Privacy Policy
Effective: April 6, 2026 | Last updated: April 6, 2026
1. Who We Are
WanderSafe is operated by Wandering With Pride Inc., a US 501(c)(3) nonprofit organization. Data controller: Michael Eisinger, michael@wanderingwithpride.com.
2. What We Collect
| Data | When | Purpose | Stored Where | Retention |
|---|---|---|---|---|
| Page visits (aggregate, no user identifiers) | All site visits — automatic | Analytics (Cloudflare Web Analytics — no cookies, no personal data) | Cloudflare | Rolling 30 days |
| Page visits (device, browser, session) | After accepting cookies via consent banner | Analytics (Google Analytics 4 — consent-gated) | Google (US) | Up to 14 months per GA4 default |
| Email address | Newsletter signup | Deliver safety alerts and updates | Buttondown (processor) | Until unsubscribe |
| Email address | Premium subscription | Payment + alert delivery | Stripe + Buttondown | Until cancellation + 30 days |
| Community report content | Submitting a safety report via Tally.so form | Publish anonymized safety intelligence | Cloudflare D1 | Indefinite (anonymized) |
| Reporter name + email | Submitting a report (optional) | Follow-up on critical reports only | Not stored in database | Deleted after follow-up or 30 days |
| Contact message content + email | Submitting the contact form | Respond to inquiries | Formspree (processor) | Per Formspree retention policy |
| Gender identity, citizenship (optional) | Enabling personalized safety scores (if active) | GDPR Article 9 explicit consent — personalize risk scoring | Browser localStorage only — not transmitted | Until cleared by user |
3. Sensitive Data (GDPR Article 9)
WanderSafe serves LGBTQ+ travelers. By using the platform, your browsing behavior may imply information about your sexual orientation or gender identity. We treat this with the highest level of care:
- We do not require identity disclosure to use the platform
- We do not track which destination pages you visit in any personally identifiable way
- Aggregate analytics (Cloudflare Web Analytics) do not include user identifiers
- Google Analytics 4 is only activated after you grant explicit cookie consent; it collects device and session data but does not receive your LGBTQ+ identity information
- If you choose to enable personalized safety scores, you may optionally provide gender identity and citizenship information. This data is used solely to adjust your score display and is stored in your browser's localStorage only — it is never transmitted to our servers or any third party. This processing relies on your explicit consent under GDPR Article 9(2)(a). You may withdraw consent and clear this data at any time via your browser settings.
- Any future demographic personalization features will require explicit, granular, purpose-specific consent before any data is collected — per GDPR Article 9(2)(a)
4. Community Report Privacy
Community reports are submitted through Tally.so. When you submit a report:
- Your name and email (if provided) are extracted for follow-up purposes only
- Name and email are not stored in the WanderSafe database
- Your report is anonymized before database insertion
- AI validation (Claude Haiku) scores report plausibility but does not receive your identity
- A human reviewer sees the anonymized report; they do not see your identity unless follow-up is needed for a critical safety report
- Published reports show destination, date, and content only -- never reporter identity
Threat model for reporters in hostile jurisdictions
We recognize that submitting a community report about LGBTQ+ safety in a country that criminalizes homosexuality carries real risk. Our protections:
- Reporter identity is never published, even with consent
- Reports do not contain IP addresses in the database
- Tally.so processes the form submission; their privacy policy applies to form processing
- We recommend submitting reports after leaving the destination, not while there
- We recommend using a VPN when submitting reports about high-risk destinations
5. Data Processors
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Cloudflare | Hosting, CDN, Workers, D1 database, and Cloudflare Web Analytics (automatic, cookieless, no personal data) | Page requests, database records | Global edge network |
| Google (GA4) | Site analytics — activated only after cookie consent | Session data, device type, pages visited (no LGBTQ+ identity data) | US |
| Buttondown | Email newsletter delivery | Subscriber email addresses | US |
| Stripe | Payment processing | Payment method, email | US |
| Tally.so | Community report form submissions | Form submissions (name/email stripped before database insertion) | EU (Belgium) |
| Formspree | Contact form submissions | Message content and sender email | US |
| Equaldex | Legal status data API (destination legal data only — no user data sent) | No user data transmitted | US |
| Anthropic (Claude) | AI classification of report validity | Anonymized report text only | US |
6. Your Rights
You may:
- Access your data -- email us to request what we hold
- Delete your data -- unsubscribe from newsletter; request community report removal
- Correct your data -- email us with corrections
- Object to processing -- email us; we will comply within 30 days
- Port your data -- we will provide your data in a standard format on request
For all requests: michael@wanderingwithpride.com
7. Data Retention
- Destination data (legal status, scores, alerts): retained indefinitely (public interest)
- Community reports (anonymized): retained indefinitely
- Subscriber email: retained until unsubscribe + 30 days
- Agent run logs: 90 days
- Reporter contact info: deleted after follow-up or 30 days, whichever is sooner
8. Cookies and Tracking
WanderSafe uses:
- A cookie consent banner (required for EU compliance) — you must accept before analytics cookies are set
- Cloudflare Web Analytics (automatic on all visits — privacy-preserving, no cookies, no personal data, no user identifiers)
- Google Analytics 4 (consent-gated — only loads and sets cookies after you accept via the cookie banner; not active if you decline)
- localStorage for user preferences (identity filter, personalized score settings, PWA state, cookie consent choice) — never transmitted to any server
We do not use Facebook Pixel, advertising cookies, retargeting pixels, or any tracking technology beyond those listed above.
9. Children
WanderSafe is not directed at children under 13. We do not knowingly collect data from children.
10. Changes
We may update this policy. Material changes will be noted with an updated effective date. For significant changes affecting data handling, we will notify newsletter subscribers.
11. Contact
Wandering With Pride Inc.
9437 Georgia Ave, Apt 6
Silver Spring, MD 20910
michael@wanderingwithpride.com