Privacy Policy
Nawarto ("we", "us", or "our") operates the Nawarto mobile application (the "App"), a service that enables hosts to design and send personalised event invitations via messaging and to manage guest RSVPs, dietary preferences, entry barcodes, and event changes.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights under the General Data Protection Regulation (GDPR) and other applicable privacy laws. By using the App, you acknowledge that you have read and understood this policy.
1. Who We Are (Data Controller)
For the purposes of GDPR, Nawarto is the data controller of personal data you provide as a host. For personal data belonging to your guests, you (the host) act as the controller and Nawarto acts as the data processor, processing that data on your instruction to deliver invitations and manage RSVPs.
Contact: contact@nawarto.com
2. Data We Collect and Why
The table below sets out each category of personal data we process, the purpose, and the legal basis under GDPR Article 6 (and Article 9 where applicable).
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Account & identity | Mobile phone number, display name / host name | Authentication via OTP; identifying you as a host within the App | Performance of a contract (Art. 6(1)(b)) |
| Guest contact data | Guest names and phone numbers imported from your device contacts (only those you select) | Building invitation lists; delivering invitations via our messaging provider | Legitimate interests of you as the host in inviting your own guests (Art. 6(1)(f)); you as host are responsible for any additional consent required from guests |
| Event data | Occasion name, date, venue, venue link, custom message, language preference, media (header image or video, welcome audio) | Creating and delivering personalised invitations; event management features | Performance of a contract (Art. 6(1)(b)) |
| RSVP & questionnaire data | RSVP status (confirmed/declined), a timestamped response history, plus-ones count, dietary choice, notes to the host, conversation state | Tracking guest attendance and preferences on the host's behalf; delivering follow-up prompts | Performance of a contract (Art. 6(1)(b)); processing dietary data on the basis of explicit consent given by the guest when answering (Art. 9(2)(a)) |
| Health-adjacent data (special category) | Food allergies reported by guests | Informing the host of guests' dietary restrictions for event planning purposes | Explicit consent of the guest (Art. 9(2)(a)); guests provide this voluntarily during the RSVP questionnaire |
| Entry & check-in data | Entry barcode token, check-in timestamps, check-in operator ID | Managing gate entry at the event when the host enables the Entry Barcodes feature | Performance of a contract (Art. 6(1)(b)) |
| Delivery & messaging data | Message IDs, delivery/read timestamps, failure codes received from our messaging provider | Tracking invite delivery status; crediting hosts on failed deliveries; debugging | Legitimate interests (Art. 6(1)(f)) — operating a reliable messaging service |
| Purchase & credit data | Credit balance, transaction records (amount, type, timestamp); purchase receipt tokens (not raw payment card data) | Managing prepaid credit packs; processing refunds for failed deliveries | Performance of a contract (Art. 6(1)(b)); legal obligation for transaction records (Art. 6(1)(c)) |
| Organizer data | Phone number and name of co-organizers added by the host | Granting scanner/check-in access to designated event organizers | Legitimate interests (Art. 6(1)(f)) |
| Usage analytics | Your account identifier and in-app interaction events (e.g. invite created, invite sent, purchase completed, screens viewed) | Understanding how the App is used to improve features and reliability | Legitimate interests (Art. 6(1)(f)) |
| Crash & diagnostic data | Your account identifier, crash logs, and error diagnostics | Diagnosing crashes and keeping the App stable | Legitimate interests (Art. 6(1)(f)) |
| Aggregated statistics | Non-identifying, aggregated event and messaging outcome counters | Measuring overall App usage and reliability | Legitimate interests (Art. 6(1)(f)) |
| Device / technical data | Push notification token, device OS version, app version | Delivering push notifications; crash diagnostics | Legitimate interests (Art. 6(1)(f)) |
3. What We Do Not Collect
- Payment card numbers or banking details (all purchases are handled by our payment processor)
- GPS location or precise location data
- Advertising identifiers or cross-app tracking data
- Contacts other than those you explicitly select and import
- The content of private conversations between you and your guests outside the Nawarto RSVP flow
We do not sell your data or your guests' data to any third party, and we do not use it for advertising.
4. How We Use Your Data
- Authenticating your account and maintaining your session securely
- Creating, previewing, and delivering invitations via our messaging provider on your behalf
- Routing RSVP replies, questionnaire answers, and follow-up messages (plus-ones, dietary, allergy, notes prompts)
- Sending event reminders, change notifications, and cancellation notices to invited guests
- Generating entry barcodes and digital wallet passes; recording gate check-ins
- Processing credit purchases and issuing credits for failed deliveries
- Transliterating guest names when requested by the host
- Providing the guest-facing RSVP web page (nawarto.com/rsvp/…), barcode page, and calendar link
- Improving the App through anonymised, aggregated analytics
- Responding to your support or data-rights requests
5. Sharing Your Data With Third Parties
We share personal data only with the following categories of processors, each contractually bound to protect it:
- Cloud infrastructure provider (US): Our primary infrastructure for authentication, database, storage, and application hosting. Data is transferred to the US under Standard Contractual Clauses.
- Messaging platform provider (US): Guest phone numbers and personalised invitation content are transmitted to our messaging provider to deliver messages on your behalf. Inbound RSVP replies are returned to us via a secure webhook. Data is transferred to the US under Standard Contractual Clauses.
- Payment processor: In-app credit purchases are processed by our payment processor. We receive a receipt token for verification and never have access to your payment card details.
- Translation service provider (US): When you use the optional name-translation feature, guest names are sent to a translation API. Data is transferred to the US under Standard Contractual Clauses.
- Analytics & diagnostics provider (US): Your account identifier, in-app interaction events, and crash/diagnostic logs are processed by our analytics and crash-reporting provider so we can understand usage and fix stability issues. Data is transferred to the US under Standard Contractual Clauses.
We do not sell your data or your guests' data to any third party, and we do not share it for advertising purposes.
6. International Data Transfers
Our infrastructure runs primarily in the United States. If you are located in the European Economic Area (EEA), UK, or Switzerland, we transfer your personal data to the US on the basis of the European Commission's Standard Contractual Clauses (SCCs) incorporated into our agreements with our service providers. You may request a copy of these safeguards by writing to contact@nawarto.com.
7. Data Retention
- Account and event data: Retained for as long as your account is active. Deleting your account removes all associated personal data within 30 days.
- Guest data (invitees): Approximately 15 days after an event ends or is cancelled, each guest record is automatically anonymised — names are reduced to initials and phone numbers to their last few digits — regardless of whether the event is deleted. Deleting an event removes its guest records outright.
- Allergy data: Automatically deleted at the ~15-day post-event anonymisation and never retained beyond that point.
- RSVP outcome data: RSVP status, plus-ones, dietary choice, and any note to the host may be retained after anonymisation in a form no longer linked to an identifiable guest, so the host keeps a record of their event.
- Event media: Header images, video, welcome audio, and entry barcodes are deleted at the ~15-day post-event anonymisation.
- Credits: Purchased credit packs are valid for 3 months from the date of purchase; unused credits expire and are forfeited. Credit transaction records are retained for up to 7 years to comply with financial record-keeping obligations.
- Delivery logs and diagnostic data: Retained for up to 90 days.
- Aggregated statistics: Retained indefinitely (no personal data).
8. Security
Personal data is stored on our cloud infrastructure, encrypted in transit (TLS) and at rest (AES-256). Database security rules ensure each user can only access their own events and guest data. We apply the principle of least privilege to all internal access.
No system is entirely secure. If you become aware of any security concern related to the App, please notify us immediately at contact@nawarto.com.
9. Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights. We will respond within 30 days of receiving a verifiable request.
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data. You can delete your account directly in the App; we will erase associated data within 30 days.
- Right to restriction (Art. 18): Request that we limit how we process your data in certain circumstances.
- Right to data portability (Art. 20): Request your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests. We will cease unless we can demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g. allergy data), you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EU).
To exercise any of these rights, contact us at contact@nawarto.com or delete your account directly in the App under Profile > Delete Account.
Note for hosts: You are the data controller for your guests' personal data. You are responsible for ensuring you have an appropriate legal basis (such as a legitimate interest in hosting a private event, or explicit consent) to collect and process guest information. You should inform your guests that their RSVP responses, dietary preferences, and allergy information are stored and used for event-planning purposes.
10. Children's Privacy
The App is not directed to children under 13. We do not knowingly collect personal data from children. If you believe a child has provided data through the App, please contact us at contact@nawarto.com and we will promptly delete it.
11. Cookies and Tracking
The Nawarto mobile App does not use cookies. The App's hosted web pages (barcode, RSVP, calendar, and marketing pages at nawarto.com) do not use advertising or tracking cookies. Web pages load fonts from a third-party CDN, which may involve a network request to that provider's servers.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will update the "Last updated" date at the top of this page. For material changes, we will provide notice in the App. Continued use of the App after changes constitutes acceptance of the updated policy.
13. Contact Us
For any privacy questions, data-rights requests, or concerns, please contact us:
Email: contact@nawarto.com
We aim to respond to all requests within 30 days.