Privacy Policy
Wend is built around one promise: we don't sell anything to anyone, and we don't share what we don't have to. This page explains, in plain English, what data we collect, why, who we share it with, how long we keep it, and what you can do about it. It's designed to meet the requirements of the EU General Data Protection Regulation (GDPR) and the UK GDPR.
1 · Who we are
The data controller for Wend is [LEGAL_ENTITY_NAME], registered at [REGISTERED_ADDRESS], Ireland. We operate the Wend mobile app (iOS) and the website at wendapp.co. We are not currently required to appoint a Data Protection Officer under Article 37 GDPR. For all privacy enquiries, write to us at [email protected].
2 · The short version
- We collect the minimum data we need to run the app — almost everything lives on your device.
- If you sign in, we use Sign in with Apple. Apple gives us a stable pseudonymous identifier and (only if you choose) a relay email. We never see your real Apple ID password.
- We don't run third-party advertising or analytics SDKs. No Facebook pixel, no Google Analytics, no IDFA tracking.
- We don't sell your data. Ever. We don't share preferences or trip details with third parties beyond what's strictly required to provide the service.
- You can export, correct, or delete your data at any time — see Section 9.
3 · What we collect, and why
3.1 Data you give us directly
| Category | What it is | When |
|---|---|---|
| Account identifier | A pseudonymous user ID generated by Apple Sign in with Apple | When you create an account |
| Email (relay) | If you elect, Apple's "Hide My Email" relay address. We never see your real email unless you provide it directly. | Only if you opt in via Apple |
| Trip data | Destinations, dates, itinerary, budget entries, packing checklists, travel documents you log (passport numbers, visas, etc.) | When you create or edit a trip in-app |
| Bookmarks | Identifiers for destinations, trails, stays, eats and tips you save | When you tap the heart icon |
| Watched routes | Origin/destination route pairs you track for price drops | When you tap "Watch this route" |
| Community content | Tips, journals, journal entries, photos, locations, captions you post | Only if and when you publish |
| Preferences | Home passport country, home currency, distance units, dark-mode setting, reduce-motion setting, notification choices | When you change them in More → Settings |
3.2 Data we observe automatically
| Category | What it is | Purpose |
|---|---|---|
| Device and OS metadata | iOS version, device model, app version, locale, time zone | To deliver the right app version, debug crashes, format dates and currency correctly |
| Affiliate click events | Which outbound link you tapped (12Go, Hostelworld, Booking.com, Kiwi, Skyscanner, Rome2Rio) and at which timestamp | To attribute commission to Wend; never tied to your personal identity beyond your device session |
| Approximate location | Your device's coarse location, only when you grant the OS permission | To centre the map on you and surface "you are here" trails. Never written to our servers without your action. |
| Server logs | IP address, user agent, request path, response code, timestamp — for any request to wendapp.co or our Supabase backend | Security, abuse prevention, debugging |
3.3 Data we explicitly do not collect
- Your real Apple ID password (we never see it; Apple handles the entire sign-in flow).
- Your contacts, calendar, photo library, microphone, or health data.
- Your IDFA / advertising identifier — Wend does not request the App Tracking Transparency permission.
- Continuous background location.
- Behavioural advertising or cross-app tracking signals.
4 · Why we process it (purposes and lawful bases)
Under Article 6 GDPR we need a lawful basis for every type of processing. Here are ours:
| Purpose | Lawful basis |
|---|---|
| Provide the core app: account, sync, saved trips, bookmarks | Contract (Article 6(1)(b)) — necessary to deliver what you signed up for |
| Send local notifications you've enabled (price drops, trip countdown, community replies) | Consent (Article 6(1)(a)) — granted in the iOS prompt, withdrawable any time in iOS Settings |
| Keep the service secure, prevent abuse, debug crashes | Legitimate interest (Article 6(1)(f)) — running a reliable, safe app is in everyone's interest |
| Track affiliate clicks for commission attribution | Legitimate interest (Article 6(1)(f)) — keeps the app free; balanced against your privacy because no personal identity is shared with affiliates beyond your click |
| Comply with legal obligations (tax records, consumer protection) | Legal obligation (Article 6(1)(c)) |
5 · Who we share it with
We use a small number of trusted processors. Each is contractually bound by GDPR-aligned data processing agreements (DPAs).
| Processor | Role | Where |
|---|---|---|
| Apple Inc. | Sign in with Apple, push notifications, App Store distribution, iCloud Key-Value sync | EU + US (SCCs in place) |
| Supabase | Account, trip and bookmark storage; authentication backend | EU (Ireland — eu-west-1) |
| Cloudflare, Inc. | DNS, CDN and hosting for wendapp.co and the AASA universal-link manifest | Global edge network; data origin EU |
| Affiliate partners (12Go, Hostelworld, Booking.com, Kiwi.com, Skyscanner, Rome2Rio) | When you tap an outbound CTA, your browser is redirected to the partner with our publisher/affiliate ID. Their privacy policy then applies. | Various — see each partner's policy |
| Apple Maps / MapKit | Map tile rendering and place lookup inside the app | EU + US (SCCs in place) |
We do not share your data with advertisers, data brokers, or analytics resellers. We do not sell your personal data, and we have never received a price for it.
We will share data with law enforcement only when compelled by valid legal process, and we will tell you about it unless legally prohibited.
6 · International transfers
Wend's primary data store (Supabase) is hosted in Ireland. Some processors (Apple, Cloudflare) operate globally. Where data leaves the European Economic Area, transfers are governed by the European Commission's Standard Contractual Clauses (2021/914) or an equivalent GDPR-recognised safeguard. You can request copies of the relevant SCCs by writing to [email protected].
7 · How long we keep it
| Data | Retention |
|---|---|
| Account record (Apple user ID, settings) | Until you delete the account, then permanently erased within 30 days from production systems and backups |
| Trip data, bookmarks, watched routes, community posts | Until you delete them, or until 30 days after account deletion |
| Server access logs | 30 days, then aggregated or deleted |
| Crash reports | 90 days |
| Affiliate click records | 13 months (matches industry-standard commission cookie windows) |
| Records required by tax / consumer-protection law | Up to 7 years from the relevant transaction (Irish Revenue requirement) |
8 · Security
All connections to Wend's servers run over HTTPS with current TLS. Authentication tokens are stored in iOS Keychain. Database access uses row-level security so a user's records are only ever readable by that user (or by a moderator, for moderation actions). Backups are encrypted at rest. We review access on at least a quarterly basis.
No system is perfectly secure. If we ever discover a personal-data breach that is likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (Article 33 GDPR) and inform affected users without undue delay (Article 34).
9 · Your rights under GDPR
You have the following rights regarding your personal data. Most of them you can exercise directly inside the app (Profile → Account, or More → Data & privacy). For any you can't, email [email protected] and we will respond within one calendar month (extendable by two further months for complex requests under Article 12(3)).
- Right of access (Article 15). Confirmation of whether we hold data about you, a copy of it, and the information set out in this notice.
- Right to rectification (Article 16). Correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Article 17). Delete your account and all linked records. Use Profile → Account → Delete account in-app, or email us.
- Right to restriction of processing (Article 18). Pause our use of your data while we resolve a dispute.
- Right to data portability (Article 20). Receive your data in a structured, machine-readable format (JSON). Use More → Data & privacy → Export trips, or email us for a full account export.
- Right to object (Article 21). Object to processing based on legitimate interests, including affiliate tracking — we will stop unless we have an overriding legitimate ground.
- Right not to be subject to solely-automated decisions (Article 22). We don't make any decisions about you using only automated means.
- Right to withdraw consent (Article 7(3)). Where we rely on consent (e.g. notifications), you can withdraw it at any time without affecting prior processing.
- Right to lodge a complaint (Article 77). If you believe we have mishandled your data, you can complain to your local supervisory authority. In Ireland, that's the Data Protection Commission, dataprotection.ie. You can complain in your country of residence, work, or where the alleged infringement took place.
10 · Children
Wend is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If we learn that we have, we will delete it promptly. If you believe a child has provided data to us, write to [email protected].
11 · Cookies and similar technologies
Our website (wendapp.co) uses a small number of strictly-necessary cookies set by Cloudflare to operate the site, mitigate abuse, and remember security choices. We do not run analytics cookies, advertising cookies, or third-party social-media cookies. We do not use a cookie consent banner because we do not set non-essential cookies — under the ePrivacy Directive and Irish ePrivacy Regulations, strictly-necessary cookies do not require consent.
The Wend mobile app does not use web cookies. Inside the app, our in-app browser (used to open affiliate booking partners) inherits whatever cookies those partners set when you visit them. That use is governed by the partner's privacy policy.
12 · Changes to this policy
When we change this policy in a way that materially affects your rights, we will notify you in-app and update the "Last updated" date at the top. Older versions are kept on file and available on request. We will not retroactively reduce your rights without your explicit consent.
13 · Contact
Questions, requests under any of the rights above, or just a general worry — write to:
[LEGAL_ENTITY_NAME]
[REGISTERED_ADDRESS]
Ireland
[email protected]
Document version 1.0 · Wend pre-launch privacy policy