Skip to main content
STEVENSTEVEN

Legal

Privacy Policy

Last updated: June 11, 2026

STEVEN ("STEVEN", "we", "us") is a wedding and event management platform operated by PrinTrail. This policy explains what personal data we collect, why we collect it, who we share it with, and the rights you have over it. It applies to event hosts who create an account, and to guests whose information is entered into STEVEN or who interact with our public RSVP and Memories pages.

1. Data we collect

  • Account data - when you sign up as a host we collect your name, email address, and authentication credentials. If you sign in with a social provider, we receive the profile data that provider shares.
  • Event and guest data entered by hosts - hosts add guest names, email addresses, phone numbers, dietary preferences, plus-one details, seating assignments, and similar event information.
  • RSVP data submitted by guests - when guests respond to an invitation, we collect their RSVP status, attendance details, dietary preferences, and any messages they include.
  • Photos and videos (Memories)- guests may upload photos and videos to an event's Memories gallery. These are stored with our media hosting providers and displayed to the host and other guests of that event.
  • Payment data - subscriptions are processed by Polar, our merchant of record. We never see or store full card numbers; we receive only confirmation of payment status and plan entitlements.
  • Usage and analytics data - we collect product usage events, device and browser information, and approximate location (from IP address) to understand how STEVEN is used and to improve it. See the Cookies section below.
  • Support communications - if you email us, we keep the correspondence to resolve your request.

2. How we use your data

  • Providing the service: guest management, RSVPs, seating, budgets, notifications.
  • Sending transactional emails (RSVP confirmations, invitations, account emails).
  • Sending marketing emails to hosts who have opted in (you can unsubscribe anytime).
  • Processing payments and managing subscriptions.
  • Product analytics, debugging, and error monitoring.
  • Preventing fraud, abuse, and security incidents.

3. Legal bases for processing

Where the GDPR or similar laws apply, we rely on the following legal bases:

  • Contract - processing needed to provide the service you signed up for (account data, event data, billing).
  • Legitimate interests - service security, fraud prevention, error monitoring, and improving the product, balanced against your rights.
  • Consent - analytics cookies (via the cookie banner), marketing emails, and guest photo uploads. You can withdraw consent at any time.
  • Legal obligation - retaining billing records where tax or accounting law requires it.

For guest data entered by a host, the host is generally the data controller and STEVEN acts as a processor on the host's behalf. Hosts are responsible for having a lawful basis to enter their guests' details.

4. A note for guests

If your information appears in STEVEN, it was most likely entered by the host of an event you were invited to, or submitted by you through an RSVP or Memories page. You still have rights over that data: you can ask the event host to correct or remove your details, or contact us directly at steven@printrail.com and we will assist with access, correction, or deletion requests - including removing photos or videos of you from a Memories gallery.

5. Third-party processors

We share data with the following service providers, only to operate STEVEN:

  • Supabase - authentication and database hosting (account, event, guest, and RSVP data).
  • Cloudinary - hosting of guest-uploaded photos and videos (Memories).
  • Google Cloud Storage - file uploads and image storage.
  • PostHog - product analytics (subject to your cookie consent).
  • Sentry - error monitoring and performance tracking.
  • Knock - in-app and workflow notifications.
  • Plunk - transactional and marketing email delivery.
  • Polar - payments, billing, and subscription management (merchant of record).
  • Upstash - rate limiting and caching infrastructure.
  • Google Maps - venue location display and search.

Each provider processes data under its own data processing agreement with us. We do not sell personal data to anyone.

6. Cookies and analytics

We use essential cookies for authentication and security - these are always on. We also use PostHog analytics, which stores identifiers in your browser, only if you accept analytics in the cookie consent banner shown on your first visit. If you decline, analytics tracking is turned off for your browser. You can change your mind by clearing the cookie-consententry from your browser's local storage, which makes the banner reappear.

7. Data retention

  • Account and event data are kept while your account is active.
  • If you delete your account, we delete or anonymize associated data within 30 days, except where law requires longer retention (e.g. billing records).
  • After a subscription ends, event data remains accessible (read-only on the free plan) so hosts can export it; hosts can delete events at any time.
  • Guest photos and videos are removed when the host deletes them or the event.

8. Your rights

Depending on where you live (including under the GDPR and the Philippine Data Privacy Act of 2012), you may have the right to access, correct, export, restrict, object to the processing of, or delete your personal data. To exercise any of these rights, email us at steven@printrail.com. We respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. International transfers

Our infrastructure providers may store and process data in the United States, the European Union, and other regions. Where data is transferred out of the EEA or UK, we rely on our providers' standard contractual clauses and equivalent safeguards.

10. Children's data

STEVEN is not directed at children under 16, and we do not knowingly collect their data as account holders. Hosts may include minors on a guest list (for example, a family invitation); the host is responsible for having permission to do so. If you believe we hold a child's data inappropriately, contact us and we will remove it.

11. Security

Data is encrypted in transit, access to production systems is restricted, and we use row-level security on our database so hosts can only access their own events. No system is perfectly secure, so please use a strong, unique password.

12. Changes to this policy

We may update this policy as the product or the law changes. We will post updates on this page and, for material changes, notify hosts by email. The "Last updated" date at the top reflects the latest revision.

13. Contact us

Questions about privacy? Email steven@printrail.com. See also our Terms of Service.