Privacy Policy

Last updated: May 26, 2026

What we collect

  • Account: email address, display name, password hash (stored by Supabase), and optional profile avatar.
  • Trip data: prompts, destinations, activities, notes, budget entries, and optional passport / calendar tokens (encrypted at rest via Supabase Vault).
  • Usage analytics: page views and feature events (e.g. trip created, paywall viewed) aggregated via PostHog - only if you have consented to analytics cookies.
  • Billing: handled entirely by Stripe. WaySavia never stores card numbers or full PAN data.
  • Consent signals: your GDPR Art. 22 AI opt-in and CCPA marketing opt-out preferences, stored in our database.

How we use your data

  • Generate and refine travel itineraries via OpenRouter and model providers.
  • Enrich activity constraints via Google Places, Mapbox, and OpenWeatherMap.
  • Operate billing and subscription management via Stripe.
  • Improve product features using aggregated, anonymised analytics (PostHog).
  • Send transactional emails (account confirmation, password reset) via Supabase Auth.

We do not use your data for advertising, nor do we sell it to third parties.

Sub-processors

Processor | Purpose | Location
Supabase | Database, auth, file storage | US / EU
Stripe | Payment processing | US
OpenRouter | AI inference routing | US
Google (Places API) | POI and constraint data | US
Mapbox | Maps and geocoding | US
OpenWeatherMap | Weather data | EU
PostHog | Product analytics (opt-in) | US

A Data Processing Agreement (DPA) is available on request for Pro and B2B customers.

Data retention

Data type | Retention period
Account profile | Deleted within 30 days of account deletion request
Trip data (itineraries, activities, expenses) | Deleted immediately on account deletion
Documents and passport data | Deleted immediately on account deletion
Server access logs | 90 days, then purged
Anonymised analytics | Retained indefinitely (no PII)
Billing records | 7 years (legal / tax obligation, held by Stripe)

Cookies

We use three tiers of cookies. You can review and change your preferences at any time using the cookie banner (shown on first visit, and re-accessible from our footer).

  • Necessary: Supabase authentication session cookie. Required for the app to function. Cannot be disabled.
  • Analytics (opt-in): PostHog page-view and feature-event tracking. Helps us understand which features are used most. Disabled until you accept analytics cookies.
  • Marketing (opt-in): We do not currently run advertising campaigns or tracking pixels. This tier is reserved for future use and is off by default.

Your rights (GDPR)

If you are in the European Economic Area or the United Kingdom, you have the following rights:

  • Access & portability: export your trip data from Profile.
  • Rectification: update your name and email from Profile.
  • Erasure: delete your account and all data from Profile (Danger zone).
  • Withdraw AI consent (Art. 22): toggle off “Allow AI processing” in Profile → Privacy & AI at any time. AI features will be disabled for your account.
  • Lodge a complaint: you may contact your local supervisory authority (e.g. the ICO in the UK, CNIL in France).

California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide the following rights:

  • Right to know. You may request the categories and specific pieces of personal information we have collected, the sources, the business purpose, and any third parties with whom we share it.
  • Right to delete. You may ask us to delete the personal information we hold about you (subject to legal-hold or contractual exceptions).
  • Right to correct. You may request correction of inaccurate personal information.
  • Right to opt out of sale or sharing. We do not sell personal information and do not share it for cross-context behavioural advertising. To exercise this right formally, use the “Do Not Sell or Share My Personal Information” toggle in your Profile, or email us.
  • Right to limit use of sensitive personal information. Passport and travel document data (sensitive PI under CPRA) is used only to provide the document-storage feature and is not used for AI inference or shared with third parties.
  • Right to non-discrimination. We will not treat you differently for exercising any CCPA / CPRA rights.

Categories of personal information collected

  • Identifiers: name, email address, account ID
  • Commercial information: subscription tier, billing history (held by Stripe)
  • Internet activity: page views and feature events (PostHog, opt-in only)
  • Geolocation: approximate destination cities entered by the user for trip planning
  • Sensitive PI: passport number, expiry, country (opt-in; encrypted at rest; used only within the document-storage feature)

To submit a CCPA/CPRA request, email privacy@travelapp.example with subject “CCPA Request”. We will verify your identity and respond within 45 calendar days (extendable by 45 days with notice).

Contact

Email our privacy team at privacy@travelapp.example.

Data Protection Officer (DPO) postal address: [DPO address - update before go-live].