Privacy Policy · ShareDay

This Privacy Policy explains how ShareDay collects, uses, stores, and discloses personal data when people use the ShareDay website, application, website builder, personalized invitation pages, RSVP features, and related services (collectively, the “Service”).

ShareDay is operated by the legal operator identified in the Terms of Service. In this Policy, “ShareDay,” “we,” “us,” and “our” refer to that operator.

1. Scope

This Policy applies to:

people who visit shareday.io;
people who create or use a ShareDay account (“Customers”);
agencies, planners, couples, and other event organizers;
people whose information is uploaded to ShareDay;
Guests who access an invitation page or submit an RSVP (“Guests”).

This Policy does not govern independent third-party websites or services linked from ShareDay.

2. Our privacy roles

2.1 Customer and website visitor data

For account information, Service usage, security records, support communications, and information used to operate ShareDay, ShareDay generally determines why and how the personal data is processed.

In these circumstances, ShareDay acts as the data controller, business, or equivalent responsible organization under applicable privacy law.

2.2 Guest Data

Customers decide:

which Guests to invite;
which Guest Data to upload;
which invitation content each Guest can see;
which RSVP questions to ask;
how Guest responses are used.

For this Guest Data, the Customer generally acts as the controller or responsible business, and ShareDay processes the information to provide the Service on the Customer’s behalf.

Customers are responsible for:

having an appropriate legal basis to process Guest Data;
providing Guests with any legally required notice;
obtaining consent where required;
limiting collection to information reasonably necessary for the event;
responding to Guest privacy requests;
avoiding unnecessary collection of sensitive information.

ShareDay may independently process limited Guest information where necessary to secure the Service, investigate abuse, prevent fraud, comply with law, or establish or defend legal claims.

3. Personal data we process

3.1 Account information

We may process:

email address and email-verification status;
password hash and authentication records;
country of organization;
agency logo, if uploaded;
account, workspace, language, and product settings;
account status and creation date.

We do not store your plain-text password.

3.2 Customer Content

We process information Customers add to the Service, including:

event names and descriptions;
dates, schedules, locations, and venue information;
written invitation content;
photographs, images, videos, logos, and branding;
templates and visual settings;
custom-domain settings;
personalization rules;
RSVP questions;
other material uploaded, entered, or configured by the Customer.

The exact Customer Content depends on how each Customer uses ShareDay.

3.3 Guest Data and RSVP information

Guest Data may include:

names;
email addresses or other contact information;
language;
family, household, table, category, or guest group;
invitation and access status;
personalized Guest link or access token;
information about whether an invitation was accessed;
attendance and RSVP status;
plus-one information;
meal preferences;
allergies;
accessibility requirements;
transport and travel details;
arrival and departure information;
accommodation information;
answers to custom RSVP questions;
notes, messages, wishes, and other Customer-created fields.

Because Customers can import spreadsheet columns and create custom questions, the exact categories depend on the event.

Customers must not use ShareDay to collect passwords, payment-card data, bank credentials, passport copies, government identification numbers, biometric data, full medical records, criminal-offence information, or excessive information unrelated to legitimate event-management purposes.

Allergies, accessibility requirements, religion-related dietary preferences, and similar information may reveal sensitive personal data. Customers should request such information only where it is necessary and lawful.

3.4 Usage, device, and security data

When the Service is accessed, we may process:

IP address;
browser, device, and operating-system information;
timestamps;
session and authentication records;
pages and features used;
actions performed in an account or event dashboard;
invitation access and RSVP activity;
error, diagnostic, security, and audit logs.

We use necessary cookies and similar local technologies for authentication, session management, security, preferences, and core Service functionality.

We may use limited, privacy-focused analytics to understand website traffic and product usage. We do not use Guest Data for behavioral advertising or cross-site advertising profiles.

3.5 Transaction information

When a Customer makes a Purchase, we may receive limited information from the payment provider, such as:

account or customer email;
transaction or receipt identifier;
product purchased;
number of Event Credits purchased;
transaction amount and currency;
payment status;
refund, dispute, or chargeback status;
invoice or tax status where relevant.

ShareDay does not receive or store complete payment-card numbers.

Payment providers process payment information under their own terms and privacy notices.

3.6 Support and communications

We process information contained in:

support requests;
privacy requests;
security and abuse reports;
refund requests;
legal correspondence;
other communications with ShareDay.

4. How we use personal data

We use personal data to:

create and authenticate accounts;
administer account settings;
provide website-building and preview functionality;
publish and host invitation websites;
personalize content for individual Guests;
generate and manage Guest links;
collect and store RSVP responses;
provide dashboards, exports, and event-management tools;
connect supported custom domains;
administer Event Credits and hosting periods;
process transaction records;
provide support;
respond to privacy, legal, and security requests;
send necessary account, transaction, security, and Service messages;
monitor performance and diagnose errors;
protect accounts and the Service from fraud, abuse, phishing, and security threats;
enforce the Terms of Service;
comply with legal obligations;
establish, exercise, or defend legal claims;
understand and improve Service reliability and usability.

ShareDay does not:

sell Customer or Guest personal data;
use Guest Data for unrelated marketing;
use Guest Data for advertising;
act as a data broker;
use Customer Content or Guest Data to train artificial-intelligence models.

5. Legal bases

Where laws such as the GDPR or UK GDPR apply, ShareDay relies on one or more of the following legal bases:

Contract

Processing necessary to:

create and maintain an account;
provide purchased or requested Service functionality;
publish and host events;
provide support;
administer Event Credits and transactions.

Legitimate interests

Processing necessary for legitimate interests such as:

operating and improving the Service;
maintaining security and reliability;
preventing fraud and abuse;
understanding product usage;
communicating with Customers;
protecting ShareDay, Customers, and Guests;
establishing or defending legal claims.

We rely on legitimate interests only where those interests are not overridden by the relevant individual’s rights and interests.

Where applicable law requires consent for optional cookies, communications, or another processing activity.

Consent may be withdrawn at any time, without affecting processing that occurred before withdrawal.

Legal obligation

Processing necessary to comply with:

tax and accounting obligations;
court orders;
lawful government requests;
regulatory requirements;
applicable recordkeeping obligations.

For Guest Data processed on behalf of a Customer, the Customer determines the applicable legal basis.

6. Communications

We send necessary communications concerning:

account verification;
password and security events;
transactions;
refunds and disputes;
material Service changes;
event hosting and expiration;
support requests;
legal or operational notices.

Where we send optional promotional communications, they will include an unsubscribe method where required by law.

Unsubscribing from promotional communications does not prevent necessary account, security, transaction, or Service messages.

ShareDay does not currently send event invitations or RSVP reminders directly to Guests. Customers distribute personalized Guest links using their own email, messaging, CRM, or communication tools.

7. How we disclose personal data

We may disclose personal data to the following categories of recipients where reasonably necessary:

cloud-hosting, database, storage, and backup providers;
content-delivery, network, and security providers;
transactional-email providers;
analytics, monitoring, and error-diagnostic providers;
payment, invoicing, tax, fraud-prevention, and transaction providers;
professional advisers and contractors subject to confidentiality obligations;
courts, authorities, regulators, or law-enforcement bodies where legally required;
a buyer, investor, successor, or adviser in connection with a financing, reorganization, merger, acquisition, or sale of the business;
other parties at the Customer’s direction or with the relevant individual’s authorization.

Service providers receive only the access reasonably necessary to perform their function.

Some payment providers and other recipients may independently determine how they process information under their own legal obligations and privacy notices.

We do not sell personal data.

8. International data processing

ShareDay is operated from Ukraine.

Personal data may be processed in Ukraine, the United States, and other countries where ShareDay or its service providers operate.

Those countries may have privacy laws that differ from the laws in the individual’s country.

Where applicable law requires safeguards for an international transfer, we use or require an appropriate lawful mechanism, which may include:

contractual data-protection obligations;
standard contractual clauses;
recognized adequacy decisions or frameworks;
another legally permitted transfer mechanism.

Individuals may contact privacy@shareday.io for more information about international processing relevant to their data.

9. Data retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Policy, subject to legal, security, fraud-prevention, and dispute-resolution requirements.

Our intended retention periods are:

Active published event: for the 12-month hosting period and any purchased extension;
Expired event: retained privately for up to 12 additional months so that the Customer may restore or extend it, after which it is scheduled for deletion;
Customer-deleted event: removed from active use promptly and deleted from primary systems within 30 days;
Deleted account: deactivated promptly and deleted from primary systems within 30 days, except for records that must be retained for legal, fraud-prevention, security, accounting, or dispute purposes;
Backups: deleted or overwritten within 90 days after deletion from primary systems;
Ordinary application logs: generally retained for up to 90 days;
Security and abuse logs: generally retained for up to 12 months, or longer where required for an active investigation or legal claim;
Support communications: generally retained for up to 24 months after the matter is closed;
Transaction and accounting records: retained for the period required by applicable tax, accounting, fraud-prevention, and legal obligations;
Analytics information: retained only for as long as reasonably necessary to understand website and product usage; aggregated or irreversibly anonymized statistics may be retained longer.

When a published event’s hosting expires, the invitation page becomes unavailable to the public. This does not necessarily mean that the underlying event data is immediately deleted.

10. Security

We use reasonable technical and organizational measures designed to protect personal data.

These measures may include:

HTTPS/TLS encryption in transit;
encryption at rest where supported by the infrastructure;
password hashing;
authentication and access controls;
restrictions on production access;
security and audit logging;
backups and recovery procedures;
monitoring for abuse and unauthorized access.

Personalized Guest links may function as confidential access credentials. Customers and Guests should not publish or forward private links to unauthorized people.

No system or method of transmission is completely secure. We cannot guarantee absolute security.

Security concerns may be reported to security@shareday.io.

11. Privacy rights

Depending on applicable law, an individual may have the right to:

access personal data;
correct inaccurate or incomplete data;
request deletion;
restrict processing;
object to certain processing;
withdraw consent;
receive portable data;
complain to a competent privacy authority;
appeal certain privacy decisions where local law provides that right.

Customers can manage some account and event information through the Service.

Requests concerning personal data controlled by ShareDay may be sent to privacy@shareday.io.

Guest requests

A Guest should normally contact the organizer identified on the invitation because that organizer determines how the Guest Data is used.

If a Guest contacts ShareDay directly, we may:

verify the request;
identify the relevant Customer;
forward the request to that Customer;
provide reasonable assistance as required by applicable law.

We may retain limited information where deletion is not required or is prohibited, including information required for security, fraud prevention, legal obligations, or legal claims.

12. Children

ShareDay accounts are available only to people aged 18 or older.

The Service is not directed to children for account creation.

An event guest list may include minors. The Customer is responsible for ensuring that information about minors is collected and used lawfully, including obtaining permission from a parent or guardian where required.

Customers should avoid collecting unnecessary information about children.

13. Third-party content and services

Invitation pages may contain third-party:

links;
maps;
videos;
music;
social-media content;
widgets;
embedded services.

Those third parties may collect or process information under their own privacy notices.

The Customer is responsible for deciding which third-party content to include and for providing any additional notice or obtaining consent where required.

14. Changes to this Policy

We may update this Policy to reflect changes in:

the Service;
our data practices;
law or regulation;
security requirements;
business operations.

The updated version will be posted with a new effective date.

Where a material change requires additional notice or consent, we will provide it as required by applicable law.

15. Contact and complaints

Privacy requests and complaints: privacy@shareday.io General support: support@shareday.io Legal inquiries: legal@shareday.io Security and abuse reports: security@shareday.io Telephone: +380 73 883 21 10

We aim to acknowledge privacy complaints promptly and provide a substantive response within a reasonable period appropriate to the request.

Individuals may also contact the competent privacy or consumer-protection authority in their jurisdiction.