Privacy Policy
Last updated: May 9, 2026
This Privacy Policy explains what personal data Wanderlust Weaver ("we", "us") collects when you use our website and services, why we collect it, who we share it with, and the rights you have over it. We aim to keep this short, plain, and honest.
1. Data we collect
- Account data: email address, display name, optional avatar, and the password hash you set (we never see your plain-text password).
- Profile data you choose to share: public handle, bio, traveler profile (preferences like pace, interests, dietary needs).
- Trip content: destinations, dates, generated itineraries, packing lists, day comments, and uploaded cover images.
- Collaboration data: emails you invite to collaborate on trips, and the role you assign them.
- Payment data: processed by Stripe — we receive your customer ID, subscription status, and the last 4 digits of your card. We do not store full card numbers.
- Usage data: generation counts, tweak counts, error logs, and basic device/browser info needed to operate and debug the Service.
- Email preferences and suppression list: so we honor your unsubscribe choices and don't send to addresses that have bounced or complained.
2. How AI prompts and outputs are handled
When you generate an itinerary, your destination, dates, style, and traveler profile are sent to large-language-model providers (e.g. Google Gemini, OpenAI) via the Lovable AI Gateway. We do not send your name or email to the model. Generated outputs are stored on your account so you can revisit them. Model providers may temporarily process the prompt to deliver the response but, under our agreements with them, do not use it to train their models.
3. Why we use your data (legal bases under GDPR)
- To provide the Service — generating, saving, and sharing your trips. Legal basis: performance of a contract.
- To process payments — via Stripe. Legal basis: performance of a contract.
- To send transactional emails (signup confirmation, password reset, trip share, day-comment notifications, billing receipts). Legal basis: performance of a contract / legitimate interest.
- To send product updates and marketing emails — only with your consent. You can opt out at any time from the Account page or the unsubscribe link in every email.
- To improve the Service and prevent abuse — usage analytics, error logs, rate-limit data. Legal basis: legitimate interest.
- To comply with legal obligations — tax, accounting, responding to lawful requests.
4. Who we share data with
We use a small set of trusted processors to run the Service:
- Lovable Cloud — hosting, database, authentication, file storage.
- Stripe — payment processing.
- Lovable AI Gateway (Google, OpenAI) — itinerary and content generation.
- Email delivery provider — sending transactional and product emails.
We do not sell your personal data. We share data with these processors only as needed to run the Service, under contracts that require them to protect it.
5. International transfers
Some of our processors are based outside the EU/UK (e.g. in the United States). When we transfer personal data internationally, we rely on the European Commission's Standard Contractual Clauses or equivalent safeguards.
6. How long we keep your data
- Account and trip content: until you delete your account.
- Billing records: 7 years (legal/tax retention).
- Email send logs: 90 days.
- Error logs and analytics: up to 12 months.
7. Your rights
Subject to local law, you have the right to:
- access the personal data we hold about you;
- correct inaccurate data (most fields can be updated on the Account page);
- delete your account and associated data;
- export your data in a portable format;
- object to or restrict certain processing;
- withdraw consent for marketing emails at any time;
- lodge a complaint with your local data-protection authority.
To exercise any of these rights, use the Account page or contact us via the Contact page.
8. Cookies, local storage, and your consent
Wanderlust Weaver does not use any third-party advertising or tracking cookies. We use a small number of strictly necessary browser-storage entries to operate the Service, plus optional first-party analytics that you control. You can change your choice at any time on the Cookie Settings page.
Strictly necessary (always on)
These are required to sign you in, secure the admin area, complete OAuth redirects, and remember UI state. They are exempt from consent under the ePrivacy Directive.
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
sb-*-auth-token | localStorage | Keeps you signed in (Lovable Cloud auth session). | Until sign-out |
ww:oauth:redirect | sessionStorage | Resumes the page you were on after a Google OAuth round-trip. | Tab session |
ww:admin:mfa-verified-at | sessionStorage | Remembers a successful admin MFA challenge for the tab. | Tab session |
ww:packing:*, ww:packing-list:* | localStorage | Remembers which packing-list items you've checked off, per trip. | Until cleared |
ww:itinerary:expanded:* | localStorage | Remembers which itinerary days you expanded or collapsed. | Until cleared |
sidebar_state | Cookie | Remembers whether the sidebar is open or collapsed. | 7 days |
Optional analytics (consent required)
First-party analytics help us understand how the product is used (page views, signup & trip-creation funnel). Events are stored in our own database and are never shared with third-party ad networks. Nothing is recorded until you accept on the consent banner or on the Cookie Settings page. Legal basis: your consent (GDPR Art. 6(1)(a) and ePrivacy Directive Art. 5(3)).
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
ww:analytics:consent | localStorage | Remembers your consent choice (granted / denied) so we don't ask again. | Until cleared |
ww:analytics:sid | sessionStorage | Random session ID used to group events from the same visit. Only set after consent. | Tab session |
How to change or withdraw consent
- Visit Cookie Settings to enable, disable, or reset your analytics choice at any time.
- Clearing your browser's site data for Wanderlust Weaver removes all of the entries above; the consent banner will reappear on your next visit.
9. Security
We protect your data with encryption in transit (HTTPS), encryption at rest, row- level security on the database, leaked-password protection on signup, and sign-out-everywhere controls. No system is perfectly secure — if you suspect a breach of your account, change your password and contact us immediately.
10. Children
Wanderlust Weaver is not directed to children under 16 (or the age of digital consent in your country). We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date and, for material changes, notify you by email or in-app notice.
12. Contact
Privacy questions or requests? Reach us via the Contact page.