Privacy
policy.

CKR Technology Group Ltd ("we," "us," or "Vowly Event"), a private limited company registered in England and Wales with its registered office at Unit A, 82 James Carter Road, Mildenhall, Suffolk IP28 7DE, United Kingdom, acts as the data controller for personal data processed through the Vowly Event platform. We are accountable for ensuring your personal data is processed lawfully, fairly, and transparently.

This policy applies to all personal data we collect when you use our website (vowly.co), web application (web.vowly.co), mobile applications, or interact with us through email, customer support, or marketing channels. It covers both hosts (organisers) and guests who interact with events created on our platform.

• Website visitors and prospective customers
• Registered hosts (event organisers) using paid or trial subscriptions
• Guests who receive invitations and submit RSVPs via our platform
• Partners listed in our partner directory and their representatives
• Job applicants and business contacts

We collect only the personal data that is necessary to deliver and improve the Vowly Event service. The categories of data we process depend on your role and how you interact with the platform.

• Identity data: name, email address, phone number, profile photograph
• Account data: encrypted password hash, account preferences, language settings
• Event data: event title, date, venue, theme selection, cover imagery
• Guest data: names, RSVP status, dietary preferences, plus-one details supplied by hosts or guests
• Payment data: processed by Stripe Inc. — we never store full card numbers; we retain only the last four digits, billing country, and Stripe customer reference
• Technical data: IP address, browser type, device identifiers, time zone, operating system
• Usage data: pages visited, features used, click events, error logs, performance metrics
• Communication data: support tickets, in-app messages, marketing preferences

We process your personal data under specific lawful bases as defined in Article 6 of the UK GDPR and EU GDPR. Different processing activities rely on different legal grounds.

• Contractual necessity — to provide the platform, manage your subscription, and deliver invitations and RSVP tracking
• Legitimate interests — to improve our services, prevent fraud, ensure platform security, and conduct anonymised analytics
• Consent — for marketing communications, optional cookies, and non-essential third-party integrations (you may withdraw consent at any time)
• Legal obligation — to comply with tax, accounting, anti-money-laundering, and cybersecurity regulations applicable to UK companies

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including any legal, accounting, or reporting requirements. Retention periods vary based on data type.

• Account data: retained for the duration of your subscription plus 90 days after closure to allow account reactivation
• Event and guest data: deleted within 30 days of event completion unless you choose to archive specific events
• Payment records: retained for 7 years to comply with UK and EU tax obligations (HMRC requirements)
• Support correspondence: 3 years from last interaction
• Marketing preferences: until consent is withdrawn
• Anonymised analytics: indefinitely (no personal identifiers retained)

We do not sell your personal data. We share data only with carefully selected service providers (processors) who help us deliver the Vowly Event platform under strict data processing agreements (DPAs).

• Google Cloud / Firebase (Ireland) — hosting, database, authentication, file storage
• Stripe Payments Europe Ltd (Ireland) — subscription billing and payment processing
• Resend Inc. — transactional email delivery (EU data handling under SCCs where applicable)
• Cloudflare (EU/UK) — DNS and network security
• Apple Inc. & Google LLC — exclusively for app store distribution and push notification routing

Under the UK GDPR and EU GDPR, you have extensive rights regarding your personal data. We honour all rights requests within one calendar month at no charge.

• Right of access — request a copy of all personal data we hold about you
• Right to rectification — correct inaccurate or incomplete personal data
• Right to erasure ("right to be forgotten") — request deletion of your data subject to legal exceptions
• Right to restrict processing — limit how we use your data in specific circumstances
• Right to data portability — receive your data in a machine-readable format
• Right to object — to direct marketing or processing based on legitimate interests
• Right to withdraw consent — for any processing based on consent
• Right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk

Vowly Event primarily processes data within the European Economic Area (EEA) and the United Kingdom. Some service providers may transfer data to other jurisdictions; in those cases, we ensure equivalent protection through legal safeguards.

• Standard Contractual Clauses (SCCs) approved by the European Commission and UK ICO
• Adequacy decisions where available (e.g., UK–EU adequacy)
• Technical safeguards including end-to-end encryption and key management

Vowly Event is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you become aware that a minor has provided us with personal data without parental consent, please contact support@vowly.co and we will promptly delete it.

We implement a layered security programme to protect personal data against unauthorised access, alteration, disclosure, or destruction. See our dedicated Security page for full details.

• TLS 1.3 encryption in transit for all connections
• AES-256 encryption at rest for databases, file storage, and backups
• Role-based access controls (RBAC) and multi-factor authentication for staff
• Continuous monitoring, vulnerability scanning, and penetration testing
• Incident response procedures with mandatory breach notification within 72 hours

We may update this Privacy Policy from time to time to reflect changes in law, regulation, or our service. Material changes will be communicated to registered users by email at least 30 days before they take effect. The latest version is always available at vowly.co/privacy.

For any privacy-related questions, complaints, or to exercise your data rights, please contact our Data Protection Officer at support@vowly.co or write to: Data Protection Officer, CKR Technology Group Ltd, Unit A, 82 James Carter Road, Mildenhall, Suffolk IP28 7DE, United Kingdom. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) — ico.org.uk — or your local EU supervisory authority.