Privacy Policy

1. Who we are

Nyza Events is operated by Nyza Creations LLC, a Delaware limited liability company with its principal place of business at 701 NE Normandy Dr, Bremerton WA 98310, USA ("Nyza," "we," "us," "our"). For European data protection purposes, Nyza Creations LLC is the "controller" of personal data we process about you when you use the Service as a host, vendor, planner, or visitor. If you are a guest invited by a host, that host is the controller of your data and Nyza acts as a processor on their behalf — see Section 18.

2. Scope of this policy

This Privacy Policy explains how we collect, use, share, retain, and protect personal data when you visit nyzaevents.com, any subdomain at {slug}.nyzaevents.com, our APIs, or any related product or service (together, the "Service"). It applies in addition to our Terms of Service, Cookie Policy, and (where applicable) our Data Processing Addendum.

3. The data we collect

Account data

• Name, email address, password hash, profile photo (if you set one).
• Optional phone number, city, country, locale, and time zone.
• Role on the platform (host, vendor, planner) and any workspace memberships.

Event & planning data

• Event details you enter — type, dates, venue, budget, schedule, cultural modules, vendor selections, ceremony notes, design choices.
• Guest list contents — names, contact details, dietary or accessibility notes you record, RSVP responses, plus-one details, and any messages you send through Nyza.
• Chat transcripts with the AI co-pilot, including prompts and generated responses.
• Generated artifacts — moodboards, decor renders, save-the-date images, PDF invitations, save-the-date or invite videos.

Vendor profile data (vendors only)

• Business name, description, services offered, pricing, location, photos, portfolio.
• Public reviews, ratings, and inquiry history.
• Stripe Connect account ID and payout status — Stripe collects and stores the identity-verification, tax, and bank-account details required for payouts.

Payment data

• We store a Stripe customer ID, subscription status, and the last 4 digits / brand of your card. Full card details, billing addresses, and tax IDs are stored by Stripe under their privacy practices.
• For vendor and organizer payouts, we store transaction IDs, amounts, and status — Stripe holds the underlying bank or payout-method details.

Ticketing data (buyers + organizers)

• Ticket buyers: name, email address, ticket type, quantity, order total, Stripe payment intent ID, the unique QR token that identifies the ticket, and the check-in status (issued, redeemed, refunded). The QR token is stored as a hash on our servers; the buyer-visible code is delivered by email and only re-derivable when the buyer redeems it at the door.
• Organizers: aggregate sales counts and per-ticket-type revenue visible in the event dashboard; full attendee list (name, email, ticket type, check-in status) for the organizer's own event.
• Ticket confirmations are delivered by email through our transactional-email provider (Resend). Attendees may opt out of marketing emails from the organizer but receive transactional confirmations (the ticket itself, refund notifications, event-time changes) as part of the purchase.

Location data

• If you allow browser geolocation, we store an approximate latitude/longitude to help find nearby vendors. You can revoke this in your browser settings at any time.
• We infer coarse country/region from your IP address for tax and compliance routing.

Device, log & telemetry data

• IP address, browser type and version, device type, operating system, referrer URL, pages viewed, timestamps, and feature interactions.
• Error reports and stack traces (via Sentry) — we configure Sentry to strip request bodies and known PII fields where practicable.
• AI usage telemetry — token counts, model invoked, latency, success/failure — used for billing, capacity planning, and abuse detection. Stored alongside (not inside) the message content.

Cookies & similar technologies

See our Cookie Policy for the full list. In short: strictly necessary cookies for authentication and security, plus minimal product-analytics in aggregate. No third-party advertising cookies, no cross-site fingerprinting.

4. Where the data comes from

• Directly from you — when you sign up, fill in event details, upload a guest list, message the AI, contact a vendor, or pay.
• From other users — e.g., a planner adds you as a collaborator, a host adds you to a guest list, a vendor sends you a quote.
• From your devices — IP address, browser metadata, geolocation (with permission).
• From third parties on your behalf — Stripe sends us subscription and payment events; our email provider sends bounce/complaint signals; Twilio and Meta return SMS/WhatsApp delivery receipts.
• From publicly available sources — for the vendor marketplace, we may ingest publicly listed business data (business name, address, phone, photos, public reviews) via Apify Google Maps Extractor or Serper.dev Google search results. These create an "unclaimed" vendor profile until the business claims it. See Section 17.

5. How we use the data

• Provide, operate, and improve the Service — the entire product surface.
• Power the AI co-pilot, generative design tools, and vendor recommendations — your messages and event context are sent to the AI providers listed in Section 9 for inference.
• Process payments and vendor payouts via Stripe Connect.
• Send the guest communications you author (email, SMS, WhatsApp).
• Send transactional emails to you — sign-in links, billing receipts, security alerts, and account notifications.
• Detect, investigate, and prevent abuse, fraud, security incidents, and Terms violations.
• Measure, debug, and improve the Service — aggregate usage analytics, error reporting, capacity planning.
• Comply with legal obligations — tax, financial reporting (Stripe issues 1099-Ks where required), responding to lawful requests from authorities.
• Send infrequent product news or beta-feature invitations — you can unsubscribe from every marketing email, and we never share your email with third-party advertisers.

6. Our legal bases (EU/UK/EEA)

If GDPR or UK GDPR applies, we rely on the following legal bases for each processing purpose:

• Performance of a contract (Art. 6(1)(b)) — providing the Service you signed up for, processing payments, sending the guest communications you trigger.
• Legitimate interests (Art. 6(1)(f)) — securing the Service, preventing abuse, debugging, basic product analytics, and seeding the vendor marketplace with publicly available business data. We balance these interests against your rights and you may object at any time.
• Consent (Art. 6(1)(a)) — browser geolocation, optional product news, and any cookie category beyond "strictly necessary." You may withdraw consent at any time without affecting prior lawful processing.
• Legal obligation (Art. 6(1)(c)) — tax records, responding to regulator or court orders.

7. AI processing disclosure

Nyza Events uses third-party AI inference providers for text reasoning and image generation — to power the AI co-pilot, the event-design tools, and certain vendor-discovery features. When you use these features:

• The content of your chat messages, relevant event context, attached files, and any tools the AI invokes on your behalf are transmitted to the provider for inference.
• We use each provider's commercial API. Per their published terms, prompts and responses sent via these APIs are not used to train their public foundation models. We rely on these published commitments; if they change materially, we will update this section.
• Providers may retain inputs and outputs for a short period for abuse monitoring (each provider publishes the specific window in their API terms).
• AI outputs may be inaccurate, fabricated, or out of date. You are responsible for reviewing AI-generated content before sending it to guests, signing vendor contracts, or otherwise relying on it. See Terms § 7.
• We log telemetry (token counts, model, latency) separately from message bodies to support billing and capacity planning.
• We do not use your event content, guest data, or chat transcripts to train any model of our own.

8. How we share data

We share personal data only with:

• Subprocessors — the infrastructure, AI, payment, and communication vendors listed in Section 9, each bound by contractual data-protection obligations.
• Other users you interact with — vendors see your inquiry details and public profile when you contact them; collaborators you invite to your event see the event data you share with them.
• Authorities and other parties, when required by law (court order, subpoena, valid legal request) or to protect rights, safety, or property. We push back on overbroad requests and notify affected users where legally permitted.
• A successor entity in the event of a merger, acquisition, financing, or sale of assets — your data will continue to be protected by this Policy (or a successor with equivalent terms), and we'll notify you of material changes.

We do not sell your personal data in the ordinary sense of that word, and we do not share it with third-party advertisers for cross-context behavioral advertising. For the specific CCPA/CPRA meanings of "sell" and "share," see California Privacy Notice.

9. Subprocessors

Nyza relies on a small set of established infrastructure providers. Each only sees the data needed for its specific role. We keep this list current; material additions are announced via this page and (for paid users on the DPA) by email at least 30 days in advance.

10. International data transfers

Nyza is based in the United States. The data we hold about you is stored on DigitalOcean infrastructure located in the United States. Our subprocessors operate globally and may process data in jurisdictions outside your country of residence, including the United States and the European Union.

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States or other jurisdictions without an adequacy decision, we rely on the appropriate safeguards available — including the European Commission's Standard Contractual Clauses (SCCs), the UK's International Data Transfer Addendum, and provider-specific certifications under the EU-US Data Privacy Framework where available. You may request a copy of the transfer mechanism applicable to your data at legal@nyzaevents.com.

11. How long we keep data

• Active account data — for as long as your account is open, plus a short period afterward for backup rotation and dispute resolution.
• Deleted accounts — purged from live systems within 30 days of your deletion request. Backups containing your data roll over and are overwritten within 90 days.
• Event archives — kept in your account indefinitely until you ask us to delete them; your wedding photos, vendor receipts, and guest book do not expire.
• Payment + tax records — retained as required by US and (where applicable) EU/UK tax law, typically 7 years.
• AI chat transcripts — kept while your account is active; deleted on account deletion. Provider-side abuse-monitoring retention is governed by each AI provider's API terms.
• Vendor outreach & compliance records — outreach attempts and unsubscribe requests are retained as long as needed to honor opt-outs (typically indefinitely, in minimal form).
• Security logs — retained for 90 days for incident investigation.

12. Security

We use TLS in transit, encryption at rest for the application database, scoped IAM for subprocessor access, hashed (never plaintext) account passwords, rate limiting, and principle-of-least-privilege engineering access controls. No system is perfectly secure; you can help by using a strong unique password and a password manager, and by reporting suspected vulnerabilities to hello@nyzaevents.com.

If a personal data breach is likely to result in a risk to your rights, we'll notify you and the relevant supervisory authorities as required by applicable law.

13. Your privacy rights

Regardless of where you live, you can:

• Access the data we hold about you — download a JSON/PDF export from Account → Data export.
• Correct your account or event data directly from your profile.
• Delete your account and associated data from Account → Data, or by emailing hello@nyzaevents.com.
• Port your data — the export is machine-readable JSON.
• Object to specific processing or restrict certain uses.
• Opt out of optional product emails (every marketing email has an unsubscribe link).

We respond to verifiable requests within 30 days (or 45 days where law permits an extension). We may need to verify your identity to protect your data.

14. EEA, UK & Swiss rights (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you also have the right to:

• Withdraw consent at any time, without affecting prior lawful processing.
• Lodge a complaint with your local supervisory authority. You can find your authority via the European Data Protection Board (edpb.europa.eu) or the UK Information Commissioner's Office (ico.org.uk).
• Receive information about the safeguards used for international data transfers (see Section 10).
• Request our Data Processing Addendum for GDPR Article 28 controller-processor terms — applicable when you (a host, planner, or vendor) entrust us with personal data of third parties.

We have not appointed an EU/UK Article 27 representative because we do not currently offer the Service to EU/UK residents in a way that triggers that requirement; if this changes, we will update this Policy.

15. California rights (CCPA / CPRA)

California residents have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These include the rights to know, delete, correct, limit use of sensitive personal information, and opt out of sale/sharing. We do not sell personal information or share it for cross-context behavioral advertising as those terms are defined under California law. For the full California-specific disclosure — categories collected, purposes, sources, recipients, retention, and how to exercise your rights — see our California Privacy Notice.

16. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has signed up, email hello@nyzaevents.com and we will promptly delete the account and associated data.

17. Public vendor data & discovery

To make the marketplace useful from day one in any city, Nyza ingests publicly listed business data (business name, address, phone number, public photos and reviews) for event-relevant categories — florists, caterers, photographers, decorators, performers, venues, planners, and so on — via Apify's Google Maps Extractor and (as fallback) Serper.dev's public-search results. We only ingest information that is publicly visible to anyone using those platforms; we do not scrape email addresses from third-party databases.

Profiles created this way are clearly marked "unclaimed." The business can claim the profile at any time, after which it becomes the authoritative source and the business is bound by these Terms going forward. If you are a business that does not wish to appear in the Nyza marketplace, email hello@nyzaevents.com with the subject "Remove vendor profile" and the URL, and we will remove it within 14 days.

We may send a limited number of cold-outreach emails to discovered vendors when there is genuine inbound demand for them on the platform. Every such email carries a clear unsubscribe link; we honor opt-out requests promptly and limit such outreach to a maximum of three attempts per business per 90 days.

18. If you are a guest, not a host

If a host (couple, family, organizer, planner) added you to a guest list or sent you a save-the-date, invitation, or RSVP link through Nyza:

• The host is the controller of your data. They decided to add you, chose what information to record about you, and chose to send you a message.
• Nyza acts as a processor on the host's behalf and only uses your data to deliver the message, record your RSVP, and operate the public event page.
• To exercise privacy rights over the data the host holds about you (access, correction, deletion), contact the host directly. If they are unresponsive, contact us at hello@nyzaevents.com and we will help mediate or remove your data where required by law.
• To stop receiving messages from a host, reply STOP to any SMS, click unsubscribe in any email, or reply STOP to any WhatsApp message.

19. Changes to this policy

We may update this Policy. The "Last updated" date at the top reflects the most recent change. Material changes will be announced by email to your account address at least 14 days before they take effect. Continuing to use the Service after the effective date means you accept the updated Policy.

20. Contact us

Nyza Creations LLC
701 NE Normandy Dr
Bremerton, WA 98310, USA
Phone: +1 (360) 919-4060
Email: hello@nyzaevents.com (general), legal@nyzaevents.com (privacy & legal — please include "Privacy:" in the subject)

Questions? Email legal@nyzaevents.com.

See also: Terms of Service · Cookie Policy · Acceptable Use · Refund Policy · DPA · California Notice