Privacy Policy

Last updated: 2026-04-29 (2026-04-29-v1)

This Privacy Policy describes how Simple Seat Planner (“we”) handles personal data. The legal basis for processing your account data is contract performance (delivering the Service you signed up for); some processing relies on legitimate interest as noted below.

Data we collect

  • Account email address and display name (from your Google sign-in)
  • Plan content you create: tables, guest names, dietary notes, conflicts, layouts
  • Payment metadata for Pro subscribers (Stripe customer ID; card details are handled by Stripe, never by us)
  • Diagnostic logs (request paths, timestamps, error traces) used to run and debug the Service

Sub-processors

We share data with the following sub-processors strictly to deliver the Service:

  • Stripe — payment processing for Pro subscriptions
  • Supabase — primary database, authentication, and file storage
  • Google OAuth — sign-in identity provider
  • Vercel — application hosting and edge delivery

This is the closed v1 sub-processor list. If we add a sub-processor in the future, we will update this Privacy Policy to a new version, post the change, and re-prompt for acceptance where required.

Guest data and joint-controller arrangement

When you add guests to a plan, you and Simple Seat Planner are joint controllers for that guest data under GDPR Article 26. The respective responsibilities are:

  • You (the account owner) decide which guests appear in your plan, the purpose of inviting them, and whether to share a link that exposes their names. You are the primary point of contact for guest data-subject requests, including informing your guests that their data is being processed.
  • We (Simple Seat Planner) determine technical defaults: how share links are generated and revoked, retention windows for deleted plans, the security perimeter, and the analytics or error-monitoring scope (currently none).

Share links are unauthenticated by design. Anyone with a share link can see the guest list. Treat share links as you would treat any public URL.

Your rights (data subjects)

You have the right to access, rectify, port, and request deletion of your personal data, and the right to lodge a complaint with your local Data Protection Authority. Submit requests to privacy@simpleseatplanner.com. To verify your identity we will require either: (a) the request must originate from the email address on file for the account, or (b) you must respond to a challenge sent to that address. We respond within 30 days as required by GDPR Article 12.

Retention

  • Account and plan data: retained while your account is active. Deletion removes plan and guest data immediately.
  • Stripe customer records: retained per financial-records law (we cancel subscriptions on deletion but the customer row at Stripe remains).
  • Diagnostic logs: retained per Vercel and Supabase platform windows (typically days to weeks).
  • Database point-in-time backups: deleted rows persist within the Supabase platform PITR window before purge.

International transfers

Sub-processors may process data outside your country of residence. Where data leaves the EEA, we rely on Standard Contractual Clauses and the sub-processor's certifications.

Contact

For privacy questions, including DSARs, contact privacy@simpleseatplanner.com.