Wayspot

Privacy Policy

Last updated: May 11, 2026

Who runs Wayspot

Wayspot is a personal project built and maintained by John Xavier, an independent developer. It is not operated by a company. There is no team, no investors, and no advertising business behind it.

For the purposes of the EU GDPR, India's DPDP Act, the UK GDPR, and similar laws, John Xavier is the "data controller" for the information described below.

Contact: support@wayspot.in

What data is collected

Wayspot is intentionally minimal. There is no advertising, no analytics SDK, no crash-reporting SDK, and no tracking of any kind. Specifically:

Account data

When you sign in with Sign in with Apple or Sign in with Google, the following is stored on the Wayspot server:

  • Your name (from Apple on first sign-in, or from Google)
  • Your email address (or Apple's private relay address)
  • A stable user identifier from Apple or Google
  • Your profile photo URL (initially from Google, or one you upload)
  • An Apple refresh token, kept only on the server and never shown to anyone, used solely to revoke Apple access when you delete your account

If Apple withholds your email via Private Relay, the relay address is what we receive. If Apple provides no email at all, a placeholder address such as apple_<id>@noemail.invalid is generated so the account can exist; it is never used to contact you.

Content you create

  • Favourites — which destinations you saved.
  • Itineraries — itinerary name, start/end dates, the destinations in them, and any times you set.

Profile photo (optional)

If you tap your avatar in Profile and pick a photo, it is uploaded to Cloudinary (see Third parties). Cloudinary images are served from a public HTTPS URL — anyone who has that URL can view the image. The URL is not published anywhere, but treat the photo as you would any photo on a public link.

Location

If you grant location permission, the app reads your coarse location (kilometre-level accuracy) to sort destinations by distance. Today this happens entirely on your device — your location is not sent to the server and is not stored. If this ever changes in the future (for example, if sorting moves server-side for performance), this policy will be updated and the app will ask for your consent before any location data leaves your device.

Technical data

The hosting provider (Render) writes standard web-server logs — IP address, user-agent, request path, response status, timestamp — for every API call. These are managed by Render, not by Wayspot, and are not linked back to your account.

What is not collected

Date of birth, phone number, postal address, payment information, contacts, photos beyond the avatar you choose, calendar data, precise location, advertising identifiers, push tokens, crash data, analytics events, or any information about other apps on your device.

The iOS app's PrivacyInfo.xcprivacy manifest declares no tracking and no tracking domains. If crash reporting or analytics are ever added in the future, this policy will be updated, the App Store privacy declaration will be updated, and where consent is required, you will be asked in-app before any data is sent.

How the data is used

PurposeLegal basis (GDPR / DPDP)
Sign you in and keep you signed inPerformance of a contract
Sync your favourites and itineraries across devicesPerformance of a contract
Show your name and avatar in the appPerformance of a contract
Revoke our Apple Sign-In grant when you delete your accountLegal obligation (required by Apple)
Reply to support emailsLegitimate interest
Comply with a valid legal requestLegal obligation

Your data is not used for advertising, profiling, automated decisions, or training any AI model.

Third parties

Your data is shared only with the services that are strictly required to run Wayspot. Each one acts as a processor.
ProviderWhat they receiveWhyRegion
Apple Inc.Account data when you use Sign in with AppleAuthenticationUSA
Google LLC (Google Sign-In SDK)Account data when you use Sign in with GoogleAuthenticationUSA
Render Services, Inc.All API traffic, including account data, favourites, itineraries, and incidental technical dataApp hosting (web service and PostgreSQL)USA (Oregon)
Cloudinary Ltd.Avatar images you uploadImage hostingGlobal CDN
Apple App StoreStandard app-distribution data handled by AppleApp distributionUSA

Your data is not sold, and is not shared with advertisers, data brokers, or analytics providers.

International data transfers

The Wayspot server is hosted in the United States. If you use the app from outside the US — including from India, the EU, or the UK — your personal data is transferred to and processed in the United States. For EU and UK users, this transfer relies on the Standard Contractual Clauses offered by the processors above.

How long the data is kept

  • Account, favourites, itineraries: as long as your account exists. Deleted within 7 days of account deletion.
  • Avatar image on Cloudinary: deleted within 7 days of account deletion.
  • Apple refresh token: used once during account deletion to revoke Apple access, then removed with the account.
  • Render web-server logs: per Render's policy (typically 30 days). Not aggregated or analysed by Wayspot.

When you delete your account, the user row and all linked itineraries, itinerary destinations, and favourites are removed from the database. Any session token already on your device becomes useless on next use.

Security

  • Session tokens on your device are stored in the iOS Keychain (encrypted by the operating system).
  • All API traffic is HTTPS only (TLS).
  • The connection to the PostgreSQL database is TLS-encrypted.
  • The Apple refresh token is held only on the server, never sent to the app.

No system is perfectly secure. If a breach affecting your data ever occurs, affected users will be notified without undue delay, as required by law.

Your rights

You have the right to:
  • Access the data held about you
  • Correct inaccurate data (you can edit your name and avatar in the app)
  • Delete your account and all associated data
  • Export your data in a machine-readable format (on request)
  • Restrict or object to certain processing
  • Withdraw location consent at any time in iOS Settings
  • Lodge a complaint with your local data-protection authority (EU: any EU supervisory authority; UK: the ICO; India: the Data Protection Board)

To delete your account, in-app is fastest:
Profile → Account settings → Delete Account.

This triggers the server to revoke our Apple Sign-In grant (where applicable) and permanently remove your data. You can also email support@wayspot.in and the deletion will be actioned within 7 days.

For any other right, email support@wayspot.in. Responses are typically within a few days and always within 30.

Children

Wayspot is not directed to children under 13 and does not knowingly collect personal data from anyone under 13. The minimum age for the App Store account used to download Wayspot is enforced by Apple. If you believe a child under 13 has provided data, email support@wayspot.in and it will be deleted within 7 days.

Cookies

The iOS app uses no cookies. The website at wayspot.in uses only strictly-necessary cookies. There is no analytics and no tracking.

Changes to this policy

This policy may change. The "Last updated" date at the top reflects the latest revision. Material changes — especially any new data collection or new processor — will be announced in the app and, where the law requires it, will take effect only after fresh consent.

Contact

Questions about this policy or your data: support@wayspot.in

Wayspot is built and maintained by John Xavier as a personal project.