Privacy Policy

Last updated: March 24, 2026

Information We Collect

We collect the following information to provide our service:

• Account data — email address, name, and profile picture (via Google OAuth or email registration). Stored in Supabase (EU-hosted PostgreSQL).
• Profile preferences — home airport, budget level, travel styles, currency. You control these in account settings.
• Search conversations — your chat messages and AI responses when using the travel search. Stored to enable search history.
• Saved destinations and trips — favorites, trip plans, and itinerary items you create.
• Anonymous search logs — search queries and result counts for improving our AI. Not linked to your account.
• Usage analytics — pages visited, clicks, scroll depth, and web vitals via PostHog (EU-hosted, GDPR-compliant).
• IP address hash — a one-way hash of your IP for rate limiting anonymous users. We do not store raw IP addresses.

How We Use Your Information

We use your information to:

• Provide AI-powered destination search results based on your interests
• Personalize search with your saved preferences (home airport, budget)
• Save and restore your search conversations and trip plans
• Show real-time flight prices from partner APIs
• Send newsletter emails (only if you opted in)
• Improve our AI search quality and user experience
• Prevent abuse through rate limiting

We do not sell your personal data to third parties.

Data Sharing & Third-Party Services

We use the following third-party services:

• Supabase (EU) — database, authentication, and file storage
• Google (OAuth) — sign-in via Google account (only if you choose this method)
• Google Gemini AI — processes your search queries to generate destination recommendations. Queries are sent to Google's API.
• Anthropic Claude AI — fallback AI for search (used only if Gemini is unavailable)
• PostHog (EU) — privacy-focused analytics. You can opt out via the cookie banner.
• Travelpayouts/Aviasales — real-time flight price data and affiliate booking links
• Unsplash — destination photos (via API, no personal data shared)
• Heroku (EU region) — application hosting

When you click affiliate links, the following partners receive your search context:

• Aviasales/Kiwi.com — flights
• GetYourGuide — activities and tours
• Omio — trains and buses

These partners have their own privacy policies.

Cookies & Local Storage

We use the following cookies and browser storage:

• Authentication cookies (Supabase) — maintain your login session. Essential, cannot be disabled.
• Analytics cookies (PostHog) — track page views, clicks, and performance. You can decline these via the cookie banner.
• Cookie consent (localStorage) — remembers your cookie choice.
• Rate limit cookie — tracks anonymous message count for fair usage.
• Pending chat (localStorage) — temporarily stores your chat when redirecting to login.

We do not use advertising or retargeting cookies.

Your Rights (GDPR)

Under GDPR and applicable privacy laws, you have the right to:

• Access — view all personal data we hold about you
• Rectification — update incorrect data via account settings
• Deletion — delete your account and all associated data
• Portability — request your data in a machine-readable format
• Opt out — decline analytics cookies, unsubscribe from emails
• Withdraw consent — revoke Google OAuth access at any time

To exercise these rights, contact us at hello@wantgo.app. We respond within 30 days.

Data Retention

• Account data — retained until you delete your account, then removed within 30 days
• Search conversations — retained while your account is active
• Anonymous search logs — retained for 90 days, then deleted
• Analytics data (PostHog) — aggregated and anonymized, retained up to 12 months
• IP hashes (rate limiting) — reset every 30 days
• Email subscriptions — retained until you unsubscribe

Data Security

We protect your data with:

• Encryption in transit (HTTPS/TLS on all connections)
• Encryption at rest (Supabase managed encryption)
• Row-Level Security (RLS) — you can only access your own data
• Service role keys stored securely in environment variables, never exposed to clients
• IP addresses hashed with SHA-256 before storage
• No passwords stored — authentication delegated to Supabase Auth

Children's Privacy

Wantgo is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

International Data Transfers

Your data is primarily stored in the EU (Supabase EU region, PostHog EU). Some data may be processed by:

• Google Gemini — US-based AI processing (search queries only, no personal data)
• Anthropic Claude — US-based AI processing (fallback, search queries only)

These transfers are covered by Standard Contractual Clauses (SCCs) and the providers' DPAs.

Changes to This Policy

We may update this policy when we add new features or services. Significant changes will be communicated via a banner on our website. The date at the top indicates when the policy was last updated.

Contact Us

For privacy-related questions or GDPR requests:

Email: hello@wantgo.app
Response time: within 30 days