Privacy Policy — Wandercrafted

The short version: we collect only what we need to run the service, we never sell your data, and you can request deletion at any time by emailing hello@wandercrafted.app.

1. Who we are

Wandercrafted (wandercrafted.app) is an AI-powered travel itinerary service available via web and a native iOS application. References to "we", "us" or "Wandercrafted" in this policy refer to the operator of this service.

For privacy enquiries, contact us at hello@wandercrafted.app.

2. What data we collect

We collect the minimum data necessary to provide the service:

Account information: your email address when you create an account or sign in via magic link.
Trip preferences: destination, travel style, trip dates, flight details, and any "must experience" text you enter into the trip planner. This data is used to generate your itinerary.
Saved itineraries: if you choose to save a generated itinerary, the full itinerary JSON is stored against your account. This includes any user-added content such as day notes, custom packing items, accommodation details, and flight information you add to a saved trip.
Booking confirmation documents (Pro and Trip Pass): if you use the booking import feature, you may upload or paste the text of booking confirmation emails, PDF documents, or screenshots. This content is sent to the Anthropic API for data extraction and is not stored by us beyond the duration of the extraction request. Extracted data (hotel name, dates, confirmation number, flight details) is then stored as part of your saved itinerary in Supabase. You should only upload documents that relate to your own travel bookings.
Payment information — web: if you subscribe to Wandercrafted Pro or purchase a Trip Pass on the web, your payment details are collected and stored by Stripe. We never see or store your full card number — only a Stripe customer ID is stored in our database.
Payment information — iOS: if you subscribe to Wandercrafted Pro or purchase a Trip Pass through the iOS app, your payment is processed by Apple via the App Store and StoreKit. We never receive your payment method details. We receive a transaction receipt from Apple that we use to verify entitlement.
Usage metadata: basic analytics events (e.g. "itinerary generated") to understand how the service is used. No personally identifiable information is attached to these events.
Error logs: anonymised error reports to help us fix bugs, processed via Sentry.

3. How we use your data

To generate and display your travel itinerary.
To save and retrieve your itineraries when you are logged in.
To send transactional emails: account confirmation, magic sign-in links, and password reset emails via Supabase Auth.
To process subscription and Trip Pass payments and manage your billing via Stripe (web) or Apple (iOS).
To improve the service by understanding how features are used.
To identify and fix errors in the service.

We do not use your data for advertising, and we do not sell, rent, or share your personal data with third parties for their own marketing purposes.

4. Third-party services

Wandercrafted uses the following third-party services to operate. Each has its own privacy policy:

Anthropic — powers the AI itinerary generation and booking document extraction. Trip preference data and, where you use the booking import feature, the content of your uploaded booking confirmations, are sent to the Anthropic API. Anthropic does not use API inputs to train its models by default. Privacy policy
Supabase — provides authentication, database storage, and email delivery. Your email address and saved itineraries are stored in Supabase's hosted infrastructure (AWS, us-east-1). Privacy policy
Stripe — processes web subscription and Trip Pass payments. Stripe stores your payment method and billing details under their PCI-compliant infrastructure. Privacy policy
Apple (App Store and StoreKit) — processes iOS subscription and Trip Pass in-app purchases. Apple is the merchant of record for iOS purchases. Apple sends us a verification receipt and a transaction identifier; we do not receive your Apple ID or payment method. Privacy policy
Resend — used to send transactional and lifecycle emails (e.g. trip pass purchase confirmation, price-change notices). We send Resend the recipient email address and message content. Privacy policy
Pexels — provides destination photography displayed on day cards. Image requests include a search keyword (e.g. "Tokyo") but no personal data. Privacy policy
Google Maps — displays interactive maps of your itinerary locations. Google may collect usage data when maps are loaded. Privacy policy
Viator — displays bookable tours and activities as affiliate links. Destination and travel style data is used to show relevant experiences. Privacy policy
Frankfurter (ECB) — provides live exchange rate data for the currency converter. No personal data is sent. Website
AeroDataBox — used for optional flight number lookup. The flight number you enter is sent to AeroDataBox to retrieve flight details. Privacy policy
Sentry — collects anonymised error reports to help us fix bugs. Privacy policy
Google reCAPTCHA / Cloudflare Turnstile — used to protect the itinerary generator from automated abuse. Subject to the respective provider's privacy policy and terms of service.

5. Cookies and local storage

We use minimal cookies and browser storage:

Session cookies: Supabase Auth uses a session token stored in your browser to keep you logged in. This is strictly necessary for the service to function.
No tracking cookies: we do not use advertising cookies, cross-site tracking cookies, or analytics cookies.
Local storage: some preferences (e.g. selected travel styles) may be temporarily stored in your browser's local storage to improve your experience. This data never leaves your device.

You can clear cookies and local storage at any time through your browser settings. Clearing your session cookie will log you out.

6. Data retention

Account data: retained for as long as your account is active.
Saved itineraries and user-added content: retained until you delete the trip or close your account. This includes notes, packing items, and booking details you have added.
Booking confirmation content: uploaded document content is processed in real time and not stored by Wandercrafted. Extracted structured data is stored as part of your saved itinerary.
Payment records: Stripe and Apple retain billing history as required for financial and legal compliance. We retain a Stripe customer ID and Apple transaction identifier against your account for entitlement verification.
Trip Pass records: records of purchased and consumed Trip Passes are retained against your account so you can see remaining unused passes and so we can verify entitlement on future purchases.
Error logs: retained for 90 days in Sentry, then automatically deleted.

7. Booking documents and sensitive travel information

The booking import feature (available to Wandercrafted Pro subscribers and to users with an active Trip Pass applied to a trip) allows you to upload travel booking confirmations — including hotel, flight, and other travel documents — so that Wandercrafted can automatically extract and organise your trip details. Please be aware of the following:

What we extract: we extract only structured booking data — property names, dates, confirmation numbers, flight numbers, airports, and times. We do not extract or store payment card details, passport numbers, or other sensitive identity information from your documents.
Document content: the raw content of uploaded documents (PDF text or image content) is sent to the Anthropic API for processing. It is not stored on our servers beyond the request lifecycle.
Your responsibility: only upload documents that belong to you. Do not upload documents containing third-party personal data without their consent.
Deletion: extracted booking data stored in your itinerary can be deleted at any time by removing the booking from your trip, or by deleting the saved trip entirely.

8. Your rights and data deletion

You have the right to:

Access the personal data we hold about you.
Request correction of inaccurate data.
Request deletion of your account and all associated data.
Export your saved itineraries.
Object to processing in certain circumstances.

To exercise any of these rights, email hello@wandercrafted.app. We will respond within 30 days.

9. Data security

We take reasonable technical measures to protect your data, including:

All data in transit is encrypted via HTTPS/TLS.
Database access is restricted and authenticated.
Payment data is handled entirely by Stripe (web) or Apple (iOS) and never touches our servers.
Passwords are never stored — authentication uses Supabase's secure email-based flows.

10. International transfers

Wandercrafted is operated from Australia. Your data may be processed by third-party services in the United States and other countries. Where this occurs, we rely on those services' compliance frameworks (including EU Standard Contractual Clauses where applicable) to ensure adequate protection.

11. Compliance

We aim to comply with applicable privacy laws including the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles, and where applicable, the EU General Data Protection Regulation (GDPR).

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we'll update the "Last updated" date at the top of this page. For significant changes, we'll notify users by email.

13. Contact

For any privacy-related questions or requests, contact us at:
hello@wandercrafted.app