WhoSitsWhere The Art of Seating
Legal

Privacy Policy

Last updated: 28 February 2026

1. Introduction

WhoSitsWhere ("we", "us", "the Service") is committed to protecting your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and other applicable laws.

2. Data Controller

The data controller for the Service is WhoSitsWhere, based in Sweden. For privacy-related inquiries, contact us at privacy@whositswhere.com.

3. Data We Collect

Account data: When you register, we collect your name, email address, and a hashed password. If you sign in via a third-party provider, we receive your name, email address, and provider-specific identifier.

Event data: Guest names, relationships, family groupings, table configurations, seating rules, constraint weights, and generated arrangements. This data is provided by you and stored to deliver the Service.

Usage data: Server logs may record IP addresses, request timestamps, and browser user agent strings for security and debugging purposes.

4. How We Use Your Data

  • To provide and operate the seating planner Service
  • To authenticate your identity and secure your account
  • To generate seating arrangements based on your rules and preferences
  • To send important service notifications (e.g., terms changes)
  • To diagnose technical issues and maintain system security

5. Legal Basis for Processing (GDPR)

We process your data based on:

  • Contract performance — processing necessary to provide the Service you requested
  • Legitimate interest — security logging and fraud prevention
  • Consent — where applicable, such as optional communications

6. Third-Party Services

When you sign in using a third-party OAuth provider (Google, Microsoft, Facebook, or Apple), we receive limited profile information from that provider. We do not share your event data with these providers. Each provider has its own privacy policy that governs the data they collect.

7. Cookies

We use a session cookie to keep you signed in. This cookie is strictly necessary for the Service to function and does not track you across other websites. We do not use analytics cookies or advertising trackers.

8. Data Storage and Security

Your data is stored in an encrypted database. Passwords are hashed using industry-standard algorithms and are never stored in plain text. We use HTTPS for all data transmission and apply security headers to protect against common web vulnerabilities.

9. Data Retention

We retain your account and event data for as long as your account is active. If you delete your account, all associated data (events, guests, arrangements) will be permanently deleted within 30 days. Server logs are retained for a maximum of 90 days.

10. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate personal data
  • Erasure — request deletion of your personal data ("right to be forgotten")
  • Data portability — receive your data in a structured, machine-readable format
  • Restriction — request that we limit processing of your data
  • Objection — object to processing based on legitimate interest

To exercise any of these rights, contact us at privacy@whositswhere.com. We will respond within 30 days.

11. Data Transfers

Your data is stored and processed within the European Economic Area (EEA). If any data transfer outside the EEA becomes necessary, we will ensure appropriate safeguards are in place.

12. Children

The Service is not intended for children under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or an in-app notice. The "Last updated" date at the top of this page indicates the most recent revision.

14. Supervisory Authority

If you are located in the EU/EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).

15. Contact

For any privacy-related questions or requests, contact us at privacy@whositswhere.com.