Privacy Policy
Effective Date: March 26, 2026
Guest List (“we,” “us,” or “our”) operates the Guest List platform at ontheguestlist.app. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our services.
1. Information We Collect
Information you provide directly:
- Email address — used for authentication via one-time passcode (OTP) or Google Sign-In, and for transactional communications related to your event galleries.
- Full name — displayed in your profile and used as your electronic signature for consent. Only your first name is ever displayed publicly on gallery photo tags, and only if you opt in.
- Date of birth — used for age verification. If you are under 13, your date of birth is not stored.
- Profile picture — optionally uploaded by you.
- Tag visibility preference — your choice of whether your first name appears on photos in event galleries.
Information collected automatically:
- IP address and browser user agent (for security and consent audit logging).
- Usage data including pages visited, features used, and interaction timestamps.
- Gallery activity data — photo download counts and gallery share counts associated with your account, tracked per event.
- Device information (browser type, operating system).
- Cookies and similar technologies — see our Cookie Policy for details.
2. How We Use Your Information
- To authenticate your identity and manage your account;
- To present your personalized event photo gallery;
- To display your first name on gallery photos if you have opted in to tagging;
- To send you SMS notifications about new photos (if opted in);
- To verify your age for compliance with applicable laws;
- To provide event organizers with aggregate and per-attendee gallery engagement data, including your name, photo download counts, and share counts, so they can understand how their event gallery is being used;
- To improve, secure, and operate our platform.
3. Tag Visibility and Name Display
During onboarding, you are asked whether you would like your first name to be displayed on photos where you are recognized in event galleries. This preference is entirely optional:
- If you opt in, only your first name will be shown — your full name is never displayed publicly on photos.
- If you opt out (or have not yet made a choice), no name tag will appear on your photos in the gallery.
- You may change your tag visibility preference at any time in your account settings.
4. Third-Party Service Providers
We share your information with the following third-party processors solely as necessary to provide our services:
- Amazon Web Services (AWS) — cloud hosting and image storage.
- Supabase — database hosting and file storage (hosted on AWS infrastructure).
- Twilio — SMS delivery for OTP authentication and photo notifications (where applicable).
- Resend — transactional email delivery for OTP verification codes and gallery notifications.
- Stripe — payment processing for Creator subscription billing. Stripe collects and processes payment information directly; we do not store your full credit card number on our servers.
- Vercel — application hosting and deployment.
We do not sell, rent, or share your personal information with third parties for their own marketing purposes.
5. Cookies and Tracking Technologies
We use cookies and similar technologies for authentication, security, preferences, and analytics. We do not use advertising or cross-site tracking cookies. For a complete description of the cookies we use and how to manage them, please see our Cookie Policy.
6. Data Retention
- Account data (email, name, profile picture) is retained for as long as your account is active. Upon account deletion, your data is permanently removed within 30 days.
- Consent audit logs are retained indefinitely for legal compliance (revoked records are marked but not deleted).
- SMS logs are retained for operational and compliance purposes.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct inaccurate or incomplete personal information.
- Deletion: Delete your account and all associated data using the self-service “Delete My Account” feature in your account settings, or by contacting us.
- Data portability: Request a copy of your personal data in a structured, commonly used, machine-readable format.
- Do Not Sell / Do Not Share: We do not sell or share your personal information for cross-context behavioral advertising as defined by the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA).
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
8. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area (EEA) or United Kingdom, we collect and process your personal information only where we have a lawful basis to do so. Our legal bases include:
- Consent: Where you have given us explicit consent to process your data (e.g., tag visibility preference).
- Contract performance: Where processing is necessary to provide the Service you signed up for (e.g., account authentication, photo gallery access).
- Legitimate interests: Where processing is in our legitimate business interests and does not override your rights (e.g., platform security, service improvements, fraud prevention).
- Legal obligation: Where processing is required to comply with applicable law.
You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
9. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify affected individuals and applicable regulatory authorities as required by law. Where feasible, we will provide notification within 72 hours of becoming aware of the breach. Our notification will include a description of the breach, the types of data involved, and the steps we are taking to address and mitigate the impact.
10. Children's Privacy
Our Service is not available to users under the age of 13. We verify age during onboarding. If we become aware that we have collected personal information from a child under 13 without parental consent, we will delete that information promptly.
11. Security
We use industry-standard security measures to protect your personal information, including encryption in transit (TLS/HTTPS), encryption at rest, and access controls. However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using commercially reasonable safeguards.
12. International Data Transfers
Your data may be processed in the United States. By using our platform, you acknowledge that your information may be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. Where required by applicable law (such as the GDPR), we ensure that international data transfers are conducted using approved transfer mechanisms, including EU Standard Contractual Clauses (SCCs).
13. Third-Party Websites
Our platform may contain links to third-party websites or services that are not owned or controlled by Guest List. We are not responsible for the privacy practices or content of those third-party sites. We encourage you to review the privacy policies of any third-party websites you visit.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date. Where required by law, we will provide additional notice (such as an in-app notification) for significant changes.
15. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:
Email: ontheguestlistapp@gmail.com