1. Who we are and what Wondorah does
Wondorah is an AI-assisted travel-planning platform. We help you generate, verify, and manage collaborative trip itineraries, and we surface destination intelligence (weather, costs, safety advisories, crowd levels). When you choose to book travel, we link you out to third-party travel partners (for example Booking.com via Commission Junction, Stay22, LiteAPI/Nuitee, Tiqets, Klook, Kiwitaxi, GetRentacar, Aviasales, Skyscanner via Impact.com, GetYourGuide, Viator, OpenTable, and TheFork). Wondorah is an affiliate referrer — we are never the merchant of record. Bookings and payments happen on the partner's own site, under the partner's own terms and privacy policy. We never collect or process your payment-card details (see §3 and §8).
This policy explains what we collect, why, who we share it with, and your choices.
2. Our privacy posture in one paragraph
We intentionally collect as little personal data as possible. We collect your email address (to create and secure your account), the trip content you choose to create (destinations, dates, notes, and crew names you add), and product-analytics events (how the app is used) to make the product work and improve it. We do not collect or store payment-card numbers, Social Security numbers, government-ID numbers, health data, or financial-account data.
3. Information we collect
3.1 Information you provide
| Data | Examples | Why |
|---|---|---|
| Account email | The email you sign up with (managed via Amazon Cognito, our authentication provider) | Create your account, authenticate you, send essential service messages |
| Trip content | Destinations, dates, itinerary items, notes, and crew/companion names you choose to add | Provide the core planning, verification, and collaboration features |
| Communications | Messages you send us / in-product chat content | Provide AI planning assistance and support |
Crew names caution: When you add other people's names to a trip or invite crew, you are providing limited information about other people. Only add information you have a basis to share.
3.2 Information collected automatically
| Data | How | Why |
|---|---|---|
| Product-analytics events | PostHog (our product-analytics provider) — e.g. pages viewed, features used, button clicks such as outbound booking_clicked events | Understand usage, fix problems, improve the product |
| Device / log data | Standard web/server logs (e.g. IP address, browser type, timestamps) processed via our hosting (AWS — CloudFront/Lambda) | Security, abuse prevention, reliability, debugging |
| Cookies / similar | See §7 | Keep you signed in; measure and improve usage |
3.3 Information we do not collect or process
- Payment-card / PCI data — bookings and payments occur on partner sites; we are not in the payment path.
- Social Security numbers, government-ID numbers, health data, or financial-account data.
4. Why we use your information (purposes)
- Provide, secure, and maintain your account and the planning/verification features.
- Generate and verify itineraries and destination intelligence.
- Show relevant travel options and outbound affiliate links to partners (see §6).
- Measure, debug, and improve the product (analytics).
- Communicate essential service information and respond to support requests.
- Detect, prevent, and address security issues, fraud, and abuse.
- Comply with legal obligations.
5. Legal bases (EEA/UK) and a note for US users
Where the EU/UK GDPR applies, we rely on these legal bases:
| Purpose | Legal basis |
|---|---|
| Providing the service / your account | Performance of a contract with you |
| Analytics + product improvement, security/abuse-prevention | Legitimate interests (and consent where required for non-essential cookies — see §7) |
| Sending essential service messages | Performance of a contract / legitimate interests |
| Meeting legal requirements | Legal obligation |
US / California users: See §10 (Your rights). Based on current CCPA thresholds, Wondorah is well below the thresholds that define a covered “business,” so the CCPA's business obligations likely do not yet apply. We nonetheless honor the core rights in §10 as a matter of good practice. We do not “sell” or “share” your personal information (as those terms are used under the CCPA). Applicability will be confirmed with counsel as we grow.
6. Affiliate links and commissions (important disclosure)
Wondorah participates in affiliate / referral programs. When you click certain travel links and then book or take a qualifying action on a partner's site, the partner may pay Wondorah a commission at no extra cost to you. This does not change the price you pay.
- We are an affiliate referrer, not the merchant of record. The booking transaction and payment are between you and the partner, governed by the partner's own terms and privacy policy.
- When you follow an outbound link, the partner (and the affiliate network that tracks the referral) may set their own cookies and collect data per their privacy policy. We encourage you to review the privacy policy of any partner site you visit.
- See our FTC Affiliate Disclosure for the plain-language statement that appears across the product.
Affiliate/booking partners we link to: Booking.com (via Commission Junction), Stay22, LiteAPI/Nuitee, Tiqets, Klook, Kiwitaxi, GetRentacar, Aviasales, Skyscanner (via Impact.com), GetYourGuide, Viator, OpenTable, and TheFork. We don't display partners we haven't integrated. This list may change over time as we add or remove partners.
7. Cookies and similar technologies
We keep cookies to a minimum. We set one strictly-necessary cookie to keep you signed in, and one first-party analytics cookie so we can see how the app is used and fix what's broken. We do not use advertising cookies, and we do not let third-party ad networks track you across other sites through Wondorah.
| Category | Purpose | Cookie / storage | Duration |
|---|---|---|---|
| Strictly necessary | Keep you signed in and secure your session | Amazon Cognito authentication / session + refresh tokens | Session; refresh token up to 30 days |
| Analytics (first-party) | Measure usage so we can fix and improve the product | PostHog — ph_<project-key>_posthog, set as a first-party cookie and in local storage | Up to 12 months |
You can clear or block cookies anytime in your browser settings — blocking the authentication cookie will sign you out. If you'd rather we not count your usage at all, email privacy@wondorah.com and we'll turn analytics off for your account. (We don't yet show a cookie banner; we'll add a consent prompt before we begin marketing Wondorah in the EEA or UK.)
8. How we share information (third parties / sub-processors)
We do not sell your personal information. We share it only with service providers that help us run Wondorah, and as required by law:
| Recipient | Role | What they receive |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting & infrastructure (S3, CloudFront, Lambda, Aurora; us-east-1) + Amazon Cognito authentication | Account email, trip content, log data — stored/processed on our behalf |
| PostHog | Product analytics | Usage/event data, device/log identifiers |
| Amazon Bedrock (AWS) | AI model inference for itinerary generation, verification, and in-product chat — runs inside AWS in us-east-1 | Only the trip content and prompts needed to produce a response. AWS does not store these inputs/outputs after the request, and does not use them to train the underlying models |
| Affiliate / booking partners + networks | Travel inventory + referral tracking (e.g. Booking.com via Commission Junction, Stay22, LiteAPI/Nuitee, Tiqets, Klook, Kiwitaxi, GetRentacar, Aviasales, Skyscanner via Impact.com, GetYourGuide, Viator, OpenTable, TheFork) | Only what is necessary to follow an outbound link / attribute a referral; the booking + payment relationship and any data you enter on their site are governed by the partner's own policy |
| Legal / safety | Compliance | Information where required by law or to protect rights, safety, and security |
That table is our complete current list of sub-processors. We store and process data in the United States (AWS, us-east-1). When we receive personal data from the EEA or UK, we rely on the Standard Contractual Clauses (and the UK Addendum) with our providers to cover that transfer. We'll update this list here whenever it changes.
9. Data retention
We keep personal data only as long as needed for the purposes above:
| Data | Retention |
|---|---|
| Account email + account | While your account is active. After you delete your account, we remove or anonymize it within 30 days, and purge residual encrypted backups within a further 90 days — unless we must keep something to meet a legal obligation. |
| Trip content | While your account is active or until you delete it. Deleted content comes out of our live systems within 30 days and out of backups within 90 days. |
| Analytics events | Up to 24 months, then deleted or aggregated so it no longer identifies you |
| Server / security logs | Up to 90 days for routine logs; security-relevant logs may be kept up to 12 months to investigate abuse or fraud |
10. Your rights and how to exercise them
Depending on where you live, you may have rights to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (“right to be forgotten” where applicable).
- Export / portability of data you provided.
- Object to / restrict certain processing, and withdraw consent (where processing is consent-based).
- Non-discrimination for exercising privacy rights.
To exercise any right, contact privacy@wondorah.com. We will verify your request (typically via your account email) and respond within the period required by applicable law. You may also delete most data directly in-product where that option is available.
11. Children's data
Wondorah is not directed to children and is intended for users 18 and older. We do not knowingly collect personal information from children under 13 (the threshold set by the US COPPA), and where local law sets a higher minimum age for online services — for example, 16 in parts of the EEA — we don't knowingly collect data from anyone under that age there. If you believe a child has given us personal information, email privacy@wondorah.com and we'll delete it.
12. Security
We use industry-standard safeguards — encryption in transit (TLS) and at rest, scoped access controls, and authentication via Amazon Cognito — to protect your information. No method of transmission or storage is 100% secure, but we work to protect your data and limit what we collect in the first place (see §2).
13. International users
Wondorah is operated from the United States and hosted on AWS in the us-east-1 region. If you use Wondorah from outside the US, your information is processed in the US. If you're in the EEA or UK and we receive your personal data, we rely on the Standard Contractual Clauses (and, for the UK, the International Data Transfer Addendum) to protect that transfer.
14. Changes to this policy
We may update this policy from time to time. We will revise the “Last updated” date and, for material changes, provide a more prominent notice. Continued use after an update means you accept the revised policy.
15. Contact
Valeworth Holdings LLC d/b/a Wondorah
Privacy contact: privacy@wondorah.com
See also our Terms of Service and Affiliate Disclosure.