1. What this document covers
This document describes the personal data KRUSPIN may process when operating the planner workspace, project, RSVP, guest website, and related modules.
For data the customer enters into a project about its clients, guests, vendors or team, the customer is typically the controller and KRUSPIN is the processor. For account, security, support and service operation data, KRUSPIN may be the controller.
2. Categories of personal data
| Category | Examples |
|---|---|
| Account and sign-in | Name, e-mail, secured password information, sign-in sessions, e-mail verification, password reset, roles and memberships. |
| Workspace and project | Workspace name, team members, weddings/events, date, venue, internal processes and project notes. |
| Clients, guests and households | Names, contacts, addresses, language, technical links and RSVP identifiers, household relationships, plus-ones, children, preferences and notes. |
| RSVP and logistics | Attendance, meal, allergies, questionnaire answers, response time, changes and response review. |
| Accommodation and seating | Places, buildings, rooms, beds, guest assignments, arrival/departure, capacities and instructions. |
| Vendors and finance | Vendor contacts, responsible people, statuses, fees, deposits, balances, budget items and payment notes. |
| Billing and payments | Billing e-mail, customer and payment identifiers at the payment provider, payment status and billing communication when online payments are enabled. |
| Files and content | Uploaded documents, photos, guest website images, venue/accommodation galleries, project content and publicly published content. |
| Technical data | IP address or derived security signals, device and browser data, request technical data, error logs, audit events and security records. |
3. Where data comes from
- From users who register, sign in or manage a workspace.
- From planners and customers who import or manually enter guests, clients, vendors, team and project data.
- From guests or clients who complete RSVP, a guest form or client access.
- From technical operation of the application, such as logs, sign-in cookies, e-mail delivery, files or monitoring.
- From external services when a user uses them, such as a map service for an address or text translation for the guest website.
4. Why we process data
- Creating and securing accounts, sign-in and access management.
- Operating the planner workspace, project, RSVP, accommodation, seating, timeline, tasks, files and vendor modules.
- Delivering transactional e-mails such as account verification, password reset and invitations.
- Publishing the guest website and processing RSVP when the customer enables it or sends the link.
- Managing the commercial relationship, manual invoicing and optionally online payments through a payment provider when explicitly enabled.
- Security, abuse prevention, audit, support handling and bug fixes.
- Meeting legal, contractual or accounting obligations where they apply.
- Improving, testing and optimising the service, measuring performance and quality, capacity planning, fixing errors and developing new features. Where possible, we use aggregated, anonymised, pseudonymised or otherwise minimised data.
- Automated and AI-assisted processing for features started by the customer or user, or for support, security and service quality control. This may include translations, text suggestions, summaries, search, import cleanup or workflow recommendations.
5. Legal bases
For account, access, support, billing and security data, processing may rely mainly on contract performance or steps before entering into a contract, legitimate interest in secure and functional service operation, legal obligations and consent where a concrete feature is consent-based.
For project data about clients, guests, vendors and other people entered by the customer, the customer typically determines the legal basis as controller. KRUSPIN processes this data as processor under the contract, documented instructions and service operation needs.
Service improvement, security, error detection, technical support, product analytics and feature development may rely on legitimate interests in operating a secure and functional service. For project data entered by the customer, KRUSPIN acts according to its processor role, the contract, documented customer instructions and the settings of the specific feature.
6. Private data vs. shared outputs
Private project data is not intended for the public. Access is governed by the role in the workspace or project.
Public or shared content exists only when the customer publishes the guest website, sends an RSVP link, invites a client or exports and shares data outside the application. Such content may include selected information about the wedding/event, program, address, contacts, accommodation or RSVP.
7. Recipients and processors
The overview of external services and processors is listed in the Data Processing document. We do not share data with ad networks or marketing analytics. If product analytics is enabled, it is limited to selected operational events and does not use browser autocapture, session recording or marketing pixels.
We use external AI or automation services only where a specific feature is enabled, where needed for support, or where this follows from customer settings. We do not use project data to train a general public AI model without a separate agreement.
8. Retention, export and deletion
Project data is retained while the service is used or according to the customer agreement. Support can handle export, correction or deletion manually on request. Automatic download of the full data copy or direct in-app account deletion is not available yet.
Some records may remain for a limited time in backups, logs, audit records or where needed for security, legal defense, accounting or incident handling.
9. Individual rights
- An account user can request access, correction, restriction, deletion or portability of account data.
- A guest, client or vendor should first contact the planner or organization that entered the data into the project. That organization is usually the controller for project data.
- If a request comes directly to the processor, KRUSPIN will help identify the relevant customer-controller or forward the request where possible and contractually appropriate.
- Requests are usually answered without undue delay and at the latest within one month; for complex or numerous requests, this period may be extended under GDPR.
- For KRUSPIN operation requests, support can be contacted at support@kruspin.com.
- The data subject also has the right to lodge a complaint with the Czech Office for Personal Data Protection.
- We respond to legal requests under GDPR and according to KRUSPIN’s role as controller or processor.
10. Security
We use access roles, sign-in cookies, server checks, database access controls and separate environments. Files are stored in object storage.
This document does not promise absolute protection, security certification or encryption of every individual personal-data field unless such a measure is expressly confirmed for the service.