Privacy Policy

Last updated: 2026-06-01

This privacy policy is a draft pending review by qualified legal counsel. Items marked [PLACEHOLDER] must be completed with confirmed entity details before public launch.

1. Who We Are

Joyfully Invited is operated by OpStudio ("we", "us", "our"), the data controller responsible for the personal data described in this policy.

  • Legal entity and form: OpStudio BV
  • Registered address: Schaliënhofstraat 50, 1980 Zemst, Belgium
  • Enterprise number (KBO/BCE): 1010.204.916, VAT: BE 1010.204.916
  • Country of establishment: Belgium
  • Contact: hello@joyfullyinvited.com or the contact form

We are established in Belgium. Our lead supervisory authority is the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données).

2. Scope And Our Role

This policy covers personal data we process through the Joyfully Invited service: host accounts, event configuration, payments, the guest camera flow, bingo, guest notes, live event surfaces, and public albums.

We act as an independent data controller for this data. A host who creates an event for a private occasion (for example a wedding, birthday, or family gathering) is acting in a personal or household capacity and is not a data controller in their own right. We determine the purposes and means of the processing involved in running the service.

Counsel note: For business or organisational hosts (for example a company event), the controller analysis may differ. Confirm whether OpStudio's controller responsibility extends to those hosts or whether a processor/DPA arrangement is needed for that segment.

Hosts have contractual responsibilities, described in our Terms of Service, including obtaining any consent required at their venue or event and using the service lawfully. Those are contractual duties and do not make the host a controller under this policy.

3. Data We Collect

We collect the data needed to operate the event camera and album flows:

  • Host account data from Clerk, such as email address and display name.
  • Payment and invoice data handled by Stripe, such as billing details and transaction metadata. We do not store full card numbers; Stripe processes card data.
  • Event configuration entered by the host, such as event name, dates, branding, bingo content, and retention or sharing settings.
  • Guest participation data, including guest display name, exposure count, bingo progress, guest notes, and uploaded photos. Guests may join without an account through an anonymous guest session.
  • Operational telemetry related to photo upload reliability, such as retry counts and upload failure events.

4. Purposes And Lawful Basis

We process personal data for the purposes below. The lawful basis is indicated for each; final basis wording is subject to legal review.

  • Authenticate hosts and guests (account data, guest session). Basis: contract, Art. 6(1)(b).
  • Process purchases and issue invoices (payment metadata). Basis: contract, plus legal obligation for tax and accounting, Art. 6(1)(b) and (c).
  • Operate the guest camera, exposure limits, bingo, notes, QR codes, thumbnails, and live surfaces (event config, guest participation). Basis: contract, Art. 6(1)(b).
  • Create and serve public albums and album emails (photos, notes, host email). Basis: contract, Art. 6(1)(b).
  • Troubleshoot upload reliability and keep the service stable (operational telemetry). Basis: legitimate interests in keeping the service reliable, Art. 6(1)(f).
  • Respond to support and handle refunds (account, payment, support correspondence). Basis: contract and legitimate interests, Art. 6(1)(b) and (f).
  • Comply with legal, tax, and accounting obligations (payment and invoice records). Basis: legal obligation, Art. 6(1)(c).

Photos and guest notes are content created by guests during an event. We process them to deliver the service the host purchased. We do not use event photos or notes to train models or for advertising.

5. Service Providers (Sub-processors)

We rely on third-party processors for core infrastructure. Each processes data only as needed to provide its service. Provider-specific data processing agreements, processing regions, and transfer mechanisms are being confirmed as part of our legal review and will be completed here before launch (see the note below).

  • Clerk: host authentication and sessions; processes account data. Configured for European Union (EU/EEA) data residency.
  • Stripe: payments and invoicing; processes payment and billing metadata. Configured for European Union (EU/EEA) data residency.
  • Resend: transactional and album email; processes email addresses and email content. Configured for European Union (EU/EEA) data residency.
  • Postgres hosting: application database; stores host accounts, event configuration, guest participation records, notes, and photo metadata (such as storage keys and image dimensions). It does not store the photo or thumbnail image files themselves. Provider: Railway. Region: European Union (EU/EEA).
  • S3-compatible object storage: stores the photo and thumbnail image files. Provider: Railway. Region: European Union (EU/EEA).

Counsel / engineering note: Confirm each provider's processing region and the applicable transfer mechanism (Standard Contractual Clauses or adequacy) before launch, and link each provider's DPA.

6. Photo And Note Sharing

Photos and notes are private to the host unless the host chooses to share a public album link. Public album links are tokenized. Anyone with the link may view the curated album until access expires or the host rotates the token. Hosts control curation, including hiding photos, choosing which notes appear, and approve-first moderation where enabled.

7. Retention

Event galleries use a standard 12-month access window unless extended by a paid or support-approved option. After the access window expires, the public album link no longer serves the album and the event may be marked archived. Hosts can still contact support about access, export, or deletion requests.

Photos that are reserved but never completed (orphaned uploads) are reaped by a scheduled sweep after about 10 minutes. The sweep refunds the guest's exposure and attempts to delete the storage object on a best-effort basis; if a deletion fails, the object is left for a later cleanup pass rather than retried immediately.

Deletion of stored event photos is currently a manual operation, available on request through support. Our object-storage lifecycle policy transitions event photo and thumbnail files to lower-cost cold storage after about 400 days and expires temporary export files after 30 days, but it does not by itself delete event photos. Operational telemetry is retained for troubleshooting and then cleaned up by scheduled jobs.

8. International Transfers

Where a sub-processor stores or processes data outside the EU/EEA, we rely on an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses or an adequacy decision. The specific mechanism for each provider is being confirmed as part of our legal review and will be listed in section 5 before launch.

9. Cookies And Local Storage

We use only strictly necessary cookies and local storage. We do not use analytics, advertising, or cross-site tracking cookies, so no cookie consent banner is required.

  • ji_guest_session: an essential, HTTP-only session cookie that identifies an anonymous guest and enforces their exposure quota.
  • Clerk session cookies: essential cookies that keep a host signed in.
  • IndexedDB upload recovery: essential client-side storage that lets a guest's photo uploads survive going offline or reloading the page.

If we ever introduce non-essential cookies or visitor analytics, we will update this policy and add a consent mechanism beforehand.

10. Your Rights

If you are in the EU or another region with data protection rights, you may request to:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • erase your data;
  • restrict or object to certain processing;
  • receive your data in a portable format.

To exercise any of these, email hello@joyfullyinvited.com or use the contact form. Because many guests participate anonymously, we may need additional information to locate your data or to verify your identity before acting on a request.

You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données).

11. Minors And Sensitive Events

Joyfully Invited is intended for hosts who are adults and for events where camera use is appropriate and permitted. Hosts are responsible for not using the service at events involving children or sensitive settings where doing so would be unlawful or against venue rules.

Counsel note: Confirm a minimum age for hosts and any restrictions for school/minor or otherwise sensitive events, and align this language with sales copy.

12. Security, Changes, And Contact

We take reasonable technical and organisational measures to protect personal data, and we work with established infrastructure providers. No online service can guarantee absolute security. If a personal data breach is likely to affect your rights, we will act in line with our legal obligations, including notifying the supervisory authority where required.

We may update this policy as the product and our legal review evolve. Material changes will be reflected by the "Last updated" date above.

For any privacy question, email hello@joyfullyinvited.com or use the contact form.