Legal

Privacy policy

Last updated:

This policy explains what personal data Plus + One collects, why we collect it, how we keep it safe, and the rights you have under the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") as supplemented by Cyprus Law 125(I)/2018 (and Greek Law 4624/2019 where applicable to Greek customers). We're upfront people — if anything below is unclear, email [email protected] and a real human will reply.

Who we are (the controller)

Plus + One operates the website plusone.events and the event microsites it produces. Plus + One is operated from Cyprus by an unincorporated founder; a Cyprus-registered legal entity will be formed as the business grows and these terms will be updated accordingly. The data controller for the personal data described in this policy is Plus + One. For any privacy question, write to [email protected].

We have not appointed a Data Protection Officer (DPO) — under Article 37 GDPR we are not required to. The privacy@ inbox is monitored daily and routed to whoever is best placed to answer.

When we process personal data on behalf of a client (i.e. guest data submitted to the client's microsite), the client is the controller and Plus + One acts as processor under the Data Processing Agreement at /legal/dpa.

What personal data we collect

We collect three categories of personal data, depending on how you interact with us:

Website visitors — anonymous analytics: pages viewed, referrer, approximate country (derived from IP, never stored in the clear), device class, locale preference, Core Web Vitals samples. We do not use third-party advertising trackers or browser fingerprinting.

Clients (couples / hosts who book a microsite) — your full name, email, phone, billing address (for invoices), event details (date, venue, tier chosen, decisions captured during onboarding), payment-method reference (we never store card numbers — invoices are settled by bank transfer, Revolut, or in-person), correspondence you send us, audit-log entries of admin actions performed on your event.

Guests of an event — anything they submit on the microsite RSVP form: name, email, phone (optional), attendance, plus-ones with their names if provided, dietary requirements, song requests, free-text answers to custom questions, photos uploaded to the gallery, guestbook messages, IP address (kept 90 days for abuse prevention).

We do NOT collect special-category data (Article 9 GDPR — health, religion, etc.) unless a guest voluntarily provides it (e.g. a dietary preference revealing a religious observance). Such information is processed solely to fulfil the catering / hospitality purpose for which it was given.

Why we collect it (lawful basis)

Performance of a contract (Art. 6(1)(b) GDPR) — we need your contact details and event details to build and operate the microsite you've ordered.

Legitimate interests (Art. 6(1)(f)) — keeping the platform secure, preventing fraud and abuse, basic site analytics that don't identify individuals, responding to support enquiries.

Legal obligation (Art. 6(1)(c)) — invoicing and accounting records, retained for the period required by applicable Cyprus tax and accounting law (currently up to 6 years under the Assessment and Collection of Taxes Law 4/1978 as amended).

Consent (Art. 6(1)(a)) — for optional analytics cookies and any direct-marketing email (you have to opt in; you can opt out at any time without affecting any other processing).

Marketing communications

We do not send unsolicited marketing email. If we ever launch a newsletter, joining will be opt-in only, and every message will carry a one-click unsubscribe link that takes effect immediately.

Transactional messages (invoice receipts, password-reset emails, event-day reminders configured by your hosts) are not marketing and are sent on the basis of contract performance.

Automated decision-making

We do not carry out automated decision-making or profiling within the meaning of Article 22 GDPR. No part of our service produces legal or similarly significant effects on individuals based on a purely automated assessment.

Children's data

Our services target adults organising events. We do not knowingly collect personal data from children under 16. If a host enters guest information about a child (e.g. for a christening RSVP), the host is the controller of that information and is responsible for the lawful basis. If you believe we hold data about a child without an appropriate basis, email [email protected] and we will erase it.

How long we keep it

Microsite data (your event content, photos, RSVPs, guestbook) — for the lifetime of the package you selected (12 months on Keepsake, 24 months on Signature, indefinite hosted archive on Heirloom while the service operates). After that we send a 30-day notice and delete or export on request.

Invoicing and accounting records — up to 6 years from issue, as required by Cyprus tax and accounting law.

Lead-form / contact-form messages — 24 months unless you've become a customer, in which case they fold into your client record.

Server logs and security events — 90 days.

Backups — encrypted point-in-time backups are retained for 30 days, after which they are overwritten.

Who we share it with (sub-processors)

We use carefully chosen sub-processors, each of whom has signed a GDPR Article 28 data-processing agreement with us. We do not sell, rent, or otherwise commercialise personal data.

Current sub-processor list: Vercel Inc. (US, Frankfurt fra1 region — application hosting + analytics — SCCs in place), Neon Inc. (Postgres database, EU region target), Novu Inc. (US — notification orchestration + transactional email — SCCs in place), Cloudflare Inc. (R2 photo / file storage, EU jurisdiction; CDN), Sentry (error monitoring, EU), Inngest (background jobs, EU). The full live list with the exact purposes and locations is the annex of /legal/dpa.

International transfers

Where data leaves the European Economic Area (Vercel is US-headquartered), we rely on the EU-US Data Privacy Framework or the European Commission's Standard Contractual Clauses (SCCs, 2021/914), supplemented by technical measures (TLS 1.2+ in transit, AES-256 at rest, strict access scoping). Copies of the SCCs are available on request.

Your rights

Under Articles 15–22 GDPR you have the right to: (a) access the personal data we hold about you; (b) have inaccurate data corrected; (c) have your data erased; (d) restrict our processing of it; (e) receive a portable machine-readable copy; (f) object to processing based on legitimate interests; and (g) withdraw any consent you previously gave (Art. 7(3)) — withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email [email protected]. We will respond within 30 days (Art. 12(3)). For complex requests we may extend by a further two months and we will tell you why. We may ask for proof of identity before acting on a request — typically a reply from the email address on file is sufficient.

Clients can also export and delete their data self-serve from the dashboard at app.plusone.events/account/privacy. Guests should ask the host who invited them — the host is the controller of the guest list — and we will assist the host with technical fulfilment.

Complaints to a supervisory authority

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). Plus + One's lead supervisory authority is the Cypriot Commissioner for Personal Data Protection. We would appreciate the chance to address concerns directly first, but the choice is yours and you may also complain to the authority of your country of residence.

Cyprus (lead authority) — Office of the Commissioner for Personal Data Protection. Address: 1 Iasonos Street, 2nd floor, 1082 Nicosia. Phone: +357 22 818 456. Web: www.dataprotection.gov.cy.

Greece — Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα). Address: Kifisias Avenue 1-3, 11523 Athens. Phone: +30 210 6475600. Web: www.dpa.gr.

Security

We implement the technical and organisational measures required by Article 32 GDPR. Highlights: TLS 1.2+ encryption in transit, AES-256 at rest, strict Content-Security-Policy with no third-party scripts beyond named integrations, per-event data scoping enforced at the data layer, daily encrypted point-in-time backups, production write-access limited to a small named team using SSO + hardware-token MFA. We disclose security incidents to affected clients without undue delay (within 72 hours of awareness).

Updates to this policy

We update this policy when something material changes. The last-updated date at the top reflects the current version. Substantive changes affecting existing customers will be emailed at least 30 days before they take effect.