Waystone

Privacy Policy

Last updated: June 12, 2026How Waystone collects, uses and protects your personal data.

Introduction

This policy describes how Waystone (published by Guillaume Cabrera, a sole trader) collects and processes your personal data when you use the Waystone mobile application (the "App") and the joinwaystone.com website (the "Site"), in accordance with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act.

Data controller

The data controller is Guillaume Cabrera, a sole trader, reachable at contact@joinwaystone.com. No Data Protection Officer (DPO) has been appointed; this contact remains your single point of contact for any question relating to your data.

Data we collect

We collect the following categories of data:

  • Account data: email address, password (encrypted), first and last name.
  • Trip content: trips, stages, destinations, activities, dates, notes, links and photos you create or import.
  • Collaboration data: members associated with a trip you share.
  • Push notification token: only if you enable notifications; revocable at any time.
  • Subscription data: Premium status and purchase-receipt validation (no payment-card data is collected; payments are handled by Apple and Google).
  • Technical data: connection and security logs.
  • Site analytics: browsing data, only if you consent.

Purposes

  • Create and manage your account.
  • Enable the creation, sharing and collaboration on your trips.
  • Display destination information (descriptions, photos, maps, points of interest) and previews of the links you add.
  • Manage your Premium subscription and validate purchases.
  • Send you push notifications (with your consent).
  • Measure site audience (with your consent).
  • Ensure the security of the Service and prevent abuse.
  • Comply with our legal obligations.

Legal bases (GDPR)

  • Performance of the contract: account management, provision of trip features and the subscription (Art. 6(1)(b)).
  • Consent: push notifications and site analytics — withdrawable at any time (Art. 6(1)(a)).
  • Legitimate interest: security, fraud and abuse prevention (Art. 6(1)(f)).
  • Legal obligation: retention of certain records (Art. 6(1)(c)).

Storage and security

Your data is hosted on Supabase infrastructure located within the European Union (Ireland). We implement appropriate security measures: encryption in transit (HTTPS/TLS), password encryption, and database-level access isolation (Row Level Security) ensuring each user can only access their own trips and those shared with them.

Collaboration and third-party data

When you invite someone to collaborate on a trip, they must create their own account to access it and thereby accept this policy on their own behalf. You remain responsible for the content and data you share with other members of a trip.

Recipients and processors

We do not sell or rent your data. It may be processed by the following providers, solely to deliver the Service:

  • Supabase — database hosting, authentication and storage (European Union, Ireland).
  • Vercel — website hosting (United States).
  • Expo — delivery of push notifications (United States).
  • Apple — collection and validation of subscriptions via the App Store (United States).
  • Google — Android distribution and site analytics (United States).
  • Microlink — extraction of metadata from the links you add (United States).
  • Wikipedia / Wikimedia and OpenStreetMap (Nominatim, Overpass, map tiles) — destination information and mapping; only technical parameters (place name, coordinates, language) are transmitted, never your account data.

Data retention

Your data is retained for as long as your account is active. An account-deletion feature is available in the App: your data is then deleted within a maximum of 30 days, unless a legal retention obligation applies. Technical logs are kept for up to 12 months.

Transfers outside the European Union

The primary hosting of your data (Supabase) is located within the European Union. Some providers (Vercel, Expo, Apple, Google, Microlink, Wikimedia) are established in the United States. These transfers are framed by appropriate safeguards within the meaning of Articles 44 et seq. of the GDPR: the European Commission's Standard Contractual Clauses and/or adherence to the Data Privacy Framework (EU-U.S. DPF).

Minors

The Service is not intended for children. You must be at least 15 years old to create an account. If we learn that an account has been created by a child under 15 without the consent of the holder of parental authority, we will delete it. To report this: contact@joinwaystone.com.

Your rights (GDPR)

You have the following rights over your personal data:

  • Right of access: obtain a copy of the data we hold about you.
  • Right to rectification: correct inaccurate or incomplete data.
  • Right to erasure: request the deletion of your data.
  • Right to restriction of processing.
  • Right to portability: receive your data in a structured, machine-readable format.
  • Right to object to processing based on legitimate interest.
  • Right to withdraw your consent at any time, without retroactive effect.
  • Right to lodge a complaint with the CNIL (www.cnil.fr) or your local data protection authority.

To exercise these rights: contact@joinwaystone.com. We will respond within one month.

Cookies and trackers

The joinwaystone.com website uses analytics cookies (Google Analytics) that are only set after your consent, collected via a dedicated banner and withdrawable at any time. Cookies strictly necessary for the operation of the site do not require consent. The mobile application does not use advertising cookies.

Changes

This policy may be updated. Any substantial change will be notified to you through the Service, and the "last updated" date at the top of this page will be revised.

Contact

For any question or to exercise your rights: contact@joinwaystone.com