Privacy Policy
Last updated: June 2026
1. Introduction
Wandar ("we", "us", "our") operates wandar.app. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have over it.
We are committed to handling your data responsibly. If you have questions, contact us at hello@wandar.co.
2. Data We Collect
2.1 Account Data
When you sign up, we collect:
- Email address (via Clerk, our authentication provider)
- Display name and username
- Profile photo (if you upload one)
- Travel style preferences selected during onboarding
- Dream destinations (if provided)
2.2 Trip and Experience Data
When you use the Service, we collect:
- Trip details: title, destination(s), travel dates, status, privacy setting, cover image, currency, group type, travel style tags
- Day-by-day itineraries including experience titles, locations, times, costs, categories, and notes
- Photos and media attached to experiences (stored via Cloudinary)
- Ratings you assign to experiences
- Country codes derived from trip destinations (used to award country stamps)
2.3 Social and Discovery Data
- Trips you save (favourites)
- Trips and experiences you remix or cherry-pick, including attribution chain data (which trip or experience was the source)
- Collaborators you invite to trips, and their access permissions
2.4 AI Planner Data (Pro)
- Prompts and messages you send to the AI trip planner
- Itineraries generated in response to your requests
2.5 Account Activity
- Milestones and country stamps you have earned
- Notifications received (milestone awards, collaboration invites, activity)
- Subscription tier (free or Pro) and billing status
2.6 Technical Data
- IP address
- Browser type, operating system, and device type
- Pages visited, actions taken, and time spent in the app (via PostHog analytics)
- Errors and performance data (via Sentry)
- Page view and engagement data (via Vercel Analytics)
- Authentication tokens managed by Clerk
2.7 Payment Data
Payment information is collected and processed by Stripe. We do not store your full card details. We receive from Stripe: subscription status, billing cycle, payment success or failure events, and a Stripe customer ID linked to your account.
3. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the Service | All account, trip, and experience data | Contract performance |
| Authentication and security | Account data, IP, auth tokens | Contract performance / Legitimate interests |
| AI trip planning | Prompts, conversation history, trip context | Contract performance (Pro feature) |
| Awarding milestones and country stamps | Trip destinations, activity data | Contract performance |
| Billing and subscription management | Payment data, subscription status | Contract performance |
| Personalised discovery feed | Trip data, saved trips, travel style | Legitimate interests |
| Analytics and product improvement | Technical data, usage events | Legitimate interests |
| Error monitoring and reliability | Error logs, performance data | Legitimate interests |
| Communication | Email address | Contract performance / Legitimate interests |
| Legal compliance | As required | Legal obligation |
4. Data Sharing
We do not sell your personal data. We share data only as described below.
4.1 Third-Party Service Providers
We work with the following providers who process data on our behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Clerk | Authentication | Email, name, account identifiers |
| Stripe | Payments | Email, billing info, subscription status |
| Cloudinary | Media storage | Photos and images you upload |
| Mapbox | Maps and location features | Trip destinations, map interactions |
| Anthropic | AI trip planner | Prompts and conversation messages |
| Inngest | Background job processing | Trip and user data needed for jobs |
| Resend | Transactional email | Email address, notification content |
| Vercel | Hosting and infrastructure | All data processed by the platform |
| Neon / PostgreSQL | Database | All stored application data |
| PostHog | Product analytics | Usage events, pseudonymous identifiers |
| Sentry | Error monitoring | Error logs, user ID (when signed in) |
All providers are contractually obligated to handle your data in accordance with applicable privacy law and to use it only for the purposes we specify.
4.2 Public Content
Trips and experiences you set to "public" are visible to all users of the Service, including unauthenticated visitors. Your username and profile details are displayed alongside your public content. You control the privacy setting of each trip.
4.3 Collaborators
If you invite collaborators to a trip, they can view and edit the trip content. Collaborators can see your username and display name.
4.4 Attribution Data
When another user remixes or cherry-picks from your public content, your username is stored and displayed as the original source. This attribution persists even if you later set the content to private or delete the original, though the linked content will no longer be accessible.
4.5 Legal Disclosure
We may disclose your data if required by law, court order, or regulatory authority, or where necessary to protect the rights, property, or safety of Wandar, our users, or the public.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile data | Until account deletion, plus 30 days in backup |
| Trip and experience data | Until account deletion or trip deletion |
| AI conversation messages | Until end of current AI session |
| Payment records | 7 years (legal and tax requirement) |
| Error logs (Sentry) | 90 days |
| Analytics events (PostHog) | 12 months |
| Auth tokens (Clerk) | Until session expiry or sign-out |
When you delete your account, we permanently delete your personal data from our systems within 30 days, except where we are required by law to retain it.
6. Cookies and Tracking
We use the following:
- Authentication cookies — set by Clerk to maintain your session. Strictly necessary.
- Analytics — PostHog collects anonymised usage events. You can opt out by adjusting your browser settings or using a content blocker.
- Error tracking — Sentry captures error events linked to your user ID when signed in.
- Performance monitoring — Vercel Analytics collects aggregate page view data with no individual tracking.
We do not use advertising cookies or sell data to advertising platforms.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request that inaccurate data be corrected
- Deletion — request deletion of your personal data (you can also delete your account directly in settings)
- Portability — request your data in a portable format
- Restriction — request that we restrict processing of your data in certain circumstances
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email hello@wandar.co. We will respond within 30 days. We may need to verify your identity before fulfilling a request.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- HTTPS encryption for all data in transit
- Encrypted storage for sensitive fields
- Authentication handled by Clerk (industry-standard security)
- Secrets and API keys stored in Vercel environment variables, never committed to code
- Access to production data restricted to authorised personnel only
- Error monitoring and alerting via Sentry
No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we take the protection of your data seriously and maintain a responsible disclosure policy.
9. International Data Transfers
Our service providers may process data outside the United Kingdom or European Economic Area. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or equivalent mechanisms, in accordance with applicable data protection law.
10. Children's Privacy
Wandar is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us at hello@wandar.co and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via in-app notice at least 14 days before they take effect. The updated policy will be posted at wandar.app/privacy with an updated "Last updated" date.
12. Contact and Complaints
For privacy-related questions or to exercise your rights:
Email: hello@wandar.co Website: wandar.co
If you are located in the UK or EEA and are not satisfied with how we handle your request, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk.