Privacy Policy

1. Controller

Exerlyze UG (haftungsbeschränkt), represented by the managing director Mr. Markus Kurbel Stresemannallee 63, 60596 Frankfurt am Main, Germany

Contact email: mail@exerlyze.com

2. Scope / Overview

This Privacy Policy applies to the mobile app Waylore (iOS/Android).

For the website privacy policy, see exerlyze.com Privacy Policy.

Waylore is an AI-powered trip planning application that helps you discover and organize travel itineraries.

3. Data We Collect

3.1 Account Data

When you create an account, we collect:

Email address (for email/OTP authentication)
Google account information (if you sign in with Google): name, email, profile picture

Purpose: Account creation, authentication, and communication. Legal basis: Art. 6(1)(b) GDPR (contract performance).

3.2 Trip and Itinerary Data

When you use the app, we collect and store:

Trip destinations (geographic regions you want to visit)
Trip preferences (interests, kids-friendly, activity intensity, walking tolerance)
Generated itineraries (daily schedules, points of interest, activities)
Trip duration (number of days)

Purpose: Generating personalized travel itineraries and providing the core service. Legal basis: Art. 6(1)(b) GDPR (contract performance).

3.3 Chat and Conversation Data

When you use the AI chat feature:

Chat messages are stored encrypted (AES-256-CBC)
Conversation context (which trip or POI the chat relates to)

Purpose: Providing AI-assisted trip planning and maintaining conversation history. Legal basis: Art. 6(1)(b) GDPR (contract performance). Security: All chat messages are encrypted at rest using AES-256-CBC encryption with a master key stored securely in Supabase Vault.

3.4 Usage Data

We track anonymized usage for rate limiting and service operation:

API call counts (itinerary generation, chat messages)
Token usage for AI services

Purpose: Rate limiting, service stability, and cost management. Legal basis: Art. 6(1)(f) GDPR (legitimate interests).

3.5 Feedback Data

If you submit feedback or bug reports:

Your message content
Related trip/itinerary context (optional)

Purpose: Improving the service and resolving issues. Legal basis: Art. 6(1)(f) GDPR (legitimate interests).

3.6 Device Location

When you actively use the map's location feature, Waylore may access your device's approximate or precise location.

Data processed: Approximate or precise device location and, where available, an associated accuracy value
Purpose: Centering the map on you, showing your current position, and optionally following your position while the map is open
Optional use: Location access is optional, user-initiated, and not required for the core use of the app
Storage: Waylore does not store your device coordinates in its own database
No advertising / analytics use: Device location is not used for advertising or analytics and is not shared for advertising purposes

Legal basis: Art. 6(1)(b) GDPR (providing the map feature you requested); where required, your device permission / consent.

4. Third-Party Services

4.1 Supabase (Database and Authentication)

We use Supabase to store your data and handle authentication.

Data processed: All user data described above
Email delivery: For authentication and other service-related emails sent via Supabase, we use Resend as SMTP provider. For this purpose, Resend processes the recipient email address, the message content required for delivery, and technical email metadata that arises during transmission and delivery.
Location: EU (AWS eu-central-1 / Frankfurt)
Privacy Policy: supabase.com/privacy
SMTP provider privacy policy: resend.com/legal/privacy-policy

4.2 RevenueCat (Subscription Management)

We use RevenueCat to process in-app purchases and subscriptions.

Data processed: Subscription status, product IDs, purchase timestamps, user identifiers
Purpose: Managing subscriptions and payment processing
Privacy Policy: revenuecat.com/privacy

4.3 OpenRouter / AI Providers

We use OpenRouter as a proxy to AI language models for generating itineraries and chat responses.

Data processed: Trip preferences, destination information, chat messages (for inference only)
Purpose: AI-powered itinerary generation and chat assistance
Note: Data is processed for inference and not retained by AI providers beyond the request

4.4 OpenStreetMap

We use OpenStreetMap data for points of interest and geographic information.

Data processed: No personal data; only public POI data is retrieved
License: Open Database License (ODbL)

4.5 Stadia Maps

We use Stadia Maps to render the interactive base map.

Data processed: Requests for map tiles, fonts, sprites, and related map assets; IP address and technical request metadata that arise from those requests; the viewed map area may indirectly reflect location when the map location feature is used
Purpose: Rendering and operating the interactive map
Privacy Policy: stadiamaps.com/privacy/privacy-commitment/

4.6 Firebase Analytics and Firebase Crashlytics

On iOS/Android, we may use Firebase Analytics and Firebase Crashlytics if you enable them in the app.

Data processed: Analytics events, app and device information, crash diagnostics, and technical identifiers needed to operate these services
Purpose: Understanding app usage and improving app stability
Activation: Disabled by default and only activated after your consent; you can change this choice later in the app settings
Advertising: Not used for ad personalization
Privacy Policy: firebase.google.com/support/privacy

5. Data Retention

Account and trip data: Retained until you delete your account
Chat messages: Retained until you delete your account (encrypted at rest)
Usage logs: Retained for billing and rate limiting purposes
Device location for the map feature: Not stored in Waylore's own systems and therefore not retained by Waylore

6. Data Deletion

You can delete your account and all associated data at any time through the app settings. Upon account deletion, we permanently remove:

Your profile and account information
All trips and itineraries
All chat messages
Usage logs and rate limit data
Feedback submissions
Cached AI responses

Account deletion is immediate and irreversible. See our Data Removal page for instructions.

7. Data Security

We implement appropriate security measures:

Encryption in transit: All data transmitted over HTTPS/TLS
Encryption at rest: Chat messages encrypted with AES-256-CBC using a master key stored in Supabase Vault
Access control: Row-level security ensures users can only access their own data
Authentication: Secure JWT-based session management

8. Cookies and Tracking

We do not use advertising networks or ad tracking tools in Waylore.

The website does not use tracking cookies or advertising tools.

On iOS and Android, the mobile app can optionally use Firebase Analytics and Firebase Crashlytics to understand app usage and improve app stability. Both services are disabled by default and are only activated after you grant consent. You can change this choice later in the app settings.

Firebase Analytics and Firebase Crashlytics are not used for ad personalization. Device location is not used for advertising or analytics.

9. Children

Our service is intended for individuals aged 16 and older. We do not knowingly collect personal data from children under 16. If we become aware of such data, we will delete it promptly.

10. Your Rights

Under the GDPR, you have the right to:

Access your personal data (Art. 15)
Rectify inaccurate data (Art. 16)
Erase your data (Art. 17) - see Data Removal
Restrict processing (Art. 18)
Data portability (Art. 20)
Object to processing (Art. 21)
Withdraw consent where applicable (Art. 7(3))
Lodge a complaint with a supervisory authority (Art. 77)

To exercise these rights, contact us at mail@exerlyze.com.

11. Changes to This Policy

We may update this Privacy Policy when our practices change. We will notify you of significant changes through the app or by email.

Last updated: April 9, 2026