Legal

Privacy policy

What we collect, why, where the data lives and what your rights are.

Last updated: 4 July 2026.

1. Data controller

The controller of personal data under the General Data Protection Regulation (GDPR) is Marko Stjepanović, trading as xtwo.dev (Einzelunternehmer, small business under § 19 UStG).

Address: Gerhart-Hauptmann-Straße 3, 78112 St. Georgen im Schwarzwald, Germany.

For any data protection question, write to kontakt@xtwo.dev.

2. Data we collect

To provide the service we process the following categories of personal data:

  • Account data: email, name, a hashed password if you register with email, or an account identifier if you sign in with Google.
  • Event content: guests, invitations, seating plans, gift lists and photos that you or your guests add.
  • Payment data: processed solely through Stripe. We do not store card numbers or other financial details.
  • Technical data: IP address, browser type and the date and time of access, recorded in server logs.
  • Anonymous visit data: aggregated metrics such as visit counts and popular pages, collected via Vercel Analytics without cookies and without cross-session tracking.

3. Purposes and legal basis

Every processing activity rests on a clear GDPR legal basis:

Providing the service and managing your account

Legal basis: Article 6(1)(b) GDPR, performance of a contract with you.

Processing payments

Legal basis: Article 6(1)(b) GDPR. Payments are processed through Stripe.

Security and abuse prevention

Legal basis: Article 6(1)(f) GDPR, our legitimate interest in keeping the platform working correctly and securely.

Anonymous traffic analytics

Legal basis: Article 6(1)(f) GDPR. Vercel Analytics uses no cookies and leaves no data on your device.

Legal obligations

Legal basis: Article 6(1)(c) GDPR, retention of tax and accounting records under German law.

4. Service providers

We work with carefully selected providers who process data on our behalf. Each has a data processing agreement in place under Article 28 GDPR.

Vercel Inc.

Privacy policy

Hosting of the web platform and anonymous traffic analytics.

EU data centers (Frankfurt) where available; parent company in the USA.

European Commission Standard Contractual Clauses (SCCs).

Supabase Inc.

Privacy policy

Authentication, database and file storage.

EU data centers (Frankfurt).

Data processing agreement and SCCs.

Stripe Payments Europe, Ltd.

Privacy policy

Payment processing for the Premium plan.

Based in Ireland (EU).

Data processing agreement.

5. Transfers outside the EU

Some of our providers are US companies. Where possible we use their EU data centers. For any transfer of data to the USA we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework.

Stripe Payments Europe, Ltd. is based in the EU and payment data stays within Stripe's EU systems.

6. Cookies and local storage

We use only technically necessary cookies and local storage. No third-party cookies, no advertising cookies, no cross-site tracking.

Supabase authentication (cookies)

Keep you signed in after you have logged in yourself.

Last for the session or until you log out.

xtwo-locale (localStorage)

Remembers the language you chose yourself.

Stays until you change or clear it.

xtwo-theme (localStorage)

Remembers the light or dark mode you chose.

Stays until you change or clear it.

xtwo-geo-locale (cookie)

Set automatically based on the country you visit from, so the page loads in your language right away.

Valid for 1 year.

gift_pass (sessionStorage)

Temporarily remembers the password you entered for a public gift list while you browse it.

Cleared when you close the browser tab.

Vercel Analytics runs without cookies. It stores no identifier on your device and does not track you across sites. That is why browsing this site requires no cookie consent.

7. Retention periods

Account data

Kept while your account is active. After you delete your account we keep it for at most 90 days for security and legal reasons.

Event content

Deleted together with your account, or earlier on request. Media of events whose Premium plan or trial expired more than 12 months ago may be deleted after prior notice by email at least 30 days in advance.

Payment data and invoices

Kept for 10 years as required by § 147 of the German Fiscal Code (AO).

Server logs

Deleted after 14 days.

8. Your rights

Under the GDPR you have the following rights regarding your personal data:

  • Right of access (Article 15)
  • Right to rectification of inaccurate data (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object to processing (Article 21)
  • Right to withdraw consent where processing is based on it (Article 7(3))
  • Right to lodge a complaint with a supervisory authority. For our operations in Germany this is the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg.

Send your request to kontakt@xtwo.dev. We respond within 30 days. You can also request deletion of your entire account the same way; we carry out the deletion within 30 days.

9. Users outside the EU

This policy also applies to users outside the EU. If you are in California, the California Consumer Privacy Act (CCPA) gives you the right to know what data we collect, request its deletion and opt out of the sale of data. We do not sell your data to anyone.

Users in the United Kingdom have the same rights under the UK GDPR as users in the EU.

Wherever you are, reach us at kontakt@xtwo.dev for any privacy question.

10. Changes to this policy

We may update this policy from time to time. We will announce material changes by email to registered users or by an in-app notice at least 14 days before they take effect.

A privacy question?

Reach out directly. We answer every request within 30 days.

Send a request
Privacy Policy · xtwo.events