1 · Who is responsible
Wayivo OÜ, headquartered in Riga, Latvia, is the data controller of personal data processed when you use Wayivo. Reach our data team at privacy@wayivo.app.
2 · What we collect
account
- Email address, display name, optional public handle.
- OAuth identifiers if you sign in with Apple, Google or GitHub.
- Bearer tokens stored hashed server-side.
trip + workspace
- Places, routes, expenses and activities you add — including coordinates you pick or coordinates from imported ICS files.
- Voice memos and uploaded documents (passports, tickets) only if you upload them. Stored encrypted at rest.
- Comments and threads with other trip participants.
usage
- API request counts, AI provider and model used, token totals, file sizes.
- Approximate IP-derived location for security (kept ≤ 30 days, hashed afterwards).
- Browser, OS and device identifiers for anti-abuse.
opt-in location sharing
Live cursor and "near me" features only run after you explicitly toggle them on per trip. Coordinates are kept in memory with a 1-hour TTL and never written to permanent storage.
3 · Why we process it
- Contract — to provide the Service you signed up for (planning trips, sharing with collaborators, syncing iCal).
- Legitimate interest — fraud prevention, abuse detection, plan-limit enforcement, anonymous aggregate analytics.
- Consent — community marketplace publication, location sharing, marketing email — all opt-in.
- Legal obligation — tax records, government data-request compliance.
4 · Third parties we share with
We share strictly what each provider needs to power its feature. No selling, no advertising profiles.
- Anthropic / Mistral / OpenAI — your AI prompts and the relevant trip context, only when you trigger an AI feature. None of these providers train on Wayivo traffic by default.
- Stripe — payment details (handled directly by Stripe; we receive only success / metadata).
- OpenStreetMap / Nominatim / Open-Meteo / ECB — geocoding, weather and FX lookups (anonymous).
- Apple, Google, GitHub — only at sign-in. We don't post on your behalf.
- Cloud infra — hosted in EU regions (Hetzner / OVH). No data leaves the EU unless you ask the AI provider to.
5 · How long we keep it
- Active accounts: as long as you use Wayivo.
- Inactive accounts: deleted automatically after 24 months of no activity (you get a warning email first).
- Audit logs: 18 months.
- Backups: encrypted, 30-day rotation.
- Deleted accounts: data is purged within 30 days, except where retention is required by law.
6 · Your rights (GDPR + analogous)
- Access, correct or delete your data.
- Export everything via the in-app data-export tool (GDPR Article 20 — portability).
- Object to processing or restrict it.
- Withdraw consent at any time for opt-in features.
- Lodge a complaint with your local supervisory authority. Ours is the Latvian Data State Inspectorate.
Email privacy@wayivo.app to exercise any right. Response within 30 days.
7 · Cookies + storage
- Strictly necessary — session cookie, bearer token in localStorage. Set only after you sign in.
- Preferences — theme, language, panel layout. Local only, never sent to us.
- Analytics — first-party, IP-anonymised. No third-party trackers, no Facebook pixel, no Google Analytics.
8 · Children
Wayivo is not directed at children under 16. If you believe a child has signed up, write to us and we will remove the account.
9 · Changes
Material changes will be announced in-app and by email at least 14 days in advance. Historical versions of this policy are stored in our public repository.
10 · Contact
Questions, complaints or data requests: privacy@wayivo.app. Postal mail accepted at the address on our company filing.