Privacy Policy
Last updated: 22 April 2026
One Touch Invite ("we", "us", "our") respects your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use it, and the choices you have. It applies to onetouchinvite.com and all subdomains used to host customer invites.
1. Who is the data controller?
One Touch Invite is the controller of personal data collected through the Service. For Customer Content uploaded by buyers (couple photos, names, guest lists), the buyer is the controller and we act as the data processor.
2. Information we collect
We collect three categories of data:
a) Account information
- Name, email address, password (hashed using bcrypt) when you register.
- Google profile data (name, email, profile picture) if you sign in with Google.
b) Order and invite data
- Razorpay payment identifiers (order ID, payment ID, signature). We do not store full card numbers, CVVs, UPI PINs, or net-banking credentials — these are handled entirely by Razorpay.
- Customer Content you upload to your invite: couple names, dates, venue, photos, background music, RSVP form fields.
- RSVP responses submitted by your guests through the published invite.
c) Technical & usage data
- IP address, browser type, device type, referrer, pages viewed, time of visit.
- Aggregated invite analytics (page views, RSVP counts) shown to the buyer in their dashboard.
- Cookies for authentication sessions and (if enabled) basic, privacy-friendly analytics.
3. How we use your data
- To create and manage your account, and authenticate sessions.
- To process your purchase, deliver the invite, and provide hosting.
- To send transactional emails: order confirmation, publish notification, RSVP alerts.
- To respond to support requests.
- To detect, prevent, and respond to fraud, abuse, and security incidents.
- To comply with legal obligations (e.g., tax, accounting, court orders).
We do not sell your personal data to advertisers, and we do not use your Customer Content for any purpose other than operating the Service.
4. Legal bases (DPDP Act 2023 / GDPR)
- Contractual necessity — to deliver the invite you purchased.
- Consent — for optional marketing emails (you can withdraw consent at any time via the unsubscribe link).
- Legitimate interest — for security monitoring, fraud prevention, and improving the Service.
- Legal obligation — for tax records, GST invoicing, and lawful requests from authorities.
5. Sub-processors we use
We rely on the following trusted vendors to operate the Service. Each has its own privacy policy and security commitments:
- Razorpay — payment processing (India).
- Supabase — managed PostgreSQL database.
- Vercel — hosting for the marketing site and templates.
- Railway — hosting for the API server.
- Cloudinary — image and audio CDN for uploaded media.
- Google — OAuth login (only if you sign in with Google).
- Resend / SendGrid — transactional email delivery.
6. Data retention
- Account data — kept while your account is active and for 24 months after deletion (for fraud prevention and legal records).
- Invite content — kept while the invite is published and hosted. Removed within 30 days of you closing the invite or your hosting expiring.
- Payment records — retained for 8 years to comply with Indian tax law.
- RSVP responses — kept until the buyer deletes them or the invite is taken down.
7. Your rights
Subject to Indian and applicable foreign data-protection law, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated data.
- Export your invite content and RSVP data (CSV).
- Withdraw consent for marketing communications.
- Lodge a complaint with the Data Protection Board of India or your local regulator.
To exercise any of these rights, email hello@onetouchinvite.com. We will respond within 30 days.
8. Security
We use industry-standard measures to protect your data: TLS encryption in transit, hashed passwords (bcrypt), JWT-based authentication, signed payment webhooks, and access controls on our infrastructure. No system is 100% secure — please use a strong, unique password and notify us immediately at the email above if you suspect unauthorised access.
9. International data transfers
Some of our sub-processors (Vercel, Cloudinary, Resend, Google) store data outside India. By using the Service, you acknowledge and consent to your personal data being transferred to and processed in jurisdictions that may have different data-protection rules from your own. Where required by law, we rely on standard contractual clauses or equivalent safeguards offered by these providers.
10. GDPR & UK-GDPR (international users)
If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with comparable data-protection law, you have the following rights in addition to those in §7 above:
- Right of access to your data
- Right to rectification
- Right to erasure ("right to be forgotten") subject to lawful retention obligations
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent at any time
- Right to lodge a complaint with your local supervisory authority
We process personal data on the following legal bases under GDPR / UK-GDPR: contractual necessity (to deliver your purchase), legal obligation (tax, fraud, dispute handling), and legitimate interest (security monitoring and service improvement).
11. Children's privacy
The Service is not directed to anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
12. Cookies
We use a small number of essential cookies for authentication and session management. We do not use advertising or tracking cookies. If we add analytics in future, we will use a privacy-friendly provider (e.g., Plausible) with no cross-site tracking.
13. Changes to this Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the latest revision. Material changes will be communicated by email or a prominent notice on the site.
14. Contact
Operated by: [Registered legal entity name]
Email: hello@onetouchinvite.com
Registered address: [Registered business address]
Grievance Officer (per IT Rules 2021): [Officer name and email]