Privacy Policy
How Wayra handles your personal data, which providers we share it with, and what rights you have to control any of it.
1. Who's responsible
The data controller is Rodrigo Arenas Paiz, based in Madrid (Spain), the operator of wayratrip.io. For any privacy-related question, write to [email protected].
2. What we collect
Only what's needed to run the service:
- Data you give us directly: the trip text you describe in the planner, the name you pick when joining a group, your email and name if you sign in with Google or a magic link, the shared expenses you log, and the amounts you mark as paid.
- Automatic technical data: IP address (anonymized in analytics), browser and device type, language, referring page, visit timestamp.
- Cookies and local storage: session ID, CSRF token, your cookie preferences, and — if you consent — analytics IDs. Full breakdown in the Cookies Policy.
We don't collect special-category data (health, ideology, sexual orientation, or anything else covered by GDPR Article 9). We don't do cross-device tracking or advertising profiles.
3. How we use it
Each purpose has a GDPR legal basis:
| Purpose | Legal basis |
|---|---|
| Generate your trip plan from the prompt you wrote | Performance of a requested service (Art. 6(1)(b)) |
| Keep your session signed in and link trips to your account | Performance of a requested service (Art. 6(1)(b)) |
| Share the plan with your group via a link | Performance of a requested service (Art. 6(1)(b)) |
| Detect errors and abuse (rate limiting, monitoring) | Legitimate interest (Art. 6(1)(f)) |
| Measure how the site is used with analytics | Consent (Art. 6(1)(a)) |
| Send transactional emails (confirmations, notifications) | Performance of a requested service (Art. 6(1)(b)) |
4. Who we share it with
Wayra is an independent project and doesn't sell or transfer your data to third parties for commercial purposes. To run the service we share strictly necessary information with the following processors:
| Provider | Purpose | Location |
|---|---|---|
| Anthropic, PBC | Process your trip prompt with Claude to build the plan | United States |
| Amadeus IT Group | Real hotel and flight search | Spain (EU) |
| Open-Meteo | Weather forecast | Germany (EU) |
| Pexels | Destination imagery | Germany (EU) / United States |
| Mapbox | Interactive maps | United States |
| Google LLC | OAuth sign-in and analytics (only with consent) | United States |
| Microsoft Clarity | Heatmaps and session recordings (only with consent) | United States |
| Functional Software, Inc. (Sentry) | Error monitoring | United States |
| Resend, Inc. | Transactional email delivery (verify, magic-link, welcome) | United States |
| Railway Corp. | App and database hosting | United States |
| Cloudflare, Inc. | DNS, domain registration, email forwarding | United States |
5. International transfers
Several of the providers above are based in the United States. Those transfers are covered by the Standard Contractual Clauses approved by the European Commission, or where applicable by the EU–US Data Privacy Framework. You can ask us for a copy of the safeguards applied to a specific provider at [email protected].
6. How long we keep it
- Anonymous trips (no account): 30 days from last activity, unless you claim them by linking to an account.
- Trips linked to an account: as long as the account exists, or until you ask for deletion.
- Account data: as long as the account is active. After a deletion request, we wipe personal data within 30 days, keeping only anonymized security logs for 12 months.
- Analytics data: per Google Analytics 4 settings (14 months by default) and Microsoft Clarity (90 days).
- Sentry error logs: 30 days.
7. Your rights
As the data subject you can exercise the following rights at any time:
- Access: get a copy of the data we hold on you.
- Rectification: correct inaccurate data.
- Erasure (right to be forgotten): have your data deleted.
- Restriction: freeze a specific processing.
- Portability: receive your data in a structured, reusable format.
- Object: object to processing based on legitimate interest.
- Withdraw consent: at any time, without affecting prior processing. You can do this from the "Cookie settings" button in the footer.
To exercise any of them, write to [email protected] stating which right you want to exercise. We'll respond within 30 days.
If you believe we're handling your data improperly, you have the right to complain to your local supervisory authority. The European Data Protection Board keeps a list at edpb.europa.eu. Spanish residents can complain to the Spanish Data Protection Agency (aepd.es).
8. Security
We apply reasonable technical and organisational measures to protect your data: encryption in transit (HTTPS), CSRF tokens on forms, rate limiting against abuse, error monitoring, restricted database access. No system is invulnerable; in case of an incident affecting personal data, we'll notify you within the GDPR timeframes (Articles 33 and 34).
9. Minors
Wayra isn't aimed at users under 16. We don't knowingly collect data from anyone under that age. If you think a minor has sent us data, write to us and we'll remove it.
10. Changes to this policy
If we update this policy, we'll publish the new version at the same URL with the date at the top updated. If the changes materially affect how we handle your data, we'll notify you by email (if you have an account) or with a prominent on-site notice.
11. Contact
For any question about this policy or how Wayra handles your data: [email protected].