Quickfest · Dossier N° 02 · On Data · Updated May 26, 2026
Privacy Notice

What we collect, and what we don't.

A plain-English account of every byte that crosses our servers, and the much longer list of things we've decided not to keep. Written for hosts, not for lawyers.

§ 01

The short version

This page is written in plain English on purpose. The legal backstop is short because the data practices behind it are short. We operate under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and the Ontario Consumer Protection Act.

  • You can create and edit an event without an account. Anonymous drafts live for 7 days, then expire.
  • We do not store raw IP addresses. For QR scans we keep only the coarse region + city that Vercel resolves on the edge.
  • We do not use third-party trackers. No Google Analytics, no Facebook Pixel, no ad networks.
  • You can ask us to delete your data at any time: hello@quickfest.app.
§ 02

What we do, what we don't.

Two columns. Things we keep are on the left; things we've decided to leave on the floor are on the right. The right column is the longer one on purpose.

We do collect

07 items
  • Your email + display name, if you sign up
  • The event content you type into the editor
  • RSVPs your guests submit (name + answers)
  • Photos you upload to your gallery
  • QR scan time + 5-chapter lifecycle phase
  • Coarse region (e.g. CA-ON) and Vercel-derived city
  • Browser user-agent on QR scans

We don't collect

09 items
  • Raw IP addresses
  • Payment or banking information
  • Google Analytics events
  • Facebook Pixel or ad-network IDs
  • Hotjar, FullStory, or session replays
  • Cross-site or third-party cookies
  • Health or biometric data
  • Government IDs
  • Anything we don't actively use to run the product
§ 03

What we collect, in detail

When you create an account (optional)

You can sign up with an email + password or with Google. We store your email address, a display name, and a hashed password (if you picked that option). Authentication is handled by Supabase Auth.

When you create an event

Everything you type into the event editor — the name, date, city, schedule, custom notes, RSVP questions, photo gallery — is stored in our Postgres database on Supabase. If you haven't signed in, we issue a qf_session cookie so we can match your browser back to drafts you started anonymously.

When a guest RSVPs to your event

We store the name the guest provides, their yes/no/maybe choice, optional headcount, and any custom-field answers you (the host) asked for. You can export the full list as CSV from the RSVP report.

When someone scans your QR

We log: the time of the scan, the lifecycle phase the event was in (save-the-date / invite / now / photos / thanks), the coarse region (a code like CA-ON), the city Vercel resolves from request headers, and the browser user-agent string. We do not store the raw IP address.

When you upload photos

Photos are stored in Supabase Storage. By default they're viewable by anyone with the event URL; hosts can switch the gallery to RSVPd guests only from the editor.

§ 04

Cookies, named

We use a small number of strictly-necessary cookies. No analytics cookies, no marketing cookies, no consent banner required.

  • qf_session: Your anonymous owner token, so you can edit drafts before signing up. 7-day TTL.
  • sb-*: Supabase auth cookies — only set if you sign in. Keep you logged in.
  • NEXT_LOCALE: Remembers your last chosen language.
§ 05

Who can see your event

Every event has a visibility setting. By default it's private — only people with the link can find it, and search engines are asked not to index it. You can opt in to public, which lists the event on /discover and makes it indexable. You can flip the setting back at any time; we don't retroactively re-publish removed events.

For photo galleries specifically, hosts can additionally restrict viewing to RSVPd guests. Each guest who can view photos gets a one-time view token tied to their RSVP, which the host can revoke.

§ 06

Where data lives

Quickfest is hosted on Vercel (serverless edge + functions) with Postgres + storage on Supabase. Vercel and Supabase are US companies that operate global infrastructure; data may be processed in or transit through the United States. We aim to minimise what we keep, retain it only as long as needed, and never sell it.

§ 07

Retention

  • Anonymous drafts (no account attached) are deleted 7 days after creation.
  • Signed-in events live as long as your account does. Delete an event from /my and it's gone from our primary database immediately; backups roll off within 30 days.
  • QR scan records are retained for 18 months, then aggregated into period totals and the row-level records deleted.
  • RSVPs and uploaded photos follow the event they belong to.
§ 08

Your rights

Under PIPEDA you have the right to know what we hold about you, correct it, ask us to delete it, and complain to the Office of the Privacy Commissioner of Canada if you think we've mishandled it. To exercise any of these rights, email hello@quickfest.app from the address attached to your account (or include enough context to verify ownership of an anonymous draft). We aim to respond within 30 days.

§ 09

Children

Quickfest isn't designed for or marketed to children under 13. Hosts often create birthday-party sites about children, but the host accepting these terms is expected to be an adult.

§ 10

Changes to this policy

If we make a material change we'll update the “last updated” date and, for account holders, send an email at least 14 days before the change takes effect.

§ 11

Contact

Privacy questions, data requests, or concerns: hello@quickfest.app.