We collect information in the following ways: Account Information: When you create an account, we collect your first name, last name, email address, phone number, and password. Your password is securely hashed and never stored in plain text. Event Information: When you create an event, we collect event details you provide, including event name, date, time, location, description, and any images you upload. Guest Information: When you invite guests, we collect the names, email addresses, and phone numbers you provide. You may also choose to import contact information from your device's address book to add guests. When guests respond to invitations, we collect their RSVP status, number of adults and children attending, dietary restrictions, and any messages they include. Event hosts are responsible for ensuring they have permission to share guest contact information for the purpose of sending event invitations. Photos & Camera: If you upload an event image, we access your device's camera or photo library (with your permission) to capture or select the image. Uploaded images are stored securely in the cloud. Third-Party Sign-In: If you choose to sign in using a third-party authentication service, we receive your name and email address as provided by that service. We do not receive or store your third-party account password. Location Information: The Service may include location-based features in the future. If implemented and enabled by you, we may collect your approximate location to provide relevant functionality such as venue location views. We do not currently collect device location data, and we do not track your location in the background. Calendar Integration: The Service may include calendar integration features in the future. If implemented and you choose to sync events with your device calendar or a third-party calendar service, we would access only the calendar data necessary to create or update event entries. Calendar integration is not currently available. IP Address & Server Logs: When you access the Service — whether as a registered user, an unauthenticated guest viewing an invitation, or a guest submitting an RSVP response — our servers automatically record your Internet Protocol (IP) address with each request. We collect IP addresses for the following purposes: • Security and fraud prevention: Detecting unauthorized access attempts, brute-force attacks, and suspicious activity patterns • Rate limiting: Enforcing limits on authentication attempts, email sending, and API requests to prevent abuse of the Service • CAPTCHA verification: Your IP address is sent to our CAPTCHA provider (Cloudflare Turnstile) when you submit forms such as public RSVP responses, to verify that the submission is from a human user • View deduplication: When you view an invitation or public event link, a one-way hash of your IP address (not the raw IP) is used to count unique views and prevent duplicate tracking • Approximate geolocation: We may derive your general geographic region (city or country level) from your IP address to support service functionality, enforce geographic restrictions, or comply with legal requirements. We do not use IP-based geolocation to build a detailed location profile of you. • Debugging and reliability: Diagnosing server errors, outages, and performance issues IP address data is stored in server logs hosted on Amazon Web Services (AWS) infrastructure in the United States. For invitation view tracking, only a salted cryptographic hash of your IP address is stored — not the raw IP address itself. We do not sell IP address data or share it with third parties for marketing purposes. Device & Technical Information: When you use the Service, our servers also log non-identifying technical data such as device type, operating system version, browser type, and request timestamps. We may use analytics tools to understand how users interact with the Service and to improve our features. Any analytics data is collected in aggregate or pseudonymized form where possible. Push Notification Tokens: If you enable push notifications, we collect device tokens provided by your mobile operating system to deliver notifications about event updates and RSVP responses.

Geographic Scope: This Privacy Policy applies to users of Just Invite located in the United States. The Service is currently in beta and is not offered to individuals located in the European Economic Area (EEA), the United Kingdom, or Switzerland. We do not knowingly collect or process personal data from individuals in these regions. If you are located in the EEA, the United Kingdom, or Switzerland, please do not use the Service or submit any personal data. We recognize that event hosts located in the United States may invite guests who reside outside the United States, including in the EEA. Where guest data is submitted by a US-based host, we process that data as a service provider acting on the host's instructions. Hosts are responsible for ensuring they have appropriate legal authority to share guest contact information with the Service. Beta Data Practices: The Service is currently in Beta. During the Beta period, the following additional data practices apply: • While we implement the security measures described in the 'Data Storage & Security' section, the Beta nature of the Service means that features, infrastructure, and security measures are still under active development. There is an inherently elevated risk of data loss, service interruption, or unintended data exposure compared to a generally available service. • We may collect additional usage data during the Beta period to improve the Service, including interaction patterns, feature usage frequency, error reports, crash logs, and performance metrics. This data helps us identify bugs, prioritize features, and improve stability. • If the Beta period ends or the Service transitions to general availability, your data will carry forward subject to the then-current Privacy Policy. If the Service is discontinued, we will provide at least 30 days' notice and an opportunity to export your data before it is permanently deleted. • We do not sell, rent, or trade your personal information during the Beta period.

We use the information we collect to: • Operate, maintain, and provide the features of the Service • Create and manage your account and authenticate your identity • Send event invitations, RSVP confirmations, and event updates on your behalf, strictly as a result of user-initiated actions • Deliver push notifications about event activity (if enabled) • Send transactional emails (user-initiated and service-related) including email verification codes, password reset codes, account notifications, and event-related communications • Enforce safeguards to prevent misuse of email functionality, including rate limiting, monitoring for abuse patterns, and suppression of email addresses associated with delivery failures, spam complaints, or unsubscribe requests • Notify you of material changes to the Service, these Terms, or our Privacy Policy via email • Analyze usage patterns and trends to improve the Service and develop new features • Personalize your experience, such as suggesting event templates or relevant features • Detect, investigate, and prevent fraudulent or unauthorized activity • Use IP addresses to enforce rate limits on login attempts, API requests, and email-related actions, and to detect and block potentially fraudulent or abusive access patterns • Power automated or AI-assisted features, if introduced • Comply with legal obligations We process your information as necessary to provide the Service under our Terms of Service, when you have given consent to specific features, and for our legitimate business purposes such as improving the Service, preventing fraud, and ensuring security. We do not currently use your information for targeted advertising. We do not sell your personal information to third parties. If we introduce advertising or promotional features in the future, we will update this policy and provide you with appropriate controls, including opt-out options.

We share your information only as described below: With Other Users: When you RSVP to an event, the event host can see your name, response status, guest count, dietary restrictions, and any message you include. Service Providers: We use trusted third-party service providers to operate the Service, including Amazon Web Services (AWS) for cloud hosting, data storage, and email delivery via Amazon Simple Email Service (SES), Expo (expo.dev) for push notification delivery and over-the-air app updates, Sentry (sentry.io) for error tracking and crash reporting, Cloudflare for CAPTCHA verification and bot protection, and Google Firebase Cloud Messaging (FCM) for Android push notification delivery. These providers process data only as necessary to provide services to us and do not use your data for their own marketing or independent purposes. Analytics & Improvement Partners: We may share anonymized or aggregated usage data with analytics providers to help us understand how the Service is used and to improve our features. This data cannot reasonably be used to identify you personally. Third-Party Integrations: If you connect third-party services (such as authentication providers, calendar services, or map providers), those services may receive information necessary to complete the integration. Each third-party service is governed by its own privacy policy, and we encourage you to review those policies. AI Service Providers: If we introduce AI-powered features, we may share relevant event or user data with AI service providers solely to deliver those features. Data shared with AI providers is subject to contractual protections and is not used to train third-party models without your consent. Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others. Business Transfers: If Just Invite is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change. We do not sell, rent, or trade your personal information to third parties for their marketing purposes. If our data sharing practices change materially, we will update this policy and notify you before sharing begins.

We send the following types of emails: Transactional Emails: These are essential to the Service and include email verification codes, password reset codes, event invitations, RSVP notifications, and event cancellation notices. These emails cannot be opted out of while your account is active, as they are necessary for the Service to function. These emails are sent only as a direct result of actions performed by users within the Service and are expected as part of the event experience. We currently do not send marketing or promotional emails. All emails we send are directly related to your account activity or events you are involved with. Recipients receive emails only because they were explicitly invited by an event host or are participants in an event workflow. If we introduce marketing or promotional communications in the future, they will be opt-in only, and you will be able to unsubscribe at any time. We maintain suppression mechanisms to prevent sending emails to addresses that have resulted in delivery failures (hard bounces), spam complaints, or unsubscribe requests. Unsubscribe and suppression requests are processed within 10 business days. Once an email address is added to our suppression list, no further emails will be sent to that address unless the owner of that address subsequently creates an account or takes an action that initiates a new transactional email. This ensures responsible email practices and protects recipients from unwanted communication. If you are a guest who received an invitation and do not wish to receive further emails from the Service, you may opt out by clicking the unsubscribe link included in any invitation email, or by contacting us at privacy@justinvite.app. We will add your email address to our suppression list within 10 business days of receiving your request, and you will not receive further emails from the Service unless you subsequently create an account or take an action that initiates a new email (such as submitting an RSVP). The Service is not intended for bulk email distribution or unsolicited messaging. Users are prohibited from using the platform to send spam or communications to recipients who have not consented to receive event-related emails. Event invitation emails are sent on behalf of the event host to facilitate the recipient's participation in a specific event. These are initiated by the host through the Service and are not bulk marketing messages. Recipients of invitation emails have not opted in to a mailing list and will not receive further emails from the Service unless they are invited to additional events, respond to an invitation, or create an account.

Your data is stored on secure servers hosted by Amazon Web Services (AWS) in the United States. We implement industry-standard security measures to protect your information, including: • Passwords encrypted using bcrypt hashing • All data transmitted over HTTPS (TLS encryption) • JWT-based authentication with short-lived access tokens and rotating refresh tokens • Secure, access-controlled cloud infrastructure • Event images stored in private S3 buckets with server-side encryption While we take reasonable measures to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data. Data Breach Notification: In the event of a data breach affecting your personal information, we will notify affected users without unreasonable delay after becoming aware of the breach, in accordance with applicable state and federal notification requirements.

We retain your information as follows: • Account Data: Retained for as long as your account is active. When you delete your account, all associated personal data is permanently removed from our systems. • Event Data: Retained until you delete the event or your account. • Event Images: Stored in secure cloud storage. Images are automatically deleted 7 days after the event date. Images are also deleted if the event or host account is deleted. • Guest & RSVP Data: Retained as part of event data and removed when the event or host account is deleted. For guests who do not have a Just Invite account, personal data (name, email address, phone number, dietary restrictions, and RSVP responses) is automatically deleted 12 months after the event date, even if the host has not deleted the event. Guests may request earlier deletion at any time (see Your Rights & Choices section). • Technical Logs: Server logs containing IP addresses, request metadata, and associated technical identifiers are retained for security monitoring, fraud prevention, rate limiting enforcement, and debugging purposes in accordance with our log retention policies, after which they are purged. IP addresses are not included in data portability exports as they are classified as operational security data. • Analytics Data: We retain aggregated statistical data (such as total event counts, average guest list sizes, and feature usage rates) indefinitely to improve the Service. This data is aggregated across all users and does not contain individual-level records. We apply industry-standard aggregation techniques to ensure that retained analytics data cannot reasonably be used to identify any individual user. • Push Notification Tokens: Device tokens are retained while push notifications are enabled for your account. Tokens are deleted when you disable push notifications, log out, or delete your account. Upon account deletion, processing of your deletion request begins within 48 hours. All personal data is permanently deleted from our primary database within 72 hours of your request. Residual copies in encrypted backups are overwritten within 30 days. Images are immediately removed from active cloud storage and are no longer accessible to any user. Residual copies in encrypted backup systems and CDN caches are permanently purged within 30 days of the deletion request.

Depending on your location, you may have the following rights regarding your personal information: • Access: View your personal data through the Service at any time. • Correction: Update or correct your account information through your account settings. • Deletion: Delete your account and all associated data at any time from within the app. Deletion is permanent and cannot be undone. • Data Portability: You may request a copy of your personal data by contacting us at privacy@justinvite.app. We will provide your data in JSON format (or CSV upon request) within 45 days of receiving your verified request. The export will include your account information, events you have created, guest lists, RSVP responses you have submitted, and notification preferences. If we need additional time, we will notify you of the extension and the reason, for a maximum total response time of 90 days. • Withdraw Consent: Where we process your data based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. • Push Notifications: You can enable or disable push notifications at any time through the app settings or your device settings. • Notification Preferences: You can manage which types of notifications you receive through the notification settings in the app. • Third-Party Connections: You can disconnect third-party integrations at any time through your account settings. Disconnecting removes our access to that service but does not affect data already collected. • Regulatory Complaint: If you believe your privacy rights have been violated, you may contact the California Attorney General's office or the relevant privacy authority in your jurisdiction. Guest Data Rights: If you are a guest who received an invitation through the Service (and do not have a Just Invite account), you have the following rights: • Access: Request a copy of all personal data we hold about you. • Correction: Request correction of inaccurate data. • Deletion: Request deletion of your personal data from all events where you appear as a guest. • Opt-out: Opt out of receiving further emails from the Service by clicking the unsubscribe link in any invitation email or by contacting us. • Automatic expiry: Your personal data is automatically deleted 12 months after the event date. To exercise these rights, email privacy@justinvite.app from the same email address used in your invitation. We will verify your identity by matching your email address against our invitation records and process your request within 45 days. To exercise any of these rights, you may use the in-app features or contact us at privacy@justinvite.app.

We use browser local storage and secure device storage to maintain your authentication session (access and refresh tokens). This is strictly necessary for the Service to function. We may use analytics technologies (such as first-party analytics or privacy-respecting third-party tools) to understand how the Service is used. If we use cookies or similar technologies beyond what is strictly necessary for functionality, we will provide clear notice and obtain your consent where required by law. We do not currently use: • Advertising or retargeting cookies • Cross-site tracking technologies • App Tracking Transparency (ATT) frameworks or cross-app tracking identifiers The data stored on your device includes what is required to keep you signed in, deliver push notifications, and support any analytics or personalization features you have enabled. Do Not Track & Global Privacy Control: We honor the Global Privacy Control (GPC) signal as a valid opt-out of the sale or sharing of personal information under applicable state privacy laws. Because we do not currently sell or share personal information for cross-context behavioral advertising, the GPC signal will not result in a change to your experience, but we recognize and log the signal for compliance purposes.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA): Categories of Personal Information We Collect (Cal. Civ. Code 1798.140(v)): • (A) Identifiers: Real name, email address, phone number, IP address, device identifiers, push notification tokens • (B) Personal information under Cal. Civ. Code 1798.80(e): Name, telephone number • (D) Commercial information: Event creation and RSVP history • (F) Internet or other electronic network activity: Device type, operating system version, request timestamps, analytics data, interaction with the Service We do not collect categories (C) protected characteristics, (E) biometric information, (H) sensory data, (I) professional information, (J) education information, (K) inferences, or (L) sensitive personal information as defined under the CCPA. Sensitive Personal Information: We collect account login credentials (email address in combination with your password) for the purpose of authenticating your identity. Passwords are stored only in irreversibly hashed form and are never accessible in plain text. We use this sensitive personal information solely for the purpose of providing the Service and verifying your identity. • Right to Know: You can request details about the categories and specific pieces of personal information we have collected about you. • Right to Delete: You can request deletion of your personal information. You can also delete your account directly within the app. • Right to Correct: You can request correction of inaccurate personal information we maintain about you. • Right to Opt-Out of Sale or Sharing: We do not sell your personal information as defined under the CCPA (Cal. Civ. Code 1798.140(ad)), nor do we share your personal information for cross-context behavioral advertising as defined under the CCPA (Cal. Civ. Code 1798.140(ah)). If our practices change, we will update this policy, provide a conspicuous 'Do Not Sell or Share My Personal Information' link, and honor universal opt-out preference signals such as Global Privacy Control. • Right to Non-Discrimination: We will not deny you the Service, charge you different prices, provide you a different level or quality of Service, or suggest that you will receive a different price or quality, because you exercised your rights under this section. You may designate an authorized agent to make a request on your behalf. If you use an authorized agent, we will require the agent to provide written proof of authorization signed by you, and we may independently verify your identity directly. Alternatively, you may provide your agent with a valid power of attorney under the California Probate Code. To make a request, please contact us at privacy@justinvite.app. We will verify your identity before processing any request and respond within 45 days as required by law.

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another US state with a comprehensive consumer privacy law, you may have additional rights, including: • Right to access the personal data we have collected about you • Right to delete your personal data • Right to correct inaccurate personal data • Right to data portability — receive your data in a portable, readily usable format • Right to opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects • Right to appeal: If we decline your privacy request, you may appeal by contacting us at privacy@justinvite.app with the subject line 'Privacy Request Appeal.' We will respond to your appeal within 60 days. If your appeal is denied, you may contact your state's attorney general. Universal Opt-Out Signals: We honor browser-based universal opt-out preference signals (such as the Global Privacy Control) as a valid request to opt out of the sale or sharing of personal information, where applicable under state law. To exercise any of these rights, contact us at privacy@justinvite.app. We will verify your identity and respond within the timeframe required by your state's law (generally 45 days, with a possible extension of an additional 45 days if reasonably necessary).

The Service is not intended for use by children under the age of 16. We do not knowingly collect or solicit personal information from anyone under 16 years of age. If we learn that we have collected personal information from a child under 16, we will delete that information as quickly as possible. If you believe a child under 16 has provided us with personal information, please contact us at privacy@justinvite.app. If you are between 16 and 18 years of age, your parent or legal guardian must consent to your use of the Service and to our collection and processing of your personal information as described in this Privacy Policy. Parents and legal guardians may exercise any of the rights described in the Your Rights & Choices section on behalf of their minor child by contacting us at privacy@justinvite.app with proof of the parental relationship. Guest Data and Minors: Event hosts may invite guests of any age. If a guest who responds to an invitation via our public RSVP form is under 16, a parent or legal guardian must submit the response on their behalf. Just Invite does not knowingly collect personal information directly from individuals under 16, whether they are registered users or guests. Hosts are advised not to share the personal contact information (email, phone number) of children under 16 without parental consent.

The Service is currently available only to users located in the United States (see our Terms of Service for geographic eligibility). All data is stored and processed on servers located in the United States using Amazon Web Services (AWS). If you access the Service, your information will be stored and processed in the United States under United States federal and state law, including applicable data protection, privacy, and law enforcement access laws. Data protection laws in the United States may differ from those in other countries. The Service is not currently offered to users in the European Economic Area (EEA), the United Kingdom, Switzerland, or other jurisdictions that require specific international data transfer mechanisms. We do not currently implement Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or self-certification under the EU-US Data Privacy Framework. As the Service expands beyond the beta period, we will implement appropriate transfer safeguards and update this policy before offering the Service in those regions. Canadian Users: If you are located in Canada, Canada's Anti-Spam Legislation (CASL) may apply to certain communications you receive through the Service. Event invitations are sent on behalf of event hosts who represent that they have a pre-existing relationship with the recipient. You may withdraw consent to receive further communications at any time by clicking the unsubscribe link in any email or by contacting us at privacy@justinvite.app. In the course of operating the Service, guest data provided by US-based hosts may include information about individuals located outside the United States. Such data is processed and stored in the United States in accordance with this Privacy Policy.

The Service may integrate with or contain links to third-party services, including but not limited to: • Authentication providers • Calendar services • Map and location providers • Analytics and performance monitoring tools • AI and machine learning service providers When you use these integrations, the third-party service may collect information directly from you or receive information from us as necessary to provide the integration. Each third-party service is governed by its own privacy policy, and we encourage you to review those policies. We are not responsible for the privacy practices of third parties. You can manage or disconnect third-party integrations through your account settings at any time.

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. We will notify you of material changes by posting a prominent notice within the Service or by sending you an email. The "Last Updated" date at the top of this policy indicates when it was last revised. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: Just Invite Email: privacy@justinvite.app Mailing Address: [To be provided] For data protection or privacy-related inquiries, please contact us at privacy@justinvite.app. We will respond to all inquiries within a reasonable timeframe.