Data Processing Agreement
Between WeWander UAB and Tour Operator
Under GDPR Article 26 (Joint Controllers)
Last Updated: February 16, 2026
Effective Date: Upon Operator acceptance of main Terms and Conditions
Governing Law: Republic of Lithuania, EU General Data Protection Regulation (GDPR)
1. Purpose and Scope
1.1 Joint Controller Relationship
This Data Processing Agreement ("DPA") is incorporated into the WeWander Operator Terms and Conditions ("Main Terms") and governs the processing of personal data where WeWander UAB ("WeWander") and the Tour Operator ("Operator") act as Joint Controllers under Article 26 of the GDPR.
Joint Controller Determination:
- WeWander and Operator jointly determine the purposes and means of processing Traveler personal data in connection with tour bookings
- Both parties are independently responsible for GDPR compliance within their respective domains
- This DPA defines respective responsibilities, contact points, and data subject rights handling
1.2 Categories of Data Processed
Personal Data Shared Between WeWander and Operator:
(a) Traveler Booking Data:
- Name, email address, phone number
- Nationality, age (if required for tour)
- Special requests or accessibility needs (if provided)
- Booking confirmation number
- Payment confirmation status (not payment card details)
(b) Booking Transaction Data:
- Booking date and time
- Tour date, time, location
- Number of participants
- Total booking value
- Booking status (confirmed, cancelled, completed)
(c) Communication Data:
- Messages exchanged between Traveler and Operator via Platform messaging
- Booking confirmations, reminders, updates
Exclusions (Not Shared with Operator):
- Payment card details (processed exclusively by payment processors)
- WeWander Account passwords
- Internal Platform analytics data
1.3 Data Subjects
- Primary: Travelers who book tours through the WeWander Platform
- Secondary: Operator employees or representatives who create Accounts (see Section 4)
1.4 Processing Purposes
(a) Primary Purpose:
Enable Operator to deliver booked tours to Travelers, including:
- Confirming bookings and sending pre-tour information
- Communicating with Travelers about tour logistics
- Managing tour capacity and participant lists
- Handling cancellations and refunds
- Responding to customer service inquiries
(b) Secondary Purposes:
- Compliance with legal obligations (tax, anti-money laundering)
- Fraud prevention and dispute resolution
- Quality assurance and safety compliance
2. Respective Responsibilities
2.1 WeWander's Responsibilities as Joint Controller
(a) Platform Data Collection:
- Collect Traveler data via booking forms with transparent privacy notices
- Maintain Privacy Policy describing data processing practices
- Implement technical and organizational measures to secure Platform databases
- Process payments via PCI-DSS compliant payment processors (not sharing card data with Operator)
(b) Data Provision to Operator:
- Provide Operator with Traveler booking data necessary for tour delivery (Section 1.2)
- Ensure data transmitted to Operator is accurate and up-to-date
- Notify Operator of any Traveler data corrections or deletions
(c) Traveler Privacy Notices:
- Inform Travelers in Privacy Policy that their data will be shared with Operators for tour delivery
- Include clear consent mechanisms for data sharing
- Provide Travelers with links to Operator privacy policies (where available)
(d) Data Security:
- Encrypt data in transit (TLS 1.2+) and at rest (AES-256)
- Implement access controls limiting WeWander staff access to data on need-to-know basis
- Conduct regular security audits and vulnerability assessments
- Notify Operator of any data breaches affecting shared data within 24 hours
(e) Data Retention:
- Retain booking data for 7 years (Lithuanian tax law requirement)
- Delete or anonymize Traveler data upon request (see Section 3.3)
- Notify Operator when Traveler data is deleted from Platform
2.2 Operator's Responsibilities as Joint Controller
(a) Lawful Processing:
- Process Traveler data only for purposes described in Section 1.4
- Not use Traveler data for marketing or unrelated purposes without explicit Traveler consent
- Comply with GDPR principles (lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, integrity, confidentiality)
(b) Privacy Notice:
- Maintain a Privacy Policy (or Data Protection Notice) on Operator's own website (if applicable)
- If Operator does not have a separate privacy policy, WeWander's Privacy Policy covers the shared processing (Operator acknowledges this by accepting these Terms)
(c) Data Security:
- Implement appropriate technical and organizational measures to protect Traveler data:
  - Minimum Required: Password-protected devices, secure email, physical document security
  - Recommended: Encryption, access controls, regular software updates, staff training
- Not share Traveler data with unauthorized third parties
- Immediately notify WeWander of any data breach involving Traveler data (within 24 hours)
(d) Data Retention:
- Retain Traveler data only as long as necessary for tour delivery and legal compliance
- Delete Traveler data within 90 days after tour completion unless:
  - Legal obligation requires longer retention (e.g., tax records: 7 years)
  - Traveler has explicitly consented to longer retention (e.g., for repeat bookings)
- Securely delete data (permanent deletion, not just archiving)
(e) Third-Party Processors:
If Operator uses third-party service providers (e.g., calendar sync, CRM tools) that process Traveler data:
- Operator remains fully responsible for the third party's GDPR compliance
- Operator must ensure third party has adequate data protection safeguards
- Operator must have written contract with third party (Article 28 controller-processor agreement)
(f) Staff Training:
- Ensure staff handling Traveler data understand basic GDPR obligations
- Implement confidentiality obligations for staff with access to Traveler data
2.3 Prohibited Uses of Data
Operator Must Not:
- Use Traveler data to contact Travelers for marketing unrelated to booked tour
- Sell, rent, or license Traveler data to third parties
- Use Traveler data to circumvent Platform (e.g., re-booking same Traveler outside Platform)
- Combine Traveler data with other datasets for profiling or automated decision-making
- Transfer Traveler data outside EU/EEA without appropriate safeguards (Articles 44-50)
3. Data Subject Rights
3.1 Allocation of Responsibility
General Principle:
The party that receives a data subject request (DSR) is responsible for responding, but must coordinate with the other party if the request affects shared data.
3.2 WeWander-Led Responses
WeWander will handle the following requests:
(a) Access Requests (Article 15):
- Traveler requests copy of all data held about them
- WeWander provides: Account data, booking history, Platform activity
- WeWander notifies Operator if Traveler specifically requests data held by Operator
(b) Rectification (Article 16):
- Traveler requests correction of inaccurate data
- WeWander updates Platform records and notifies Operator within 2 business days
(c) Erasure/"Right to be Forgotten" (Article 17):
- Traveler requests deletion of data
- WeWander deletes Platform data and notifies Operator within 2 business days
- Operator must delete Traveler data within 14 days unless legal obligation requires retention
(d) Restriction of Processing (Article 18):
- Traveler requests temporary restriction on data use
- WeWander restricts Platform processing and notifies Operator
- Operator must comply with restriction
(e) Data Portability (Article 20):
- Traveler requests data export in machine-readable format
- WeWander provides export and notifies Operator if Traveler also wants Operator-held data
3.3 Operator-Led Responses
Operator will handle the following requests:
(a) Objection to Processing (Article 21):
- Traveler objects to specific use of data (e.g., post-tour follow-up emails)
- Operator must cease that processing unless compelling legitimate grounds exist
- Operator notifies WeWander of objection if it affects Platform functionality
(b) Operator-Specific Requests:
- Requests about Operator's own privacy practices
- Requests to unsubscribe from Operator marketing (if any)
3.4 Response Timelines
- Initial Response: Within 1 month of receiving request (Article 12(3))
- Complex Requests: May extend by 2 additional months with explanation to data subject
- Operator Assistance: If WeWander requests Operator assistance with DSR, Operator must respond within 7 business days
3.5 DSR Request Forwarding
If either party receives a DSR that should be handled by the other:
- Forward request within 2 business days
- Notify data subject of forwarding
- Provide contact details of correct party
3.6 Contact Point for Data Subjects
Travelers should submit data subject requests to:
- Email: privacy@wewander.tours
- WeWander will coordinate with Operator as needed
Supervisory Authority:
- State Data Protection Inspectorate of Lithuania (https://vdai.lrv.lt)
4. Operator Employee Data
4.1 Scope
When Operator creates an Account on WeWander Platform, Operator provides personal data of Operator's employees or representatives ("Operator Users").
4.2 WeWander as Sole Controller
For Operator User data (name, email, Account activity), WeWander is the sole controller:
- WeWander determines purposes and means of processing (Platform access, communications)
- Operator is the data subject (or employer of data subjects)
- WeWander's Privacy Policy applies
4.3 Operator Consent
By registering Operator Users, Operator represents that:
- Operator has obtained necessary consents from Operator Users
- Operator Users are aware their data will be processed by WeWander for Platform operations
- Operator will inform Operator Users of their rights under GDPR
5. Data Security
5.1 Technical and Organizational Measures
WeWander's Measures:
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Access Control: Role-based access, multi-factor authentication for admin accounts
- Monitoring: Automated intrusion detection, activity logging
- Backups: Daily encrypted backups with 30-day retention
- Incident Response: Security incident response plan with <24-hour breach notification
Operator's Minimum Required Measures:
- Device Security: Password/PIN protection on devices accessing Traveler data
- Email Security: Secure email provider (not plaintext unencrypted email)
- Physical Security: Secure storage for any printed Traveler data
- Access Limitation: Only authorized staff access Traveler data
- Confidentiality: Staff bound by confidentiality obligations
Operator's Recommended Measures:
- Full-disk encryption on devices
- Two-factor authentication on accounts with Traveler data
- Regular software updates and antivirus protection
- Staff GDPR training (e.g., free online courses)
- Incident response plan
5.2 Data Breach Notification
Operator Obligations:
If Operator experiences a data breach involving Traveler data:
(a) Immediate Notification to WeWander:
- Deadline: Within 24 hours of becoming aware of breach
- Method: Email to security@wewander.tours with "DATA BREACH" in subject line
- Information Required:
  - Nature of breach (e.g., lost laptop, email hack, unauthorized access)
  - Categories and approximate number of affected Travelers
  - Likely consequences and risks to Travelers
  - Measures taken or proposed to mitigate breach
(b) WeWander Coordination:
- WeWander will assess whether breach must be reported to supervisory authority (within 72 hours under Article 33)
- WeWander will determine whether affected Travelers must be notified (Article 34)
- Operator must cooperate with investigation and remediation
(c) Regulatory Reporting:
- If breach meets Article 33/34 thresholds, WeWander will handle supervisory authority and Traveler notifications
- Operator must provide all requested information for regulatory filings
Penalties for Non-Compliance:
- Failure to report breach within 24 hours: Up to €10,000 fine (Main Terms Section 10.6)
- Breach caused by Operator negligence: Full indemnification liability (Main Terms Section 15.8)
5.3 Sub-Processors
WeWander's Sub-Processors:
WeWander uses the following sub-processors (all EU-based or with Standard Contractual Clauses):
- Supabase (Database Hosting): EU region, GDPR-compliant
- Stripe (Payment Processing): PCI-DSS Level 1 certified
- Resend (Email Service Provider)
- Supabase (Cloud Infrastructure): EU region
WeWander will notify Operator of changes to sub-processors via email to Account email address. Operator may object within 30 days if new sub-processor raises GDPR concerns.
Operator's Sub-Processors:
Operator must notify WeWander of any sub-processors handling Traveler data:
- Email list of sub-processors to legal@wewander.tours within 30 days of acceptance of these Terms
- Notify WeWander of new sub-processors before engagement
- Ensure all sub-processors have Article 28 agreements in place
6. International Data Transfers
6.1 Default: EU/EEA Processing
Both parties agree to process Traveler data within the EU/EEA unless:
- Traveler is located outside EU/EEA (data originates outside EU)
- Transfer is necessary for tour delivery (e.g., tour in non-EU country)
- Appropriate safeguards are in place (Section 6.2)
6.2 Permitted Transfers Outside EU/EEA
Operator may transfer Traveler data outside EU/EEA only if:
(a) Adequacy Decision (Article 45):
- Destination country has EU Commission adequacy decision (e.g., UK, Switzerland, Japan)
OR
(b) Standard Contractual Clauses (Article 46):
- Operator implements EU Standard Contractual Clauses (SCCs) with data recipient
- Operator conducts Transfer Impact Assessment (TIA) if the recipient is in a country with government surveillance concerns
OR
(c) Derogations (Article 49):
- Transfer necessary for performance of contract with Traveler (e.g., delivering tour in USA)
- Traveler has explicitly consented to transfer
- Transfer necessary for establishment, exercise, or defense of legal claims
Prohibited Transfers:
- Ad-hoc transfers to non-adequate countries without safeguards
- Transfers for Operator's convenience (e.g., using non-EU CRM when EU option available)
Notification Requirement:
Operator must notify WeWander within 14 days of any non-EU data transfers, including:
- Destination country
- Legal basis for transfer (adequacy, SCCs, derogation)
- Copy of SCCs if applicable
7. Data Retention and Deletion
7.1 Retention Periods
WeWander Retention:
- Booking Data: 7 years from tour date (Lithuanian tax law)
- Account Data: Until Account deletion + 30 days
- Platform Activity Logs: 12 months
- Payment Records: 7 years (tax law)
Operator Retention:
- Tour Delivery Data: Delete within 90 days after tour completion
- Tax Records: Retain for period required by Operator's local tax law (typically 5-10 years)
- Legal Claims: Retain if necessary for active legal proceedings
7.2 Deletion Obligations
(a) Routine Deletion:
- Operator must implement automated or manual process to delete Traveler data after 90-day post-tour window
- Deletion must be permanent (not just archiving or soft-delete)
(b) Data Subject Erasure Requests:
- When WeWander notifies Operator of Traveler erasure request, Operator must delete data within 14 days
- Operator may retain data if legal obligation requires (e.g., tax records), but must restrict processing to compliance-only use
(c) Termination of Main Terms:
- Upon termination, Operator must delete all Traveler data within 30 days unless legal retention applies
- Operator must certify deletion in writing if requested by WeWander
7.3 Proof of Deletion
WeWander may request proof of deletion during audits (Main Terms Section 12). Operator must be able to demonstrate:
- Deletion schedule and procedures
- Logs or records showing data was deleted
- Staff training on deletion protocols
8. Audits and Compliance Verification
8.1 WeWander Audit Rights
WeWander may audit Operator's data protection practices under Main Terms Section 12:
- Frequency: Up to once per year (or after data breach)
- Scope: Data security measures, retention practices, sub-processor agreements
- Notice: 14 days' advance notice (or immediate if breach suspected)
8.2 Operator Cooperation
Operator must:
- Provide access to relevant records, policies, and documentation
- Allow interviews with staff handling Traveler data
- Respond to audit findings within 30 days
- Implement corrective measures for identified deficiencies within 60 days
8.3 Audit Costs
- Routine Audits: Operator bears own costs (staff time)
- Breach-Triggered Audits: Operator pays WeWander's reasonable audit costs if breach was caused by Operator negligence
9. Liability and Indemnification
9.1 Joint and Several Liability
Under GDPR Article 82:
- WeWander and Operator are jointly and severally liable to data subjects for damages caused by GDPR violations
- If one party pays compensation to a data subject, that party may claim back contribution from the other party based on fault allocation
9.2 Internal Allocation of Liability
Between WeWander and Operator:
(a) WeWander Liable:
- Breaches caused by WeWander's Platform security failures
- WeWander's failure to notify Operator of data corrections/deletions
- WeWander's sub-processor breaches
(b) Operator Liable:
- Breaches caused by Operator's data security failures
- Unauthorized use of Traveler data by Operator
- Operator's failure to notify data breaches
- Operator's sub-processor breaches
- Operator's failure to delete data as required
9.3 Indemnification
Main Terms Section 15.8 applies. In summary:
- Operator indemnifies WeWander for GDPR fines/penalties caused by Operator's violations
- Operator indemnifies WeWander for third-party claims arising from Operator's data misuse
Caps:
- General data protection breaches: €100,000 per incident
- No cap for willful misconduct or fraud
10. Term and Termination
10.1 Term
This DPA remains in effect for as long as Operator processes Traveler data obtained via WeWander Platform.
10.2 Effect of Main Terms Termination
If Main Terms are terminated:
- Operator must delete all Traveler data within 30 days (subject to Section 7.2(c))
- Operator must certify deletion if requested
- Sections 9 (Liability) and 7.2(c) (Legal Retention) survive termination
10.3 Data Return
Upon WeWander's request, Operator must return or securely destroy:
- Copies of Traveler data
- Documentation containing Traveler personal data
11. Amendments
11.1 GDPR Law Changes
If GDPR is amended or replaced, or if Lithuanian data protection laws change:
- WeWander may update this DPA by providing 30 days' notice via email
- Updated DPA will be posted on WeWander website
- Continued use of Platform after 30-day notice period constitutes acceptance
11.2 Regulatory Guidance
WeWander may update this DPA to reflect guidance from:
- European Data Protection Board (EDPB)
- State Data Protection Inspectorate of Lithuania
- Court of Justice of the European Union (CJEU)
11.3 Material Changes
Material changes (e.g., significant expansion of data sharing) require Operator's affirmative consent.
12. Contact and Cooperation
12.1 Data Protection Contacts
WeWander:
- Email: privacy@wewander.tours
- Responsible for coordinating DSRs, breach notifications, and compliance inquiries
Operator:
- Email: the email address registered to the Operator's Account
- Operator must respond to WeWander data protection inquiries within 7 business days
12.2 Supervisory Authority Inquiries
If either party receives an inquiry from a supervisory authority regarding shared processing:
- Notify the other party within 2 business days
- Cooperate in preparing responses
- Not make statements binding on the other party without prior consent
12.3 Dispute Resolution
Disputes regarding this DPA are governed by Main Terms Section 16 (Dispute Resolution).
13. Acknowledgment
By accepting the Main Terms, Operator acknowledges that:
- Operator has read and understood this Data Processing Agreement.
- Operator agrees to act as Joint Controller with WeWander under GDPR Article 26.
- Operator will implement appropriate technical and organizational measures to protect Traveler data.
- Operator will comply with data retention, deletion, and breach notification obligations.
- Operator understands that failure to comply with this DPA may result in:
  - Suspension or termination of Account (Main Terms Section 14)
  - Financial penalties (Main Terms Section 10.6)
  - GDPR fines from supervisory authority (up to €20 million or 4% of annual turnover)
  - Liability for damages to data subjects (Article 82)
- Operator will immediately notify WeWander at privacy@wewander.tours if Operator has questions or becomes unable to comply with this DPA.