1. Introduction
Mystinvitation ("we", "the Service") respects your privacy. This policy explains what personal data we collect, how we use it, who we share it with, and your rights under Indonesia's Personal Data Protection Law (UU 27/2022 — UU PDP) and GDPR-equivalent principles.
By using the Service, you confirm you've read and agreed to this policy.
2. Data we collect
When you create an account: name, email, password (hashed), language preference.
When you create an invitation: bride/host names, event date/location, story text, photos, audio, hashtag, guest list (name, email, phone, group) you upload.
When guests open invitations: IP address (hashed), user agent, referrer, visit time, RSVP responses, wishes.
When you pay: amount, method (card/bank/e-wallet), transaction reference. Credit card details are NEVER stored on our servers — processed directly by Midtrans.
When you use AI: the prompts you send to AI features (Story Writer, Theme Generator, Chatbot, Translate).
3. Lawful basis & purposes
Under UU PDP and GDPR principles, we process your data on the basis of:
- Contract performance — to provide invitation services, manage accounts, process payments
- Legitimate interest — to improve the product, detect abuse, send transactional communications
- Consent — for marketing communications, non-essential cookies, analytics
We DO NOT use your data for automated profiling or automated legally-binding decisions, and we do not sell it to third parties.
4. Third-party processors
Our service uses these vendors as data processors:
- Supabase (database + auth + storage) — Singapore servers
- Vercel (hosting + CDN) — global
- Anthropic & OpenAI (AI features) — USA. Data sent only when you explicitly trigger AI features
- Resend (email) — USA
- Midtrans (payments) — Indonesia
- Sentry (error monitoring) — USA. Cookies + auth headers stripped before sending
- Meta (WhatsApp Business API, optional) — global
Cross-border data transfers use standard contractual safeguards as required by UU PDP Article 56 and GDPR.
5. Cookies and similar technologies
We use three categories of cookies:
- Essential — login, security, payments. Cannot be disabled
- Analytics — aggregated usage to improve the product
- Marketing — personalized offers
You can make your choices when the consent banner appears, or change them anytime in account settings.
6. Data retention
- Account data: while the account is active + 30 days after deletion
- Invitations & guest data: per your tier validity (Free 3 months, Basic 12 months, Pro lifetime), then deleted 90 days after validity ends
- Payment logs: 5 years (tax compliance)
- Error & audit logs: 90 days
- Database backups: up to 30 days
7. Your rights as a Data Subject
Under UU PDP Articles 5–12 and GDPR, you have the right to:
- Access your personal data (Settings → Export Data)
- Correct inaccurate data (directly in the dashboard)
- Delete your data (Settings → Delete Account — effective in 30 days)
- Restrict/withdraw consent (toggle cookie categories or email preferences)
- Receive data in a portable format (JSON export)
- Object to processing
- File a complaint with the Personal Data Protection Authority
To exercise these rights, log into your account or email privacy@mystinvitation.com — we respond within 14 business days.
8. Security
We apply:
- TLS 1.3 encryption for all connections
- Encryption-at-rest for the database (AES-256)
- Bcrypt password hashing
- HMAC SHA-256 signatures for QR codes
- Role-based access separation
- Audit logging on sensitive data access
- Automated vulnerability scanning
No system is 100% secure; in the event of a breach, we will notify you and the Indonesia Personal Data Protection Authority within 72 hours.
9. Children's data
The Service is not intended for children under 17. We don't knowingly collect data from children. If you know a child has provided data, contact us for immediate deletion.
10. Policy changes
We may update this policy as the service or regulations evolve. Material changes will be announced via email and an in-app banner at least 14 days before taking effect. The "last updated" date above always reflects the current version.
11. Contact
Data Controller:
Mystinvitation
Jakarta, Indonesia
privacy@mystinvitation.com
For privacy questions or exercising rights: privacy@mystinvitation.com
For general support: hello@mystinvitation.com