Privacy Policy

Last updated 7 June 2026

This Privacy Policy explains how Weego (“we”, “us”) collects, uses, and protects your personal data when you use our travel-planning and journaling service at goweego.com (the “Service”). We are the data controller for the purposes of the EU General Data Protection Regulation (GDPR).

1. What we collect

  • Account data: your email address and display name.
  • Trip content: trip titles, dates, destinations, activities, notes, and journal entries you create.
  • Photos: images you upload, including any embedded EXIF metadata such as GPS coordinates (see §5).
  • AI assistant data: the conversation history and trip context you share with our AI planning assistant.
  • Technical data: IP address, browser type, and security-related events (see §8) needed to operate and protect the Service.

2. What we do not collect

  • Payment details: when paid plans launch, payments are handled by our payment processor; we never see or store your card number.
  • Your password: we store only a salted bcrypt hash, never the plaintext password.

3. How we use your data and our legal bases

  • To provide the Service (creating your account, storing and displaying your trips and photos) — performance of a contract, GDPR Art. 6(1)(b).
  • To power AI suggestions you request — performance of a contract, Art. 6(1)(b).
  • To keep the Service secure (rate limiting, abuse prevention, audit logging) — legitimate interest, Art. 6(1)(f).
  • To send transactional email (password resets, security notices) — performance of a contract and legitimate interest.

4. Where your data is stored

All application data is hosted within the European Union. Our backend and database run on Fly.io in the Amsterdam/Frankfurt region, and uploaded media is stored in Cloudflare R2 under EU jurisdiction. A small number of subprocessors may process limited data; see our subprocessor list.

5. Photos and location metadata

Photos often contain EXIF metadata, including GPS coordinates. We preserve this metadata by default because it powers the map view of your journals and the location accuracy of your trips. You choose what to upload, and you can delete any photo at any time. If you do not want location data shared, remove EXIF data before uploading.

6. Data retention

  • Active accounts: your data is kept for as long as your account is active.
  • Deleted accounts: when you delete your account, your data — including trips, photos, and AI conversation history — is permanently erased within 30 days.
  • Security logs: retained only as long as necessary for security and abuse prevention.

7. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”).
  • Port your data — receive a copy in a portable format.
  • Restrict or object to certain processing.
  • Lodge a complaint with your competent data-protection supervisory authority.

To exercise any of these rights, contact us at [email protected].

8. Security and access logging

Data is encrypted in transit (TLS) and at rest. Passwords are hashed with bcrypt. To protect your account, we maintain an audit log of security-relevant events — including login successes and failures, password-reset requests, and any administrative access to a non-admin user’s data. Each entry records the event type, the user and (where applicable) administrator involved, an IP address, and a timestamp. The lawful basis for this logging is our legitimate interest in the security and integrity of the Service (Art. 6(1)(f)).

9. Breach notification

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (the Austrian Datenschutzbehörde) within 72 hours of becoming aware of it, and will inform affected users without undue delay (GDPR Art. 33–34).

10. Cookies

We use strictly necessary cookies to keep you signed in (secure, httpOnly authentication cookies). We do not use advertising or cross-site tracking cookies. Our product analytics, where used, are cookieless.

11. Children

The Service is not directed to children under 16. By creating an account you confirm that you are at least 16 years old. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you within the Service.

13. Contact

Questions about this policy or your data? Email [email protected].