Privacy Policy

Last updated: 7/3/2026

This Privacy Policy explains what personal data Owambeflow collects, how we use it, who we share it with, and the rights you have. By using the Service you consent to the practices described below.

1. Data we collect

  • Account data: name, email, phone number, country, username, date of birth (18+ attestation; immutable once set), avatar, role (planner/celebrant), authentication identifiers (including Google sign-in).
  • Event data: events you create or join, event metadata (date, venue, expected guest count), invitations, RSVPs, items, orders, payments, refunds, fulfillment status.
  • Delivery addresses: the address you enter on an order is stored on the order record and shared with the event owner for fulfillment.
  • E-Spray contributions: amount, currency, method (card/transfer), optional message, anonymity flag, status, payment reference, contributor identity (retained internally even when the contribution is marked anonymous, for compliance and dispute resolution).
  • Chat messages and uploads: message body, attachments, mentions, replies. Chat is encrypted in transit; it is not end-to-end encrypted.
  • Reviews and media: ratings, review text, photos uploaded to event galleries.
  • Email engagement: sends, bounces, complaints, unsubscribes.
  • Security and audit logs: sign-ins, IPs, user agents, sensitive actions (publish, cancel, archive, guest add/remove, role change, refund, contribution).
  • Cookies and analytics: see our Cookies page. We use first-party cookies for sessions and aggregate analytics for product improvement.

2. How we use data

  • To run the Service: authentication, RSVPs, orders, contributions, chat, email delivery.
  • To protect users: fraud detection, abuse moderation, AML compliance (see AML policy).
  • To improve the Service: aggregate usage analytics and bug reports.
  • To meet legal obligations and respond to lawful requests.

3. Anonymity in E-Spray

When you spray anonymously, your name is hidden from the event owner, other guests, and chat announcements. Owambeflow retains your identity internally to support refunds, dispute resolution, regulatory inquiries, and AML obligations. We will not disclose anonymous identity to the event owner except where required by law.

4. Who we share data with

  • Event owners see guest contact details, RSVPs, orders, delivery addresses, delivery-confirmation status, and non-anonymous contributions for their own events.
  • Other event guests in a shared chat see your username, avatar, and messages.
  • Service providers we currently use: Supabase (authentication, database, storage, realtime), PostHog (product analytics), and an email delivery provider for transactional emails and engagement metrics. They process data on our behalf under written terms.
  • Payment processors may be introduced to record and settle E-Spray contributions and aso-ebi orders.
  • Authorities when required by law, court order, or to prevent harm.

5. International transfers

Data may be processed in countries other than where you reside. We use appropriate safeguards (standard contractual clauses where applicable).

6. Retention

  • Account, event and order data: while your account is active and as required for tax, accounting and legal obligations.
  • Contributions and AML records: at least 5 years from the transaction date, in line with local regulations.
  • Chat messages: retained for the lifetime of the event chat; deleted messages remain in audit logs.
  • Audit logs: retained for security and compliance for up to 7 years.

7. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or export your personal data, and to object to certain processing. Contact us to exercise these rights. We will respond within applicable statutory deadlines. Some data — such as audit logs and AML records — may be retained as required by law even after account deletion.

8. Children

Owambeflow is for users 18 and older. We do not knowingly collect data from minors.

9. Security

We use industry-standard encryption in transit (TLS), encryption at rest where supported by our providers, role-based access control, row-level security on tenant data, and audit logging. No system is perfectly secure; please use strong passwords and enable two-factor authentication.

10. Changes

We may update this policy and will notify you of material changes.

11. Contact

Privacy questions or requests? Reach us via the Contact page.