Privacy policy
What we collect, why, where the data lives and what your rights are.
Last updated: 4 July 2026.
1. Data controller
The controller of personal data under the General Data Protection Regulation (GDPR) is Marko Stjepanović, trading as xtwo.dev (Einzelunternehmer, small business under § 19 UStG).
Address: Gerhart-Hauptmann-Straße 3, 78112 St. Georgen im Schwarzwald, Germany.
For any data protection question, write to kontakt@xtwo.dev.
2. Data we collect
To provide the service we process the following categories of personal data:
- Account data: email, name, a hashed password if you register with email, or an account identifier if you sign in with Google.
- Event content: guests, invitations, seating plans, gift lists and photos that you or your guests add.
- Payment data: processed solely through Stripe. We do not store card numbers or other financial details.
- Technical data: IP address, browser type and the date and time of access, recorded in server logs.
- Anonymous visit data: aggregated metrics such as visit counts and popular pages, collected via Vercel Analytics without cookies and without cross-session tracking.
3. Purposes and legal basis
Every processing activity rests on a clear GDPR legal basis:
Providing the service and managing your account
Legal basis: Article 6(1)(b) GDPR, performance of a contract with you.
Processing payments
Legal basis: Article 6(1)(b) GDPR. Payments are processed through Stripe.
Security and abuse prevention
Legal basis: Article 6(1)(f) GDPR, our legitimate interest in keeping the platform working correctly and securely.
Anonymous traffic analytics
Legal basis: Article 6(1)(f) GDPR. Vercel Analytics uses no cookies and leaves no data on your device.
Legal obligations
Legal basis: Article 6(1)(c) GDPR, retention of tax and accounting records under German law.
4. Service providers
We work with carefully selected providers who process data on our behalf. Each has a data processing agreement in place under Article 28 GDPR.
Vercel Inc.
Privacy policyHosting of the web platform and anonymous traffic analytics.
EU data centers (Frankfurt) where available; parent company in the USA.
European Commission Standard Contractual Clauses (SCCs).
Supabase Inc.
Privacy policyAuthentication, database and file storage.
EU data centers (Frankfurt).
Data processing agreement and SCCs.
Stripe Payments Europe, Ltd.
Privacy policyPayment processing for the Premium plan.
Based in Ireland (EU).
Data processing agreement.
5. Transfers outside the EU
Some of our providers are US companies. Where possible we use their EU data centers. For any transfer of data to the USA we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework.
Stripe Payments Europe, Ltd. is based in the EU and payment data stays within Stripe's EU systems.
7. Retention periods
Account data
Kept while your account is active. After you delete your account we keep it for at most 90 days for security and legal reasons.
Event content
Deleted together with your account, or earlier on request. Media of events whose Premium plan or trial expired more than 12 months ago may be deleted after prior notice by email at least 30 days in advance.
Payment data and invoices
Kept for 10 years as required by § 147 of the German Fiscal Code (AO).
Server logs
Deleted after 14 days.
8. Your rights
Under the GDPR you have the following rights regarding your personal data:
- Right of access (Article 15)
- Right to rectification of inaccurate data (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object to processing (Article 21)
- Right to withdraw consent where processing is based on it (Article 7(3))
- Right to lodge a complaint with a supervisory authority. For our operations in Germany this is the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg.
Send your request to kontakt@xtwo.dev. We respond within 30 days. You can also request deletion of your entire account the same way; we carry out the deletion within 30 days.
9. Users outside the EU
This policy also applies to users outside the EU. If you are in California, the California Consumer Privacy Act (CCPA) gives you the right to know what data we collect, request its deletion and opt out of the sale of data. We do not sell your data to anyone.
Users in the United Kingdom have the same rights under the UK GDPR as users in the EU.
Wherever you are, reach us at kontakt@xtwo.dev for any privacy question.
10. Changes to this policy
We may update this policy from time to time. We will announce material changes by email to registered users or by an in-app notice at least 14 days before they take effect.