Privacy Policy
The Gather Group Limited
Last updated: 28th May 2026
1. Important information and who we are
The Gather Group Limited ("we", "us", "our") is committed to protecting and respecting your privacy. This policy explains how we collect, use and look after personal data when you interact with us, whether you are a host using Gather to plan a celebration or a guest responding to a celebration through a Gather RSVP site.
This policy applies whenever you use www.hellogather.com or www.gatherguests.com (together, "Our Sites"), and supplements any other privacy notice we may give you at the point we collect your personal data. It should be read together with our Terms of Service at www.hellogather.com/our-policies.
Our service is not intended for children and we do not knowingly collect personal data relating to children.
Our contact details. The Gather Group Limited is a company registered in England and Wales (company number 06997585). Our registered office is at 30 Gay Street, Bath, Somerset, BA1 2PA. You can contact us about this policy or anything in it by email at [email protected] or by post at the address above.
Complaints. You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us first.
Changes to this policy. We keep this policy under regular review. This version was last updated in May 2026. We will tell you about material changes by posting an updated version on our policies page and, where the change is significant, by emailing account holders directly. Previous versions are available on request.
2. Hosts and guests - our two different roles
Gather has two types of user, and our role under data protection law is different for each. It is important to understand which applies to you, because it affects how this policy applies and who you should contact about your data.
If you are a host (account holder). When you sign up for a Gather account to plan a celebration, we are the data controller of the personal data we hold about you. That means we decide what personal data we collect from you, why we collect it, and how we use it. This policy tells you everything you need to know about how we handle your data as a host.
If you are a guest. When you respond to an invitation, share dietary requirements, or otherwise interact with a Gather RSVP site set up by a host, the host is the data controller of the personal data you provide through their site. Gather acts as a data processor on the host's behalf, which means we handle that data under the host's instructions and only for the purpose of operating their RSVP site. If you have questions about how your data is being used, or you want to exercise any of your data protection rights (see clause 11), you should usually contact the host first. We will support the host in responding.
Where we are the controller for guests too. There are some limited circumstances where we are the data controller for data we hold about guests - for example, technical information collected when you visit Our Sites (such as your IP address), or where we receive a direct query from a guest at [email protected]. Those uses are covered by this policy in the normal way.
3. The legal framework
Our handling of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where this policy refers to "data protection law", that means both of these together.
4. The personal data we collect
We collect different types of personal data depending on whether you are a host or a guest. We have set this out in two tables below.
Personal data we collect from hosts (Gather as controller):
| Category | What we collect |
|---|---|
| Identity data | First name, last name, the name of the celebrant(s), date(s) of celebration. |
| Contact data | Email address, postal address, telephone number. |
| Account data | Account username, hashed password, your chosen RSVP URL, account preferences, and the content you upload to your RSVP site (text, images, event details, settings). |
| Transaction data | Records of payments made to us. We do not store your payment card details - these are handled directly by Stripe (see clause 8). |
| Technical data | IP address, login data, browser type and version, time zone setting, operating system, device type, and similar technical information collected automatically when you use Our Sites. |
| Usage data | Information about how you use Our Sites, including pages visited, features used, and interaction patterns. |
| Marketing data | Your preferences for receiving marketing from us, and your communication preferences. |
| Communications | The content of any messages you send us (for example, support requests). |
Personal data collected from guests via host RSVP sites (Gather as processor):
| Category | What hosts may collect from their guests via Gather |
|---|---|
| Identity data | First name, last name, names of accompanying guests or children. |
| Contact data | Email address, phone number, and (where the host asks for it) postal address. |
| RSVP responses | Attendance choices, menu selections, song requests, free-text messages, and any other responses you submit through the RSVP site. |
| Dietary and accessibility information | Information you provide about food requirements, allergies, or accessibility needs. See clause 6 - some of this may be special category data. |
| Optional contributions | Where the host has enabled Gift Fund, information necessary to process a contribution (handled by Stripe, see clause 8). |
| Technical data | IP address, browser type, and similar technical information collected automatically when you visit the RSVP site. This information is collected by Gather and we are the controller of this technical data. |
Hosts decide which fields are presented to their guests and what information is requested. If you are a guest and you have a question about why the host is asking for a particular piece of information, please contact the host directly.
5. How we collect personal data
We collect personal data in three main ways:
- Directly from you. When you create a host account, contact us, fill in a form, leave a review, or respond to an RSVP site as a guest, you provide personal data directly.
- Automatically as you use Our Sites. We collect technical and usage data automatically using cookies and similar technologies (see clause 12).
- From third parties. Occasionally we receive personal data from third parties such as Stripe (for payment confirmation) and analytics providers. These third parties act under their own privacy policies and we only receive what we need for the purpose described.
6. Special category data - dietary and accessibility information
Some of the information that guests provide through a Gather RSVP site may be special category data under UK GDPR. In particular:
- Dietary requirements may reveal religious belief (for example, halal or kosher diets) or health conditions (for example, coeliac disease or a severe allergy).
- Accessibility needs may reveal information about a guest's health or disability.
Where this information is collected through a host's RSVP site, the host is the controller and is responsible for deciding what to ask for and what to do with the responses. Gather processes this information on the host's behalf for the sole purpose of operating the RSVP site.
Lawful basis. Where this information amounts to special category data, the lawful basis for processing is your explicit consent under UK GDPR Article 9(2)(a), given at the point you submit the information through the RSVP site. You are free to leave these fields blank, and you can withdraw your consent at any time by contacting the host (or, for technical assistance, by contacting us at [email protected]).
7. How we use host personal data, and our lawful bases
This section applies to data we hold about hosts as controller. For guest data processed on a host's behalf, see clause 2 - the host's own privacy notice (if any) and instructions govern how that data is used.
| Purpose | Data used | Lawful basis |
|---|---|---|
| To register and operate your host account, including providing the RSVP site service | Identity, Contact, Account | Performance of our contract with you |
| To take and process payment for your account | Identity, Contact, Transaction | Performance of our contract with you |
| To send service messages (reminders that your trial is ending, payment confirmations, changes to our terms, account closure notifications) | Identity, Contact, Account | Performance of our contract with you / compliance with a legal obligation |
| To send marketing communications about our services and to invite reviews | Identity, Contact, Marketing | Our legitimate interests (promoting our business), subject to your right to opt out at any time. For non-customers, we rely on your consent. |
| To advertise Gather on Google and to measure the performance of those campaigns, including remarketing to visitors who have previously visited Our Sites | Identity, Contact, Technical, Usage, Marketing | Your consent (given through the cookie banner). You can withdraw consent at any time. |
| To operate, maintain, secure and improve Our Sites | Technical, Usage, Account | Our legitimate interests (running and improving our service, fraud prevention, network security) |
| To respond to support requests and handle complaints | Identity, Contact, Communications | Our legitimate interests (good customer service); performance of our contract |
| To comply with legal, accounting, tax and regulatory obligations | Identity, Contact, Transaction | Compliance with a legal obligation |
| To establish, exercise or defend legal claims | Any relevant category | Our legitimate interests (protecting our legal position) |
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will tell you and we will explain the legal basis which allows us to do so.
8. Who we share your personal data with
We share personal data with the following categories of recipient, and only to the extent necessary:
- Stripe - our payment processor. When you pay for a Gather account, or when a guest contributes through the Gift Fund feature, payment card details are submitted directly to Stripe and we never see or store them. Stripe is based in Ireland and acts as an independent controller for the payment data it handles. Stripe's privacy policy is at stripe.com/privacy.
- Hosting and infrastructure providers. Personal data is stored on cloud infrastructure operated by Amazon Web Services in their London (eu-west-2) UK region. See clause 9 for more on international transfers.
- Marketing email provider. We use Klaviyo (US) to send marketing emails to hosts. Klaviyo does not handle guest data.
- Transactional email provider. We use Amazon SES (UK) to send transactional emails such as account notifications, trial reminders and RSVP confirmations.
- Google Analytics (Google LLC). We use Google Analytics to understand how visitors use Our Sites. With your cookie consent, Google Analytics records information about your visit including your IP address, pages viewed, time spent, and interactions. We have Google Signals enabled, which means that where you are signed in to a Google account that allows it, Google may also associate your activity across devices and infer demographic and interest information about you.
- Google Ads (Google LLC). We use Google Ads to advertise Gather on Google search, the Google Display Network, YouTube and partner sites. With your cookie consent, we share data with Google Ads about your visit to Our Sites so that Google can: (i) measure the performance of our advertising; (ii) build audience lists for remarketing, so that you may see Gather adverts elsewhere after visiting Our Sites; and (iii) help Google optimise our campaigns. From 15 June 2026 your cookie consent is the single control over what data is shared with Google Ads - if you accept, the full set of signals described above is shared; if you decline, only minimal and anonymous data is shared.
- Trustpilot (Trustpilot A/S). We use Trustpilot to collect and display customer reviews. We share host email addresses with Trustpilot so that review invitations can be sent.
- Professional advisers and authorities. We may share personal data with our accountants, lawyers, auditors, insurers, and regulatory or law enforcement authorities where we are legally required to do so, or where it is necessary to establish, exercise or defend legal claims.
- Buyers or successors. If we sell or transfer our business, or any part of it, personal data may be one of the transferred assets. We will tell you if this happens.
All of our processors are required by written contract to handle your personal data securely, only on our instructions, and in compliance with data protection law.
9. International transfers
We store personal data on cloud infrastructure operated by Amazon Web Services in their London region (eu-west-2), within the United Kingdom. Most of our processing therefore involves no international transfer at all.
Some of our third-party providers do involve transfers outside the UK. Specifically:
- Stripe (our payment processor) is based in Ireland. Transfers to Ireland are covered by UK adequacy regulations, which recognise the EEA as providing an essentially equivalent level of protection to the UK.
- Klaviyo (our marketing email provider, used for host data only) is based in the United States. Transfers to Klaviyo are covered by the UK Addendum to the EU Standard Contractual Clauses.
- Google LLC (Google Analytics and Google Ads) is based in the United States. Transfers to Google are covered by the UK Addendum to the EU Standard Contractual Clauses, as set out in Google's Controller-Processor Data Processing Terms.
You can ask us for a copy of the relevant safeguards by contacting us at [email protected].
10. How long we keep your personal data
We only keep your personal data for as long as we need it. The following table sets out the main retention periods that apply.
| Type of data | Retention period |
|---|---|
| Unpaid (trial) host accounts and all associated content | Deleted at the end of the 30-day grace period that follows the 21-day Trial Period - i.e. approximately 51 days from account creation, unless payment is received. See Terms of Service clauses 4.7 and 4.8. |
| Paid host accounts and all associated content (including guest RSVP data on the host's site) | Retained until 90 days after the date of your celebration, then deleted. See Terms of Service clause 4.6. |
| Payment and financial records | Retained for 6 years from the end of the relevant tax year, in line with HMRC requirements. |
| Marketing consent records and unsubscribe records | Retained for as long as we process you under that consent, plus 3 years after you unsubscribe, to evidence the basis on which we contacted you. |
| Support correspondence and complaints | Retained for 2 years after the matter is resolved, or longer if needed for an ongoing complaint or legal claim. |
| Technical logs (e.g. server access logs) | Retained for up to 12 months for security and troubleshooting purposes. |
| Data needed for legal claims | Retained for up to 6 years after the end of our relationship (in line with the Limitation Act 1980). |
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
11. Your rights
Under data protection law, you have the following rights in relation to your personal data:
- Access - to ask us for a copy of the personal data we hold about you.
- Rectification - to ask us to correct personal data that is inaccurate or incomplete.
- Erasure - to ask us to delete your personal data in certain circumstances (sometimes called the "right to be forgotten").
- Restriction - to ask us to restrict our processing of your personal data in certain circumstances.
- Objection - to object to our processing where we rely on legitimate interests, and to object to direct marketing at any time.
- Portability - to ask us to provide your personal data in a structured, commonly used and machine-readable format, or to transfer it to another controller, in certain circumstances.
- Withdraw consent - where we rely on your consent, you can withdraw it at any time. Withdrawing your consent will not affect the lawfulness of processing carried out before your withdrawal.
How to exercise your rights. If you are a host, contact us at [email protected]. If you are a guest exercising rights in relation to RSVP data on a host's site, please contact the host first - we act as processor and the host decides how that data is used. If the host cannot assist, or you are unable to reach them, contact us and we will help.
No fee usually required. You will not have to pay a fee to exercise your rights. However, we may charge a reasonable fee, or refuse to comply, if your request is clearly unfounded, repetitive or excessive.
Verifying your identity. We may need to ask for specific information to confirm your identity before responding to a request. This is a security measure to ensure that personal data is not disclosed to anyone who has no right to receive it.
Response time. We aim to respond to all legitimate requests within one month. If your request is particularly complex, or if you make a number of requests, we may need up to a further two months - we will let you know within the first month if this is the case.
Complaints. You also have the right to complain to the ICO (www.ico.org.uk). We would appreciate the chance to address your concerns first - please contact us before going to the ICO if you can.
12. Cookies
Cookies are small text files placed on your device when you visit a website. We use the following categories of cookie:
- Strictly necessary cookies. These are required for Our Sites to function (for example, to keep you logged in). They are always on and do not require your consent.
- Analytics cookies. These help us understand how visitors use Our Sites so we can improve them. They are used by Google Analytics (see clause 8).
- Functionality cookies. These remember choices you make so we can give you a more personalised experience.
- Advertising and targeting cookies. These are used by Google Ads (see clause 8) to measure our advertising performance, to build audience lists for remarketing (so that you may see Gather adverts after visiting Our Sites), and to help Google optimise our campaigns. Where you are signed in to a Google account that allows it, Google may also use these cookies to associate your activity across the devices you use and to infer demographic and interest information about you.
Where cookies are not strictly necessary, we will only place them on your device with your active consent, which you give through the cookie banner shown when you first visit Our Sites. You can change your preferences at any time using the cookie settings link in the footer of Our Sites.
What accepting cookies means in practice. If you accept non-essential cookies, you are consenting to the data flows described in the bullets above and in clause 8. In particular, accepting cookies means that Google Analytics and Google Ads will receive a richer set of data about your visit - including, where applicable, the cross-device and demographic signals described above. If you decline non-essential cookies, only minimal and anonymous data is shared. You can withdraw your consent at any time using the cookie settings link in the footer.
13. Data security
We have put in place appropriate technical and organisational measures to protect your personal data from accidental loss, unauthorised access or use, alteration or disclosure. We limit access to your personal data to those of our employees, agents, contractors and other third parties who have a business need to know, and they are subject to a duty of confidentiality.
We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Despite our measures, the transmission of information via the internet is not completely secure. While we do our best to protect your personal data, we cannot guarantee the security of data transmitted to Our Sites; any transmission is at your own risk.
14. Links to third-party sites
Our Sites and RSVP sites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy practices. When you leave Our Sites, we encourage you to read the privacy policy of every website you visit.
15. Contact us
If you have any questions about this policy or about how we handle your personal data, please contact us:
- By email: [email protected]
- By post: The Gather Group Limited, 30 Gay Street, Bath, Somerset, BA1 2PA.