Privacy Policy

Effective: 1 January 2026 · Version 1.0 · Last updated: 10 May 2026

1. Scope & who we are 2. What data we collect 3. How we use your data 4. Who we share data with 5. Data location & transfers 6. How long we keep data 7. Your rights (DPDP & GDPR) 8. Security measures 9. Children's data 10. Contact us

1. Scope & who we are

This policy describes how Event Super OS (the "Platform") collects, uses, shares, and protects personal data when you use:

The marketing site (/, /pricing)
The studio app (/event-manager) — for event-studio operators
The team workspace (/team) — for studio crew
The client portal (/client) — for couples / event clients
The guest pages (/rsvp, /invitation, /voucher, /vendor)
Per-studio public pages at /studio/<slug>

This policy is published in compliance with India's Digital Personal Data Protection Act, 2023 (DPDP) and aligned with the EU General Data Protection Regulation (GDPR).

2. What data we collect

Category	Examples	Source
Account data	Email, password hash, full name	You, at sign-up
Studio profile	Studio name, tagline, logo, brand colors, phone	You, in onboarding / settings
Event data	Event name, dates, venue, vendors, crew, guests, RSVPs, photos, documents	Studios & their clients enter this
Guest data	Guest names, contact details, RSVPs, dietary preferences, accommodation	Studios upload; guests respond via /rsvp
Payment data	Card last 4, payment status. Full card numbers are NEVER stored on our servers.	Stripe / Razorpay (PCI-compliant)
Usage data	Pages viewed, actions taken, IP address, browser, OS	Automatically, when you use the Platform
Marketing data	UTM parameters, referrer, ad campaign IDs	If you arrive via a campaign link

3. How we use your data

Provide the service — store events, send invitations, run the day-of cockpit
Account & security — authentication, suspension enforcement, audit logs
Billing — invoice you for plan fees
Support — respond to your tickets and questions
Product analytics — understand which features are used (anonymised where possible)
Legal compliance — respond to lawful requests from authorities

We do not sell your data. We do not use your event data to train AI models. We do not share guest contact details with third parties for advertising.

Processor	Purpose	Data location
Supabase Inc. (USA)	Database & auth hosting	AWS Mumbai (ap-south-1) by default
Cloudflare	CDN & static asset delivery	Global edge
Stripe / Razorpay	Payment processing	Their respective regions
Resend / Postmark	Transactional email	USA / EU
OpenAI (optional)	AI co-pilot — only if you provide your own API key	USA

Each sub-processor is bound by a data-processing agreement that requires equivalent or stronger safeguards than this policy.

5. Data location & transfers

Primary storage is in India (AWS Mumbai). Data may transit briefly through Cloudflare's global edge for delivery. We do not transfer your event data outside of India for storage without your consent. White-label resellers may select an alternative region in writing.

6. How long we keep data

Active studios: indefinitely while your subscription is active
Cancelled studios: data is read-only for 90 days, then archived for 90 more, then permanently deleted unless you request earlier deletion
Audit logs: kept for 7 years (legal requirement under Indian tax law)
Payment records: kept for 8 years (Indian GST requirement)
Marketing analytics (anonymised): 26 months

7. Your rights

Under the DPDP Act and GDPR, you have the right to:

Access — request a copy of all data we hold about you
Correction — fix inaccurate data
Erasure — delete your account and all associated data
Portability — export your data in JSON / CSV format
Object — to certain processing
Withdraw consent — at any time
Lodge a complaint — with the Data Protection Board of India

You can exercise data export and account deletion directly inside /event-manager → Settings → Privacy. Other requests: email us using the address below; we respond within 30 days.

8. Security measures

HTTPS / TLS 1.3 on all traffic
Row-level security (RLS) at the database — no studio can read another studio's data
Encrypted backups, point-in-time recovery
Audited admin actions (every privileged operation logged)
2FA available for super-admin accounts (rolling out for studio accounts in v100.1)
Regular security reviews

If you believe you've found a security vulnerability, email security@eventsuperos.com. We respond within 24 hours and will not pursue legal action against good-faith researchers.

9. Children's data

The Platform is not intended for users under 18. Studios may capture guest data that includes children (e.g., kids attending a wedding). In those cases, we treat such data with extra care and the studio is the data controller; we are merely a processor. Studios must obtain appropriate consent from parents/guardians before entering minors' data.

10. Contact us

Data Protection Officer
Email: dpo@eventsuperos.com
Postal: [Studio mailing address — to be filled in by Anthropic / studio operator]

India grievance officer (DPDP §10): grievance@eventsuperos.com · we acknowledge within 24 hours and resolve within 30 days.