Privacy Policy

Your Data. Protected

How we collect, use, store, and safeguard personal information across our services.

Last Updated: 05 September 2025 Effective

This Privacy Policy explains how WandersVista Travel ("we", "us", "our") collects, uses, shares, retains, and protects personal information when you search for flights, create price alerts, complete bookings through partners, subscribe to communications, or otherwise interact with our website, mobile interfaces, or APIs (collectively the "Platform"). We act primarily as a flight search and fare comparison intermediary that links you to third‑party airlines and online travel agencies ("OTAs"). Some data is processed as a controller (e.g., analytics, marketing preferences); some on a joint or aligned basis with partners (e.g., redirect tracking). We do not operate aircraft nor provide carriage services directly.

1. Categories of Data We Collect

We collect and generate the following categories depending on your interactions:

  • Search Data: origin, destination, trip type, dates, passenger mix, cabin preference, filters applied (airlines, stops, times).
  • Device & Technical: IP (truncated/anonymized where required), user‑agent, language, referrer, screen resolution, approximate location (derived from IP), cookie identifiers, session IDs.
  • Interaction & Event Logs: clicks, page views, redirect URLs, error diagnostics, A/B test bucket identifiers.
  • Account & Contact (if you register / subscribe): name, email, hashed password, communication preferences, alert subscriptions.
  • Price Alert & Watchlist Data: tracked routes, threshold amounts, notification history.
  • Marketing & Attribution: campaign parameters (UTM), partner referral codes, consent flags, unsubscribe tokens.
  • Limited Booking Context: when you begin a booking hand‑off we may generate a transient trip reference and store partner ID plus timestamp to troubleshoot failures—no full payment card numbers are stored by us.
  • User Generated Feedback: ratings of redirect quality, voluntary surveys, support tickets.

2. Purposes & Legal Bases

Primary purposes and (for jurisdictions requiring it) legal bases:

  • Provide core search & comparison: execute queries, show fares, maintain session continuity (Legitimate interest / Performance of contract if you create an account).
  • Price alerts & notifications: monitor route prices and send email notifications (Consent; you can opt out anytime).
  • Fraud & abuse prevention: detect automated scraping, prevent denial of service (Legitimate interest / Legal obligation).
  • Analytics & product improvement: measure feature usage, run controlled experiments (Legitimate interest).
  • Marketing communications: newsletters, deal emails (Consent / soft opt‑in where allowed).
  • Regulatory & compliance: respond to lawful requests, enforce terms (Legal obligation / Legitimate interest).

3. Cookies, SDKs & Similar Technologies

We use: (a) strictly necessary cookies (session continuity, security), (b) performance/analytics (aggregate usage), (c) personalization (remember filters), and (d) marketing/attribution (measure campaign effectiveness). Third parties may set cookies when ads or embedded widgets load. You can control these cookies via browser settings or recognized consent tools. Rejecting some categories may degrade personalization but core search remains functional.

4. Data Sharing & Recipients

We disclose data only as needed:

  • Infrastructure & Hosting: cloud providers, CDN, managed database, email delivery platforms.
  • Analytics & A/B Testing: privacy‑aware analytics platforms using pseudonymous identifiers.
  • Marketing & Attribution: email service providers, affiliate networks (limited tracking IDs).
  • Security & Anti‑fraud: bot detection, threat intelligence vendors.
  • Customer Support Tools: ticketing & helpdesk SaaS—store your email and message history.
  • Regulatory / Legal: competent authorities when legally compelled or to defend rights.
  • Business Transfers: during restructuring, merger, or acquisition (with safeguards).

We do not sell personal information for monetary consideration.

5. International Transfers

Where data leaves your jurisdiction we rely on adequacy decisions, Standard Contractual Clauses, and technical measures (encryption in transit & at rest, access controls). Copies are regionally distributed for redundancy with least‑privilege access enforced.

6. Retention

Retention varies by category:

  • Search session logs: 18 months (aggregate analytics after 30 days).
  • Account & alert data: active period + 24 months after last activity or until deletion request.
  • Support tickets: 36 months for audit trail.
  • Marketing consent records: duration of subscription + 6 years (compliance documentation).
  • Security logs: 12 months (extended if under investigation).

7. Your Rights

Your rights (subject to regional laws): access, rectification, deletion, restriction, objection (including to profiling for direct marketing), portability, withdrawal of consent, and lodging a complaint with a supervisory authority. We will verify identity (minimal additional data) before fulfilling sensitive requests.

8. Security Measures

Controls include: TLS 1.2+ enforced, HSTS, encryption at rest (AES‑256), segmented VPC networks, role‑based & MFA protected admin access, automated dependency scanning, annual penetration tests, anomaly & rate‑limit monitoring, zero‑trust access principles, and supplier due diligence.

9. Children

The Platform is not directed to children under 16. We do not knowingly create user accounts for minors. If we learn a child provided personal data without verifiable consent we will delete it.

10. Automated Decision Making & Profiling

We use limited rule‑based ranking (price, duration, number of stops, reliability of redirect partner) to order search results. No solely automated decisions producing legal or similarly significant effects are made about you.

11. Third‑Party Links & Partners

Clicking a booking link takes you to an airline or OTA whose own privacy policy governs subsequent processing. We encourage reviewing those policies; we do not control their cookies once you leave our domain.

12. Do Not Track & Global Privacy Controls

The Platform currently honors applicable Global Privacy Control (GPC) signals for marketing cookie opt‑outs where technically feasible.

13. Changes to This Policy

Material updates will be announced via banner or email (if subscribed) 30 days prior to effectiveness unless required sooner by law. The revision date will always reflect the latest version.

14. Contact & Data Protection Officer

Questions or rights requests: privacy@wandersvista.com (subject line: "Privacy Request"). Data Protection Officer: DPO, WandersVista Travel, Sunrise Travel LLC. We aim to respond within 30 days (or statutory period).

15. Regional Supplements

California (CCPA/CPRA)

We do not sell or share personal information as defined by CPRA. You may exercise access, deletion, correction, and limitation of sensitive data uses via email. Categories collected: identifiers, internet activity, geolocation (approximate), inferences (non‑sensitive usage segmentation).

EEA/UK

Controller: WandersVista Travel. Legal bases are detailed above. You may lodge complaints with your local supervisory authority (e.g., ICO in UK). Data Protection Officer contact listed above.

Canada

Consent implied for product operation; express consent required for marketing. Access/correction rights available—contact us.

16. Contact Summary

Primary Contact: privacy@wandersvista.com | If unresolved you may escalate to the relevant supervisory authority.

By using the Platform after the effective date you acknowledge this Policy.