Privacy Policy
Last updated: June 22, 2026
What we collect
- Account: email address, display name, password hash (stored by Supabase), and optional profile avatar.
- Trip data: prompts, destinations, activities, notes, budget entries, and optional travel documents and emergency contacts you choose to save in your profile (document numbers encrypted with application-level encryption in addition to platform encryption at rest via Supabase).
- Consent signals: your GDPR Art. 22 AI opt-in and CCPA marketing opt-out preferences, stored in our database.
- Usage analytics: page views and feature events (e.g. trip created, paywall viewed) aggregated via PostHog - only if you have consented to analytics cookies.
- Billing: handled entirely by Stripe. WaySavia never stores card numbers or full PAN data.
- Contact form: optional name, email, subject, message, plus IP address and browser user-agent for spam prevention (retained per our retention table).
- Security signals: approximate location derived from IP address during concurrent-login detection (via ip-api.com) for fraud prevention.
How we use your data
- Generate and refine travel itineraries via OpenRouter and model providers.
- Enrich activity constraints via Google Places, Mapbox, and OpenWeatherMap.
- Operate billing and subscription management via Stripe.
- Improve product features using aggregated, anonymised analytics (PostHog).
- Send transactional emails (account confirmation, password reset) via Supabase Auth.
We do not use your data for advertising, nor do we sell it to third parties.
Sub-processors
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, auth, file storage | US / EU |
| Stripe | Payment processing | US |
| OpenRouter | AI inference routing | US |
| Google (Places API) | POI and constraint data | US |
| Mapbox | Maps and geocoding | US |
| OpenWeatherMap | Weather data | EU |
| PostHog | Product analytics (opt-in) | US |
| Sentry | Error monitoring | US |
| Spacemail (SMTP) | Transactional email delivery | US |
| OpenAI | AI inference fallback when OpenRouter is unavailable | US |
| TravelPayouts | Affiliate hotel and travel search links | EU / US |
| ip-api.com | Approximate geo lookup for concurrent-login detection | EU |
A Data Processing Agreement (DPA) is available on request for Pro and B2B customers.
Data retention
| Data type | Retention period |
|---|---|
| Account profile | Deleted within 30 days of account deletion request |
| Trip data (itineraries, activities, expenses) | Deleted immediately on account deletion |
| Documents and passport data | Deleted immediately on account deletion |
| Encrypted database backups (Supabase) | Rolling backups may persist up to 30 days for disaster recovery; not restored for deleted accounts except where law requires retention |
| Server access logs | 90 days, then purged |
| Anonymised analytics | Retained indefinitely (no PII) |
| Billing records | 7 years (legal / tax obligation, held by Stripe) |
International data transfers
WaySavia is operated from the United States. If you access the Service from the European Economic Area, United Kingdom, or other regions with data transfer rules, your personal data may be transferred to the US and other countries where our sub-processors operate.
We rely on appropriate safeguards where required, including Standard Contractual Clauses (SCCs) or equivalent mechanisms offered by vendors such as Supabase, Stripe, Google, and OpenRouter. Vendor-specific transfer terms are available in their DPAs. Contact privacy@waysavia.com for a copy of relevant transfer documentation on request.
Children's privacy (COPPA)
WaySavia is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us personal information, contact privacy@waysavia.com and we will take steps to delete it. Users in the EU may need to be 16 or older to consent to certain processing in their jurisdiction.
Your rights (GDPR)
If you are in the European Economic Area or the United Kingdom, you have the following rights:
- Access & portability: export your trip data from Profile (JSON download).
- Rectification: update your name and email from Profile.
- Erasure: delete your account and all data from Profile (Danger zone).
- Withdraw AI consent (Art. 22): toggle off “Allow AI processing” in Profile → Privacy & AI at any time. AI features will be disabled for your account.
- Lodge a complaint: you may contact your local supervisory authority (e.g. the ICO in the UK, CNIL in France).
California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide the following rights:
- Right to know. You may request the categories and specific pieces of personal information we have collected, the sources, the business purpose, and any third parties with whom we share it.
- Right to delete. You may ask us to delete the personal information we hold about you (subject to legal-hold or contractual exceptions).
- Right to correct. You may request correction of inaccurate personal information.
- Right to opt out of sale or sharing. We do not sell personal information and do not share it for cross-context behavioural advertising. To exercise this right formally, use the “Do Not Sell or Share My Personal Information” toggle in your Profile, or email us.
- Right to limit use of sensitive personal information. Passport and travel document data (sensitive PI under CPRA) is used only to provide the document-storage feature and is not used for AI inference or shared with third parties.
- Right to non-discrimination. We will not treat you differently for exercising any CCPA / CPRA rights.
Categories of personal information collected
- Identifiers: name, email address, account ID
- Commercial information: subscription tier, billing history (held by Stripe)
- Internet activity: page views and feature events (PostHog, opt-in only)
- Geolocation: approximate destination cities entered by the user; IP-based geo for security
- Sensitive PI: passport or travel document details you optionally save in your profile (encrypted with application-level encryption; used only for your trip planning)
To submit a CCPA/CPRA request, use our CCPA request form, email privacy@waysavia.com with subject “CCPA Request”. We will verify your identity and respond within 45 calendar days (extendable by 45 days with notice).
Contact
Email our privacy team at privacy@waysavia.com.
Data Protection Officer (DPO) inquiries: privacy@waysavia.com.