Privacy Policy

We collect only the information needed to create, publish, and manage your invitation website.

We use trusted service providers such as Google Firebase (Firestore for data storage), Neon (database hosting), Cloudinary (media hosting), Razorpay (payment processing), and Resend (transactional emails). Each is bound by their own contract not to misuse your data.

We do not sell your data.

We do not display third-party advertising.

We do not use your invitation content, photos, or guest information to train AI models.

Upon account deletion, personal data is removed from active systems within 30 days. Backups are purged within 30 days of deletion, except where retention is required by law.

Information You Provide When Creating an Account

• Name
• Email address
• Password (stored only in encrypted or hashed form; we never store plain-text passwords).

Information You Provide When Creating an Invitation

Depending on the template and event type, you may provide:

• Event title
• Host names
• Event date and time
• Venue information
• Invitation message
• Photos and media uploads
• RSVP settings
• Custom links and event details

Information Submitted by Your Guests

When guests respond to an invitation, we may collect:

• Name
• Email address (if requested)
• Phone number (if requested)
• RSVP response
• Guest count
• Messages or notes submitted through RSVP forms

RSVP information is collected on behalf of the invitation owner and is accessible to the invitation owner through their dashboard.

Automatically Collected Information

We may automatically collect:

• IP address (used for rate-limiting and abuse detection — not stored beyond 30 days)
• Browser type
• Device information
• Pages visited
• Standard server logs (request paths, response codes, timestamps) — used for debugging, rotated within 30 days
• Basic usage analytics

This information helps us maintain security, prevent abuse, and improve our services.

We use collected information to:

• Create and manage user accounts
• Publish and host invitation websites
• Process payments and issue receipts
• Send service-related emails, including account notifications, payment confirmations, and RSVP updates
• Manage RSVPs
• Provide customer support
• Improve platform performance using aggregated, anonymous metrics
• Prevent fraud, abuse, and unauthorized access

We only share information with the minimum set of trusted service providers necessary to operate the platform, including:

• Google Firebase (Firestore) — cloud database hosting and storage for invitation data, RSVPs, rate-limiting, and pending transaction statuses
• Neon — database hosting and storage
• Cloudinary — media storage and processing for user-uploaded images and event media files
• Razorpay — payment processing (we share your name, email, and phone so they can contact you about a failed transaction)
• Resend — transactional email delivery
• Hosting and infrastructure providers — see request metadata the same way every web host does

These providers process information on our behalf and are bound by their own contracts not to misuse it.

We do not sell, rent, or trade personal information to advertisers, marketing companies, or data brokers. We do not share data with advertising networks or AI training pipelines. We will share data with law enforcement only when compelled by a valid legal order from a jurisdiction we operate in.

Your information may be stored and processed using cloud infrastructure operated by our service providers. Depending on the service used, data may be processed in countries other than your country of residence.

We take reasonable steps to ensure appropriate safeguards are in place for such transfers.

We retain information only as long as necessary to provide our services.

• Account information remains until the account is deleted.
• Invitation content and uploaded media (stored on Cloudinary) remain until deleted by the owner.
• RSVP information remains associated with the invitation.
• Payment records are retained for 7 years as required by applicable tax and accounting laws.
• Server logs and IP address data are retained for up to 30 days unless a longer period is required for security investigations or legal obligations.
• Backups are rotated regularly; upon account deletion, backups are purged within 30 days.

You may:

• Access your personal information — email us and we will send a data export within 7 days.
• Correct inaccurate information — most fields are editable directly from your dashboard.
• Delete invitation content or request full account deletion.
• Export a copy of your personal data in a commonly used electronic format, where applicable.
• Object to processing or withdraw consent by contacting us at hello@goshco.in.
• Lodge a complaint with the data protection authority in your country if you believe we have handled your data improperly. In India, that is the body designated under the DPDP Act 2023.

We process personal data in accordance with applicable laws, including India's Digital Personal Data Protection Act, 2023 (DPDP Act), where applicable.

We use industry-standard security measures to protect your information, including:

• HTTPS encryption across all pages
• Secure authentication systems
• Access controls and rate limiting
• Regular security updates

While we work to protect your information, no online service can guarantee absolute security. If we experience a breach affecting your data, we will notify you by email within 72 hours of confirming it and post a notice on the platform.

By using our Services, you acknowledge and accept the inherent security risks associated with transmitting information over the internet.

Material changes to this Privacy Policy — such as new data uses, new third-party sharing, or reduced user rights — will be emailed to all active users at least 14 days before they take effect.

Minor updates such as typo fixes or clarifications will receive a quiet update with a revised effective date on this page.