Privacy Policy
Effective May 12, 2026
This Privacy Policy explains how Wayfare (“we”, “us”) collects, uses, stores, and discloses information about you when you use our travel-expense splitting application (the “Service”). By using the Service you consent to the practices described here.
1. Information We Collect
Account information. When you create an account we collect your email address, display name, and password (stored as a salted hash via Amazon Cognito; we never see the plaintext). If you sign in with Google, we receive your email, name, and a stable Google user identifier in lieu of a password.
Content you create. Groups, trips, expenses, settlement records, recurring expenses, activity history, and any metadata you attach to them (descriptions, categories, notes, receipt images, currency, dates, member assignments).
Usage data. Server logs (IP address, request paths, timestamps, user agent) used for security, abuse prevention, and debugging. We do not use third-party analytics or advertising trackers.
Device data. A randomly generated client identifier stored on your device to support offline sync. Forex rates and cached records stored in your browser’s IndexedDB to enable offline use.
2. How We Use Your Information
- Authenticate you and keep your session secure.
- Provide the core features of the Service (groups, expenses, settlements, trip planning, recommendations).
- Compute balances and produce expense analytics for groups you belong to.
- Send transactional emails (email verification, password reset, settlement notifications).
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
We do not sell, rent, or share your personal data for advertising. We do not profile you for third-party marketing.
3. Service Providers and Third Parties
We use the following service providers strictly to operate the Service. Each receives only the data necessary for its function and is bound by its own privacy commitments:
- Amazon Web Services (Cognito, DynamoDB, S3, CloudFront, KMS) — hosting, authentication, storage.
- Google — Sign-in with Google (OAuth 2.0).
- Open Exchange Rates — currency conversion rates.
- Foursquare, Geoapify, Unsplash — destination data, place lookups, images.
- Aviationstack — flight tracking if you choose to track a flight.
- Anthropic — AI-generated itinerary suggestions, only when you explicitly request them.
We may disclose information to law enforcement or regulators if required by a valid legal process.
4. International Data Transfers
We are based in the Philippines. Our primary databases are hosted in AWS Asia Pacific (Tokyo). Some service providers process data in the United States, the European Union, and elsewhere. By using the Service you consent to this cross-border processing.
5. Data Retention
We retain account and content data for as long as your account is active. If you delete your account, we delete your personal identifiers within 30 days, except where retention is required by law (e.g., financial-record-keeping obligations) or to resolve disputes.
Aggregated, anonymized statistics that cannot be tied back to you may be retained indefinitely.
6. Your Rights
Under the Philippines Data Privacy Act of 2012 and applicable equivalents you may:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Export your data in a portable format.
- Delete your account and associated personal data.
- Object to specific processing.
- Withdraw consent at any time (some features may stop working).
- Lodge a complaint with the National Privacy Commission.
To exercise any of these rights, email us at hello@ctlyst.pro. You can delete your account directly from the in-app Settings page.
7. Security
We use TLS for all data in transit. Passwords are managed by Amazon Cognito and never stored or seen in plaintext by us. Refresh tokens are stored in httpOnly cookies. Access tokens are kept in memory and never persisted to local storage. We encrypt sensitive identifying information at rest using AWS KMS where applicable. We follow standard industry practices, but no system is perfectly secure — if you suspect your account has been compromised, contact us immediately.
8. Children
The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, contact us and we will delete it.
9. Cookies and Similar Technologies
We use a small number of strictly necessary cookies: one for the refresh-token session (httpOnly, Secure, SameSite), and one for a CSRF token. We do not use advertising cookies or third-party analytics cookies. Your browser’s IndexedDB stores cached application data on your device to enable offline use; clearing it from your browser is safe and only forces a re-fetch from the server.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will revise the “Effective” date above and, when changes are material, notify you in-app or by email. Continued use of the Service after the effective date constitutes acceptance.
11. Contact
For privacy questions or to exercise any rights described above, contact us at hello@ctlyst.pro.