Privacy Policy

Last updated: 24 February 2026

Overview

Gather ("Gather," "we," "our," or "us") operates the Gather mobile application and website (gatherinvites.com) (collectively, the "Service").

This Privacy Policy explains how we collect, use, and protect personal data when you use the Service.

1. Data Controller

Gather is the data controller for personal data processed through the Service.

Contact: [email protected]

Primary Hosting: Hetzner Online GmbH, Falkenstein, Germany

2. Information We Collect

2.1 Account Information (Hosts)

If you create an account, we may collect:

  • Name (if provided)
  • Email address
  • Authentication credentials
  • Account activity data

2.2 Event Information

When creating an event, we may collect:

  • Event title
  • Description
  • Date and time
  • Selected venue/location
  • Uploaded cover images
  • Event configuration settings

Event content may be accessible to anyone with the event link.

2.3 RSVP Information (Guests)

When a guest submits an RSVP, we may collect:

  • Name
  • Email address
  • Attendance status (Yes / No / Maybe)
  • Optional message
  • Additional response fields configured by the host (such as headcount, dietary preferences, notes, or similar event-related information)

RSVP information is visible only to the event host, not publicly displayed, and not shared with other guests unless explicitly configured.

Guests provide their information directly. Hosts do not upload guest email lists.

3. Location Search

When a user searches for a venue or place:

  • The typed search query is sent to geoify.com
  • No user identifiers are transmitted with the query
  • We do not collect GPS location
  • We store only the location selected for the event

4. Image Storage

Uploaded images are stored in Cloudflare R2 (Eastern Europe region).

  • Images are stored in a public object storage bucket
  • Images are accessible via direct URL
  • Images are not indexed or listed publicly by Gather
  • Anyone with the event link may load associated images

Users should not upload sensitive personal documents or confidential materials.

5. Email Communications

We use Resend (Ireland, eu-west-1) to send:

  • Account verification emails
  • Event notifications
  • RSVP confirmations
  • Service-related communications

Resend processes recipient email addresses and message content solely to deliver emails.

6. Analytics

We use self-hosted Plausible Analytics.

  • Hosted on our own infrastructure
  • No advertising tracking
  • No cross-site tracking
  • No third-party analytics networks
  • No persistent tracking cookies for marketing

We collect aggregated metrics such as page views, referrers, device type, and country (derived from IP, not permanently stored).

Analytics data does not identify individuals.

7. Session & Technical Data

We use:

  • Redis for session storage
  • Secure HTTP-only cookies for authentication
  • Server logs for security and abuse prevention

Session cookies are strictly necessary for the Service to function.

8. Legal Basis for Processing (GDPR)

We process personal data under:

  • Performance of a contract — to provide event and RSVP functionality
  • Legitimate interests — security, abuse prevention, service improvement
  • Legal obligations — where applicable

9. Data Sharing

We do not sell personal data.

We share data only with necessary infrastructure providers:

  • Hetzner (Germany — hosting)
  • Cloudflare R2 (Eastern Europe — image storage)
  • Resend (Ireland — email delivery)
  • geoify.com (location query processing)
  • Self-hosted Plausible (analytics)

All providers operate under GDPR-compliant obligations.

10. Public vs Private Data

Publicly Accessible:

  • Event details (via shared link)
  • Uploaded event images

Private (Host-Only):

  • Guest RSVP responses
  • Guest email addresses
  • Optional RSVP form fields

Gather does not guarantee private access beyond link-based sharing controls. Hosts are responsible for sharing links appropriately.

11. Data Retention

We retain personal data:

  • While the account remains active
  • Until events are deleted
  • For reasonable backup periods
  • As required by law

You may request deletion of your account and associated data at any time.

12. Your GDPR Rights

If you are located in the EEA, you may:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion
  • Restrict processing
  • Request portability
  • Object to processing

Contact: [email protected]

13. Security

We implement:

  • HTTPS encryption
  • Secure session management
  • Access control restrictions
  • Infrastructure firewalls
  • Internal access limitations

However, no system is fully secure.

14. Children's Privacy

Gather is not directed to children under 13.

If you believe a child has submitted personal data unlawfully, please contact us.

15. Changes to This Policy

We may update this Privacy Policy periodically.

Material updates will be communicated via the Service.

16. Contact

For questions about this Privacy Policy:

[email protected]