MiniEvent.

Privacy

How we handle your data.

Last updated: 2026-05-22

This Privacy Policy describes how MiniEvent ("we", "us") collects, uses, and shares information when you use the Service.

Information we collect

  • Account information — name, email address, and profile photo. You can sign up with Google OAuth or with an email and password. If you choose email/password, we store a salted bcrypt hash of your password — never the password itself.
  • Event data — events you create, guest lists you upload, RSVP responses, timeline items, shopping lists, cover images, and AI-generated assets.
  • Location input — when you search for a venue, the text you type is sent to the Google Maps Places API to return suggestions. Only the place you select is stored with your event.
  • Billing data — for Pro subscribers, Stripe stores your payment method; we receive a customer ID, subscription status, and payment history. We never see or store your card number.
  • Usage data — pages visited, features used, device type, and approximate location (via Google Analytics).
  • Security data — we log your IP address transiently to enforce rate limits and detect abuse on authentication, RSVP, and AI endpoints.
  • AI prompts — text you submit to AI features (shopping assistant, image generation, music generation, run-of-show) is sent to our AI providers (Google Gemini, Google Lyria) for processing.

How we use information

  • To provide and operate the Service.
  • To process payments and manage subscriptions.
  • To send transactional emails (invitations, receipts, account notices).
  • To improve the Service and debug issues.
  • To comply with legal obligations.

Third-party processors

We share data with the following service providers only as needed to deliver the Service:

  • Stripe — payment processing.
  • Google Cloud (Cloud Run, Cloud SQL, OAuth, Gemini, Lyria, Maps Places) — hosting, auth, AI generation, and venue search.
  • Supabase — file storage for cover images and music.
  • Resend — transactional email delivery.
  • Upstash — Redis caching and async job queue.
  • Google Analytics — anonymized usage analytics.

Data retention

We retain your account data for as long as your account is active. The following automated retention windows apply:

  • Account, events, guests, RSVPs, uploaded images — retained while your account is active. Deleted within 30 days of account deletion (the cascade fires immediately; backups roll off within the 30-day window).
  • Email verification tokens — deleted nightly after they expire (typically within 24 hours).
  • Password reset tokens — valid for 15 minutes; used or expired tokens are purged nightly and fully removed within 90 days.
  • Stripe webhook event records — retained for 90 days for replay protection, then deleted.
  • Billing records (invoices, payments) — retained as long as required by tax and accounting law (typically 7 years), even after account deletion.
  • Audit log — sensitive operations (account changes, exports, password resets, bulk imports) are logged for security forensics and retained for 1 year.

Your rights

Subject to your jurisdiction, you may have the right to access, correct, delete, or export your personal data. You can exercise several of these rights yourself:

  • Access / export — Account → Support → "Download my data" produces a JSON file containing your profile, events, guests, payments, and subscription history.
  • Correction — Edit your profile in Account → Profile.
  • Deletion — Account → Support → "Delete account" removes your account and cascades to all related events, guests, drafts, and uploads.
  • Password reset — Use the "Forgot password?" link on the sign-in page.

For any rights not covered by the in-product flows, or for help, email contact@minievent.net.

California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the CPRA):

  • Right to know — what categories of personal information we collect, the sources, the purposes, and the categories of third parties we share with. Categories collected in the past 12 months: identifiers (name, email, IP address), internet activity (pages visited, features used), commercial information (subscription, payment history), and inferences derived from your activity for service operation.
  • Right to access and portability — exercised via Account → Support → Download my data, as above.
  • Right to delete — exercised via Account → Support → Delete account.
  • Right to correct — exercised via Account → Profile, or by emailing us.
  • Right to opt-out of sale / sharing — we do not sell or share your personal information as those terms are defined under CCPA / CPRA. The third-party processors listed above are service providers operating on our behalf under contract.
  • Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes that would require an opt-out under CPRA. The only sensitive category we may receive is dietary information voluntarily provided by guests on RSVP, used solely to inform the event host.
  • Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised any of these rights.

To submit a verifiable consumer request, email contact@minievent.net from the email address associated with your account. We will respond within 45 days. You may also use an authorized agent; we may require written authorization.

Children

The Service is not directed to children under 13. We do not knowingly collect data from children under 13. If you believe we have, contact us to request deletion.

Cookies and similar technologies

We use the following cookies. None are used for advertising or cross-site tracking.

  • authjs.session-token (or __Secure-authjs.session-token on HTTPS) — strictly necessary. Stores your signed-in session. Cleared when you sign out or after the session expires.
  • auth_intent — short-lived (5 minutes). Set when you click "Sign up with Google" so we can distinguish sign-up from sign-in.
  • _ga, _ga_*, _gid — analytics. Set by Google Analytics to measure aggregate page views and feature usage. We exclude invitation pages (/invites/*) from analytics so guest visits are not tracked. You can opt out by installing the Google Analytics Opt-out Browser Add-on, or by blocking analytics cookies in your browser settings.

Changes

Material changes to this policy will be communicated by email or in-app notice at least 14 days before taking effect.

Contact

For privacy questions or data requests, email contact@minievent.net.