Privacy Policy
Last updated: June 12, 2026
This Privacy Policy explains how 15797535 Canada Inc. (d/b/a fastinvites) (“fastinvites”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal information when you use fastinvites.com and related services (the “Service”).
We are based in Ontario, Canada, and handle personal information in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Because the Service is publicly accessible, this policy also describes the rights of visitors in the European Economic Area / United Kingdom (under the GDPR) and in California (under the CCPA/CPRA).
If you have any questions, contact us at [email protected].
1. Our privacy principle: collect as little as possible
fastinvites is built to need very little personal information. You can create an event and collect registrations without creating an account. Accounts are optional and only add a dashboard and ownership features. We do not sell personal information and we do not run advertising. With your consent, we use Google Analytics and PostHog to understand how the Service is used — these are optional analytics tools that collect aggregate, anonymized data and are never used for advertising or profiling.
2. Information we collect
a. Information you provide
- Event details (from hosts). When you create an event you provide a title, date and time, time zone, and an optional description, meeting link, and host message. Anything you type into these fields may be visible to anyone who has the public event link. Do not include sensitive personal information you would not want shared with your guests.
- Registration details (from guests). When you register for an event you provide only a name — no email address and no account. Your name is visible to the event’s host, along with whether you clicked through to join the event at showtime. (If you later create an account and your registration is linked to it, event emails are sent to your account email; the host never sees that address.)
- Account information (optional). If you create an account, we collect your email address and a password. Passwords are never stored in readable form — they are hashed using bcrypt. We also store whether your email has been verified.
- Reports. If you report an event, we record that a report was made (associated with your anonymous visitor identifier, and your account if you are logged in).
b. Information we collect automatically
- Anonymous visitor identifier. We set a long-lived
vidcookie containing a random identifier so the Service can recognize the events and registrations created from your browser (for example, to show you your existing registration, or to link your activity to your account if you sign up). It does not by itself identify you. - Security tokens. We set a
csrfcookie and, when you are logged in, ansidsession cookie. See our Cookie Policy. - Analytics data (with your consent). If you consent via our cookie banner, we use Google Analytics (via Google Tag Manager) and PostHog to collect aggregate, anonymized information about how the Service is used — page views, feature usage, and general traffic patterns. These tools are configured to honour your consent choice on every page load, and analytics cookies are deleted automatically if you withdraw consent. We do not use this data for advertising or profiling.
- Technical and security data. When you log in, we store the IP address and browser user-agent associated with that session for security and abuse prevention. Our servers also keep operational request logs (which may include IP address, the visitor identifier, the page requested, response status, and timing) for a limited period to operate, secure, and debug the Service.
c. Information we do not collect
We do not knowingly collect government IDs, financial account numbers (see Payments below if/when enabled), precise geolocation, biometric data, or special-category data. We do not buy personal information from data brokers.
3. How we use information, and our legal bases
| Purpose | Examples | Legal basis (GDPR) |
|---|---|---|
| Provide the Service | Create and display events, record and show registrations, show registrants the join button at start time, send event notifications by email to account holders who opt in, recognize returning guests, operate the host dashboard | Performance of a contract |
| Accounts & communications | Verify your email, send password resets, claim anonymous events onto your account | Performance of a contract; consent |
| Security & abuse prevention | Session/IP records, CSRF protection, rate limiting, handling event reports and moderation | Legitimate interests; legal obligation |
| Reliability & debugging | Error tracking and operational logs | Legitimate interests |
| Legal compliance | Responding to lawful requests, enforcing our Terms | Legal obligation; legitimate interests |
Under PIPEDA we rely on your consent (express or implied through your use of the Service) together with the limited, reasonable purposes above. We use personal information only for the purposes identified here.
We do not use your information for advertising, profiling, or automated decision-making that produces legal or similarly significant effects about you.
4. Cookies
We use strictly necessary cookies (vid, csrf, sid) that are always active, and optional analytics cookies (Google Analytics, PostHog) that are only set with your consent. There are no advertising or cross-site tracking cookies. You can manage your analytics preference at any time via our cookie banner. The full list of cookies and their lifetimes is in our Cookie Policy.
5. How we share information
We do not sell or rent personal information. We share it only as follows:
- With other users, as inherent to the Service. Event details you publish are visible to anyone with the event link (including the public signup count); registration details are visible to the event host. The host’s meeting link is shown only to registrants, shortly before the event starts. This is how the Service works.
- With service providers (processors) who operate the Service on our behalf, under contractual confidentiality and data-protection obligations:
| Provider | Role | Data involved |
|---|---|---|
| Hetzner | Application server hosting (Ashburn, Virginia and Hillsboro, Oregon, USA) | All request data in transit/processing |
| Crunchy Bridge (on AWS) | Managed PostgreSQL database (AWS us-east-1, Northern Virginia, USA) | All stored application data |
| Cloudflare | DNS, TLS, CDN, and secure tunnel ingress | Network/request metadata |
| Tailscale | Private network for admin/database access | Network metadata only |
| SMTP2GO (or equivalent SMTP relay) | Sending account email (verification, password reset, notifications) | Recipient email address and message content |
| Honeybadger | Error and exception tracking | Diagnostic data, which may include request metadata |
| Google Analytics (via Google Tag Manager) | Aggregate usage analytics (consent-gated) | Anonymized page-view and traffic data; no advertising use |
| PostHog | Product analytics (consent-gated) | Anonymized feature usage and flow data; no advertising use |
- For legal reasons. We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of fastinvites, our users, or the public.
- Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this policy.
A current list of subprocessors is available on request at [email protected].
6. International transfers
fastinvites is operated from Canada, but your information is stored and processed in the United States — application servers in Ashburn, Virginia and Hillsboro, Oregon (Hetzner), and the database in AWS us-east-1 (Northern Virginia, Crunchy Bridge) — and our service providers may process it in other countries. Where information is transferred outside your jurisdiction (including out of Canada or the EEA/UK), we rely on appropriate safeguards such as the providers’ standard contractual clauses and equivalent protections. By using the Service you understand your information may be processed outside your home country.
7. How long we keep information
- Events and registrations are retained while the event exists and, for account holders, while your account is active, so hosts can manage their events and guests can update their details. You can delete your account or request deletion (Section 9).
- Account data is retained while your account is active.
- Sessions expire automatically; expired session records are cleared.
- Email verification / password-reset tokens are single-use and short-lived.
- Operational logs are retained only as long as needed for security and debugging, then discarded.
We keep information only as long as necessary for the purposes above or as required by law.
8. How we protect information
We use industry-standard safeguards, including: TLS encryption in transit; bcrypt password hashing; storing secret tokens (manage links, sessions, email and moderation tokens) only as hashes, never in readable form; CSRF protection on form submissions; private, non-public network access to our servers and database; and the principle of least data. No method of transmission or storage is perfectly secure, but we work to protect your information and to limit what we collect in the first place.
If we become aware of a breach of security safeguards involving a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada (and other regulators as required) in accordance with applicable law.
9. Your rights and choices
Depending on where you live, you have some or all of the following rights:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your information (“right to erasure”).
- Port your information (receive it in a portable format).
- Withdraw consent at any time (this may limit your ability to use the Service).
- Object to or restrict certain processing (GDPR).
- Not be discriminated against for exercising your rights (CCPA/CPRA).
- Opt out of the “sale” or “sharing” of personal information — note that we do not sell or share personal information as those terms are defined under the CCPA/CPRA.
To exercise any right, email [email protected]. We will verify your request and respond within the time required by law — 30 days under PIPEDA/GDPR and 45 days under the CCPA (extendable where permitted). We will not charge a fee except where allowed.
You may also delete most of your own data directly: hosts can cancel events, guests can update their registration details, and account holders can request account deletion.
Complaints. You have the right to complain to a regulator: the Office of the Privacy Commissioner of Canada (priv.gc.ca), your EU/UK data protection authority, or the California Privacy Protection Agency / California Attorney General.
10. Children’s privacy
The Service is not directed to children. We do not knowingly collect personal information from children under 13 (or the minimum age in your jurisdiction, e.g. 16 in parts of the EEA). If you believe a child has provided us personal information, contact [email protected] and we will delete it.
11. Payments
This section applies only once paid tickets or subscriptions are offered. It is currently inactive.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will revise the “Last updated” date above and, for material changes, take reasonable steps to notify you (for example, by email to account holders or a notice on the site). Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Contact us
15797535 Canada Inc. (d/b/a fastinvites)
2967 Dundas St W #250
Toronto, Ontario, M6P 1Z2, Canada
Email: [email protected]
For privacy matters, you may also address correspondence to our Privacy Officer at the same email.