Privacy Policy

1. Introduction

WeWander operates an online marketplace connecting travelers with local tour operators and activity providers. We take your privacy seriously and are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy explains:

• What personal data we collect and why
• How we use and protect your data
• Your rights regarding your data
• How to contact us with questions

By using the WeWander Platform, you agree to the collection and use of your personal data as described in this Privacy Policy.

2. Data Controller & Contact Information

Data Controller:

MB "Wewander"

Company code: 307580758

Address: Kalvarijų g. 149-52, LT-08352 Vilnius, Lithuania

Contact:

Email: info@wewander.tours

Website: wewander.tours

Data Protection Officer:

For privacy-related questions or to exercise your rights, contact us at: info@wewander.tours

3. Who This Policy Applies To

This Privacy Policy applies to:

• Travelers: Individuals who browse, book, or participate in activities through the WeWander Platform.
• Operators: Tour operators and activity providers who offer their services on the WeWander Platform.
• Website Visitors: Anyone who visits our website, even without creating an account.

Important: When you book an activity, the Operator providing that activity acts as an independent data controller for the personal data they receive from you. Their processing of your data is subject to their own privacy practices, not this Privacy Policy. WeWander acts solely as an intermediary connecting you with Operators.

4. What Personal Data We Collect

4.1 Data Collected from Travelers

Account Information (if you register):

• Name
• Email address
• Phone number (optional)
• Password (encrypted)
• Profile photo (optional)

Booking Information:

• Participant names and ages
• Booking date and time
• Number of participants
• Special requirements or preferences
• Communication with Operators through our platform

Payment Information:

• Payment card details are processed by our payment service providers (Stripe, PayPal) and are not stored on WeWander servers
• We receive only:
  • First 6 and last 4 digits of card number
  • Payment confirmation status
  • Transaction amount and date

Communication Data:

• Messages sent through our platform
• Emails with customer support
• Survey responses and feedback

Technical Data:

• IP address
• Browser type and version
• Device type and operating system
• Pages visited and time spent
• Referral source
• Cookies and similar technologies (see Section 9)

4.2 Data Collected from Operators

Registration Information:

• Full name
• Email address
• Phone number
• Business name (if applicable)
• Business registration number (if applicable)
• Tax identification number

Verification Information:

• Bank account details (for payouts)
• Identity verification documents (if requested)
• Business licenses or permits (if applicable)

Activity Listings:

• Activity descriptions
• Photos and videos
• Pricing information
• Availability calendar
• Cancellation policies

Financial Data:

• Transaction history
• Commission fees
• Payout records

Communication Data:

• Messages with travelers
• Correspondence with WeWander support

Technical Data:

• Same as collected from Travelers (IP address, browser, etc.)

4.3 Data Collected from All Users

Cookies and Tracking Technologies:

See Section 9 for detailed information about cookies.

5. Why We Collect Your Data (Legal Basis)

Under GDPR, we must have a legal basis for processing your personal data. We process your data under the following legal grounds:

5.1 Performance of Contract (Article 6(1)(b) GDPR)

We process your data to:

• Create and manage your account
• Process bookings and reservations
• Facilitate communication between Travelers and Operators
• Process payments and issue refunds
• Provide customer support

5.2 Legitimate Interests (Article 6(1)(f) GDPR)

We process your data for our legitimate business interests:

• Improve our platform and user experience
• Detect and prevent fraud and security threats
• Analyze platform usage and performance
• Send service-related communications
• Enforce our Terms & Conditions

We always balance our interests against your rights and freedoms.

5.3 Legal Obligation (Article 6(1)(c) GDPR)

We process your data to:

• Comply with tax and accounting requirements
• Respond to legal requests from authorities
• Prevent money laundering and terrorist financing
• Maintain records as required by law

5.4 Consent (Article 6(1)(a) GDPR)

We ask for your explicit consent to:

• Send marketing emails and newsletters
• Use optional cookies for analytics and advertising
• Collect location data (if you enable it)

You can withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

6. How We Use Your Data

6.1 For Travelers

• Process your bookings and reservations
• Facilitate communication with Operators
• Send booking confirmations and reminders
• Process payments and refunds
• Provide customer support
• Send service updates and important notices
• Improve our platform based on your feedback
• Detect and prevent fraud
• Comply with legal obligations

With your consent:

• Send promotional offers and newsletters
• Personalize your experience based on preferences
• Show relevant activity recommendations

6.2 For Operators

• Create and manage your operator account
• List your activities on our platform
• Process bookings from travelers
• Transfer payments to your bank account
• Facilitate communication with travelers
• Provide business analytics and insights
• Send important platform updates
• Provide customer support
• Detect and prevent fraudulent activities
• Verify your identity and business legitimacy

With your consent:

• Send marketing tips and best practices
• Promotional opportunities

7. Who We Share Your Data With

WeWander does not sell your personal data to third parties. We share your data only in the following circumstances:

7.1 With Operators (for Travelers)

When you book an activity, we share necessary booking information with the Operator:

• Your name
• Number of participants
• Booking date and time
• Contact information (email/phone)
• Special requirements you provided

Important: Operators are independent data controllers. They process your data according to their own privacy policies to provide you with the booked activity.

7.2 With Travelers (for Operators)

We do not share your full personal details with travelers until a booking is confirmed. After confirmation, travelers receive:

• Your business name
• Contact information for activity coordination
• Meeting point details

7.3 With Service Providers

We share data with trusted third-party service providers who help us operate the platform:

Payment Processors:

• Stripe (payment processing)
• PayPal (payment processing)

These processors handle your payment card details. WeWander never stores full card numbers.

Email Services:

• Email delivery and communication services
• We use these to send booking confirmations, support responses, and (with your consent) marketing emails

Analytics Providers:

• Google Analytics (website analytics)
• We use analytics to understand how users interact with our platform and improve user experience

Customer Support:

• Customer support software to manage inquiries and provide assistance

All service providers are contractually required to:

• Process data only on our instructions
• Implement appropriate security measures
• Not use your data for their own purposes
• Comply with GDPR requirements

7.4 For Legal Reasons

We may disclose your data when required by law:

• To comply with legal obligations, court orders, or government requests
• To enforce our Terms & Conditions
• To protect the rights, property, or safety of WeWander, our users, or the public
• To detect, prevent, or address fraud, security issues, or technical problems

7.5 Business Transfers

If WeWander is involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

8. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy.

8.1 Active Accounts

While your account is active, we retain your data to provide our services.

8.2 After Account Closure or Booking Completion

For Travelers:

• Transaction records: 5 years (tax and accounting requirements)
• Booking history: 5 years (legal and financial compliance)
• Account data: 30 days after account deletion (unless longer retention required by law)

For Operators:

• Transaction records: 5 years (tax and accounting requirements)
• Business records: 5 years (financial compliance)
• Account data: 3 years after account closure (for legal claims under statute of limitations)

For All Users:

• Customer support communications: 3 years (for quality assurance and legal protection)
• Marketing consent records: Until consent is withdrawn, then 30 days

8.3 Legal Hold

We may retain data longer if required by law, for legal proceedings, or to establish, exercise, or defend legal claims.

8.4 Data Deletion

After retention periods expire, we securely delete or anonymize your personal data so it can no longer identify you.

9. Cookies and Tracking Technologies

9.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our website. They help us provide you with a better experience and allow certain features to function.

9.2 Types of Cookies We Use

Strictly Necessary Cookies:

• Essential for the website to function (e.g., login sessions, shopping cart)
• Cannot be disabled
• Legal basis: Legitimate interest (providing the service you requested)

Functional Cookies:

• Remember your preferences (e.g., language, currency)
• Improve your user experience
• Legal basis: Legitimate interest

Analytics Cookies:

• Help us understand how visitors use our website
• Provide statistics on pages visited, time spent, etc.
• We use Google Analytics
• Legal basis: Consent (can be disabled)

Advertising Cookies (if applicable):

• Used to show relevant advertisements
• Track ad effectiveness
• Legal basis: Consent (can be disabled)

9.3 Managing Cookies

On First Visit:

You will see a cookie banner asking for your consent to non-essential cookies. You can accept or reject these cookies.

Anytime:

• Browser Settings: You can block cookies through your browser settings. Note that disabling necessary cookies may prevent some website features from working.
• Cookie Preferences: You can update your cookie preferences at any time through our Cookie Settings (link in footer).

Third-Party Cookies:

Some cookies are placed by third-party services (like Google Analytics). These services have their own privacy policies.

9.4 Do Not Track

Our website does not currently respond to "Do Not Track" signals from browsers.

10. Your Rights

Under GDPR and EU data protection laws, you have the following rights regarding your personal data:

10.1 Right of Access (Article 15 GDPR)

You have the right to request:

• Confirmation of whether we process your personal data
• Access to your personal data
• Information about how we use your data

10.2 Right to Rectification (Article 16 GDPR)

You can request correction of inaccurate or incomplete personal data.

10.3 Right to Erasure / "Right to Be Forgotten" (Article 17 GDPR)

You can request deletion of your personal data when:

• The data is no longer necessary for the purposes it was collected
• You withdraw consent (where processing was based on consent)
• You object to processing and there are no overriding legitimate grounds
• The data was unlawfully processed
• Deletion is required by law

Exceptions: We may refuse deletion if we need the data to:

• Comply with legal obligations
• Establish, exercise, or defend legal claims
• Fulfill our contractual obligations

10.4 Right to Restriction (Article 18 GDPR)

You can request that we limit how we use your data while we:

• Verify the accuracy of your data
• Assess whether our legitimate interests override your objection to processing
• Determine whether we can delete data you've requested to be erased

10.5 Right to Data Portability (Article 20 GDPR)

You can request a copy of your data in a structured, commonly used, machine-readable format, and you can request that we transfer it to another service provider where technically feasible.

Applies to:

• Data you provided to us
• Processing based on consent or contract
• Processing carried out by automated means

10.6 Right to Object (Article 21 GDPR)

You can object to processing based on legitimate interests or for direct marketing purposes.

Direct Marketing: You can opt out at any time using the unsubscribe link in emails or by contacting us.

Legitimate Interests: We will stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

10.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

10.8 Right to Lodge a Complaint

If you believe we have violated your privacy rights, you can lodge a complaint with:

• WeWander: info@wewander.tours
• Your national data protection authority (supervisory authority in your EU country)

10.9 How to Exercise Your Rights

To exercise any of these rights:

Email us at: info@wewander.tours

Include:

• Your full name
• Email address associated with your account
• Description of your request
• Proof of identity (if required to verify your identity)

Response Time: We will respond to your request within 30 days (may be extended by 2 months for complex requests).

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

11.1 Security Measures

Technical Measures:

• Encryption of data in transit (SSL/TLS)
• Encryption of sensitive data at rest
• Secure password storage (hashed and salted)
• Regular security updates and patches
• Firewall and intrusion detection systems
• Access controls and authentication

Organizational Measures:

• Staff training on data protection
• Confidentiality agreements with employees and contractors
• Limited access to personal data (need-to-know basis)
• Regular security audits and risk assessments
• Incident response procedures

11.2 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware
• Notify affected individuals without undue delay if the breach poses a high risk
• Provide information about the breach and steps taken to mitigate harm

11.3 Your Responsibility

Travelers & Operators:

• Keep your password secure and confidential
• Log out after using shared or public devices
• Notify us immediately if you suspect unauthorized account access
• Use strong, unique passwords

Operators:

• Protect traveler data you receive through bookings
• Comply with GDPR requirements when processing traveler data
• Do not share traveler contact information for marketing purposes

11.4 Limitations

While we implement strong security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we work continuously to protect your data.

12. International Data Transfers

WeWander is based in Lithuania (European Union). We primarily process data within the European Economic Area (EEA).

12.1 Transfers Outside the EEA

Some of our service providers may be located outside the EEA. When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs):

We use EU-approved Standard Contractual Clauses with service providers in third countries.

Adequacy Decisions:

We may transfer data to countries that the European Commission has deemed to provide adequate data protection (e.g., UK, Switzerland).

Specific Services:

• Stripe (payment processing): May process data in the US; Stripe complies with applicable data protection laws
• Google Analytics: May process data in the US; Google provides appropriate safeguards

12.2 Your Rights

You have the right to obtain information about the safeguards we have in place for international transfers. Contact us at info@wewander.tours for details.

13. Children's Privacy

WeWander's services are not intended for children under 16 years of age.

We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at info@wewander.tours, and we will delete that information.

Activities involving minors:

When booking activities for children, the adult making the booking is responsible for providing accurate information and ensuring proper supervision during the activity.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons.

14.1 Notification of Changes

Material Changes:

If we make significant changes that affect your rights, we will notify you by:

• Email (to your registered email address)
• Prominent notice on our website
• In-app notification (if applicable)

Minor Changes:

For minor updates, we will post the revised policy on our website with a new "Last Updated" date.

14.2 Your Continued Use

Your continued use of the WeWander Platform after changes become effective constitutes acceptance of the updated Privacy Policy.

If you do not agree with the updated policy, you should stop using our services and contact us to close your account.

14.3 Review Regularly

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. The latest version is always available at: wewander.tours/privacy

15. Third-Party Links

Our website may contain links to third-party websites, services, or applications (e.g., social media platforms, payment processors, external tour booking systems).

We are not responsible for:

• The privacy practices of these third parties
• The content of third-party sites
• How these third parties collect, use, or share your data

Before providing personal data to third parties:

• Review their privacy policies
• Understand how they will use your information
• Exercise caution when sharing sensitive information

16. Automated Decision-Making

16.1 No Automated Decision-Making

WeWander does not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

16.2 Fraud Detection

We use automated tools to detect potentially fraudulent transactions or activities. These tools flag suspicious behavior for manual review by our team. No automated decisions are made that would deny you service without human intervention.

17. Specific Situations

17.1 Reviews and Public Content

If you write reviews or post content on our platform:

• Reviews are public and may be visible to anyone, including search engines
• Do not include sensitive personal information in reviews
• We may moderate or remove reviews that violate our Terms & Conditions
• You grant WeWander a license to display your review on our platform

17.2 Communication Between Travelers and Operators

Messages sent through our platform may be monitored for:

• Customer service purposes
• Fraud prevention
• Quality assurance
• Legal compliance

We do not use the content of your private messages for marketing purposes.

17.3 Operator Responsibilities

Operators must:

• Process traveler data lawfully and fairly
• Use traveler data only for providing the booked activity
• Not use traveler contact information for unsolicited marketing
• Comply with GDPR when processing traveler data
• Protect traveler data with appropriate security measures

Travelers:

If an Operator contacts you for purposes other than your booking, or if you have privacy concerns about how an Operator handles your data, please contact us at info@wewander.tours.

18. Marketing Communications

18.1 Consent

We will only send you marketing communications if:

• You have given explicit consent (opted in), OR
• We have a legitimate interest (e.g., you are an existing customer) and you have not opted out

18.2 What We Send

With your consent, we may send:

• Promotional offers and discounts
• New activity suggestions based on your interests
• Travel inspiration and tips
• Platform updates and new features
• Surveys and feedback requests

18.3 How to Opt Out

You can unsubscribe from marketing communications at any time:

• Click the "Unsubscribe" link in any marketing email
• Update your preferences in your account settings
• Email us at: info@wewander.tours

After opting out:

• We will stop sending marketing emails within 5 business days
• We will continue to send essential service communications (booking confirmations, account updates, legal notices)

Frequently Asked Questions

What personal data does WeWander collect?

WeWander collects account information (name, email, phone number), booking details (dates, participants, special requirements), payment confirmation data (transaction amount and status — full card details are handled by Stripe and PayPal), communications through the platform, and technical data (IP address, browser, device type). WeWander never stores full payment card numbers on its servers.

Does WeWander sell my personal data?

No. WeWander does not sell personal data to third parties. Data is shared only with operators (to fulfill bookings), payment processors (Stripe, PayPal), analytics providers (Google Analytics), and legal authorities when required by law. All service providers are contractually bound to GDPR compliance.

What are my GDPR rights on WeWander?

Under GDPR, WeWander users have the right to access, rectify, erase ("right to be forgotten"), restrict, port, and object to the processing of their personal data. You can also withdraw consent at any time and lodge a complaint with your national data protection authority. To exercise any right, email info@wewander.tours — WeWander responds within 30 days.

How long does WeWander keep my data?

Transaction and booking records are retained for 5 years (tax and accounting compliance). Traveler account data is deleted within 30 days of account deletion. Operator account data is retained for 3 years after closure (statute of limitations). Marketing consent records are deleted within 30 days of consent withdrawal.

What cookies does WeWander use?

WeWander uses four types of cookies: strictly necessary cookies (login sessions, essential features — cannot be disabled), functional cookies (language and preference settings), analytics cookies (Google Analytics — requires consent), and advertising cookies (if applicable — requires consent). You can manage cookie preferences via the cookie banner on first visit or through browser settings at any time.

How do I delete my WeWander account and data?

To delete your account and personal data, email info@wewander.tours with the subject line "Data Request." Include your full name and the email address associated with your account. WeWander will process the deletion within 30 days. Some data (transaction records) may be retained longer where required by law.

What happens if there is a data breach?

In the event of a data breach posing a risk to your rights and freedoms, WeWander notifies the relevant supervisory authority within 72 hours and affected individuals without undue delay. WeWander implements SSL/TLS encryption, firewalls, intrusion detection systems, and access controls to minimize breach risk.

19. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data:

20. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe we have violated your privacy rights.

Lithuania (where WeWander is based):

Your country:

You may also contact the supervisory authority in your EU member state. Find your local authority at: edpb.europa.eu