What we collect, and why.

Worldfarer is operated by Astraeus Technology Limited, a company registered in England and Wales (Company Number: 15162283), as the data controller for personal data we hold. We collect what we need to run the service: your account, the trips you create, and a small amount of usage telemetry. We don't sell your data, we don't train AI models on it, and you can export or delete it any time.

This policy covers four groups of people:

• People who sign up for a Worldfarer account.
• Collaborators added to someone else's trip, and recipients of share links.
• Visitors to the website who don't sign in.
• People who email us at hello@worldfarer.app.

From you directly: sign-in email, the name and profile photo provided by Google or Apple if you used those, and the preferences you set during onboarding (home airports, pace, accommodation tier, daily budget, group size). When you create a trip we store the title, notes, stops, dates, journal entries, and any URLs you paste in as sources.

Automatically: minimal device and browser information from your visits (user agent, approximate country from IP), and product analytics events through PostHog if you've consented to analytics. These cover the pages you view, the links and buttons you click, how you navigate, and a replay of your session that helps us debug and improve the product. Text you type into the app is masked in the replay; the plans we generate for you are shown so we can see what landed. If you've consented and arrived from a Google Ads click, we also record the click identifier (gclid) so we can attribute the purchase you make back to that click.

From other services we use: Resend (email delivery), better-auth (sign-in state), Stripe (payment processing for credits and subscriptions), our OAuth providers (Google, Apple) for the basic profile they pass to us when you sign in.

We don't collect or store payment card numbers ourselves. Stripe handles the card form on a domain they control; we only see invoice-level metadata (amount, currency, transaction reference, customer email, any coupon applied). We don't store user-uploaded photos, journal photo links point at external URLs that you provide and that you remain responsible for. We don't ask for location permission in the browser.

To provide the service:

• Show you your trips and let you collaborate, share, or clone them.
• Generate trip plans using your destination, notes, and profile preferences as context.
• Send you three kinds of email:
  • Transactional — magic-link sign-in, purchase receipts, and share notifications. You can't opt out of these while your account is active.
  • Service-related lifecycle — a welcome email when you sign up, a nudge if you haven't planned your first trip in a while, or a reminder if you started a checkout but didn't finish. Every one has a one-click unsubscribe link.
  • Newsletters or product announcements — only if you've explicitly subscribed to them.
• Detect abuse, debug errors, and improve product reliability via Sentry.
• Measure how the product is used in aggregate via PostHog (consented analytics only).
• Measure which marketing campaigns reach people who go on to sign up or buy credits. When you've consented to analytics, we send a purchase event to Google Ads (via PostHog as an intermediate processor) containing a transaction reference, the amount paid, and a one-way hash of your email so Google can match the conversion to the original ad click. Google receives the hash, not your raw email.

Under UK GDPR we rely on:

• Contract: running your account, storing your trips, generating plans you've asked for.
• Legitimate interests: security, fraud prevention, error monitoring (Sentry), limited service analytics where consent isn't required, and service-related lifecycle email after you sign up (welcome messages, activation nudges, checkout follow-ups) — you can opt out via the unsubscribe link in any of those.
• Consent: product analytics (PostHog), advertising attribution (the Google Ads conversion upload described above), and any newsletter or product-announcement emails you've opted in to.
• Legal obligation: retaining records we're required to keep (tax, compliance).

When you ask Worldfarer to generate or regenerate a plan, we send your destination, notes, stops, profile preferences, and a selection of relevant source excerpts to Anthropic's Claude (routed via the Vercel AI Gateway). When we save a source URL we ask OpenAI to extract a structured representation of it. Both providers are configured to not retain inputs for training their foundation models.

The AI Gateway is operated by Vercel in the EU. Anthropic and OpenAI inference endpoints are reached internationally; transfers rely on Standard Contractual Clauses with the UK addendum.

AI output is not used to take significant automated decisions about anyone within the meaning of Article 22 UK GDPR. Plans are decision-support; you choose what to do with them.

Our sub-processors are the operational stack we use to run Worldfarer. Each is bound by appropriate data protection terms.

• Vercel (United States, EU region for our deployment), web hosting.
• Railway (United States, EU region), API and worker hosting.
• Neon (United States, EU region), Postgres database.
• Resend (United States, EU region), transactional email delivery.
• Loops (United States), lifecycle and marketing email delivery (welcome, activation, abandoned checkout). Only contacts who've signed up.
• Stripe (United States and Ireland), payment processing, billing, and the customer record needed to bill you.
• Anthropic and OpenAI, AI inference, via the Vercel AI Gateway. No training on inputs.
• Google and Apple, OAuth sign-in (only if you choose those methods).
• PostHog (EU instance, eu.posthog.com), product analytics and the conduit for our advertising attribution to Google Ads, only if you've consented.
• Google Ads (United States), advertising attribution. Only if you've consented to analytics. Google receives a hashed email plus the transaction reference and amount of any purchase, so it can match the sale back to the ad click that brought you here. Google does not receive your trip data.
• Sentry (EU instance, eu.sentry.io), error tracking.

We also share data with the people you choose to share trips with: collaborators you add, and anyone with a share link you've enabled.

Some outbound links on Worldfarer (for booking accommodation, travel insurance, eSIMs, or activities) are affiliate links. When you click through, the partner receives the standard referral information their program uses to attribute a sale back to us. We don't pass your trip data or account details.

Our primary processing is in the EU (Frankfurt and Amsterdam). Some sub-processors are US-based companies operating EU regions for us. Where data does leave the UK or EEA, typically for AI inference, we rely on Standard Contractual Clauses with the UK International Data Transfer Addendum.

• Account data: while the account is active, and up to 30 days after you request deletion (recovery window) before permanent removal.
• Trips, plans, journal: until you delete them or your account.
• Magic-link tokens: 15 minutes, single use.
• Server logs: up to 30 days.
• Error reports (Sentry): up to 90 days.
• Session replays (PostHog): 30 days.
• Product analytics events (PostHog): up to 12 months.

You can delete your Worldfarer account from your profile at any time. When you do, your account is locked immediately: you're signed out of every device, your trips and follows disappear from the public map, any share links you'd issued stop resolving, and we email you to confirm.

We then hold the account in this locked state for 30 days. If you sign in again before the 30-day window closes, we cancel the deletion and restore everything. No support ticket needed, just sign back in.

After 30 days the account is permanently removed. This cascades and deletes your trips, generated plans, journal entries, follows, and sessions. Travel sources you had added are kept for the wider community of Worldfarer users (so other people's plans that cite them keep working), but with your attribution removed.

This is in addition to your separate UK GDPR right of erasure, which you can exercise at any time by emailing hello@worldfarer.app.

Under UK GDPR you have the right to access, correct, delete, restrict, port, or object to processing of your personal data, and to withdraw consent at any time. Email hello@worldfarer.app and we'll respond within one month. You can also lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.

All traffic to the service runs over HTTPS. Database connections use TLS. Sessions use httpOnly cookies on the worldfarer.app parent domain. Sign-in is by magic link or OAuth; we never store a password. Access to production is limited to the people who operate the service.

No system is perfectly secure. If you spot something, please tell us at hello@worldfarer.app.

Worldfarer is not directed at people under 18. If you believe a child has registered an account, email hello@worldfarer.app and we will remove it.

We update this policy as the service changes. The "Last updated" date at the top reflects the current version. When we make material changes we'll surface them in the app and, where we hold an email for you, by email.

Email hello@worldfarer.app, or write to us by post: