Legal · Privacy

Privacy Policy

How Egio handles your data — accounts, invitations, RSVPs, cloud storage, and marketing tools.

Last updated July 17, 2026

Introduction

Welcome to Egio (“we”, “us”, or “our”). We provide a platform to create, customize, and share digital wedding invitations online (the “Service”).

This Privacy Policy explains what personal and sensitive information we collect, how we use it, where it is stored, who we share it with, and what choices you have. By using Egio, you agree to the practices described here and to our Terms of Service.

Last updated: July 17, 2026

Data Controller & Processor Roles

For the purposes of applicable data protection laws, Egio acts as the data controller for customer account information — including registration details, billing-related records (where applicable), profile settings, and platform usage tied to your account.

Egio generally acts as a data processor for RSVP and guest information submitted through invitation pages, processing that data on behalf of the invitation owner (the couple or event organizer) who decides what guest data to collect and how to use it.

If you are a wedding guest submitting an RSVP, please contact the invitation owner directly for questions about how they use your information. You may also contact us if you need help reaching the relevant account holder.

Information We Collect

Account holders (couples / customers)

  • Email address, password (hashed — we never store plain-text passwords), and optional full name
  • Profile data such as credit/token balance and account creation date
  • Authentication data when you sign in with email/password or third-party providers (e.g. Google OAuth via Supabase)

Invitation content you create

  • Names of the couple and family members (bride, groom, parents)
  • Wedding date, ceremony schedule, venue name, address, and GPS / map links
  • Photos you upload (cover image, gallery, QR gift codes, custom design assets)
  • Contact details you choose to display (phone numbers, social handles)
  • Custom design data (template layout, colors, text, widgets such as RSVP and countdown)

Wedding guests (RSVP submissions)

  • Guest name, attendance status, number of guests, and optional wishes/message
  • Email or phone if you or the guest provide them in the future (currently optional fields in our schema)

Technical, security & usage data

  • Invitation view counts and page visit analytics
  • IP addresses, device identifiers, browser type, operating system, and request logs processed by our hosting provider
  • Session cookies and authentication tokens required to keep you logged in
  • Advertising and marketing identifiers (e.g. cookies, pixels, or similar technologies) when we run ads or when you interact with our content on third-party platforms

We may retain IP addresses, device identifiers, and security logs for fraud prevention, abuse detection, investigation of unauthorized access, enforcement of our Terms of Service, and compliance with applicable laws.

How We Use Your Information

  • Provide, operate, and improve the invitation builder and live invitation pages
  • Host and display your invitation at a unique link (e.g. /i/your-slug)
  • Process and store RSVP responses on behalf of invitation owners
  • Authenticate users and protect accounts from unauthorized access
  • Manage credits/tokens, templates, and admin features
  • Monitor performance, prevent abuse, investigate fraud, and maintain security (including review of IP and security logs)
  • Measure marketing performance and improve our reach (where advertising tools are enabled)
  • Respond to support requests, copyright complaints, and legal obligations
  • Enforce our Terms of Service, including removal of illegal, abusive, or infringing content

Where Your Data Is Stored (Infrastructure)

Egio uses trusted third-party infrastructure providers. Data may be processed in the United States, Singapore, or other regions where these providers operate data centers.

Supabase (Database & Authentication)

Account credentials, user profiles, invitation records, RSVP/guest entries, custom templates, and structured invitation JSON data are stored in a PostgreSQL database managed by Supabase. Supabase Auth handles login sessions, password hashing, and OAuth sign-in.

Cloudflare (Hosting, CDN & Object Storage)

Our website and API run on Cloudflare Workers (edge hosting). Uploaded images and assets (photos, backgrounds, icons, generated files) are stored in Cloudflare R2 object storage and served through Cloudflare’s global network. See Cloudflare’s Privacy Policy.

Google Fonts

When you preview or publish invitations that use certain fonts, your browser may load font files from Google Fonts. Google may receive your IP address as part of that request. See Google’s Privacy Policy.

Third-Party APIs & Creative Tools

To power design workflows and platform features — such as image processing, template rendering, automated layout tools, and optional AI-assisted creative features — we may connect to trusted third-party APIs and cloud services. When you use these features, relevant inputs (such as text prompts or images you provide) may be processed by those providers solely to deliver the requested result. We do not disclose our internal vendor list publicly, but we choose providers with appropriate security and data-handling standards.

AI disclaimer: AI-generated results may contain inaccuracies, unexpected outputs, or content that does not match your intent. You are responsible for reviewing all generated content before publishing or sharing it publicly.

Photo & AI features: Uploaded photos may be temporarily processed by AI services solely to generate the requested result (e.g. image enhancement, background removal, or AI Photo Booth effects). Egio does not use your uploads to train public AI models. Processing is limited to delivering the feature you requested.

Advertising, Analytics & Social Media

We may use advertising and analytics tools to promote Egio, understand how visitors find us, and measure campaign performance. These tools may collect or receive information such as your IP address, device type, browser, pages visited, and interactions with our ads or website.

Platforms we may use (now or in the future)

  • Google Ads — to show Egio promotions on Google Search, YouTube, and partner sites. See Google’s Privacy Policy.
  • Google AdSense — if we display ads on our blog or content pages, Google and its partners may use cookies to serve personalized or non-personalized ads based on your visits to our site and other sites. See How Google uses data in advertising.
  • Meta (Facebook & Instagram) — for social advertising and conversion measurement. See Meta’s Privacy Policy.
  • TikTok — for advertising and audience insights. See TikTok’s Privacy Policy.
  • Other social media & ad networks — we may use additional platforms (e.g. Pinterest, X/Twitter, LinkedIn, or regional ad partners) under similar privacy terms.

Your choices

  • You can manage ad personalization via your Google Account ad settings, Meta Ad Preferences, and TikTok settings
  • You can use browser controls or industry opt-out tools to limit certain tracking cookies
  • Where required by law, we will request consent before placing non-essential advertising cookies

Note: Wedding invitation pages created by our customers (/i/…) are separate from our marketing/blog pages. Third-party ads on Egio-owned pages (such as a future blog) do not change the privacy of your invitation content unless you visit those pages separately.

User Content & Copyright

You retain ownership of the content you upload or create on Egio. However, you are solely responsible for ensuring you have the rights to upload and publish photographs, music, logos, artwork, fonts, trademarks, and any other materials included in your invitations.

You may not upload content that infringes the intellectual property, privacy, or other rights of third parties — including copyrighted characters, celebrity images, brand logos, or licensed music — unless you have obtained proper permission or a valid license.

Copyright complaints (DMCA / content removal)

If you believe your copyrighted material has been used on Egio without permission, please contact us with: (1) identification of the copyrighted work, (2) the URL or location of the infringing content, (3) your contact information, and (4) a statement of good-faith belief that the use is unauthorized. We will review valid notices and may remove or restrict access to reported content in accordance with applicable law.

Prohibited Content & Enforcement

We may remove, suspend, or restrict invitations and accounts that contain illegal, fraudulent, defamatory, hateful, violent, sexually explicit, gambling-related, phishing, spam, infringing, or otherwise prohibited content — without prior notice where necessary to protect users, guests, and the platform.

We may disclose information — including IP addresses, account details, and activity logs — when we reasonably believe it is necessary to investigate fraud, abuse, illegal activities, copyright infringement, or threats to the safety of any person, or when required by law enforcement, courts, or regulatory authorities.

Examples of prohibited use include scam invitations, unauthorized gambling promotions, adult content, malware distribution, impersonation, and harassment.

Payments & Billing

If you purchase credits, subscriptions, or premium features, payment processing may be handled by a third-party payment provider such as Stripe.

  • Payment information (such as card details) is processed directly by the payment provider. Egio does not store your complete payment card information on our servers.
  • We may receive limited billing metadata from the payment provider — such as transaction status, amount, currency, and the last four digits of a card — to manage your account and provide support.
  • Stripe’s handling of payment data is governed by Stripe’s Privacy Policy.

This section applies when paid features are enabled. Free features may not require payment processing.

Public Invitation Links & Guest Data

When you publish an invitation, anyone with the link can view the content you included (names, photos, venue, schedule, etc.). Please do not publish information you are not comfortable sharing publicly.

RSVP forms collect guest responses on your behalf. Invitation owners can access guest names, attendance choices, guest counts, and messages through the platform. Guests should only submit information they agree to share with the couple.

How We Share Information

We do not sell your personal data. We may share information only in these situations:

  • Service providers — Supabase, Cloudflare, payment processors (e.g. Stripe), advertising/analytics partners, and other vendors that help us run the Service (under contractual obligations)
  • Legal requirements & law enforcement — when required by law, court order, subpoena, or regulatory request; or when we reasonably believe disclosure is necessary to investigate fraud, abuse, illegal activity, or threats to safety
  • Business transfers — in connection with a merger, acquisition, or asset sale (you would be notified where required)
  • With your direction — when you explicitly choose to share an invitation link or content publicly

Data Retention & Deletion

We retain data for as long as your account and invitations remain active, or as needed to provide the Service and comply with legal obligations.

  • When an invitation is deleted by an administrator, associated database records and uploaded assets (images, gallery files) are removed from our active systems, including Cloudflare R2 storage where applicable.
  • RSVP/guest records linked to an invitation are deleted when that invitation is deleted (cascade).
  • Account deletion requests can be sent to us — we will delete or anonymize personal data unless we must retain it for legal reasons.
  • Backups: Deleted data may remain in encrypted backups maintained by our infrastructure providers (e.g. Supabase, Cloudflare) for a limited period before being permanently removed, consistent with their backup and disaster-recovery practices.
  • We may retain certain logs (including IP addresses and security records) for a longer period where required for fraud prevention, abuse investigation, or legal compliance.

Security

We implement reasonable technical and organizational measures to protect your data, including:

  • Encrypted connections (HTTPS) for data in transit
  • Hashed passwords via Supabase Auth (we never see your plain password)
  • Row Level Security (RLS) policies on database tables to restrict access by account ownership and admin roles
  • Client-side image resizing before upload to reduce unnecessary data transfer
  • Access controls for administrative functions

No method of transmission or storage is 100% secure. Please use a strong password and keep your login credentials confidential.

Cookies & Local Storage

We use cookies and similar technologies to:

  • Keep you signed in (authentication session cookies via Supabase)
  • Remember editor preferences and locally saved drafts in your browser (e.g. template editor scene data in localStorage)
  • Maintain basic site functionality and security
  • Measure site traffic, marketing campaigns, and — where enabled — display or personalize advertisements (including Google AdSense on blog/content pages)

Some cookies are set by third-party advertising and analytics partners (Google, Meta, TikTok, etc.) when those services are active. See the Advertising section above for more detail.

Cookie consent: Where required by law (including GDPR and similar regulations), we will display a cookie consent banner before placing non-essential analytics or advertising cookies. Essential cookies required for login and security may still be used without consent.

You can control cookies through your browser settings. Disabling cookies may limit login, ads personalization, and certain features.

Your Rights & Choices

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate information in your account or invitation
  • Request deletion of your account or specific data
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with a data protection authority

Users in Indonesia may have additional rights under applicable personal data protection laws (including UU PDP). To exercise your rights, contact us using the details below.

Children’s Privacy

Egio is not directed at children under 13, or under 16 where a higher minimum age is required by local law (such as in certain EU/EEA jurisdictions under GDPR). We do not knowingly collect personal information from children below the applicable minimum age. If you believe a child has provided us personal data, please contact us and we will take steps to delete it.

International Data Transfers

Because we use global cloud providers (Supabase, Cloudflare, Google), your information may be transferred to and processed in countries other than your own. We rely on our providers’ compliance frameworks and contractual safeguards where applicable.

Service Availability

While we take reasonable measures to protect, maintain, and improve the Service, we cannot guarantee uninterrupted availability. Outages or delays may occur due to circumstances beyond our control — including failures or maintenance at third-party providers such as Cloudflare, Supabase, Google, Stripe, or other infrastructure partners. We are not liable for temporary unavailability caused by such events, but we will work to restore service as quickly as reasonably possible.

Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top will reflect the latest version. Material changes may be announced on our website. Continued use of the Service after changes means you accept the updated policy.

Contact Us

If you have questions about this Privacy Policy, copyright complaints, or wish to make a data request, contact us at:

Egio — Privacy
Email: nongrei.prompt@gmail.com

As Egio grows, we may publish a dedicated privacy inbox (e.g. privacy@egio.cc (coming soon)). Until then, the address above is our official contact for privacy and data-protection matters.

We aim to respond to privacy requests within a reasonable timeframe (typically within 30 days).