Legal
Privacy Policy
Last updated 14 July 2026
Invitra helps people invite the people they love to the things that matter to them. This policy explains what we collect, why, and what you can do about it — in plain English, without the hedging. If something here is unclear, email us. We would rather explain it than have you guess.
1. Who we are
Invitra builds and operates the Invitra digital invitation platform at invitra.space. Under India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”), we are a Data Fiduciary for the personal data described below, and you are a Data Principal.
You can reach a human at invitra.space@outlook.com. That address is monitored, and it is the right place for every request in this policy.
2. If you create an invitation (hosts)
When you sign up, we collect:
- Your email address — so you can sign in and so we can send you RSVP notifications about your own events.
- Your name and profile picture, if you sign in with Facebook. We request only public_profile and email. We do not read your friends list, your posts, or anything else, and we never post anything to Facebook.
- The events you create — the title, date, venue, wording, photos and settings you enter.
Our lawful basis for this is your consent, given when you sign up. Signing in with Facebook is optional; you can use an email link instead and never touch Facebook.
3. If you were invited to something (guests)
Guests never need an account. You do not sign up, you do not create a password, and we do not track you across other websites. Your information reaches us in one of two ways.
a. You RSVP’d yourself
You typed your name and, if you chose to, a phone number, email address, headcount, dietary preference or a message. You gave that to the host voluntarily in order to answer their invitation, and we use it only to answer that invitation. You can change or withdraw it at any time — see section 8.
b. A host added you to their guest list
A host may upload a list of names, phone numbers and email addresses of people they want to invite. If that is how you got here, you never had a relationship with Invitra before this invitation. We are honest about this: we hold that information on behalf of the host who invited you, we use it for nothing except delivering their invitation and recording your answer, and you can have it deleted immediately by emailing us. Hosts are required by our Terms to have a proper reason to invite the people on their list.
We may also record:
- That the invitation was viewed — a count, the referring site, and your browser type. We do not store your IP address. To count unique viewers without identifying anyone, we convert your IP and browser into a one-way scrambled value that cannot be turned back into you and changes daily.
- Photos you upload to an event’s gallery, if the host enabled one.
- That you arrived, if the host used check-in at the door.
4. Guest data belongs to the event — not to us
This is the part we care most about, so we will be blunt:
Invitra staff do not read your guest lists or RSVP messages. Access to production data is limited to what is needed to keep the service running or to fix a fault you have reported.
5. Children
Under the DPDP Act, a child is anyone under 18 — not 13. Children come to birthday parties and appear in photographs, so we take this seriously rather than pretending it does not apply.
- Invitra is for adults. You must be 18 or older to create an account and host an event.
- We do not track or profile children, and we show no advertising to anyone, of any age, anywhere on Invitra. We do not do behavioural advertising at all.
- If a host tells us their event involves children, we switch off view analytics for that invitation entirely and require photos to be approved by the host before anyone else can see them.
- Hosts are responsible for having a parent’s or guardian’s consent before entering a child’s details or uploading a photograph of a child who is not their own.
- A parent or guardian can email us at any time to see or delete information about their child, including photographs. We will act on it — see section 8.
6. Where your information is kept
Invitra runs on Supabase (database, sign-in and file storage) and Vercel (hosting). Our database is located in Tokyo, Japan, and our website is served from servers around the world, including India. Transactional email is sent through Resend.
The DPDP Act permits transferring personal data outside India except to countries the Government has specifically restricted. Japan is not a restricted country. We tell you this plainly because you are entitled to know where your information physically lives.
These providers process data on our instructions under contract, and they are not permitted to use it for their own purposes.
7. How long we keep it
We keep information only for as long as it is doing the job it was collected for, and then we delete it.
- Your account — until you delete it.
- An event, its guest list, RSVPs and photos — while the event is live, and then for up to 12 months after the event date, so you can look back at who came and download your photos. After that we delete it automatically.
- A deleted event — removed from your dashboard immediately and permanently erased within 30 days. The 30 days exist so we can undo an accidental deletion.
- A deleted account — everything you created is permanently erased within 30 days.
- View counts — aggregate numbers with nothing identifying in them; kept for up to 12 months after the event.
If you withdraw consent, we delete rather than keep, unless a law requires us to hold something.
8. Your rights, and how to actually use them
Under the DPDP Act you can ask us to:
- Tell you what we hold about you and who we have shared it with.
- Correct anything wrong, incomplete or out of date.
- Erase your personal data.
- Withdraw your consent — as easily as you gave it. If you RSVP’d, you can change or delete your answer from the invitation itself.
- Nominate someone to exercise these rights for you if you die or become unable to.
- Complain to us, and then to the Data Protection Board of India if we have not sorted it out.
Email invitra.space@outlook.com from the address you signed up with, or — if you are a guest without an account — tell us the invitation link and the name you RSVP’d with. We aim to respond within 7 days and to finish within 30 days.
There is no charge, and we will not make you jump through hoops. See deleting your data for step-by-step instructions.
9. Complaints
If you are unhappy with how we have handled your information, contact our Grievance Officer at invitra.space@outlook.com with “Grievance” in the subject line. We will acknowledge within 7 days and resolve within 30.
If we do not resolve it, you have the right to complain to the Data Protection Board of India.
10. How we protect it
- Everything travels over HTTPS, and is encrypted where it is stored.
- Every table in our database denies access by default. A host can only ever read their own events and their own guests — this is enforced by the database itself, not just by our code.
- Guest phone numbers and email addresses are never included in a public invitation page.
- Sign-in is passwordless, so there is no password of yours for us to lose.
- Photo uploads are checked and are approved by the host before anyone else sees them.
No system is perfect. If a breach happens that affects you, we will tell you and the Data Protection Board — promptly, and in plain language, not buried in a status page.
11. Cookies
We use cookies for one thing: keeping you signed in. There are no advertising cookies, no tracking pixels and no third-party analytics following you around the internet. If you are a guest, you can view an invitation and RSVP without us setting a single cookie.
12. Changes to this policy
If we change something that matters, we will update the date at the top and tell account holders by email before it takes effect. We will not quietly broaden what we do with your information.
13. Contact
invitra.space@outlook.com — for questions, requests, complaints, or to tell us this policy is unclear.
This policy is written to reflect how Invitra actually works, and to meet the Digital Personal Data Protection Act, 2023. It is not legal advice, and it has not yet been reviewed by a lawyer. If you are relying on it for your own business, get your own advice.