Privacy Policy — Wandercrafted

The short version: we collect only what we need to run the service, we never sell your data, and you can request deletion at any time by emailing hello@wandercrafted.app.

1. Who we are

Wandercrafted (wandercrafted.app) is an AI-powered travel itinerary service. References to "we", "us" or "Wandercrafted" in this policy refer to the operator of this service.

For privacy enquiries, contact us at hello@wandercrafted.app.

2. What data we collect

We collect the minimum data necessary to provide the service:

Account information: your email address when you create an account or sign in via magic link.
Trip preferences: destination, travel style, trip dates, flight details, and any "must experience" text you enter into the trip planner. This data is used to generate your itinerary.
Saved itineraries: if you choose to save a generated itinerary, the full itinerary JSON is stored against your account.
Payment information: if you subscribe to Wandercrafted Pro, your payment details are collected and stored by Stripe. We never see or store your full card number — only a Stripe customer ID is stored in our database.
Usage metadata: basic analytics events (e.g. "itinerary generated") to understand how the service is used. No personally identifiable information is attached to these events.
Error logs: anonymised error reports to help us fix bugs, processed via Sentry.

3. How we use your data

To generate and display your travel itinerary.
To save and retrieve your itineraries when you are logged in.
To send transactional emails: account confirmation, magic sign-in links, and password reset emails via Supabase Auth.
To process subscription payments and manage your billing via Stripe.
To improve the service by understanding how features are used.
To identify and fix errors in the service.

We do not use your data for advertising, and we do not sell, rent, or share your personal data with third parties for their own marketing purposes.

4. Third-party services

Wandercrafted uses the following third-party services to operate. Each has its own privacy policy:

Anthropic — powers the AI itinerary generation. Trip preference data (destination, style, dates) is sent to the Anthropic API to generate your itinerary. Anthropic does not use API inputs to train its models by default. Privacy policy
Supabase — provides authentication, database storage, and email delivery. Your email address and saved itineraries are stored in Supabase's hosted infrastructure (AWS, us-east-1). Privacy policy
Stripe — processes subscription payments. Stripe stores your payment method and billing details under their PCI-compliant infrastructure. Privacy policy
Pexels — provides destination photography displayed on day cards. Image requests include a search keyword (e.g. "Tokyo") but no personal data. Privacy policy
Google Maps — displays interactive maps of your itinerary locations. Google may collect usage data when maps are loaded. Privacy policy
AeroDataBox — used for optional flight number lookup. The flight number you enter is sent to AeroDataBox to retrieve flight details. Privacy policy
Sentry — collects anonymised error reports to help us fix bugs. Privacy policy
Google reCAPTCHA — used to protect the itinerary generator from automated abuse. Subject to Google's privacy policy and terms of service.

5. Cookies and local storage

We use minimal cookies and browser storage:

Session cookies: Supabase Auth uses a session token stored in your browser to keep you logged in. This is strictly necessary for the service to function.
No tracking cookies: we do not use advertising cookies, cross-site tracking cookies, or analytics cookies.
Local storage: some preferences (e.g. selected travel styles) may be temporarily stored in your browser's local storage to improve your experience. This data never leaves your device.

You can clear cookies and local storage at any time through your browser settings. Clearing your session cookie will log you out.

6. Data retention

Account data: retained for as long as your account is active.
Saved itineraries: retained until you delete them or close your account.
Payment records: Stripe retains billing history as required for financial and legal compliance.
Error logs: retained for 90 days in Sentry, then automatically deleted.

7. Your rights and data deletion

You have the right to:

Access the personal data we hold about you.
Request correction of inaccurate data.
Request deletion of your account and all associated data.
Export your saved itineraries.
Object to processing in certain circumstances.

To exercise any of these rights, email hello@wandercrafted.app. We will respond within 30 days.

8. Data security

We take reasonable technical measures to protect your data, including:

All data in transit is encrypted via HTTPS/TLS.
Database access is restricted and authenticated.
Payment data is handled entirely by Stripe and never touches our servers.
Passwords are never stored — authentication uses Supabase's secure email-based flows.

9. International transfers

Wandercrafted is operated from Australia. Your data may be processed by third-party services in the United States and other countries. Where this occurs, we rely on those services' compliance frameworks (including EU Standard Contractual Clauses where applicable) to ensure adequate protection.

10. Compliance

We aim to comply with applicable privacy laws including the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles, and where applicable, the EU General Data Protection Regulation (GDPR).

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we'll update the "Last updated" date at the top of this page. For significant changes, we'll notify users by email.

12. Contact

For any privacy-related questions or requests, contact us at:
hello@wandercrafted.app