Privacy
What we collect, and why.
Last updated: 16 May 2026
The short version
Worldfarer is operated by Sam Poate, a UK-based sole trader, as the data controller for personal data we hold. We collect what we need to run the service: your account, the trips you create, and a small amount of usage telemetry. We don't sell your data, we don't train AI models on it, and you can export or delete it any time.
Who this applies to
This policy covers four groups of people:
- People who sign up for a Worldfarer account.
- Collaborators added to someone else's trip, and recipients of share links.
- Visitors to the website who don't sign in.
- People who email us at hello@worldfarer.app.
What we collect
From you directly: sign-in email, the name and profile photo provided by Google or Apple if you used those, and the preferences you set during onboarding (home airports, pace, accommodation tier, daily budget, group size). When you create a trip we store the title, notes, stops, dates, journal entries, and any URLs you paste in as sources.
Automatically: minimal device and browser information from your visits (user agent, approximate country from IP), and product analytics events through PostHog if you've consented to analytics. We don't use third-party advertising trackers.
From other services we use: Resend (email delivery), better-auth (sign-in state), Stripe (payment processing if and when we introduce paid plans), and our OAuth providers (Google, Apple) for the basic profile they pass to us when you sign in.
What we don't collect
We don't collect or store payment card numbers ourselves; if we introduce paid plans, Stripe handles the card form and we only see invoice-level metadata. We don't store user-uploaded photos; journal photo links point at external URLs that you provide and that you remain responsible for. We don't ask for location permission in the browser.
How we use it
To provide the service:
- Show you your trips and let you collaborate, share, or clone them.
- Generate trip plans using your destination, notes, and profile preferences as context.
- Send transactional email (magic-link sign-in, share notifications).
- Detect abuse, debug errors, and improve product reliability via Sentry.
- Measure how the product is used in aggregate via PostHog (consented analytics only).
Legal bases
Under UK GDPR we rely on:
- Contract: running your account, storing your trips, generating plans you've asked for.
- Legitimate interests: security, fraud prevention, error monitoring (Sentry), and limited service analytics where consent isn't required.
- Consent: product analytics (PostHog) and any non-transactional email.
- Legal obligation: retaining records we're required to keep (tax, compliance).
AI processing
When you ask Worldfarer to generate or regenerate a plan, we send your destination, notes, stops, profile preferences, and a selection of relevant source excerpts to Anthropic's Claude (routed via the Vercel AI Gateway). When we ingest a source URL we ask OpenAI to extract a structured representation of it. Both providers are configured to not retain inputs for training their foundation models.
The AI Gateway is operated by Vercel in the EU. Anthropic and OpenAI inference endpoints are reached internationally; transfers rely on Standard Contractual Clauses with the UK addendum.
AI output is not used to take significant automated decisions about anyone within the meaning of Article 22 UK GDPR. Plans are decision-support; you choose what to do with them.
Who else sees your data
Our sub-processors are the operational stack we use to run Worldfarer. Each is bound by appropriate data protection terms.
- Vercel (United States, EU region for our deployment): web hosting.
- Railway (United States, EU region): API and worker hosting.
- Neon (United States, EU region): Postgres database.
- Resend (United States, EU region): transactional email.
- Anthropic and OpenAI: AI inference, via the Vercel AI Gateway. No training on inputs.
- Google and Apple: OAuth sign-in (only if you choose those methods).
- PostHog (EU instance, eu.posthog.com): product analytics, only if you've consented.
- Sentry (EU instance, eu.sentry.io): error tracking.
We also share data with the people you choose to share trips with: collaborators you add, and anyone with a share link you've enabled.
International transfers
Our primary processing is in the EU (Frankfurt and Amsterdam). Some sub-processors are US-based companies operating EU regions for us. Where data does leave the UK or EEA, typically for AI inference, we rely on Standard Contractual Clauses with the UK International Data Transfer Addendum.
How long we keep things
- Account data: while the account is active, and up to 30 days after deletion (recovery window) before permanent removal.
- Trips, plans, journal: until you delete them or your account.
- Magic-link tokens: 15 minutes, single use.
- Server logs: up to 30 days.
- Error reports (Sentry): up to 90 days.
- Product analytics (PostHog): up to 12 months.
Your rights
Under UK GDPR you have the right to access, correct, delete, restrict, port, or object to processing of your personal data, and to withdraw consent at any time. Email hello@worldfarer.app and we'll respond within one month. You can also lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.
Security
All traffic to the service runs over HTTPS. Database connections use TLS. Sessions use httpOnly cookies on the worldfarer.app parent domain. Sign-in is by magic link or OAuth; we never store a password. Access to production is limited to the people who operate the service.
No system is perfectly secure. If you spot something, please tell us at hello@worldfarer.app.
Children
Worldfarer is not directed at people under 18. If you believe a child has registered an account, email hello@worldfarer.app and we will remove it.
Changes
We update this policy as the service changes. The "Last updated" date at the top reflects the current version. When we make material changes we'll surface them in the app and, where we hold an email for you, by email.
Contact
Email hello@worldfarer.app. Worldfarer is operated by Sam Poate, sole trader, United Kingdom.