Aurelia ("we", "our", "us") is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your information when you use our platform at aurelia.events.
Information We Collect
- Account information: name, email address, and authentication credentials when you create an account (via email or Google OAuth).
- Event data: event titles, dates, venues, host names, and other details you provide when creating an invitation.
- Guest data: names, email addresses, RSVP responses, dietary preferences, and plus-one details submitted by guests through your invitation page.
- Payment data: processed securely by Stripe. We never store credit card numbers on our servers.
- Usage data: pages visited, features used, and general interaction patterns to improve our service.
How We Use Your Data
- To create, host, and deliver your AI-generated event invitations.
- To process RSVP responses and send email notifications to event hosts.
- To process payments through Stripe for plan purchases and add-ons.
- To improve our AI design engine and overall service quality using aggregated, anonymized data.
- To send transactional emails (RSVP notifications, payment confirmations, event reminders).
Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process personal data only where we have a lawful basis. The table below sets out each processing activity and its corresponding legal basis.
| Processing Activity | Legal Basis |
|---|---|
| Account creation | Contract performance |
| Event creation & AI generation | Contract performance |
| Payment processing | Contract performance |
| Email notifications (RSVP, gifts) | Legitimate interest |
| Marketing emails | Consent |
| Analytics | Legitimate interest |
| Cookie tracking | Consent |
| Fraud prevention / security | Legitimate interest |
Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Data Storage & Security
- All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
- Data is stored on Amazon Web Services (AWS) infrastructure in secure, access-controlled environments.
- We use DynamoDB for structured data and S3 for media files, both with server-side encryption enabled.
- Authentication passwords are hashed using bcrypt with salt rounds — we never store plaintext passwords.
- Payment processing is handled entirely by Stripe (PCI-DSS Level 1 compliant). We do not process or store card details.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law. Specific retention periods are listed below.
| Data Category | Retention Period |
|---|---|
| Account data | Retained while account is active + 30 days after deletion |
| Event / invitation data (Essential plan) | 3 months post-event |
| Event / invitation data (Pro plan) | 6 months post-event |
| Event / invitation data (Grand plan) | 12 months post-event |
| RSVP guest data | Retained with event; deleted when event is deleted or upon guest request |
| Payment records | 7 years (tax and legal requirements) |
| Server logs | 90 days |
| Email queue data | 7 days |
| Suppression list (opt-out records) | Indefinitely (to honor your opt-out preference) |
| Analytics data | 26 months |
After the applicable retention period, data is permanently and irreversibly deleted from all systems.
AI Data Processing Disclosure
- Event details such as event type, title, tone, date, and venue are sent to the Google Gemini API for AI-powered content generation.
- No personal guest data (names, emails, RSVP responses) is ever sent to the AI service.
- AI-generated content (text and images) is stored in Aurelia's own database — not on Google's servers.
- Google's data processing terms apply to AI API usage. See the Google Cloud Data Processing Addendum at https://cloud.google.com/terms/data-processing-addendum for details.
- Google does not use customer data submitted through the Gemini API for model training purposes.
Third-Party Services
- Stripe: payment processing and subscription management.
- Google Gemini: AI content and image generation (event data is sent to generate your invitation content).
- Amazon Web Services: cloud infrastructure, data storage, and content delivery.
- Google Analytics: anonymized usage analytics to improve our service.
- Nodemailer via SMTP: transactional email delivery.
Sub-processors
The following third-party sub-processors may process personal data on our behalf:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, DynamoDB, S3 storage | USA |
| Stripe | Payment processing | USA |
| Google Cloud / Gemini | AI content generation | USA |
| Hostinger | SMTP email delivery | Lithuania |
We will update this list if sub-processors change and will provide notice where required by law.
International Data Transfers
- Your personal data may be transferred to and processed in the United States by our infrastructure and service providers (AWS, Stripe, Google).
- Where data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place, including the use of Standard Contractual Clauses (SCCs) approved by the European Commission.
- You may request a copy of the applicable transfer safeguards by contacting support@aurelia.events.
Your Rights
- Right to access: request a copy of all personal data we hold about you.
- Right to rectification: correct any inaccurate or incomplete information.
- Right to erasure ("right to be forgotten"): request deletion of your account and associated data, or deletion of your RSVP data as a guest.
- Right to restrict processing: request that we limit the way we use your data.
- Right to data portability: receive your data in a structured, commonly used, machine-readable format.
- Right to object: object to processing based on legitimate interest, including profiling.
- Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
- Right to lodge a complaint: you have the right to lodge a complaint with your local data protection supervisory authority.
- To exercise any of these rights, email support@aurelia.events or use the self-service account deletion option in your account settings. We will respond within 30 days (or sooner where required by law).
Your California Privacy Rights (CCPA)
- If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information.
- Right to know: you may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom we share it.
- Right to delete: you may request that we delete personal information we have collected from you, subject to certain legal exceptions.
- Right to opt-out of sale: Aurelia does not sell your personal information to third parties. Because we do not sell data, there is no need to opt out.
- Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA rights.
- To exercise your rights under the CCPA, contact us at support@aurelia.events. We will verify your identity before fulfilling your request.
Data Breach Notification
- In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Aurelia will notify affected users within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
- Notification will include: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
- Notification will be delivered via email to the address associated with your account, and — where appropriate — via an in-app notice.
- Where required by applicable law, Aurelia will also notify the relevant supervisory authority without undue delay.
Cookies
- We use essential cookies for authentication and session management.
- Google Analytics uses cookies to collect anonymized usage data.
- We do not use advertising cookies or sell data to advertisers.
- You can manage cookie preferences through your browser settings or the cookie consent controls provided on our site.
- For a detailed breakdown of each cookie, its purpose, and duration, please refer to the cookie consent settings available on aurelia.events.
Children’s Privacy
- Our service is not directed at individuals under the age of 16.
- We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected such data, we will take steps to delete it as soon as possible.
- If you believe that a child under 16 has provided us with personal information, please contact us at support@aurelia.events so we can take appropriate action.
Data Processing Agreement
- For business customers who require a Data Processing Agreement (DPA) to comply with GDPR or other data protection regulations, Aurelia offers a DPA upon request.
- To request a copy of our DPA, contact us at support@aurelia.events.
Contact for Privacy Inquiries
- Data Controller: Aurelia.
- For all privacy-related inquiries, data access requests, data deletion requests, or concerns about how we handle your information, contact us at support@aurelia.events.
- We aim to respond to all legitimate requests within 30 days. In certain circumstances (for example, where requests are particularly complex or numerous), we may need up to 60 days, but we will notify you of any extension and the reasons for it.
Changes to This Policy
- We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
- If we make material changes, we will notify you by email or through a prominent notice on our website prior to the change becoming effective.
- We encourage you to review this page periodically for the latest information on our privacy practices.