Updated · 19 June 2026

Privacy Policy

This Privacy Policy explains what personal data Occavia ("we", "us") collects when you use our service, why we collect it, how we store and protect it, and the rights you have over it. We are committed to handling your data transparently and in accordance with applicable data-protection law, including the EU General Data Protection Regulation (GDPR) where it applies.

⚠️ This is a starting template, not legal advice — please have a qualified lawyer review it before relying on it.

1. Who We Are

Occavia is the data controller for the personal data described in this policy. [PLACEHOLDER: full legal entity name and registered address]. Contact: zmanistorege@gmail.com.

2. Data We Collect

Account data: your email address and, if you sign in with Google, your Google account name and profile photo.

Event content: names, event date, venue, story text, schedule, and any other information you enter while building your invitation.

Uploaded media: photos and videos you upload as a cover image or to an event gallery, stored in Cloudflare R2.

Guest RSVP data: names, attendance status, party size, dietary notes, and personal messages submitted by your guests through the invitation page. Guests may also upload photos and videos.

Payment data: your purchase is processed entirely by Paddle. We receive only a transaction reference, the product purchased, the amount, and your country (used for tax purposes). Your card number and payment credentials are never transmitted to or stored by us.

Technical and usage data: IP address, browser type, device type, pages visited, and error logs, collected automatically as you use the service.

3. How We Use Your Data

To operate and deliver the service: create and host your invitation page, show RSVPs and the guest photo wall in your dashboard, and send transactional emails (e.g., sign-in links, RSVP notifications). Legal basis: performance of a contract.

To process payments: pass a checkout session to Paddle and reconcile the completed transaction. Legal basis: performance of a contract.

To keep the service secure and prevent fraud: monitor for suspicious activity and enforce our acceptable-use rules. Legal basis: legitimate interests.

To comply with legal obligations: respond to valid legal requests from authorities, keep tax records. Legal basis: legal obligation.

4. Cookies

We use strictly necessary cookies to keep you signed in (session token stored in an HttpOnly, Secure cookie). We do not set advertising, tracking, or cross-site cookies. If we add analytics cookies in the future, we will update this policy and seek your consent where required.

5. Data Storage & Security

Structured data (accounts, event content, RSVPs) is stored in Supabase, a managed PostgreSQL service. Access is restricted by row-level security policies so each user can access only their own data.

Media files (photos and videos) are stored in Cloudflare R2. Files are served via signed or public URLs. Uploads are restricted to reasonable file-size limits.

All data is encrypted in transit using TLS. Secrets and API keys are stored server-side and never exposed to the browser.

6. Data Retention

Account and event data is retained while your account is active. If you delete your account, your event data (including guest RSVPs and uploads) is deleted within 30 days, subject to legal retention requirements for financial records.

If you delete a specific event, all guest RSVPs, messages, and uploaded media for that event are permanently deleted.

Payment transaction records are retained for the period required by applicable tax and financial law (typically 7 years).

7. Sub-processors

We share personal data with the following trusted sub-processors to operate the service:

Supabase, Inc. (USA) — database, authentication, and server functions. Data is stored in the EU region (Frankfurt). Privacy policy: supabase.com/privacy.

Cloudflare, Inc. (USA) — media storage (R2) and content delivery. Data is stored according to Cloudflare's data localisation settings. Privacy policy: cloudflare.com/privacypolicy.

Paddle.com Market Limited (UK/Ireland) — payment processing as Merchant of Record. Paddle is responsible for collecting and processing your payment information. Privacy policy: paddle.com/privacy.

Google LLC (USA) — optional Google Sign-In (OAuth 2.0), used only if you choose to sign in with Google.

8. International Transfers

Some sub-processors (Supabase, Cloudflare, Google) are based in the United States. Where personal data is transferred from the European Economic Area (EEA) or the United Kingdom to a country that does not have an adequacy decision, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards as the transfer mechanism.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data: (a) Access — request a copy of the data we hold about you; (b) Rectification — ask us to correct inaccurate data; (c) Erasure — ask us to delete your data ("right to be forgotten"); (d) Data portability — receive your data in a machine-readable format; (e) Restriction — ask us to restrict how we process your data; (f) Objection — object to processing based on legitimate interests.

To exercise any of these rights, email us at zmanistorege@gmail.com with your request. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

10. Children

The service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy here with a revised "Updated" date. For significant changes that affect how we use your data, we will also notify you by email.

12. Contact

For any questions about this Privacy Policy or to exercise your data rights, contact us at: zmanistorege@gmail.com. [PLACEHOLDER: If you have appointed a Data Protection Officer (DPO), add their contact details here.]