Privacy Policy

Last updated: April 2026

1. Who we are

Wavvia ("we", "us", "our") operates the Wavvia travel planning platform at wavvia.app. We are committed to protecting your personal data and respecting your privacy.

For questions about this policy, please use the contact form on our website.

2. Data we collect

We collect the following types of data:

  • Account data — email address, name, and authentication provider (Google or Apple) when you create an account.
  • Trip profile data — traveller type, destinations, dates, dietary preferences, health conditions, and budget tier that you provide during trip planning.
  • Usage data — pages visited, features used, and interactions with the platform (e.g. popup responses), collected via server logs and anonymised analytics.
  • Device data — browser type, operating system, and IP address, used for security and performance purposes.
  • Guest sessions — if you use Wavvia without an account, we assign a temporary anonymous session ID stored locally on your device. No personal data is linked to guest sessions.

We do not collect payment information directly. Booking transactions are handled by our affiliate partners (Booking.com, GetYourGuide, etc.) under their own privacy policies.

3. How we use your data

  • To generate your personalised travel itinerary and safety reports
  • To remember your preferences across sessions (logged-in users only)
  • To improve our platform features using anonymised, aggregated data
  • To send transactional emails (trip confirmations, account notices) — never marketing without consent
  • To detect and prevent fraud and abuse
  • To comply with legal obligations

We process your data on the legal basis of contract performance (to deliver the service you requested), legitimate interests (platform security and improvement), and consent (optional communications).

4. Sensitive data

Some trip profile information — such as LGBTQ+ identity, health conditions, dietary requirements, and gender — may constitute special category personal data under GDPR.

This data is provided voluntarily by you to personalise your experience. It is:

  • Stored encrypted at rest (AES-256 via Supabase)
  • Never shared with third parties or affiliate partners
  • Never used for advertising profiling
  • Deleted immediately when you delete your account

You can choose not to provide this information — the platform works without it, but personalisation will be reduced.

5. Sharing your data — third-party processors

We do not sell your personal data. Ever.

We share data only in the following limited circumstances:

  • Google (Gemini AI) — your trip profile and conversation context are sent to Google's Gemini AI to generate your itinerary and chat responses. This transfer is protected by Standard Contractual Clauses (SCCs) under Google's Data Processing Agreement. We do not send sensitive identity data (LGBTQ+ status, health conditions) beyond what is necessary to generate your personalised plan.
  • Supabase — database and authentication storage. Data is encrypted at rest. GDPR-compliant.
  • Vercel — hosting and serverless compute. Processes request data including IP addresses for routing and security.
  • Firebase (Google) — user authentication. Handles sign-in via Google and Apple. Subject to Google's privacy terms.
  • Cloudflare — DDoS protection, CDN, and caching. Processes IP addresses and request metadata for security purposes.
  • Upstash (Redis) — rate limiting and session caching. Stores anonymised request counts keyed to IP address. No personal data retained beyond the active session window.
  • Sentry — error monitoring. Captures anonymised error reports and performance traces. All text inputs and media are masked; no personal data is logged.
  • Kiwi Tequila (Kiwi.com) — flight price enrichment. Your departure city and destination are sent to retrieve indicative flight prices. No personal identity data is shared.
  • TravelPayouts — affiliate flight and hotel search widget. Anonymised click data is shared for commission tracking.
  • Google Maps Platform — used for place search and venue verification. Destination names are sent to Google's Places API. Subject to Google's privacy terms.
  • Affiliate networks (CJ, Awin, Impact, Amazon Associates) — when you click a product or booking link, anonymised click tracking data (no PII) is sent to the relevant network for commission attribution.
  • Legal requirements — if required by law, court order, or to protect the rights and safety of our users.

6. Cookies

We use the following types of cookies:

  • Essential cookies — required for the platform to function (session management, authentication). Cannot be disabled.
  • Preference cookies — store your dark mode setting and guest session ID. No personal data.
  • Analytics cookies — anonymised usage data to help us improve the platform. Only set with your consent.

You can manage cookie preferences via the cookie banner shown on your first visit, or by clearing your browser cookies at any time.

7. Data retention

  • Account data: retained while your account is active, deleted within 30 days of account deletion
  • Trip data: retained for 12 months from creation, then automatically deleted
  • Shared trip links: expire after 90 days and are then deleted
  • Guest session data: deleted after 30 days of inactivity
  • Server logs: retained for 90 days for security purposes

8. Your rights (GDPR)

If you are in the UK or EU, you have the right to:

  • Access — request a copy of the data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Restriction — request that we limit how we use your data

To exercise any of these rights, please use the contact form on our website. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK).

9. Security

We take security seriously. All data is transmitted over TLS 1.3 and stored encrypted at rest. Authentication is handled by Firebase Auth — we never store passwords. Access to production data is restricted to authorised personnel only.

No system is 100% secure. If you discover a security vulnerability, please report it responsibly via the contact form on our website.

10. California privacy rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete — request deletion of personal information we have collected, subject to certain exceptions.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt-out of sale or sharing — we do not sell or share your personal information with third parties for cross-context behavioural advertising. No opt-out is required.
  • Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.

To exercise your California rights, please contact us using the contact form on our website. We will respond within 45 days as required by CCPA.

11. Sri Lanka privacy rights (PDPA 2022)

Wavvia operates from Sri Lanka and is subject to the Personal Data Protection Act No. 9 of 2022 (PDPA). Under the PDPA:

  • Lawful basis — we process your data only where we have a valid lawful basis: your consent, contractual necessity, or a legal obligation. Sensitive categories (health, LGBTQ+ identity) are processed only with your explicit consent.
  • Breach notification — in the event of a data breach affecting your personal data, we will notify the Data Protection Authority of Sri Lanka within 72 hours and inform affected users without undue delay.
  • Your rights — you have the right to access, correct, and request deletion of your personal data held by us. Contact us using the form on our website to exercise these rights.
  • Data Protection Authority — you may lodge a complaint with the Data Protection Authority of Sri Lanka at privacycommission.lk.

12. India privacy rights (DPDPA 2023)

If you are a resident of India, the Digital Personal Data Protection Act 2023 (DPDPA) grants you the following rights:

  • Consent — we obtain your explicit consent before processing your personal data. You may withdraw consent at any time by deleting your account or contacting us.
  • Right to information — you may request details of the personal data we hold about you and how it is processed.
  • Right to correction and erasure — you may request correction of inaccurate data or deletion of your personal data. We will action this within 30 days.
  • Grievance redressal — to raise a data-related grievance, please use the contact form on our website. We will acknowledge within 48 hours and resolve within 30 days.

13. Children

Wavvia is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

14. Changes to this policy

We may update this policy from time to time. We will notify registered users of material changes by email. The "last updated" date at the top of this page reflects the most recent revision. Continued use of Wavvia after changes constitutes acceptance of the updated policy.

Questions? Use the contact form on our website. · See also our Terms of Service