Last updated — 2026-04-23
Privacy Policy
This Privacy Policy explains how BaptiDay collects, uses and protects your personal data when you use our mobile app, website and associated services.
1. Data Controller
The data controller under Regulation (EU) 2016/679 (GDPR) is:
For any privacy-related inquiry, please contact us at hello@bapti.day.
2. Personal data we collect
We only collect what is strictly necessary to provide our services. The categories of data processed are:
2.1 Data you provide
- Account data: email address, hashed password, optional first/last name, avatar.
- Third-party authentication data: if you sign in with Apple or Google, the federated identifier (sub) and the email provided.
- Event content: date, venue, budget, invitation copy, photos, moodboard, checklist, etc.
- Guest contact data: first name, last name, email and/or phone numbers of people you add to your guest list (see section 7 for your obligations to inform those individuals).
- Support chat content: messages exchanged with our team via Crisp.
- Payment data: handled exclusively by Apple (App Store), Google (Play Store) and RevenueCat. We never access your card numbers.
2.2 Data collected automatically
- Technical data: device type, operating system, device identifiers, app version, language, time zone, IP address.
- Usage data: pages visited, actions taken (clicks, section opens), session duration, number of sessions, navigation path.
- Universally unique identifier (UUID): anonymous identifier used to link analytics events for the same user.
- Crash reports: error logs, execution trace, app state at the time of the crash.
- Push notification token: device identifier used to deliver push notifications (via OneSignal and Firebase Cloud Messaging).
3. Purposes and legal bases
In accordance with Article 6 GDPR, every processing is based on a specific legal basis:
| Purpose | Legal basis | Retention period |
|---|---|---|
| Account creation and management | Contract performance | Throughout the life of your account, then 3 years after deletion |
| Delivering app features (event, guests, budget, etc.) | Contract performance | Active account duration + 30 days after deletion |
| Subscription and payment management | Contract performance + legal accounting obligation | 10 years (accounting) after the last transaction |
| Customer support | Legitimate interest (service quality) | 3 years from last interaction |
| Transactional push, email and SMS notifications | Contract performance | Active account duration |
| Marketing / promotional notifications | Consent (withdrawable at any time) | Until consent withdrawal or 3 years of inactivity |
| Analytics, audience measurement, product improvement | Consent or legitimate interest depending on the tracker | Max. 13 months (CNIL guidance) |
| Fraud prevention, security | Legitimate interest | Rolling 12 months |
| Compliance with legal obligations (court order, etc.) | Legal obligation | As required by law |
4. Recipients and sub-processors
Your data is shared only with the following sub-processors, bound by contract under Article 28 GDPR:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, file storage | Singapore — Policy |
| Vercel Inc. | Website and serverless functions hosting | United States — Policy |
| Google LLC (Firebase / Crashlytics / FCM / Analytics) | Push notifications, crash reports, analytics | United States — Policy |
| Apple Inc. | Sign in with Apple, in-app payments, App Store Connect | United States / Ireland — Policy |
| Amplitude, Inc. | Product analytics | United States — Policy |
| OneSignal, Inc. | Push, email and SMS notifications | United States — Policy |
| RevenueCat, Inc. | In-app subscription management and reporting | United States — Policy |
| Crisp IM SAS | Customer support chat | France — Policy |
| Functional Software, Inc. (Sentry) | Error and performance monitoring | United States — Policy |
| Meta Platforms, Inc. (Facebook App Events) | Attribution and ad audience measurement (consent-based) | United States / Ireland — Policy |
5. International transfers
Some sub-processors are established outside the European Economic Area (notably in the United States and Singapore). Such transfers are protected by the appropriate safeguards under Articles 44 ff. GDPR:
- For the United States: enrolment in the Data Privacy Framework (DPF) when the sub-processor is certified; otherwise, Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) apply.
- For Singapore: signing of Standard Contractual Clauses and Transfer Impact Assessment (TIA) ensuring equivalent protection.
- Additional technical measures: encryption in transit (TLS 1.2+), encryption at rest, pseudonymisation where possible.
You may request a copy of these safeguards by writing to hello@bapti.day.
6. Data retention
We retain your data only as long as necessary for the purposes described above. Main durations are:
- Active account: as long as you use the app.
- Deleted account: complete erasure within 30 days, except for legal obligations (billing, accounting, tax obligations: up to 10 years).
- Security logs: rolling 12 months.
- Anonymised analytics data: max. 13 months (CNIL guidance).
- Support messages: 3 years from the last exchange.
7. Guest data you upload
When you import or enter your guests' contact details (name, email, phone), you act as an independent data controller for that data.
Guests may request deletion of their data by contacting us at hello@bapti.day; we will forward the request to the relevant organiser.
8. Your rights
Under Articles 15 to 22 GDPR, you have the following rights:
- Right of access: obtain confirmation that we process your data and receive a copy.
- Right to rectification: correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): request deletion of your data, subject to legal retention obligations.
- Right to restriction: request processing suspension in specific cases.
- Right to object: object to processing based on legitimate interest or for direct marketing purposes.
- Right to data portability: receive your data in a structured, machine-readable format (JSON).
- Right to withdraw consent at any time for processing that relies on it.
- Right to set post-mortem instructions on the fate of your data (Article 85 French Data Protection Act).
- Right to lodge a complaint with the CNIL: www.cnil.fr or any competent supervisory authority.
To exercise your rights, write to hello@bapti.day. We will reply within one month, which may be extended by two months for complex requests. You may also delete your account directly from the app (Profile → Settings → Delete account).
9. Security
We implement appropriate technical and organisational measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Strong authentication with short-lived JWT tokens.
- Role-based access control and least-privilege principle.
- Strict environment separation (development, production).
- Supabase Row Level Security (RLS): each user can only access their own data.
- Access logging and anomaly detection.
- Daily automated backups and disaster recovery plan.
- Regular security testing and vulnerability monitoring.
In case of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you within 72 hours of discovery, in accordance with Article 34 GDPR.
10. Minors
BaptiDay is intended for users aged 15 or older. Under Article 8 GDPR and the French Data Protection Act, minors under 15 require their legal representatives' authorisation.
Photos and names of children included in an event are entered under the sole responsibility of the organiser, who must have obtained the legal representatives' consent.
12. Policy updates
We may update this policy to reflect legal, technical or functional changes. Any substantial change will be communicated by email or via an in-app notification at least 30 days before it takes effect.
13. Contact
Supervisory authority: Commission Nationale de l'Informatique et des Libertés (CNIL) — 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — www.cnil.fr.