InviteHero Privacy Policy

Month, Inc., a Delaware corporation doing business as InviteHero ("InviteHero," "we," "us," or "our"), operates the website at https://invitehero.app and the related personalized-invitation service (the "Service"). This Privacy Policy explains what information we collect about you and about the child featured in each invitation, how we use it, with whom we share it, and what choices and rights you have.

This Policy is part of our Terms of Service, includes our Children's Privacy section below, and is supplemented by our Biometric Data Notice. If the Children's Privacy section or the Biometric Data Notice conflicts with the rest of this Policy, the more specific notice controls for the subject matter it covers. Capitalized terms we don't define here have the meanings given in the Terms.

Summary of the most important points:

• You upload a photo of your child to create a personalized video invitation. We run that photo through automated content moderation, use it to generate a short personalized video, and publish a private invitation page you can share.
• We do not use your photos, your child's photos, or the generated videos to train artificial-intelligence or machine-learning models. We contractually require the same of every service provider that receives this data.
• We do not sell personal information. We do not "share" personal information for cross-context behavioral advertising as that term is defined by the CCPA/CPRA.
• Source photos are automatically deleted on the earlier of (a) 30 days after your party date or (b) 90 days after upload. You can request deletion at any time.
• The Service is directed to adults. We do not knowingly collect personal information from children under 13 directly, and we obtain verifiable parental consent before collecting personal information about a child under 13.
• The Service is not offered in Illinois, Texas, the European Economic Area, the United Kingdom, or certain other jurisdictions. See Sections 4 and 11.

1. Who this Policy applies to

This Policy covers three groups of people:

• Hosts — adults who create an account, purchase an invitation, and upload party details and a child's photograph.
• Children featured in invitations — children (typically ages 4 to 8) whose parent or legal guardian is the Host. We collect information about these children only from the Host, not from the child. Our specific practices with respect to children under 13 are described in detail in the Children's Privacy section below.
• Guests — people who open an invitation link and submit an RSVP.

2. Information we collect

2.1 Information Hosts provide

• Account information: name (optional), email, and either a password or a Google account identifier.
• Order and payment information: order ID, items purchased, amount paid, and billing metadata. Full payment-card details are handled directly by our payment processor (see Section 5). We receive limited information such as the last four digits of the card, card brand, and billing ZIP code.
• Intake information about the party and the child: the child's first name, the child's age, party date and time, party location, and an optional message to guests (160-character limit).
• Photograph of the child: the image you upload. We use this photograph as a reference to generate the personalized video. See Section 4 for how we handle this photograph and the face data derived from it.
• Communications with us: messages you send to support@invitehero.app, including any replacement photographs or regeneration requests.
• Consent records: a record that you confirmed you are the parent or legal guardian of the child (or have their parent's or guardian's verifiable consent) and agreed to the Terms and this Policy. For every order involving a child under 13, we also retain a record of verifiable parental consent obtained through the process described in the Children's Privacy section below.

2.2 Information we collect about Guests

When a Guest opens an invitation and submits an RSVP, we collect:

• response (Yes / No / Maybe),
• guest name,
• guest email,
• number attending,
• optional note to the Host, and
• whether the Guest used the one-click Add-to-Calendar.

Guest data is collected at the direction of the Host to run that specific party. A Host may choose to show an optional guest list on the invitation page. When enabled, that list shows guest names only under Attending and Not replied; it does not show guest emails, phone numbers, notes, attendee counts, delivery status, or internal IDs. We do not email Guests for marketing purposes in MVP. Before submitting an RSVP, each Guest is presented with a Terms and Privacy summary and must click to acknowledge it.

2.3 Information we collect automatically

When anyone uses the Service, we collect technical information such as:

• IP address,
• browser and device type,
• operating system,
• referring URL,
• pages viewed and links clicked, and
• approximate location derived from IP.

We use first-party cookies, a small number of essential third-party cookies, and equivalent technologies to operate the Service, keep you logged in, measure traffic, and detect fraud. We honor the Global Privacy Control (GPC) signal where required. We do not use cookies or SDKs for targeted advertising and we have no advertising partners.

2.4 Generated information

As part of providing the Service, we generate:

• a prepared reference image derived from your uploaded photograph (which, together with facial-feature representations derived from your photograph, constitutes "biometric data" — see Section 4 and the separate Biometric Data Notice),
• a short personalized video,
• moderation results from the automated content-moderation service, and
• internal logs of order events, delivery, and access to source photos and generated assets.

3. Children's Privacy

This Children's Privacy section is provided in compliance with the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506, and its implementing regulations at 16 C.F.R. Part 312 ("COPPA"), including the 2025 amendments. If anything in the rest of this Policy conflicts with this section, this section controls with respect to personal information about children under 13.

3.1 Operator

Month, Inc. (doing business as InviteHero)
74 E Glenwood Ave Unit #5647, Smyrna, DE 19977
Email: support@invitehero.app (subject line: "COPPA Request" for children's privacy matters)
Website: https://invitehero.app

All operators that collect or maintain personal information on behalf of InviteHero are identified in Section 3.5 below.

3.2 Scope and audience

The Service is designed to be used only by a parent or legal guardian of the child featured in the invitation, or by an adult who has the verifiable written consent of such a parent or guardian. We do not allow children to create accounts, purchase an invitation, log in, post content, or communicate with other users.

Through the Service, the parent/guardian voluntarily submits information about a child under 13 (the "Child") so that we can produce a personalized birthday invitation video. This section describes what we collect about the Child, how we use it, how we share it, the parental rights available under COPPA, and how to exercise those rights.

3.3 Personal information we collect about a Child

When a parent/guardian orders an invitation, we collect the following personal information about the Child:

We do not collect from or about the Child: Social Security number, precise geolocation, audio recordings, online contact information, persistent identifiers tied to the Child, school or classroom information, or any demographic data beyond age.

3.4 How we use a Child's personal information

We use the Child's personal information solely to:

• Generate and deliver the personalized video the parent/guardian ordered;
• Run automated content moderation on the uploaded photograph;
• Publish the personalized invitation page to which the parent/guardian directs guests;
• Provide support, regenerations, or refunds requested by the parent/guardian;
• Maintain order records for tax, accounting, and dispute-resolution purposes;
• Comply with legal obligations, including mandatory reporting to the National Center for Missing & Exploited Children in the event of misuse; and
• Enforce our Terms of Service.

We do not:

• Use the Child's personal information (including photographs, face data, or generated video) to train artificial-intelligence or machine-learning models;
• Sell, rent, trade, or disclose the Child's personal information for marketing or advertising purposes;
• Use the Child's personal information for targeted advertising, profiling, cross-context behavioral advertising, or surveillance;
• Disclose the Child's personal information to any third party except the limited service providers listed in Section 3.5; or
• Condition the Child's participation in the Service on the parent/guardian disclosing more information than is reasonably necessary.

3.5 Disclosure to service providers

We disclose Child personal information only to the following service providers, each bound by a written agreement requiring the provider to (i) use the data solely to provide services to InviteHero, (ii) implement reasonable security, (iii) destroy the data on completion of processing, (iv) refrain from training AI/ML models on the data, and (v) refrain from any further disclosure:

Cross-border transfer to Kling. The prepared reference image derived from the Child's photograph is transmitted to Kling 3.0 in the People's Republic of China. Kling is contractually required, under a written data-processing agreement, to (i) use the reference image solely to generate the video ordered, (ii) not train any AI/ML model on the data, (iii) destroy the data no later than 90 days after receipt, (iv) not disclose the data to any other party, (v) implement reasonable security controls, and (vi) promptly notify InviteHero of any government or law-enforcement request for the data. By completing the verifiable parental consent flow described in Section 3.6, you consent to this cross-border transfer on behalf of the Child.

We may also disclose Child personal information as required by a valid subpoena, court order, or warrant, and to law enforcement and NCMEC as required by 18 U.S.C. § 2258A if the Service is misused to create or distribute child sexual abuse material.

3.6 Verifiable parental consent

Before collecting any personal information about a Child, we obtain verifiable parental consent from the parent/guardian using the following method, consistent with 16 C.F.R. § 312.5(b):

Direct notice plus monetary-transaction verification. At the intake step, the parent/guardian (a) reviews this section and our Privacy Policy through a click-to-review interface, (b) affirms that they are the parent or legal guardian of the Child or have the verifiable written consent of the parent/guardian, and (c) completes a monetary transaction using a debit or credit card through our payment processor. The combination of direct notice, affirmative parental acknowledgment, and the card-based transaction satisfies 16 C.F.R. § 312.5(b)(2).

Before any material new use of the Child's personal information that exceeds the practices described in this section, we will obtain fresh verifiable parental consent.

If we cannot verify consent, we will not collect the Child's personal information and will not provide the Service.

3.7 Parental rights

The parent or legal guardian has the right, at any time, to:

• Review the specific Child personal information we have collected;
• Correct any inaccuracy;
• Delete the Child's personal information; and
• Refuse to permit further collection or use of the Child's personal information. Exercising this right will result in termination of the corresponding order or account.

To exercise any of these rights, email support@invitehero.app with subject line "COPPA Request" from the email address associated with the account, or write to the mailing address in Section 3.1. We will verify the request against information already associated with the account and respond within ten (10) business days. We will not charge a fee and we will not condition service on your decision.

If we decline a request, we will explain why and how you may appeal. You may also contact the Federal Trade Commission at www.ftc.gov or 1-877-FTC-HELP, or your state Attorney General.

3.8 Retention and destruction

We retain the Child's personal information only as long as needed to provide the Service:

A scheduled daily process enforces deletion. Backups expire within an additional 30 days. Destruction is permanent: data is removed from primary storage, caches, and service-provider systems (including Kling), and cannot be restored.

3.9 Security

We implement administrative, technical, and physical safeguards designed to protect Child personal information against unauthorized access, use, or disclosure. These include encryption of data at rest and in transit (TLS 1.2 or higher), role-based access controls, audit logging of all internal access to Child personal information, annual training of personnel with such access, vendor risk review of all service providers handling Child personal information, and an incident-response plan that includes notification to parents and, where required, to state attorneys general and the FTC.

3.10 Participation in a COPPA Safe Harbor Program

InviteHero is a participant in the kidSAFE Seal Program (a COPPA Safe Harbor certified by the Federal Trade Commission). Complaints that cannot be resolved directly with InviteHero may be submitted to kidSAFE at www.kidsafeseal.com, which provides an independent review process.

3.11 Changes to this section

We will notify parents/guardians by email of any material change to our children's privacy practices before the change takes effect and will obtain fresh verifiable parental consent where required by 16 C.F.R. § 312.5(c).

3.12 Children's Privacy contact

Month, Inc. (d/b/a InviteHero)
Attn: Privacy Officer
74 E Glenwood Ave Unit #5647, Smyrna, DE 19977
Email: support@invitehero.app (subject line: "COPPA Request")

You may also reach the Federal Trade Commission at www.ftc.gov or 1-877-FTC-HELP, or the kidSAFE Safe Harbor program at www.kidsafeseal.com.

4. Face data and biometric information

This Section is a summary. Our complete practices for biometric data, including the BIPA-required written release, are set out in our standalone Biometric Data Notice.

Because the Service uses automated, AI-based technology to generate a personalized video, it creates and processes facial-feature information derived from the photograph you upload.

• What we collect. The original photograph, and a prepared reference image derived from it that our video-generation provider can use to personalize the generated video, which together constitute biometric identifiers and biometric information as those terms are defined by the Illinois Biometric Information Privacy Act (740 ILCS 14/) and similar state laws.
• Why. Solely to produce the personalized video you ordered, to run safety and quality checks on that output, and to support and debug the Service for you.
• Consent. By completing the biometric consent step of the intake flow and uploading a photograph, you provide the written release required by BIPA § 15(b) and confirm that you are the parent or legal guardian of the child shown, or that you have the verifiable consent of the child's parent or legal guardian, and you consent on the child's behalf to the handling described in this Section.
• No training. We do not use photos, reference images, generated videos, or any facial-feature data derived from them to train artificial-intelligence or machine-learning models, and every service provider that receives this data is contractually prohibited from doing so.
• No sale or profit. We do not sell, lease, trade, or otherwise profit from this information.
• Processing with Kling. As described in Section 5, the prepared reference image is transmitted to our video-generation provider, Kling 3.0 (a product of Kuaishou Technology Co., Ltd., a company domiciled in the People's Republic of China). We require Kling, by written agreement, to (i) use the data solely to generate your video, (ii) not train any AI/ML model on the data, (iii) not retain the data beyond the time needed to generate the video, and (iv) not disclose the data to any third party.
• Retention. Source photographs are automatically deleted on the earlier of (a) 30 days after the party date or (b) 90 days after upload. Prepared reference images and generated videos follow the same schedule by default. See Section 8.
• Your choice. You may decline to provide a photograph and not use the Service. You may also request earlier deletion at any time at support@invitehero.app.

Illinois and Texas users. We do not currently offer the Service in Illinois or Texas. Uploads from IP addresses and billing ZIP codes associated with those states are blocked. If you are located in Illinois or Texas, please do not attempt to use the Service.

We do not use facial data for identity verification, facial recognition across users, surveillance, profiling, or targeted advertising.

5. How we use information

We use the information described above to:

• create, manage, and deliver your order and your invitation page,
• run automated content moderation on uploaded photographs,
• use automated, AI-based technology to generate the personalized video,
• publish the invitation page and capture RSVPs for the Host,
• deliver transactional emails (order confirmation, delivery notification, regeneration updates, refund confirmations, security notices),
• provide customer support,
• investigate and resolve quality, refund, and support issues,
• detect, prevent, and respond to fraud, abuse, and safety concerns,
• comply with legal obligations and enforce our Terms, and
• operate and improve the Service in aggregate — for example, by understanding which templates are ordered most often.

We do not use your personal information, your child's information, or generated assets:

• to train AI or machine-learning models,
• to sell, lease, trade, or profit from to anyone,
• to target advertising to you on third-party sites,
• to recognize your child in any other photograph or context, or
• for any secondary purpose not described in this Policy, the Children's Privacy section, or the Biometric Data Notice.

6. How we share information

We do not sell or "share" (as those terms are defined by the CCPA/CPRA) personal information. We share it only as follows:

Cross-border transfer to Kling. The prepared reference image and template parameters for video generation are transmitted to Kling 3.0, which processes the data on infrastructure operated by Kuaishou Technology Co., Ltd. in the People's Republic of China. Kling is contractually required, under a written data-processing agreement, to (i) use the data solely to provide video-generation services to InviteHero, (ii) implement reasonable security controls, (iii) destroy the data on completion of processing and in any event no later than 90 days after receipt, (iv) not use the data to train any AI/ML model, (v) not disclose the data to any other party, and (vi) promptly notify InviteHero of any government or law-enforcement request for the data. By using the Service, you consent to this cross-border transfer.

Each other service provider is contractually required to use personal information only to provide services to us and not for their own purposes, including a prohibition on training AI/ML models on the data and a prohibition on any further disclosure.

Other than the Kling transfer described above, we do not use any service provider that processes personal information from within a "country of concern" as defined by Executive Order 14117 and 28 C.F.R. Part 202.

We will specifically cooperate with law enforcement and, as required by law (including 18 U.S.C. § 2258A), report to the National Center for Missing & Exploited Children if the Service is misused to create or distribute child sexual abuse material.

7. Invitation pages and Guest visibility

Invitation pages are unlisted. They are served with `noindex` headers, excluded from our sitemap and robots file, and not publicly browsable on our Service. However, anyone who has the link can open the page. The Host is responsible for deciding whom to share the link with and for any risks of re-sharing.

Each invitation page shows the generated video, the party details the Host submitted, any optional message to guests, and a subtle footer linking back to https://invitehero.app.

8. Data retention and deletion

A scheduled job runs daily to enforce the retention schedule above. On request, we will also delete any of the above earlier — just email support@invitehero.app. We may retain limited records after deletion to the extent legally required (for example, for tax, accounting, or abuse-investigation purposes).

Backups. Deleted data may persist in encrypted backups for up to an additional thirty (30) days before permanent expiration through our backup lifecycle policy.

9. Security

We use reasonable administrative, technical, and physical safeguards designed to protect personal information, including signed upload handling, access controls on host dashboards, separation of public invitation pages from owner-management views, and audit logging of internal access to uploaded and generated assets. Transactional email is sent from a domain configured with SPF, DKIM, and DMARC. Data at rest is encrypted using AES-256 or equivalent. Data in transit uses TLS 1.2 or higher. Personnel with access to source photographs, biometric data, or other sensitive information are trained annually on COPPA, biometric privacy, and incident response.

No system is perfectly secure. If we experience a security incident that affects your information, we will notify affected users without unreasonable delay and in any event within the shortest period required by applicable law, including, where applicable, the Illinois Personal Information Protection Act, California Civ. Code §§ 1798.29 / 1798.82, and similar state breach-notification statutes. We will also notify state attorneys general and the Federal Trade Commission as required by law.

10. Your rights and choices

10.1 Account and content choices

You can view your orders and invitation pages in your host dashboard. You can edit party details where supported, add a replacement photo through support, and request a regeneration or refund consistent with our Terms.

10.2 Communications

We send you transactional emails related to your order (order confirmation, delivery notification, regeneration updates, refund confirmations, security notices). You cannot opt out of transactional emails while you have an active order. If we ever send marketing emails, we will include an unsubscribe link and honor opt-out requests within ten (10) business days, consistent with the CAN-SPAM Act.

10.3 Cookies

You can manage cookies through your browser or device settings. Blocking essential cookies may break the Service. We honor the Global Privacy Control (GPC) browser signal as an opt-out of "sale" and "share" as those terms are defined by CCPA/CPRA regulations.

10.4 California residents (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, share, or disclose.
• Access / portability — receive a copy of personal information we hold about you.
• Correct inaccurate personal information.
• Delete personal information we hold about you, subject to legal exceptions.
• Limit the use of sensitive personal information — in our case, photographs and the face data derived from them. We already limit our use of this information to providing the Service.
• Non-discrimination — we will not deny service or charge different prices because you exercised a privacy right.
• Opt-out of automated decision-making — to the extent applicable under finalized CPPA automated decision-making technology ("ADMT") regulations.

We do not sell or "share" (as those terms are defined in the CCPA/CPRA) personal information, including personal information of California residents under 16. We do not use or disclose sensitive personal information for purposes that would trigger the right to limit such use.

To exercise any of these rights, email support@invitehero.app with subject line "Privacy Request" or write to us at the mailing address in Section 15. We will verify your request by confirming information already associated with your account or order. You may designate an authorized agent by providing signed written permission. We will respond within the timeframes required by California law (generally 45 days, extendable once by 45 days on notice).

Notice of financial incentive. We do not offer any financial incentive in exchange for the retention or sale of personal information.

10.5 Other U.S. state rights

Residents of other U.S. states with comprehensive privacy laws (for example, Colorado, Connecticut, Virginia, Utah, Oregon, Delaware, Montana, Iowa, Tennessee, Indiana, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island, and others) may have similar rights to access, correct, delete, and opt out of targeted advertising or sales, as well as to opt out of profiling that produces legal or similarly significant effects and to consent to processing of sensitive data. We do not engage in targeted advertising or sales, and we obtain affirmative consent before processing biometric data, which is a category of sensitive data under most of these laws — see Section 4 and the Biometric Data Notice. To exercise other rights, email support@invitehero.app with subject line "Privacy Request."

10.6 Appeals

If we decline your rights request, you may appeal by replying to our response within sixty (60) days. If we still decline, you may contact your state's attorney general.

10.7 Physical mailing address for rights requests

You may submit privacy rights requests in writing to:
Month, Inc. (d/b/a InviteHero) — Attn: Privacy Officer, 74 E Glenwood Ave Unit #5647, Smyrna, DE 19977.

11. International users

The Service is operated from the United States and intended for customers in the United States. All Service data other than the prepared reference image transmitted to our video-generation provider Kling 3.0 (see Section 6) is processed in the United States.

We do not currently offer the Service in the European Economic Area, the United Kingdom, Switzerland, Canada, or any other jurisdiction whose laws would require additional disclosures or safeguards (for example, the EU General Data Protection Regulation, the UK GDPR, Canada's PIPEDA/Quebec Law 25). We use IP-based geo-blocking at checkout and will refuse orders originating from these jurisdictions.

If, despite our restrictions, personal information of an EEA or UK resident is submitted, the contractual basis for our limited processing is the necessity to fulfill the order and, where applicable, Article 6(1)(f) (legitimate interests) and Article 9(2)(a) (explicit consent) of the GDPR. You may contact us to exercise your GDPR/UK GDPR rights or to lodge a complaint with your supervisory authority.

12. Automated decision-making and AI

The Service uses automated, AI-based technology to generate the personalized video and to run automated content moderation on uploaded photos.

• Video generation produces a stylized video based on your photograph and the template you selected. It does not make any decision that has a legal or similarly significant effect on you.
• Content moderation screens uploads for illegal or unsafe content. An upload that the automated system flags is reviewed by our team before any further action (accepting the upload, requesting a different photo, or issuing a refund). A human is always in the loop for flagged cases. Uploads that are not flagged are processed automatically.

We do not use automated decision-making to make decisions that produce legal or similarly significant effects on you. To the extent any future use of the Service would involve such decision-making, we will provide pre-use notice and honor any applicable opt-out under state automated decision-making technology (ADMT) regulations.

13. Third-party links

Our emails and invitation pages may include links to third-party sites (for example, calendar providers). Those sites have their own privacy practices and are not covered by this Policy.

14. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will post the updated Policy at https://invitehero.app/privacy and update the "Last updated" date above. For material changes affecting how we use information we already hold about you, we will also notify you by email or by a prominent in-product notice at least thirty (30) days before the change takes effect, and we will obtain fresh verifiable parental consent for any change that materially expands the use of personal information about a child under 13.

15. Contact us

Questions, requests, or concerns about this Policy or your information can be directed to:

Month, Inc. (d/b/a InviteHero)
Attn: Privacy Officer
74 E Glenwood Ave Unit #5647, Smyrna, DE 19977
Email: support@invitehero.app

Please use the following subject-line conventions so we can route your request promptly:

• Privacy rights request: "Privacy Request: [Access / Delete / Correct / Limit]"
• COPPA (children's information) request: "COPPA Request"
• Biometric data request: "Biometric Request"
• DMCA takedown: "DMCA Notice"
• Arbitration opt-out: "Arbitration Opt-Out"
• General support: no prefix required

COPPA and children's privacy complaints may also be directed to the Federal Trade Commission at www.ftc.gov or 1-877-FTC-HELP.

This Policy is a plain-English draft. It is not legal advice. Please have it reviewed by a licensed attorney in your jurisdiction — particularly with respect to COPPA (children's information) and the 2025 COPPA Rule amendments, state biometric laws such as Illinois BIPA and Texas CUBI, Executive Order 14117 and the DOJ Data Security Program, and state comprehensive privacy laws — before publishing.