Wanderin Privacy Policy

Last Updated: November 2, 2025

Introduction

This Privacy Policy describes the privacy practices of Wanderin, Inc., a Delaware corporation ("Wanderin", "we", "us", or "our"), and how we handle personal information that we collect through our website (www.wanderin.ai), any mobile applications, and through any other services that link to this Privacy Policy (collectively, the "Service"). By accessing or using the Service, you agree to the practices described in this Policy.

Information We Collect

- Contact and account info (e.g., name, email, login credentials)
- Trip history and itinerary details
- Travel preferences and profile data
- Payment data (via Stripe only – not stored by us)
- Messages, support queries, and communications
- Device and usage data (IP address, OS, browser, activity, cookies)

How We Use Personal Information

We use your data to:

- Operate and improve the Service
- Personalize AI recommendations
- Provide customer support
- Communicate about updates, promotions, and support
- Detect, prevent, and respond to fraud or legal issues

Data Sharing and Disclosure

We may share data with:

- Stripe (for payment processing)
- Affiliate travel partners (for providing external links)
- Hosting, AI, and analytics service providers
- Legal authorities if required by law
- Parties in a merger, acquisition, or sale

Cookies and Tracking

We use cookies, local storage, and similar tracking technologies to:

- Analyze traffic and user behavior (through Google Analytics)
- Improve user experience and site functionality
- Remember your preferences and login status
- Support security and fraud prevention

Google Analytics. We use Google Analytics to collect anonymized usage statistics (page views, session duration, device type, general geographic location). Google Analytics uses cookies and similar technologies. Data collected by Google Analytics is processed according to Google's privacy policy: https://policies.google.com/privacy

You can opt out of Google Analytics tracking by:

1. Installing the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
2. Adjusting your browser settings to block cookies (note: this may affect site functionality)
3. Using browser privacy extensions that block analytics tracking

We do not use Google Analytics data in combination with Google OAuth user data for advertising purposes. We do not share Google user data with Google Analytics. We do not use Google Analytics data together with Google OAuth data, and we have not enabled Google Ads features. Google Analytics 4 does not log IP addresses.

Other Tracking. We may use other analytics and error monitoring tools that collect technical data (error logs, performance metrics) to improve the Service. These tools process limited, anonymized data.

Managing Cookies. You can manage cookie preferences through your browser settings. Most browsers allow you to block or delete cookies, though this may impact your ability to use certain features of the Service.

Cookie Banner. Users in the EU/EEA/UK will see a cookie banner to provide or withdraw consent for analytics cookies.

Third-Party Services

Wanderin integrates with third-party service providers to operate and improve our Service. These include:

Hosting & Infrastructure: We use hosting providers (such as Vercel, AWS, or GCP) to store and serve our Service. Their privacy policies govern their handling of data in their infrastructure.

Analytics: We use Google Analytics to understand how users interact with our Service. Google Analytics collects anonymized usage data (page views, session duration, device type). You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on or adjusting your browser settings. We do not combine Google user data from OAuth with Google Analytics data for advertising purposes.

Payment Processing: Stripe processes payment transactions securely. We do not store your full payment card details. Stripe's privacy policy applies to payment data: https://stripe.com/privacy

Error Monitoring: We use error monitoring and logging services to diagnose and fix technical issues. These services process limited technical data (error logs, performance metrics) under confidentiality agreements.

Email Services: We use email service providers to send transactional and support emails.

We do not sell Google user data to third parties. We share Google user data only with processors that enable the Service (hosting, error monitoring, analytics) under strict confidentiality and data-processing terms. We do not transfer Google user data to third parties for their independent use or for advertising purposes.

Google User Data & OAuth

What We Access. If you choose "Continue with Google," we receive your Google account basic profile information (name, email address, profile image) to create and/or sign in to your Wanderin account. If you choose to connect your Google Calendar, we request the Calendar scope(s) listed below to create and update trip events in your Google Calendar at your request.

Scopes Requested and Purpose.

• openid, email, profile – Used for sign-in and account identification only. We use this to authenticate you and identify your account within our Service.

• https://www.googleapis.com/auth/calendar.events – Used to create, update, and delete only trip events that Wanderin has created in your Google Calendar. We do not read, modify, or delete existing calendar events that were not created by Wanderin. We request https://www.googleapis.com/auth/calendar.events only when you turn on calendar sync (incremental authorization).

How We Use This Data. We use Google data solely to (a) authenticate you and create/maintain your Wanderin account, and (b) sync selected itineraries to your Google Calendar at your explicit request. We do not use Google data for advertising, marketing profiling, or to build user profiles unrelated to trip planning. We do not combine Google user data with data from other sources for advertising purposes.

How We Share Google Data. We do not sell Google user data. We share it only with processors that enable the Service (hosting providers, error monitoring services, analytics platforms) under strict confidentiality and data-processing agreements. We do not transfer Google user data to third parties for their independent use, marketing purposes, or advertising.

Retention. Google basic profile data (name, email, profile image) is retained while your Wanderin account remains active. Calendar event content we create in your Google Calendar mirrors what you choose to sync through our Service. If you disconnect Google from your Wanderin account or delete your Wanderin account, we stop syncing and delete our stored copies of Google-sourced data (see Data Deletion below). Calendar events already written to your Google Calendar remain in your Google account unless you delete them directly in Google Calendar.

Revoking Access. You can revoke Wanderin's access to your Google account at any time by visiting https://myaccount.google.com/permissions, finding Wanderin in the list of connected apps, and clicking "Remove access." Once revoked, we cannot access your Google data or update your calendar. Existing calendar events created by Wanderin will remain in your Google Calendar unless you delete them manually.

Deletion. You can request deletion of your Wanderin account and associated data through our in-app settings (Account → Delete Account) or by emailing us at info@wanderin.ai with the subject line "Delete my account." After deletion, Wanderin no longer stores any Google-sourced data. Calendar events already written to your Google Calendar remain in your Google account unless you delete them there directly.

Scope Minimization. We request only the minimum scopes necessary to provide the Service. We limit calendar operations to calendars and events created by Wanderin where possible, and we do not access or modify your existing calendar events that were not created by our Service.

Security. Google OAuth tokens are stored encrypted at rest, transmitted exclusively over TLS/HTTPS, and restricted via least-privilege access controls. We implement industry-standard security measures to protect your Google account credentials.

Limited Use Compliance. Our use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including its Limited Use requirements.

Human Access. Human access to Google user data is prohibited except when required for security (e.g., abuse investigation), to comply with the law, or when you ask us to view data for support.

Manage your Google connection

Revoke Google Access

Compliance with Google API Services User Data Policy (Limited Use)

Our use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including its Limited Use requirements. We use Google data only to provide the features you request (sign-in and optional calendar sync), do not use Google data for advertising, and do not allow humans to read Google user data except for security, debugging, or legal compliance.

Google Scopes & Purpose (At a Glance)

| Scope | Purpose | What We Actually Do |
| --- | --- | --- |
| openid, email, profile | Sign-in & account identification | Authenticate you; identify your account; no ads |
| https://www.googleapis.com/auth/calendar.events | Optional calendar sync | Create/update/delete only events Wanderin created when you turn sync on; we do not read or change other events |

Your Privacy Choices

You have the following rights regarding your personal information:

- Request access to your data
- Request correction of inaccurate data
- Request deletion of your data
- Request export of your Wanderin data (including itineraries) by emailing info@wanderin.ai
- Opt out of marketing emails (unsubscribe links are included in all marketing communications)
- Delete your account at any time

For detailed step-by-step instructions on data deletion and revoking Google access, please see the "Data Deletion & Revocation" section below.

Email info@wanderin.ai to make a request. We will respond to all requests within 30 days (or sooner where legally required).

Data Deletion & Revocation

This section provides step-by-step instructions for revoking access and deleting your data.

Disconnect Google Access. To revoke Wanderin's access to your Google account:

1. Visit https://myaccount.google.com/permissions
2. Find "Wanderin" (or "Wanderin, Inc.") in the list of connected apps
3. Click "Remove access" or "Remove"

Once you revoke access, Wanderin can no longer access your Google data or update your Google Calendar. Any calendar events that Wanderin previously created in your Google Calendar will remain in your Google Calendar unless you delete them manually.

Delete Synced Calendar Items. If you want to remove calendar events that Wanderin created:

1. Open Google Calendar (calendar.google.com)
2. Find events created by Wanderin (they may be labeled as such)
3. Delete these events individually or in bulk as desired

Note: After disconnecting Google, Wanderin stops syncing new events, but events already created in your Google Calendar will remain unless you delete them.

Delete Your Wanderin Account and Data. To permanently delete your Wanderin account and all associated data:

1. Option 1: In-App Deletion
   - Log into your Wanderin account
   - Navigate to Account Settings
   - Select "Delete Account"
   - Follow the confirmation prompts
2. Option 2: Email Request
   - Email info@wanderin.ai with the subject line "Delete my account"
   - Include your account email address for verification
   - We will confirm deletion within 30 days (or sooner where legally required)

After account deletion, Wanderin permanently deletes:

- Your account credentials and profile information
- All trip data, itineraries, and preferences
- All stored Google-sourced data
- Any other personal information associated with your account

This deletion is irreversible. You will lose access to all your Wanderin data permanently.

Children's Privacy

The Service is not intended for children under 18 years of age. You must be at least 18 years old to use the Service. We do not knowingly collect personal information from individuals under 18. If we learn that we have collected personal information from a person under 18, we will delete that information promptly upon discovery. If you believe we have collected information from someone under 18, please contact us immediately at info@wanderin.ai.

International Users

Your data may be stored in the U.S. and other jurisdictions. By using the Service, you consent to data transfers as permitted under applicable law.

Data Security

We implement industry-standard security measures to protect your personal information:

Encryption: All data in transit is encrypted using TLS/HTTPS. Sensitive data, including OAuth tokens and authentication credentials, is encrypted at rest using industry-standard encryption algorithms.

Access Controls: We implement least-privilege access controls, ensuring that only authorized personnel with a legitimate business need can access user data. All access is logged and audited.

Key Management: Encryption keys are managed securely and rotated regularly. We use secure key management practices to protect sensitive credentials.

Incident Response: In the event of a suspected data breach or security incident, we will investigate promptly, notify affected users and relevant authorities as required by law, and take appropriate remedial action.

While we strive to protect your data using industry-standard practices, no system or transmission method is 100% secure. Use the Service at your own risk, and please contact us immediately at info@wanderin.ai if you suspect any unauthorized access to your account.

Security Contact: If you discover a security vulnerability, please report it to info@wanderin.ai. We appreciate responsible disclosure and will work to address any confirmed issues promptly.

Data Retention

We retain your personal information only for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Data: We retain your account data, profile information, trip history, and preferences while your Wanderin account remains active. If you delete your account, we delete this data within 30 days (or sooner where legally required), except where we are required to retain certain information for legal, regulatory, or legitimate business purposes (e.g., dispute resolution, fraud prevention, tax records).

Google User Data: Google basic profile data (name, email, profile image) is retained while your account is active. If you disconnect Google or delete your account, we delete our stored copies of Google-sourced data within 30 days. Calendar events already written to your Google Calendar remain in your Google account unless you delete them directly.

Logs and Analytics: Server logs, error logs, and analytics data are retained for up to 90 days for troubleshooting, security, and service improvement purposes, after which they are deleted or anonymized.

Backups: Database backups may retain deleted account data for up to 30 days as part of our disaster recovery procedures. After this period, backups are purged and data is irreversibly deleted.

Legal Holds: If we are subject to a legal hold or investigation, we may be required to retain certain data beyond our standard retention periods until the hold is released or the investigation concludes.

After retention periods expire, data is permanently deleted or irreversibly anonymized so that it can no longer be associated with you.

GDPR & CCPA Rights

If you are located in the EU/EEA or California, you may:

- Request access to your data
- Ask us to delete or correct it
- Withdraw consent at any time

Email info@wanderin.ai for all GDPR or CCPA requests.

Do Not Sell or Share My Personal Information

We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act (as amended by the CPRA). If that changes, we will provide a "Do Not Sell or Share" link and update this Policy.

Appeals

If we deny a privacy request and you disagree, you may appeal by replying to our decision email or contacting info@wanderin.ai with the subject line "Privacy Appeal."

Data Controller & Contact

Wanderin, Inc.
Delaware, USA
Email: info@wanderin.ai
Mailing address available upon verified request.

Changes to This Policy

We may update this Privacy Policy from time to time. If material changes are made, we will notify you via email or an in-app message.

How to Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: info@wanderin.ai