— Last updated · June 24, 2026
Privacy.
We're a small team building a tool for planning group trips with friends. We collect the smallest amount of data we can to make the product work, never sell it, and run analytics in a way that can't identify any single person.
The short version.
We collect: your email, the trip details you enter, payment confirmations from Stripe (we never see your card), and emails forwarded to your trip's inbox.
We use this to: run the product, deliver trip-related emails, and compute aggregate trends for our investors and our team.
We don't: sell your data, share it with advertisers, run ad-tech tracking pixels, or train AI models on your private content.
Your rights: access, correct, export, or delete your data. privacy@wegoingapp.com.
What we collect, and why.
Account data · email, display name, password hash (we never store the plaintext), optional phone, avatar, home country, hometown, work type, hourly rate (used by our date-ranking algorithm — Patent B — to weigh lost wages against PTO). Lawful basis: contract (we need this to provide the service).
Trip data · trip name, destination, dates, party size, currency, dropout policy, itinerary items, lodging options, invite codes. Visible only to other members of the same trip. Lawful basis: contract.
Response data · the availability windows, budget ranges, room preferences, and flight details each traveler submits to plan a trip. Aggregated for the organizer; individual numbers (like your exact budget) are never shown to other travelers without your explicit choice. Lawful basis: contract.
Payments · deposit + payment-plan amounts, timestamps, status, currency. We use Stripe in test mode during beta · charges are simulated. When we launch live, we still never store your card · Stripe handles all of that. Lawful basis: contract.
Inbound mail (per-trip inbox)· when you forward a confirmation email (flights, hotels, Airbnb, Viator etc.) to your trip's unique @inbound.wegoingapp.comaddress, we parse it to extract relevant details (cost, dates, vendor) and attach them to the trip. The original email body is retained for 30 days then deleted. Lawful basis: contract.
Feedback· when you tap the 👍/👎 widget, we record your sentiment + any comment you wrote, the route you were on, your viewport size, your theme (light/neon), your scroll position, your device pixel ratio, your browser's user-agent string, your page title, any recent JavaScript errors your browser logged, and a screenshot of the visible pagetaken at the moment you tapped a thumb. The screenshot helps us reproduce visual bugs. It captures only what was on your screen at that moment — never another tab, the keyboard you typed, or anything that scrolled off-screen. Screenshots are stored in a private storage bucket and only the WeGoing! team can view them. They're deleted when you delete your account, or sooner on request. Lawful basis: legitimate interest (improving the product).
Analytics· we capture pseudonymous events (e.g. "a trip was created in country X with party size bucket Y") to build the trends dashboard our team and investors use. The events table has no link back to your identity on its own — the link lives in a separate, service-role-only table that an attacker would have to compromise in additionto the events to identify anyone. Events are bucketed (e.g. budget rounded to a range like $1k-$2k, not the exact amount) before they're ever written. Lawful basis: legitimate interest. See The privacy architecture, in detail below.
The privacy architecture, in detail.
We designed our analytics to be GDPR-grade by default, not US-grade with a GDPR retrofit. Here's what that means in practice:
Pseudonymous IDs. Every user gets an opaque analytics_id UUID. Our events table only carries that UUID. The mapping profile_id → analytics_idlives in a separate, service-role-only table. Compromising one without the other reveals nothing useful.
Bucketed values.Before any value goes into the events table, it's normalized into a range. A $4,237 budget becomes "3.5–5k." A trip to "Sapporo, Japan" becomes country = "Japan" (we drop the city). Names, emails, phones, and free-text fields never reach the events table.
90-day retention. Raw events are hard-deleted after 90 days. Only the pre-aggregated daily rollups (which are already deidentified) persist longer.
k-anonymity floor.Any aggregate we publish externally (press, reports, pitch decks) is gated at k≥5 — no bucket with fewer than 5 unique users contributing is ever shown. Cells below the floor render as "—".
Right to erasure.Hard-deleting your account severs the mapping. Your past events become orphan rows pointing at an unmappable UUID — they still contribute to aggregates (so our trends don't lie about history), but they can never be re-tied to you.
Aggregate publication.
We may publish aggregate insights about how WeGoing! is used — total trips planned, popular destinations, budget distributions, group-size patterns — in marketing materials, press, pitch decks, or industry reports. Every aggregate we publish is bound by the k≥5 floor described above. No individual user, trip, or transaction can be identified from any aggregate we publish. We do not, and will not without your explicit opt-in consent, sell or license your individual data to third parties.
Third-party processors.
We use the following companies to run WeGoing!. Each is contractually bound to handle your data only as instructed by us:
Supabase (Postgres database, auth) · supabase.com/privacy
Vercel (web hosting) · vercel.com/legal/privacy-policy
Stripe (payments) · stripe.com/privacy
Postmark (transactional + inbound email) · postmarkapp.com/eu-privacy
Google (Places + Maps APIs for destination search, photos, and the map tab; OAuth sign-in) · policies.google.com/privacy
SerpAPI (flight price lookups via Google Flights) · serpapi.com/legal/privacy-policy
Viator (a Tripadvisor company) (excursion search + booking deeplinks) · viator.com/privacy
Your rights.
Under GDPR (and similar regimes elsewhere) you have the right to:
Access · request a copy of the data we hold about you.
Correct· ask us to fix anything that's wrong.
Erase · delete your account and the data tied to it. Self-service via Settings → Delete my account, or email us.
Port · receive your data in a machine-readable format.
Object· opt out of our legitimate-interest analytics. Email us and we'll honor it within 30 days.
All requests: privacy@wegoingapp.com. We'll respond within 30 days as required by GDPR.
Retention.
Active accounts · we keep your data as long as your account exists.
Inactive accounts· accounts with no activity for 24 months are flagged for review and may be deleted; we'll email you first.
After account deletion · we remove your personal data within 30 days. We retain payment records as long as required by law (typically 7 years for tax purposes), but those records contain only what the law requires, not your full profile.
Analytics events · 90 days raw, then aggregated into rollups that retain no personally identifiable information.
Inbound mail · raw forwarded emails retained 30 days; parsed structured data attached to your trip stays with the trip.
International transfers.
We're based in the United States and our hosting (Vercel), database (Supabase), payment processor (Stripe), and email processor (Postmark) all operate primarily in the US. If you're in the EU/UK and use WeGoing!, your personal data will be transferred to and processed in the US under the standard contractual clauses our processors have in place. If you have concerns, email us.
Children.
WeGoing! is not directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe we have, email us and we'll delete it.
Changes to this policy.
We'll update this page when we change how we handle data. Material changes get an in-app notice. The "last updated" date at the top of the page is the source of truth.
Contact.
Privacy questions, GDPR requests, or anything else data-related: privacy@wegoingapp.com. General support: hello@wegoingapp.com.