Security

Guest data, handled like a guest list.

The programs ConciergeOS serves involve names, affiliations, and movements of people who value discretion. This page describes the standard every deployment is held to.

Your files remain the system of record

We do not import your guest list into a CRM, marketing database, or any system of ours. Your spreadsheet — in your account, under your control — stays the single source of truth for the entire engagement. Revoke our access at any time and the relationship to your data ends with it.

Read-only, for one purpose

Our access to your source files is read-scoped and used for exactly one thing: rendering the app your guests see. Guest information is never used for analytics, profiling, advertising, or any purpose beyond the deployment — and it is never sold or shared.

Access rules enforced server-side

Public, invite-only, application, whitelist, and paid tiers are enforced on the server — not merely hidden in the interface. A guest without access to an event does not receive that event's data at all.

Purged when the event window closes

When your event window ends, deployment data is purged from our production systems — rendered copies, caches, and exports included — unless you choose to keep the app live under an ongoing plan. Archival, extension, or deletion is your call, made explicitly.

Payments never touch us

Paid access runs through your own Stripe account. Card numbers and payment credentials are handled by Stripe end to end — they never pass through or rest on our systems.

Questions or disclosures

Security questionnaires, data-processing agreements, and disclosure requests are part of normal business for us — raise them on your demo call and we will turn them around quickly.