How We Protect Your Data

Guestlists are built on personal information: the names, email addresses, and especially the mobile phone numbers that guests share so an Organizer can reach them about an event. We treat that data as the most sensitive thing on our platform. This page explains, in plain terms, how we safeguard it. For the legal specifics of what we collect and why, see our Privacy Policy.

Encryption In Transit

All traffic between your browser or device and Plus One is encrypted over HTTPS (TLS). Data moving between our application and the systems that store it travels over encrypted connections as well. Nothing personal is sent in the clear over the network.

How We Encrypt Phone Numbers

Phone numbers, the most sensitive contact detail we hold, are encrypted with AES-256-GCM, an authenticated encryption standard, using keys that live outside the database. Access to the database alone is not enough to read a guest's number: the key needed to decrypt it is held separately, so a database compromise does not by itself expose contact details.

New records are written with this encryption in place. We are finishing the work to retire earlier unencrypted copies created before it was introduced, so that the encrypted values become the only form in which numbers are stored.

Lookups Without Exposing The Number

When we need to find a guest, whether to confirm an RSVP, honor a STOP opt-out, or prevent a duplicate entry, we look them up using a one-way keyed fingerprint of their phone number rather than querying the raw number itself. The fingerprint can confirm a match but cannot be reversed back into the phone number, so day-to-day operations don't require handling the number in the clear.

Isolation Between Organizers

Every table that holds personal information enforces row-level securityat the database layer. One Organizer cannot see another Organizer's guests, and a phone number collected for one Organizer's event is never used to contact people on behalf of a different Organizer. Isolation is enforced by the database itself, not just by application code.

Internal Access

Access to personal data inside Plus One is limited to the small number of people who need it to operate and support the service. Administrative actions taken on an account, such as support access, are recorded in an internal audit log so we can account for who did what.

Continuous Monitoring

We run automated guardrails that check our systems for accidental exposure of personal data. These run on every change to our code and on a daily schedule, and they flag issues such as a database table missing its access controls or a phone number appearing somewhere it shouldn't. Catching mistakes quickly is part of keeping the data safe over time.

What Plus One Does With Your Data

We collect only the information an Organizer chooses to gather on their page, plus what we need to run the platform. Plus One does not sell personal information, and we do not share phone numbers with marketers. The third parties that help us run the service, such as hosting and database, email delivery, and SMS delivery (like Twilio and Infobip), act as processors under contracts that require them to protect the data and use it only to provide their service to us.

That promise covers what Plus One does. The Organizer who collects your information through Plus One is an independent controllerof the contacts they gather, and they decide how to use them. We do not control, and cannot speak for, what an individual Organizer does with their own lists. If you're a guest, how a particular Organizer uses your information is governed by your relationship with that Organizer. You can ask them directly to stop contacting you or to remove your details, and you can always email us at privacy@useplusone.com for help.

Your Rights

You can request access to, correction of, or deletion of your personal information at any time. Guests can opt out of SMS at any point by replying STOP to a message. Depending on where you live, you may have additional rights under laws such as the GDPR or CCPA. To exercise any of these, email privacy@useplusone.com.

Reporting A Concern

If you believe you've found a security or privacy issue, please tell us at privacy@useplusone.com. We take reports seriously and will respond promptly.