Your data,
clearly explained.

1. Who We Are and How to Contact Us

Invitrr Inc. ("Invitrr", "we", "our", "us") operates the Invitrr mobile

application and related services (collectively, the "Service"). We are

the data controller for personal information collected through the

Service.

• Privacy inquiries: privacy@invitrr.com

• General support: support@invitrr.com

• Legal: legal@invitrr.com

• Safety: safety@invitrr.com

• Website: https://invitrr.com

2. Scope and Acceptance

This Privacy Policy applies to all users of the Invitrr mobile

application, website, and related services globally. By using the

Service, you acknowledge that you have read, understood, and agreed to

the data practices described here.

If you are located in the European Economic Area (EEA), United Kingdom,

Canada, or California, additional rights and provisions apply to you as

described in Section 11.

3. What We Collect and Why

We collect information in three ways: information you give us directly,

information generated when you use the Service, and information we

receive from third parties. Below is a complete and transparent account

of everything we collect.

3.1 Account and Profile Information

Purpose: to create and maintain your account, verify your identity, and

enable others to find and connect with you.

• First and last name

• Email address

• Date of birth (used to verify you are 18 or older; your exact age is

visible to other users if you choose)

• Phone number (optional; used for SMS OTP verification and emergency

features)

• Profile photos (displayed to other users on the platform)

• Biography, city, interests, vibe preferences, and event preferences

• Role preference (host, attendee, or both)

• Legal basis: contract performance and legitimate interests

3.2 Verification Data

Purpose: to confirm you are a real person and reduce fraud and

impersonation on the platform.

• Selfie photos submitted during the optional identity verification

process

• Your selfie is compared to your profile photo using automated facial

analysis technology (AWS Rekognition)

• Verification selfies are retained for 14 days after the verification

decision, then permanently deleted

• A verified badge is displayed on your profile if you pass

verification

• Verification is not a background check and does not guarantee user

safety

• Legal basis: legitimate interests (platform safety and trust)

3.3 Behavioral and Usage Data

Purpose: to personalize your experience, improve the Service, and

operate our recommendation algorithms. This is one of the most important

categories of data we collect. We are being fully transparent about it

here.

• Every event card you view, like, pass, or request

• How long you spend viewing each event card (dwell time)

• Which features you use and how often

• Filters and preferences you apply when browsing

• Events you create, attend, cancel, or rate

• Join requests you send, receive, accept, or decline

• Messages you send (metadata: timestamp, conversation ID; not content

unless flagged for safety review)

• App open times, session duration, and session frequency

• Screens you visit and navigation patterns

• Legal basis: legitimate interests (personalization and product

improvement) and, where required, consent

3.4 Device and Technical Information

Purpose: to ensure the app functions correctly, diagnose issues, and

protect account security.

• Device model, manufacturer, and operating system version

• App version

• Unique device identifiers (used for push notifications and session

management)

• IP address (used for rate limiting, fraud detection, and approximate

country detection)

• Push notification token (used solely to send you notifications you

have requested)

• Crash reports and error logs (including device state at time of

crash)

• Legal basis: legitimate interests (security, reliability, fraud

prevention)

3.5 Location Data

Purpose: to show you events near you and calculate approximate

distances.

• City-level location: entered manually by you in your profile

• Approximate location: if you grant location permission, we use your

approximate location while the app is open to improve event

discovery relevance

• We do not collect or track your precise GPS location in the

background

• We do not share your location with other users beyond the city level

• You can revoke location permission at any time in your device

settings

• Legal basis: consent (you explicitly grant location permission)

3.6 Safety Feature Data

Purpose: to operate safety features and protect users in distress.

• Emergency contact names and phone numbers (stored securely; never

used for marketing)

• Bailout activation timestamps (logged on your account for your

reference)

• Safety-related reports you submit about other users

• Your Bailout PIN is stored only on your device in encrypted local

storage (iOS Keychain) and is never transmitted to or stored on

Invitrr servers

• Legal basis: vital interests and legitimate interests (user safety)

3.7 Payment and Subscription Data

Purpose: to manage your subscription and verify entitlements.

• Subscription status (active, expired, trial)

• Subscription tier and renewal date

• Purchase confirmation records from the Apple App Store

• Invitrr does not collect, store, or process payment card numbers.

All payment processing is handled by Apple.

• Legal basis: contract performance

3.8 Communications

Purpose: to respond to your requests and improve support.

• Messages you send to our support, safety, or legal teams

• Feedback and reports you submit

• Legal basis: legitimate interests (customer service)

4. How Our Algorithms Work

We are committed to full transparency about our use of automated

systems. This section explains exactly how algorithms affect your

experience on Invitrr.

4.1 The Discovery Feed Algorithm

When you open your discovery feed, you do not see events in random

order. Invitrr uses a proprietary ranking algorithm to determine which

events appear first. Here is exactly what it considers:

• Vibe match: how closely an event's described atmosphere matches your

saved vibe preferences

• Category match: whether the event type matches the types of events

you have expressed interest in

• Proximity: estimated distance between the event location and your

city or approximate location

• Host quality signals: whether the host is verified and has an

active, engaged profile

• Event freshness: events happening sooner appear higher in your feed

• Your past behavior: events similar to ones you previously liked or

requested rank higher; events similar to ones you passed on rank

lower

• Diversity: the algorithm intentionally varies event categories so

your feed does not become an echo chamber

• Serendipity: a small percentage of events that score lower on your

preferences are intentionally surfaced to help you discover new

things

The algorithm updates in real time as you interact with the feed. The

more you use the app, the more personalized your feed becomes.

You can reset your feed preferences at any time in Settings. This will

cause the algorithm to treat you as a new user and stop using your

behavioral history for ranking.

4.2 What the Algorithm Does Not Do

• It does not make decisions about your eligibility for services,

credit, employment, or any legally significant matter

• It does not use your race, religion, sexual orientation, or other

protected characteristics as ranking signals

• It does not permanently suppress your profile or events from all

users based on a single interaction

• It is not used to set prices or determine subscription eligibility

4.3 Identity Verification (Automated Face Detection)

When you submit a selfie for identity verification, it is analyzed by

AWS Rekognition, Amazon's automated facial analysis service. The system

compares your selfie to your profile photo to assess whether they appear

to be the same person.

• This is an automated process that produces a confidence score

• Invitrr staff may review borderline cases

• If you are declined verification, you may appeal by contacting

safety@invitrr.com

• Verification does not involve biometric identification — it is a

similarity comparison only

• Selfie data is sent to AWS for processing and deleted from their

systems after analysis

4.4 Safety and Moderation Systems

Invitrr uses automated systems to detect potential policy violations,

including:

• Text content that may violate Community Guidelines (flagged for

human review)

• Behavioral patterns associated with spam, fraud, or harassment

• Profile photos that may contain prohibited content

Automated flags result in human review, not automatic punitive action,

except in cases of clear and severe violations (such as child sexual

abuse material, which triggers immediate account removal and legal

reporting).

4.5 Your Rights Regarding Automated Processing

Under GDPR Article 22, you have the right not to be subject to decisions

based solely on automated processing that produce significant legal or

similarly significant effects. Invitrr's algorithmic ranking does not

produce such effects. However:

• You can request a human review of any account action taken against

you

• You can reset your behavioral profile at any time in Settings

• You can contact privacy@invitrr.com to request information about how

automated systems have processed your data

5. How We Use Your Information

5.1 To Operate the Service

• Create, maintain, and secure your account

• Enable event discovery, hosting, and attendance

• Facilitate in-app messaging between confirmed participants

• Deliver push notifications you have requested

• Process subscription purchases and manage entitlements

• Operate safety features including Bailout and emergency contacts

5.2 To Personalize Your Experience

• Rank your discovery feed using the algorithm described in Section 4

• Remember your filter preferences and settings

• Surface events we believe will be relevant to you based on your

history

• Adjust notification frequency and type based on your engagement

5.3 To Improve the Service

• Analyze aggregate usage patterns to understand how features are used

• Identify bugs, errors, and performance issues

• Test new features and measure their effectiveness

• Train and improve our recommendation and safety algorithms using

anonymized or aggregated data

• Conduct research and analysis to develop new features

5.4 To Protect the Platform and Users

• Detect and prevent fraud, spam, impersonation, and abuse

• Enforce our Terms of Service and Community Guidelines

• Investigate safety reports and conduct moderation reviews

• Cooperate with law enforcement requests where legally required

5.5 To Communicate With You

• Send transactional messages: OTP codes, account confirmations,

security alerts

• Send activity notifications: join requests, acceptances, event

reminders

• Send product updates about new features (you can opt out in

Settings)

• Respond to your support and legal inquiries

5.6 For Business Purposes

Invitrr may use aggregated, anonymized, and de-identified data derived

from platform activity for:

• Internal business analytics and reporting

• Industry research and trend analysis

• Demonstrating platform growth and engagement to investors

• Developing new products and services

Aggregated or de-identified data is not personal data and cannot be used

to identify you individually.

6. Data Sharing

6.1 We Do Not Sell Your Personal Data

Invitrr does not sell, rent, or trade your personal information to

advertisers, data brokers, or any third party for their independent use.

The Service does not display third-party advertisements.

6.2 Service Providers (Data Processors)

We share limited personal data with trusted service providers who

process it on our behalf, under strict data processing agreements that

prohibit them from using your data for any purpose other than providing

services to us:

• Cloudflare R2 — media and photo storage (Cloudflare, Inc., USA)

• Railway — API server and database hosting infrastructure

• Amazon Web Services (Rekognition) — automated facial analysis for

identity verification (AWS, USA)

• Resend — transactional email delivery for OTP codes and account

notifications

• Twilio — SMS delivery for OTP codes to US phone numbers

• Apple APNs — push notification delivery infrastructure

• Redis/Upstash — caching and real-time session infrastructure

• BullMQ/Redis — background job processing

6.3 Public Information

Information you choose to make public on your profile — including your

first name, profile photos, bio, city, and event listings — is visible

to other Invitrr users. Exercise care about what personal information

you include in public-facing fields.

6.4 Legal Disclosure

We may disclose personal information when required by law, legal

process, court order, or government authority, or when we reasonably

believe disclosure is necessary to: protect the rights, safety, or

property of Invitrr, our users, or the public; enforce our Terms; or

prevent fraud or illegal activity.

6.5 Business Transfers

In the event of a merger, acquisition, financing, reorganization, or

sale of assets, your data may be transferred as part of the transaction.

We will notify you via email and in-app notice at least 30 days before

any such transfer and require the acquiring party to honor the terms of

this Privacy Policy or provide you with notice of any material changes.

7. Data Retention

We retain personal data for as long as necessary to provide the Service,

comply with legal obligations, resolve disputes, and enforce our

agreements. Specific retention periods:

• Active account data: retained while your account is active

• Behavioral and analytics data: 12 months from collection, then

permanently deleted or anonymized

• Crash reports: 90 days

• Verification selfies: 14 days after the verification decision, then

permanently deleted

• Messages: retained while both parties' accounts are active; deleted

when either account is deleted

• Emergency contact data: deleted when you remove it or delete your

account

• Deleted account data: all personal data permanently erased within 30

days of account deletion

• Encrypted backup copies: may persist for up to 7 additional days

before being overwritten

• Legal hold: data subject to a legal hold or law enforcement request

may be retained beyond standard periods

8. Your Rights and Controls

8.1 In-App Controls

• Settings → Privacy: control who can send you requests and messages

• Settings → Notifications: manage all notification preferences

• Settings → Account → Clear Cache: remove locally cached data from

your device

• Settings → Account → Delete Account: permanently delete your account

and all associated data

• Settings → Feed: reset your behavioral profile to stop using your

history for personalization

8.2 Rights Under GDPR (EEA and UK Users)

• Right of access: request a copy of all personal data we hold about

you

• Right to rectification: correct inaccurate or incomplete data

• Right to erasure (right to be forgotten): request deletion of your

data, subject to legal retention obligations

• Right to restriction of processing: request we limit how we use your

data

• Right to data portability: receive your data in a machine-readable

format

• Right to object: object to processing based on legitimate interests,

including profiling for personalization

• Right to withdraw consent: for any consent-based processing, at any

time without penalty

• Right to lodge a complaint: with your local data protection

authority

8.3 Rights Under CCPA (California Residents)

• Right to know: what personal information we collect, use, share, and

disclose

• Right to delete: request deletion of personal information we have

collected

• Right to correct: correct inaccurate personal information

• Right to opt out of sale: we do not sell personal data

• Right to non-discrimination: we will not deny services or charge

different prices for exercising your rights

To submit a CCPA request, contact privacy@invitrr.com. We will verify

your identity before processing the request.

8.4 Rights Under PIPEDA and Quebec Law 25 (Canadian Users)

• Right to access your personal information held by us

• Right to correct inaccurate personal information

• Right to withdraw consent (subject to legal and contractual

restrictions)

• Right to be informed of any automated decision-making that

significantly affects you

• Right to data portability (Quebec Law 25)

• Right to be informed of privacy incidents that create a risk of

serious injury

Quebec residents have the right to be informed about the use of

technology involving automated processing and to request human review of

significant decisions.

8.5 How to Exercise Your Rights

To exercise any of the rights above:

• In-app: use the controls described in Section 8.1

• Email: privacy@invitrr.com with your request and sufficient

information to verify your identity

• We will acknowledge your request within 5 business days and respond

within 30 days

• We may require identity verification for sensitive requests

• Requests are free of charge unless manifestly unfounded or excessive

9. Data Security

We implement commercially reasonable technical and organizational

measures to protect your personal information. These include:

• All authentication tokens stored in iOS Keychain with device-level

hardware encryption

• All API communications secured with HTTPS/TLS 1.2 or higher

• Passwords hashed using Argon2id — your password is never stored in

plaintext

• Bailout PIN stored only on your device in encrypted local storage,

never transmitted

• Access to production data restricted to authorized personnel with

documented access controls

• Periodic security reviews and vulnerability assessments

• Rate limiting and IP reputation checks to prevent brute force and

abuse

No security system is completely impenetrable. In the event of a data

breach that poses a risk to your rights and freedoms, we will notify you

and the relevant regulatory authorities within 72 hours as required by

applicable law.

10. International Data Transfers

Invitrr is based in Canada. Your data may be processed in the United

States and other countries where our service providers maintain

infrastructure. When transferring personal data from the EEA or UK to

countries that have not been deemed to provide adequate protection, we

apply appropriate safeguards, including Standard Contractual Clauses

(SCCs) approved by the European Commission.

By using the Service, you acknowledge that your data may be transferred

and processed outside your country of residence.

11. Children's Privacy

The Service is strictly intended for users aged 18 and older. We do not

knowingly collect personal information from anyone under 18. If we

become aware that we have inadvertently collected data from a minor, we

will delete it immediately and terminate the associated account. If you

believe a minor has created an account, please contact

safety@invitrr.com immediately.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes to our data

practices, new features, or legal requirements. For material changes —

meaning changes that meaningfully affect your rights or how we use your

data — we will:

• Send a push notification to your device

• Display an in-app banner

• Post the updated policy to our website

• Provide at least 30 days' notice before the changes take effect

Continued use of the Service after the effective date of an updated

policy constitutes acceptance of the changes. If you do not agree, you

may delete your account before the effective date.

13. Contact and Complaints

For any questions, concerns, or requests related to this Privacy Policy:

• Privacy requests and data rights: privacy@invitrr.com

• Safety and trust: safety@invitrr.com

• Legal matters: legal@invitrr.com

• General support: support@invitrr.com

• Website: https://invitrr.com

If you are located in the EEA and believe we have not adequately

addressed your privacy concerns, you have the right to lodge a complaint

with your local data protection authority. In Canada, you may contact

the Office of the Privacy Commissioner of Canada.