Privacy Policy
This policy explains what personal data TravelWavi collects, how we use it, who we share it with, and what your rights are. It applies to the TravelWavi iOS app and the website travelwavi.com. It is drafted to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the Israeli Privacy Protection Law, 5741-1981 (in particular Amendment 13, 5784-2024), and the California Consumer Privacy Act (CCPA / CPRA) where applicable.
1. Who we are
TravelWavi is operated by Avi Yair, Israel (sole proprietor). For privacy questions: privacy@travelwavi.com. Database type: hybrid manual + automated. Database purpose: managing a community travel-companion service. Data is stored in cloud infrastructure (see §4 sub-processors).
2. What data we collect
| Category | Examples | Purpose |
|---|---|---|
| Account | Email, display name, avatar, country, optional birthday, gender, preferred language | Service operation |
| Activity | Pins you posted, tips you wrote, chat messages, saved places, itineraries, expenses, achievements | Service operation |
| Location | Coarse (country) and precise (with permission) | Showing nearby pins; auto country detection |
| Photos | Photos you attached to pins or tips. EXIF metadata (including GPS coordinates) is stripped at upload before storage. | Displaying your content |
| Third-party identity | OAuth identifiers from Apple / Google / Instagram | Authentication |
| Diagnostics | Crash reports, performance metrics, anonymized usage events | Operation, troubleshooting, product improvement |
3. Lawful bases (GDPR Art. 6 + Israeli Privacy Protection Law §1)
- Consent: location, photos, analytics. You may withdraw consent at any time per §11 of the Israeli Privacy Protection Law.
- Contract: managing your account per the Terms of Service.
- Legitimate interest: fraud prevention, abuse monitoring, basic security telemetry.
- Legal obligation: CSAM detection and reporting under 18 U.S.C. §2258A and EU DSA Article 18; subscription verification logs under tax retention rules.
4. Sub-processors
We share data with the following service providers under written data-processor agreements:
- Google Firebase: authentication, database, file storage, crash reporting (US, EU-US Data Privacy Framework).
- Google Gemini: AI summaries and itinerary generation (US; paid tier configured to NOT retain customer data for model training).
- Google Cloud Translation: automatic translation of community content (US).
- Apple: Sign in with Apple, App Store payments, push notifications.
- Meta / Instagram: optional Instagram OAuth login (only used if you connect).
5. Data retention (Israeli Privacy Protection Law §17ד)
- Profile data: until you delete your account.
- Chat messages: 24 months, then automatically purged.
- Place pins and tips: until you delete the content or your account.
- Diagnostic data: 90 days.
- AI telemetry (aiCallTelemetry): user identifiers are SHA-256 hashed before storage, so the user cannot be identified from telemetry alone.
- Subscription records: retained 7 years for tax / accounting law compliance.
6. Your rights (Israeli Privacy Protection Law §13 + GDPR Articles 15–22)
Depending on your location, you may have rights under GDPR (EU / EEA / UK), the Israeli Privacy Protection Law, or CCPA / CPRA (California). Specifically:
- Access: request a copy of your data (in-app: Settings → Request my data; returns a structured JSON file).
- Rectification: correct inaccurate data via Settings → Profile or by emailing us.
- Erasure (right to be forgotten): delete your account in-app: Settings → Delete my account. We complete cascade deletion within 30 days, including Storage photos, AI feedback entries, and group-split member references.
- Portability: request a machine-readable export (covered by Access above).
- Objection: to processing based on legitimate interest.
- Withdrawal of consent: for analytics, location, or notifications, in Settings.
- Complaint: to the Israeli Privacy Protection Authority, your local EU Data Protection Authority, or the UK Information Commissioner's Office.
To exercise these rights, email privacy@travelwavi.com. We respond within 30 days.
7. International data transfers (Israeli Privacy Protection Law §17ב + GDPR Art. 44)
Most processing occurs on Google Cloud (US) under the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs). Israeli users benefit from Israel's EU adequacy decision (2011, renewed 2024). Transfers from Israel to the US are made under Israeli Privacy Protection Law §17ב(1)(ה).
8. Children (Israeli Privacy Protection Law §1; GDPR Art. 8)
TravelWavi is intended for users aged 16 and over worldwide. We do not knowingly collect personal data from anyone under 16, regardless of jurisdiction. This policy is stricter than the US COPPA threshold (age 13) and matches the GDPR Art. 8 default for the EEA. If you believe a minor under 16 has registered, email privacy@travelwavi.com and we will delete the account within 30 days.
9. Security (Israeli Privacy Protection Law §17 + Privacy Protection (Information Security) Regulations, 5777-2017)
We use TLS 1.3 in transit, encrypted cloud storage at rest, Firebase App Check to deter unauthorized clients, and server-side rate limits enforced on AI calls. EXIF GPS metadata is stripped from uploaded photos. User identifiers in telemetry are SHA-256 hashed at write. No system is fully secure; please use a strong password and enable biometric authentication on your device.
10. Security incident notification (Israeli Privacy Protection Law §17ה, Amendment 13)
In the event of a security incident involving sensitive personal data (children's data, health, biometric data, precise location), we are committed to notifying the Israeli Privacy Protection Authority within 24 hours of discovery, and affected users as soon as reasonably possible per the law. For other GDPR-covered breaches we notify the relevant supervisory authority within 72 hours per GDPR Art. 33.
11. Content moderation and CSAM
As a user-generated content platform, we are subject to the legal obligation under 18 U.S.C. §2258A (US) and EU Digital Services Act Article 18 to detect, preserve, and report Child Sexual Abuse Material (CSAM) to the National Center for Missing & Exploited Children (NCMEC) within 24 hours of becoming aware. Reports are routed via the founder's critical-alert push pipeline and triaged via the workflow documented in our internal Incident Response procedure.
12. CCPA / CPRA · California residents
California residents have additional rights under CCPA / CPRA: the right to know, delete, correct, opt out of sale or sharing of personal information, and non-discrimination. TravelWavi does not sell or share personal information for cross-context behavioral advertising. To exercise CCPA rights, email privacy@travelwavi.com; we will not discriminate against you for exercising any right.
13. Changes to this policy
We post material changes here and notify users in-app at least 14 days before they take effect.
14. Contact
Email: privacy@travelwavi.com or postal address: TravelWavi, Israel.
15. Key legal citations
- Israeli Privacy Protection Law, 5741-1981, §§1, 11, 13, 17, 17ב, 17ד, 17ה.
- Privacy Protection (Information Security) Regulations, 5777-2017.
- Israeli Consumer Protection Law, 5741-1981, §§14, 14ג, 14ג1.
- EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
- UK GDPR and Data Protection Act 2018.
- EU Digital Services Act, Regulation (EU) 2022/2065, Article 18.
- 18 U.S.C. §2258A (US CSAM reporting).
- California Consumer Privacy Act (CCPA, Cal. Civ. Code §1798.100 et seq.) as amended by CPRA.