any notes for the Organizer
  • The ticket or pricing option you choose at RSVP (when the Organizer offers multiple options), the day(s) you selected on multi-day events, and any later changes you make to that selection
  • Any answers you provide to custom questions the Organizer has added to their RSVP form. Custom questions are configured by the Organizer; you control whether to answer optional ones. Free-text answers are stored as you submit them, so do not include information you do not want the Organizer to receive.
  • Payment metadata — amount due, amount paid (if any), the payment method the Organizer recorded (e.g., Stripe, Venmo, cash), and any refund details the Organizer enters (refund method, reference identifier, amount, date). We do not process or store payment card information on our servers (see “Payments” below).
  • Check-in status at the event
  • Waitlist status when the event uses a waitlist (whether you are waiting, have been offered a seat, and whether the offer has expired or been accepted)
  • An optional 0–5 internal rating an Organizer may record alongside your RSVP when their event uses an approval workflow. The rating is visible only to the Organizer's own administrators (never to other Participants or other Organizers) and is used by the Organizer to decide which RSVPs to approve. See Section 9 for your right to request a copy of any rating held about you.

Information you provide when you create an account

  • Email address
  • Password (stored only as a one-way hash by our authentication provider — we never see your plaintext password)
  • Two-factor authentication enrollment (optional, recommended for organization administrators)
  • Role within an organization (admin, staff) when invited by an Organizer

Automatically collected information

We automatically collect your IP address and browser-level metadata when you interact with our platform. This information is used for:

  • Rate limiting to prevent abuse of our authentication and RSVP endpoints
  • Security monitoring and threat detection
  • IP blocklist enforcement to protect against malicious actors
  • Audit logging of administrative actions for accountability
  • Diagnosing errors when something goes wrong

IP addresses are stored in security event logs and audit logs. These logs are retained as necessary for security and compliance purposes and are not sold or shared for marketing.

Information from electronic waivers (optional)

When an Organizer requires participants to sign an electronic waiver before attending, we route you to our waiver provider, Smartwaiver. The waiver itself is collected and stored by Smartwaiver under its privacy policy. Once you complete it, Smartwaiver notifies us via webhook so we can mark your RSVP as ready for check-in. We store: your waiver completion timestamp, the waiver record id, the email Smartwaiver associated with your signature, and a link to the signed PDF (hosted by Smartwaiver). We do not see or store the contents of the waiver document.

3. How We Use Your Information

We use the information we collect to:

  • Process and manage your RSVP for events you sign up for
  • Send transactional emails — RSVP confirmations, payment instructions, "you're set" emails with your check-in QR code, waitlist notifications, and event reminders
  • Generate the QR code that lets the Organizer check you in at the event
  • Generate Apple Wallet and Google Wallet passes containing your check-in QR code when you choose to save your RSVP to a wallet
  • Operate any waitlist the Organizer enables — placing you on the list when an event is full, sending you a seat-offer email when one becomes available, and recording whether the offer was accepted before its expiration
  • Track refund records when the Organizer marks a refund as issued (the Platform does not move funds — see Section 5)
  • Support the Organizer's internal review and ranking workflow when their event uses one
  • Allow Organizers to send you event-related messages (e.g., last-minute updates, weather notices)
  • Provide secure account access and authentication for Organizer admins and staff
  • Detect and prevent fraud, abuse, and unauthorized access
  • Maintain audit trails of administrative actions taken in your Organizer's account
  • Comply with legal obligations and respond to lawful requests
  • Diagnose, fix, and improve platform reliability

4. Information Sharing

We share your information in the following circumstances:

  • With the Organizer of the event you RSVP'd to. The Organizer receives the information you provide on the RSVP form (name, email, phone, party size, notes, custom answers, ticket / day selection), your payment and refund status, your waiver status, and any internal review notes their own administrators add to your RSVP. Each Organizer can only see RSVPs for their own events — never another Organizer's data. Organizer admins may export their event's RSVPs as a CSV file (including custom answers and any internal notes their team has recorded) to support running the event off-platform; the export inherits the Organizer's data-handling obligations under our Terms of Service.
  • With service providerswho help us operate the platform, as described in the “Third-Party Service Providers” section below. Each provider processes data only for its specific purpose and under its own privacy policy.
  • For legal reasons — when required by law, subpoena, or court order, or to protect the rights, safety, or property of RSVP Platform, our users, or the public.

Public event pages and search engines.When an Organizer publishes an event, the event's public detail page (title, description, date, location, host organization, and any lineup or imagery the Organizer chose to include) is accessible to anyone with the link and is listed in our public sitemap so that search engines can index it. The sitemap and public event pages do not include any Participant data — your RSVP is private to you and the Organizer.

We do not sell your personal information. We do not share participant data with marketing networks, advertisers, or data brokers.

5. Payments

RSVP Platform does not process credit card payments directly. When an Organizer collects payment for an event, you pay the Organizer using the payment method they provide (typically a Venmo, PayPal, Cash App, Stripe, or similar payment link they have set up themselves). Your payment is processed by that third party under their privacy and terms. We record only whether the Organizer has marked your payment as received, the amount, and — if a refund is later issued — the method and reference the Organizer entered for that refund.

Some Organizers may also connect a Stripe account to the Platform through Stripe Connect. At present, the Platform uses this connection only to confirm the Organizer's eligibility to receive Stripe payments (their charges-enabled and payouts-enabled status); we do not currently process charges or refunds on the Organizer's behalf. If and when we begin routing payments through Stripe Connect, we will update this Policy before any change takes effect.

We do not see, store, or transmit your payment card numbers, bank account details, or third-party payment account credentials.

6. Third-Party Service Providers

We use the following third-party services to operate, secure, and improve our platform. Each provider processes data only as necessary for its designated purpose and in accordance with its own privacy policy.

Supabase (Database & Authentication)

Supabase serves as our database and authentication provider. All RSVP records, account data, and Organizer information are stored in Supabase-hosted infrastructure. Passwords are stored as one-way hashes; Supabase manages session tokens and two-factor authentication. Supabase processes data on our instructions as a data processor.

Brevo (Transactional Email)

We use Brevo (formerly Sendinblue) to deliver transactional emails — RSVP confirmations, payment instructions, check-in QR codes, admin invitations, and event-related messages from Organizers. Your email address, name, and the email content are processed through Brevo's API for the sole purpose of delivery. Brevo also retains delivery logs for diagnostic and compliance purposes.

Smartwaiver (Electronic Waivers)

When an Organizer requires a signed waiver, we route you to Smartwaiver to complete the signature. Smartwaiver collects and stores the waiver record (your signature, the document you signed, your email, and any additional fields the Organizer's waiver template requires) under its own privacy policy. We receive only the metadata described in Section 2 (“Information from electronic waivers”). Waivers are only used when an Organizer has explicitly configured Smartwaiver for their event; otherwise no waiver data is collected.

Cloudflare Turnstile (Bot Protection)

We use Cloudflare Turnstile as a CAPTCHA verification service on login and other sensitive auth surfaces. Turnstile collects browser fingerprint data and interaction patterns to distinguish legitimate users from bots. This data is processed by Cloudflare in accordance with Cloudflare's privacy policy.

Vercel (Hosting & Infrastructure)

Our platform is hosted on Vercel. Vercel processes platform request data (HTTP requests, response logs, function invocations) as part of operating the hosting infrastructure. We do not currently use Vercel Analytics or any other third-party visitor analytics; we will update this Policy before activating any optional analytics service that requires visitor consent.

Stripe (Connected-Account Onboarding)

When an Organizer opts in to Stripe Connect, the Platform creates a Stripe Express account on the Organizer's behalf and exchanges status updates with Stripe via webhooks (whether the Organizer's account is verified, whether charges and payouts are enabled, what verification items Stripe still requires). The Organizer enters their identity and banking details directly into a Stripe-hosted onboarding form; the Platform never sees those details. Stripe processes this data under its own privacy policy. Payments themselves are not currently routed through the Platform — see Section 5.

Apple PassKit & Apple Wallet

When you choose to save your RSVP to Apple Wallet, the Platform generates a signed Apple Wallet pass (.pkpass) containing your name, the event name, date, location, and your check-in QR code, and delivers it to your device. The pass is stored locally in Apple Wallet on your iPhone or iPad. If you keep the pass on your device, the Platform may register the pass with Apple's Push Notification service so that updates to the event (e.g., a date change or your check-in status) can be reflected on the pass; this registration happens between your device and Apple, and Apple receives only the pass-update endpoint we expose, not your underlying RSVP record. Apple processes pass data under its own privacy policy.

Google Wallet

When you choose to save your RSVP to Google Wallet, the Platform sends Google a signed token (a JSON Web Token) describing the pass — your name, the event name, date, location, the Organizer's branding, and your check-in QR code — which Google uses to render and store the pass in your Google Wallet account. The Platform also registers event-level class metadata (event name and branding) with Google so that all passes for the same event render consistently. Google processes pass data under its own privacy policy.

7. Data Security

We implement technical and organizational security measures to protect your information, including:

  • HTTPS encryption for all traffic between your browser and our servers
  • Database row-level security (RLS) so each Organizer can only access their own data
  • One-way password hashing — your password is never stored in plaintext
  • Optional two-factor authentication for Organizer admins and required for platform administrators
  • Rate limiting and IP blocklist enforcement on authentication endpoints
  • Bot protection (Cloudflare Turnstile) on sensitive forms
  • Audit logs of administrative actions for accountability
  • Principle of least privilege for service-role credentials, kept server-only and never exposed to your browser

No method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

8. Data Retention

We retain different categories of data for different periods:

  • RSVPs and event data:retained for as long as the Organizer maintains their account. If the Organizer is suspended or soft-deleted by the Platform, their records remain in our database but are inaccessible to the Organizer until restored. If the Organizer's account is hard-deleted by Platform administrators, their events, RSVPs, and any Participant data are removed by database cascade and cannot be recovered. Organizers can also delete individual event records at any time.
  • Account credentials: retained while the account is active. You may delete your account by contacting support@jbcre8iv.com.
  • Audit logs and security event logs: retained as long as necessary for security investigation and compliance purposes.
  • Email delivery logs (Brevo) and the Platform's outbound email outbox:retained per Brevo's default retention policies and our own short-term outbox retention used to retry transient send failures and support bulk sends durably across deploys.
  • Wallet pass artifacts: Apple Wallet (.pkpass) files and Google Wallet tokens are generated on demand and are not retained server-side beyond the request that produced them. The pass itself lives in your wallet on your device or in your Google Wallet account. Apple Wallet pass registrations (used so we can push event updates to your device) are retained for the lifetime of your RSVP while the pass remains installed; cancelling your RSVP expires the pass.
  • Refund records: retained alongside the originating RSVP for the same period as the RSVP itself.
  • Waiver records (Smartwaiver):retained per the Organizer's Smartwaiver account settings, typically for the legal retention period required by their insurer.

9. Your Rights

Depending on your location, you may have certain rights regarding your personal information:

  • Access and receive a copy of your data
  • Correct inaccurate information
  • Request deletion of your data
  • Opt out of non-essential communications from Organizers
  • Data portability

For RSVP-specific data, you can also contact the Organizer of the event directly — they are the primary controller of your RSVP information. To exercise these rights against the platform itself, contact us at support@jbcre8iv.com.

10. Cookies and Tracking

We use cookies and similar technologies in a limited capacity:

  • Essential cookies:required for authentication (so we know you're still signed in) and core platform functionality. These cannot be disabled without breaking sign-in.
  • Local storage:we use your browser's local storage to remember small UX preferences (e.g., dismissed checklist banners). This data lives in your browser only and is not transmitted to us.

We do not currently set advertising cookies, third-party tracking pixels, or behavioral analytics cookies. If we add optional analytics in the future, we will update this Policy and present a consent banner before any analytics data is collected.

11. Third-Party Links

Our platform may contain links to third-party websites and destinations, including the public websites of Organizers, payment links (Venmo, PayPal, Stripe, etc.), external waiver pages (Smartwaiver), and the “Save to Apple Wallet” and “Save to Google Wallet” flows. We are not responsible for the privacy practices of these external sites or services. We encourage you to review their privacy policies.

12. Children's Privacy

Our platform is not intended for children under 13 years of age. We do not knowingly collect personal information directly from children under 13. When a parent or guardian RSVPs on behalf of a minor (which is common for school events, training programs, etc.), the parent or guardian is the registered participant of record and is responsible for any minor included in their party size. If we learn we have collected personal information from a child under 13 without parental consent, we will delete it promptly.

13. International Data Transfers

Our infrastructure providers (Supabase, Vercel, Brevo, Cloudflare, Smartwaiver) are located in the United States and other jurisdictions. By using our platform, you consent to the transfer of your information to these jurisdictions, which may have data protection laws different from those of your home country.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Effective Date” at the top. Your continued use of our platform after changes constitutes acceptance of the updated policy. For changes that materially expand the categories of data collected or the purposes of use, we will provide additional notice (typically via email to your registered account address) before the change takes effect.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

RSVP Platform

Email: support@jbcre8iv.com

Operated by JB CRE8IV.