vite.in

Polityka prywatności

First draft — pending legal review

This page is a working draft based on standard templates and the operator's good-faith understanding. It must be reviewed by a qualified lawyer before public launch. Some fields (postal address, VAT identification) are placeholders until the Estonia OÜ registration completes.

About this notice

vite.in lets people create event invitations, share them, and collect RSVPs. This notice explains what personal data we process, why, on what legal basis, with whom we share it, and what rights you have. It applies to vite.in and all its subdomains.

Data controller

The controller within the meaning of GDPR Art. 4 (7) is the operator listed in the Impressum.

What we process

Anonymous event creation

When you create an event without an account: the email address you provide (for the magic link), the event details (title, date, location, description) and a hashed creator token. The plaintext token leaves the server only inside the magic-link email — we never store it.

Guests + RSVPs

When a guest RSVPs: the name they enter, an optional email (used only for the confirmation email if they provide one), their status (yes/maybe/no), an optional message, and the plus-one details if the event has Plus tier enabled.

User accounts

If you create an account: email address, optional display name, locale preference, and timezone. Sessions are tracked via a signed, server-side-validated cookie; we don't store passwords by default — sign-in is magic-link based.

Payments

When you upgrade an event to premium: Stripe processes the payment. We see the resulting payment confirmation (success/failure, tier, currency), never your card number. Your billing address may be transmitted by Stripe to determine VAT.

Server logs + Sentry

Operational logs include a request id, a salted hash of your IP address (never the raw IP), the route hit, response status, and Accept-Language. Errors are captured in Sentry (see sub-processors).

Legal basis

Processing happens under GDPR Art. 6 (1) (b) (performance of contract — providing the service you sign up for), (c) (legal obligation — invoicing, tax retention) and (f) (legitimate interest — operational logging, fraud prevention, error monitoring). Optional analytics cookies (not currently active) would only run under (a) (consent), gated by the cookie banner.

Sub-processors

We use the following services to operate vite.in. Each has a data processing agreement in place under GDPR Art. 28.

  • Cloudflare (US/global) — application hosting (Workers, Pages), object storage (R2), CDN, DDoS mitigation, DNS.
  • Neon (EU region) — managed Postgres database.
  • Resend (EU) — transactional email delivery.
  • Stripe (US/global) — payment processing and tax calculation.
  • Sentry (EU region) — error monitoring.

When the Phase-3 analytics layer goes live we will add the analytics provider here and require fresh consent for it via the cookie banner.

Cookies

We use the following cookies, all first-party. None of them carry personally identifiable information that could be used outside vite.in.

  • vitein_consent — your cookie-banner choice. Max-Age 1 year. Strictly necessary.
  • paraglide_lang — your language preference so the site renders in the right locale on the next visit. Strictly necessary.
  • __Secure-better-auth.session_token — your authentication session if you sign in. HttpOnly, Secure, SameSite=Lax. Removed on sign-out.

Retention

Account data is kept for as long as the account exists. On account deletion, soft-delete starts a 30-day grace period during which the account can be restored; after that, a cron job hard-deletes the rows. Events that have already happened are retained for one year after their start date for chargeback and audit purposes, then archived. Server logs are retained for 90 days; audit log entries are retained indefinitely as required for transaction-record purposes.

Your rights

Under GDPR Art. 15–22 you have the right to access, rectification, erasure, restriction of processing, data portability, and to object. You can also withdraw any consent you gave. Two paths to exercise these rights:

  • Self-service — sign in, open /account/settings, and use the export and delete buttons there. Export returns a JSON bundle of your profile, events, and RSVPs. Delete starts the 30-day grace.
  • Email — privacy@vite.in. We answer within 30 days as required by Art. 12 (3) GDPR.

You can also lodge a complaint with the data-protection authority of your habitual residence. In Germany this is the Landesdatenschutzbeauftragter of your federal state; in Switzerland the FDPIC.

International data transfers

Cloudflare and Stripe operate from the US and route requests through their global edge networks. Both are certified under the EU–US Data Privacy Framework (DPF) and have the Standard Contractual Clauses (SCCs) in place. Neon, Resend, and Sentry are configured to operate from EU regions.

Changes to this policy

We will update this notice when the service or our sub-processors change. Substantial changes are flagged via an in-product banner. The “Last updated” date below reflects the most recent revision.

Last updated: 2026-05-19