Privacy Policy

1. What we process

User data (organisers): e-mail, name, hashed password, workspace ID, role, IP address and login metadata.

Guest data: name, e-mail, phone, entourage size, check-in status, check-in time and notes — to the extent uploaded by the organiser.

Technical data: error logs, IP, user agent, audit records of account actions.

2. Purpose & legal basis

• Providing the service (contract, Art. 6(1)(b) GDPR).
• Account security, abuse prevention, audit (legitimate interest, Art. 6(1)(f) GDPR).
• Statutory obligations (accounting, tax) — organiser data only.

With respect to guest data the Provider acts as a processor; the organiser is the controller.

3. Retention

• Guest data: while the event exists + 30 days after archival, then deleted.
• User account: until deletion + 30 days.
• Security logs: max. 90 days.

4. Recipients & processors

Data is hosted on Supabase infrastructure (database, auth, storage) and Cloudflare (CDN, edge functions). All processors are located in the EU/EEA or provide adequate safeguards (SCC). We do not sell data to third parties.

5. Your rights

You have the right to access, rectify, erase, restrict processing, data portability and to object. Send requests to privacy@theguests.app. You may lodge a complaint with the Czech Data Protection Authority (uoou.cz).

6. Cookies

We use only strictly necessary cookies for authentication and language preference. No analytics or marketing cookies are used without consent.

7. Changes

Material changes will be communicated by e-mail or in-app at least 14 days in advance.