Who's In?

Privacy Policy

Last updated: January 2026

Privacy at a Glance

No Data Sales

We never sell your data to third parties

Minimal Collection

Only what's needed for events

Delete Anytime

Full account deletion available

Global Compliance

GDPR, CCPA, and regional laws

Overview

Who's In? ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your personal information when you use our event coordination platform.

We follow data minimization principles and comply with applicable global data protection laws including:

  • General Data Protection Regulation (GDPR) - European Union
  • California Consumer Privacy Act (CCPA) - United States
  • Personal Data Protection Law (UU PDP) - Indonesia
  • Personal Data Protection Act (PDPA) - Singapore
  • Other applicable regional privacy regulations

Information We Collect

We collect only the minimum information necessary to provide our services:

Account Information

  • Email address: Required for account creation and event notifications
  • Name: Displayed to organizers and optionally to other attendees (as "First L.")
  • Phone number: Optional, for WhatsApp notifications if you enable them
  • Country: Optional, for time zone purposes

Event Data

  • Events created: Event details you provide (title, description, location, date/time)
  • RSVP history: Events you've registered for and attendance status
  • Check-in data: If enabled by organizer, arrival confirmations

Technical Data

  • Device information: Browser type, operating system (for compatibility)
  • Usage analytics: Anonymous, aggregated data about feature usage
  • Error logs: Technical errors to improve service reliability

How We Use Your Information

We use your information for these specific purposes:

Data | Purpose | Legal Basis
Email | Account login, event notifications, RSVP confirmations | Contract performance
Name | Display on RSVP lists, organizer communication | Contract performance
Phone | WhatsApp notifications (if enabled) | Consent
Event data | Event coordination, reminders, analytics | Contract performance
Usage data | Service improvement, bug fixes | Legitimate interest

What We Don't Do

  • We never sell your personal information to third parties
  • We never share your data for advertising or marketing
  • We never use your data for profiling or targeted ads
  • We never track your location without explicit consent
  • We never show ads — not now, not ever

AI Agent Access

Who's In? is "AI Agent Ready," meaning AI assistants (like ChatGPT, Claude, and Gemini) can discover and interact with public events through our API.

What Information AI Agents Can Access:

  • Public event details only: Title, description, date, time, location, and capacity
  • Real-time availability: Number of spots left and waitlist status
  • No attendee information: AI agents never see who's attending your event

Human-in-the-Loop Safety:

When an AI agent initiates an RSVP on behalf of a user, that user must explicitly confirm via email before the RSVP is processed. AI agents cannot RSVP without human confirmation. This protects against AI errors and ensures user consent.

Private Events:

Only events marked as "Public" are discoverable by AI agents. Private events remain completely hidden from AI agent discovery and our public API.

For technical details about our AI agent integration, see our AI Agent Integration blog post or our OpenAPI specification.

Data Sharing & Recipients

We share your information only in these limited circumstances:

Event Organizers

When you RSVP to an event, organizers can see:

  • Your name and RSVP status
  • Your email (for event communication)
  • Check-in status (if enabled)

Other Attendees

If attendee list visibility is enabled:

  • Your name displayed as "First L." (privacy-preserving format)
  • Your RSVP/waitlist status
  • Email and phone are never shown to other attendees

Service Providers

We use trusted third-party services:

  • Google Firebase: Authentication, database, hosting (US/EU)
  • Resend: Email delivery (US)
  • Stripe: Payment processing (for Pro subscriptions)

All providers are contractually bound to process data only as instructed and maintain appropriate security.

International Data Transfers

Your data may be transferred to and processed in countries outside your residence, including the United States. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all service providers
  • Encryption in transit (TLS 1.3) and at rest (AES-256)

Your Rights

Depending on your location, you have the following rights:

Access

Request a copy of all personal data we hold about you

Correction

Update or correct inaccurate information in your account

Deletion

Request deletion of your account and all associated data

Portability

Receive your data in a machine-readable format (JSON)

Withdraw Consent

Opt out of marketing emails or notifications anytime

Restriction

Limit how we process your data in certain situations

To exercise these rights, visit Account Settings or contact us at [email protected]. We respond to all requests within 30 days.

For EU/EEA Residents (GDPR)

If you're in the European Economic Area, you have additional rights under GDPR:

  • Right to lodge a complaint with your local Data Protection Authority
  • Right to object to processing based on legitimate interests
  • Right not to be subject to automated decision-making

Data Controller: Who's In? App
Contact: [email protected]

For California Residents (CCPA)

If you're a California resident, you have additional rights under CCPA:

  • Right to know what personal information we collect and how it's used
  • Right to request deletion of your personal information
  • Right to opt-out of the sale of personal information (we don't sell data)
  • Right to non-discrimination for exercising your privacy rights

Categories of data collected: Identifiers, commercial information, internet activity
Data sold in last 12 months: None

For Indonesian Residents (UU PDP)

If you're an Indonesian resident, you have the following rights under UU PDP:

  • Right to obtain information about the collection of your data
  • Right to update or correct your personal data
  • Right to delete your personal data
  • Right to withdraw consent at any time
  • Right to file a complaint with the relevant authority

Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Authentication: Secure passwordless login via magic links
  • Access Control: Role-based permissions, principle of least privilege
  • Infrastructure: Google Cloud Platform with SOC 2 certification
  • Monitoring: 24/7 security monitoring and incident response

Data Retention

Data Type | Retention Period
Account data | Until account deletion + 30 days
Event data (organizer) | Until event deleted + 90 days
RSVP history | 1 year after event date
Marketing preferences | Until changed or account deleted
Security logs | 90 days
Payment records | 7 years (legal requirement)

Cookies & Tracking

We use minimal cookies essential for the service to function:

  • Authentication cookies: Keep you logged in securely
  • Preference cookies: Remember your settings
  • Analytics: Anonymous usage statistics (Firebase Analytics, can be disabled)

We do NOT use advertising cookies or cross-site tracking.

Children's Privacy

Our services are not directed to individuals under 16 (or under 13 in the US). We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately at [email protected].

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via:

  • Email notification to your registered address
  • Prominent notice in the app
  • Updated "Last modified" date at the top of this page

Your continued use of the platform after changes indicates acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our data practices:

Email: [email protected]

Response time: Within 30 days

For urgent security concerns, please include "URGENT" in your subject line.
