Privacy Notice

EverAfter is a service of HNS Corp PH (“EverAfter”, “we”, “us”). We operate the wedding website platform at everafter.rsvp and each per-wedding subdomain such as {couple-slug}.everafter.rsvp. Legacy URLs at everafter.hnscorpph.com also work and resolve to the same data.

For each wedding site, the couple (or their wedding planner) is the personal information controller for the guest data they collect. EverAfter is the personal information processor acting under their direction.

We collect personal data only to operate the platform. Specifically:

We do not sell, rent, or share personal data with advertisers or third-party marketers.

We process personal data on the following bases under PH DPA Sec. 12:

• Consent — explicit consent given when a guest ticks the “OK to publish my note” box in the RSVP wizard, or when a couple signs up for a wedding site.
• Contractual necessity — processing required to fulfil the couple’s request to host their wedding site and accept RSVPs.
• Legitimate interest — limited security and abuse prevention (e.g. rate limiting, login attempts).

Per PH DPA Sec. 11(e), we keep personal data only as long as necessary. Specifically:

• Rejected sign-up requests — automatically deleted 90 days after the rejection date.
• RSVP free-text (messages, dietary notes, song requests) — automatically redacted 6 months after the wedding date. The attendance status and guest name are retained so the couple keeps their guest list.
• Self-service access tokens — automatically deleted 24 hours after expiry (tokens themselves expire 30 minutes after creation).
• Wedding site content — retained while the wedding site is active. When a couple closes their site or our agreement ends, content is deleted within 30 days unless they ask for a data export first.

Automated cleanup runs nightly at 03:00 Philippine time.

You have the right to:

• Be informed about what data we hold about you and how it is used.
• Access your data — see exactly what is stored.
• Correct inaccurate or outdated information.
• Delete or block processing of your data.
• Object to specific uses of your data.
• Lodge a complaint with the National Privacy Commission (NPC) at privacy.gov.ph.

If you are a wedding guest: the fastest way to access, correct, or delete your RSVP is to visit /guest on the wedding site you were invited to (for example, {couple-slug}.everafter.rsvp/guest). Enter the email address the couple used to invite you and we will send a one-time access link.

If you are a couple or planner: you can manage your wedding site’s data via the admin dashboard at /admin on your wedding subdomain.

For everything else: email privacy@hnscorpph.com. We will respond within 30 days as required by PH DPA.

We use industry-standard measures, including TLS/HTTPS for all traffic, encryption-at-rest on the database, row-level security to enforce per-wedding data isolation, and service-role-only access for write operations. Photos are served from a public storage bucket because they are intended to be viewable by anyone with the wedding URL — do not upload anything you would not want visible on the public site.

Personal data is stored in Supabase data centres (operated by Supabase Inc., region: AP-Southeast-1 / Singapore). Photos may be stored in the same region. Some platform infrastructure (Vercel for hosting, Cloudflare for DNS, Resend for transactional email) may process data outside the Philippines as part of normal operation. We rely on each provider’s standard contractual safeguards for cross-border transfers, consistent with PH DPA Sec. 21.

EverAfter uses only essential cookies — an admin session cookie (12-hour expiry) and Supabase Auth session cookies for couples and planners who log in. We do not use advertising or analytics tracking cookies.

Material changes will be announced at the top of this page with a new “Last updated” date. We may notify affected couples via email when a change meaningfully affects them.

EverAfter / HNS Corp PH
Email: privacy@hnscorpph.com