Last updated: February 2026
This Privacy Policy describes how Wayfare ("we", "us", or "our") collects, uses, and protects your personal information when you use our trip planning service ("the Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
Account Information: When you sign in with Google, we receive your name, email address, and profile picture from Google's OAuth service. We store your name and email to create and manage your account.
User Content: We store the content you create through the Service, including trip details, saved locations, location groups, expense records, participant information, checklists, and budget data.
Usage Data: We may collect information about how you access and use the Service, including your IP address, browser type, pages visited, and the date and time of your visit. This data is used solely for maintaining and improving the Service.
Guest Sessions: If you use the Service as a guest, we issue a temporary session token. Guest data is not associated with a persistent account and may be deleted at any time.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate your identity and manage your user session
- Associate your trips and data with your account
- Improve, personalize, and expand the Service
- Understand and analyze how you use the Service
- Communicate with you, including for customer support
- Detect, prevent, and address technical issues or abuse
3. Data Storage and Security
Your data is stored in a PostgreSQL database hosted on our infrastructure. We implement industry-standard security measures to protect your personal information, including encrypted connections (HTTPS), HTTP-only authentication cookies, and secure password hashing.
However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.
4. Data Sharing
We do not sell, trade, rent, or otherwise share your personal information with third parties for their marketing purposes. We may share information only in the following circumstances:
- Third-party service providers: We use Google OAuth for authentication and Google Maps Platform for location services. These services receive only the data necessary to provide their functionality and are governed by their own privacy policies.
- Legal requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities.
- Protection of rights: We may disclose information when we believe it is necessary to protect our rights, your safety, or the safety of others.
5. Cookies and Session Management
We use HTTP-only cookies exclusively for authentication and session management. Specifically:
- auth_token: A JSON Web Token (JWT) cookie used to maintain your authenticated session. This cookie is HTTP-only and cannot be accessed by client-side scripts.
- oauth_state: A temporary cookie used during the Google OAuth authentication flow to prevent cross-site request forgery (CSRF) attacks. This cookie is deleted after authentication completes.
We do not use cookies for tracking, analytics, or advertising purposes. We do not use any third-party tracking cookies.
6. Data Retention
We retain your personal information and User Content for as long as your account is active or as needed to provide you with the Service. If you delete a trip, all associated data (locations, groups, expenses, participants, and checklists) is permanently removed from our database through cascading deletes.
7. Your Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Delete your trips and associated data at any time through the Service. To request complete account deletion, please contact us.
- Portability: Request your data in a structured, machine-readable format
- Objection: Object to the processing of your personal data in certain circumstances
8. Children's Privacy
The Service is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information.
9. International Data Transfers
Your information may be transferred to and maintained on servers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to such transfers.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by updating the "Last updated" date at the top of this page. You are advised to review this Privacy Policy periodically for any changes. Continued use of the Service after changes are posted constitutes acceptance of the revised policy.
11. Contact
If you have any questions about this Privacy Policy or our data practices, please contact us.