What we collect, and what we don't do with it.
Plain English. No tracking pixels. No data sold. No fine print designed to confuse you.
This is the privacy notice for everything WeGoing!: the marketing website at wegoingapp.com, the web app at book.wegoingapp.com, and the WeGoing! iOS app. It covers what we collect, why we collect it, who else sees it, and how to get it back or delete it. One document, one source of truth.
The short version: we collect what we need to make group trips work — your profile, your trips, your private budget and availability, and the payments Stripe runs for you. We do not run behavioral ad networks, sell your data, or share data between trips except as needed for the trip itself. The privacy floors in our patents are baked into the product, not just promised in copy.
— Section 01Who we are
WeGoing! is operated by WeGoing, Inc., a Delaware corporation. We're the data controller for the information described in this notice. You can reach us at [email protected] for any privacy question.
— Section 02What we collect
We collect the categories of data below. Most of it you give us directly when you sign up, edit your profile, or join a trip. A small amount is technical (browser type, page views, errors).
Marketing website (wegoingapp.com)
If you only visit the marketing site without filling out a form, we collect almost nothing — see Section 11 on what's logged for security. If you submit our contact form, we collect your name, email, the topic of your inquiry, and your message.
Account & profile
- Email address and display name (required)
- Profile photo (optional)
- Phone number (optional)
- Hometown / home country (free-text profile field)
- Preferred departure airport (IATA code)
- Airline alliance preference and loyalty number
- Hotel chain loyalty preference and loyalty number
- Work type (hourly or salaried) and hourly rate, used by the app to estimate your cost of attending a given trip — never shared with other trip members
- Default PTO and unpaid time-off days
- Default trip spend (domestic and international ranges)
Per-trip responses (private to you — see Section 03)
When you join a trip, you'll be asked for information that only YOU see. The organizer and other members never see your individual answers — only the rolled-up aggregates the app computes for the group.
- Availability windows (date ranges you can travel)
- Budget range (a min and a max)
- Room arrangement preference (shared bed, shared room, or solo room) — including an optional link to a paired traveler if you want to share with someone specific
- PTO days available for this trip, and unpaid time off days you're willing to use
- Flight details if you book your own (origin airport, airline, flight number, times, cost)
- Your lodging vote and itinerary opt-ins (which excursions you're in or out on)
Trip data (shared with the rest of the trip)
Some information is, by definition, group-level. Trip members see this:
- Trip name, destination, date range, currency
- Lodging options the organizer adds and the itinerary the organizer curates
- Inspiration links (TikTok / Instagram embeds via oEmbed)
- The trip's selected header image
- The trip's dropout policy
- A snapshot of each member's profile that's visible inside that trip: photo, name, hometown, room arrangement for the active trip, total trip count, country count, and crew count
Payments (handled by Stripe)
Stripe is our payments provider. See Section 06 for the full picture. The data we hold tied to payments:
- Stripe customer ID
- Stripe cardholder ID (created when you pass identity verification for the Trip Card)
- Cardholder verification status
- Deposit intents, payment plans, and settled deposits
- Trip Card transactions, once the card is active and used for the trip
We do not store full payment card numbers or banking credentials. Those live with Stripe.
Social & pairing
- Bed-share or room-share requests between members
- Accepted pair links on room preferences
Email & notifications (sent via Postmark)
- A log of transactional emails we send you (invites, deposit reminders, share requests, nudges)
- Timestamps so we don't nudge you too often (cooldown enforcement)
Analytics & technical data
We collect a minimal amount of technical information so we can keep the app running and fix bugs:
- Page views and route changes within the app
- Error logs (what broke and where)
- Browser viewport, device pixel ratio, theme preference
- User agent string
- Feedback submissions, with an optional screenshot you choose to attach
- An audit log of sensitive admin actions on our side
What we don't run: behavioral advertising trackers, Meta Pixel, Google Analytics, or any third-party cross-site tracker. We don't sell data and we don't build advertising profiles of you.
— Section 03Privacy-by-design (the patent floors)
WeGoing! is built around a small number of privacy commitments that are enforced in code, not just promised in copy. These are the subject of pending U.S. patent applications and are core to how the product works:
- Patent A — Privacy floor. The trip organizer never sees individual budgets, individual availability ranges, or individual flight costs. The app only surfaces the rolled-up overlap and median figures the group needs to make a decision.
- Patent B — Aggregate date ranking. The five-lens scoring that ranks possible trip dates operates on aggregate signals, not member-identifying records.
- Patent C — Gated stages. Trip flow goes Availability → Budget → Policy → Deposit. This protects late-binders and prevents premature money pressure.
- Patent D — Per-trip inbox. The forwarded-confirmation-email parser is scoped per trip, not per account, so emails forwarded to one trip can't leak into another.
- Patent E — Anonymized conflict greyout. When the app shows that a date conflicts with another trip you're on, the conflicting trip is never named. Just "you have a conflict."
- Patent F — Versioned policy acceptance. Per-person target acceptance is versioned, so consent records are precise and auditable.
If any of those floors slip, we treat it as a bug, not a feature change.
— Section 04Why we collect it
Each piece of data has a specific job:
- Profile and contact info — so we can identify you, send you trip invitations, and let your crew find you.
- Travel preferences (airports, alliances, loyalty) — so the app can surface flight and hotel options that match how you actually travel.
- Work type, hourly rate, PTO defaults — used only to compute the cost-of-attendance figures the app shows you. Other members never see these.
- Per-trip budget and availability — used as inputs to the aggregate overlap calculation. The individual numbers stay private to you.
- Payment data — needed to collect deposits and issue the Trip Card. Stripe is the regulated party that holds and processes these.
- Email log and cooldown timestamps — so we send you the right notifications and stop nudging when we shouldn't.
- Analytics and error logs — so we know what to fix.
We will not repurpose your data for anything outside what's listed here without first asking you.
— Section 05Who else sees your data
We use a small number of established third-party services to run the product. Each one only receives the data it needs to do its job. We do not sell data, share with advertisers, or share with data brokers — ever.
Hosts our Postgres database, our authentication, and stored files (e.g. profile photos). Receives all the data described above. Supabase privacy policy.
Stripe collects deposits, holds them until the trip, processes refunds, and issues the Trip Card. Receives the name, email, and identity-verification information required for payments and card issuing. Stripe privacy policy.
Delivers your invites, sign-in links, deposit reminders, and trip notifications. Receives your email address, the email contents, and delivery metadata. Postmark privacy policy.
When the app searches for flights, we send the origin airport, destination, and dates. We do not send your identity. SerpAPI privacy policy.
When the app loads excursions for a destination, your IP address is shared with Viator (a standard part of any HTTP request). No identity, no profile data. Viator privacy policy.
When you search for a destination or lodging, the search string and your IP are sent to Google Places. No identity, no profile data. Google privacy policy.
The weather risk shown for a destination is generated by sending the destination's latitude and longitude (and your IP) to Open-Meteo. Open-Meteo terms.
When someone pastes a TikTok or Instagram link into a trip, we use the public oEmbed API to fetch the preview. The link is shared with the platform that owns it.
Destination images come from Wikimedia Commons. Standard HTTP request — your IP is exposed to Wikimedia in the normal way that loading any image works.
Vercel hosts our web app and processes server-side requests, including normal HTTP server logs (IP, user agent, response codes). Vercel privacy policy.
Used on signup to block bot traffic. Sees a privacy-preserving signal from your browser, not your identity. Cloudflare privacy policy.
Twilio delivers SMS messages for WeGoing!, but only after you opt in. If you opt in, Twilio receives your phone number, the message contents, and delivery metadata needed to send and manage those messages. SMS notifications are not live yet and will be enabled after carrier verification clears. See our SMS consent page for details. Twilio privacy policy.
If you submit the contact form on wegoingapp.com, the submission passes through Formspree before reaching our inbox. Formspree privacy policy.
That's the whole list. If we add another service, we'll list it here before it goes live.
— Section 06Payments & the Trip Card
This is the section regulators and Stripe reviewers care most about, so we're going to be explicit.
We use Stripe for all payments. Stripe is the regulated payments and card-issuing entity. We are a Stripe platform customer. WeGoing, Inc. is not a bank, not a money transmitter, and not operating its own deposit-holding service.
Deposits
When a trip enters the deposit phase, members pay into a Stripe-backed trip deposit account. Stripe holds each deposit until the trip. WeGoing! does not move, store, or commingle those funds on its own books.
The Trip Card
The Trip Card is a virtual card issued by Stripe via Stripe Issuing. It is used by the trip organizer to spend the trip's deposited funds on travel-related purchases (lodging, transit, dining). The card is funded directly by Stripe from the trip's collected deposits. Refunds and reversals are processed through Stripe.
Identity verification
Stripe requires identity verification (KYC) before a Trip Card can be issued to you. If you go through that flow, the identity documents and verification answers are collected and held by Stripe — not by WeGoing!. We see only the verification status (passed / pending / failed) and a cardholder ID.
What WeGoing! holds vs. what Stripe holds
- WeGoing! holds: your account, your trips, who's in them, your private budget and availability, your Stripe customer and cardholder IDs, deposit intents and transaction records (for app functionality), and an audit log of payment-related events on your trip.
- Stripe holds: your payment methods, identity-verification documents, the actual deposited funds, the issued Trip Card, and the underlying card-network transaction data.
If you want to know what Stripe specifically holds about you, see Stripe's privacy policy.
— Section 07Planned features
We're a small team shipping fast. To avoid surprising you when new things land, here's what's in active development and what those features will collect or share. If we ship something not on this list, we'll update this notice before it goes live.
Trip chat
A real-time chat thread inside each trip, plus direct-message threads between paired share-partners. Messages are stored in our database and may appear in digest emails sent through Postmark. Powered by Supabase Realtime.
AI assistant (opt-in)
An optional AI assistant powered by Anthropic's Claude API. Opt-in per user. If you turn it on, the trip context relevant to your question is sent to Anthropic to generate the response. Anthropic privacy policy.
Cross-trip social graph
Profile-level "Couples / Friends / Family" relationships you choose to set. Used to make inviting people to future trips faster. You can opt out (see Section 09).
iOS wrap and push notifications
The iOS app uses Capacitor to wrap the web experience. If you opt in to push notifications, your device's push token is registered with Apple's notification service (APNs). We use the token to send you trip notifications only — same content as our emails.
SMS notifications
When carrier verification clears, we may offer optional SMS notifications through Twilio. These texts are transactional trip coordination messages only, not marketing messages.
If you opt in, we may send SMS messages for trip invites, join codes, availability reminders, budget submission reminders, deposit reminders, and trip status updates. Message frequency varies based on your trip activity. Message and data rates may apply.
You can opt out at any time by replying STOP. You can get help by replying HELP or by emailing [email protected].
SMS is optional. You can use WeGoing! without opting into SMS. WeGoing! does not use SMS for behavioral advertising, purchased lists, scraped contacts, cold outreach, or promotional marketing.
Twilio delivers SMS messages for WeGoing! and receives the phone number, message contents, and delivery metadata needed to send and manage those messages. Twilio privacy policy.
Inbound email parse to itinerary
Each trip will have its own dedicated inbox address. Forwarded confirmation emails (flights, hotels, reservations) sent to that address will be parsed into itinerary items. The inbox is scoped to one trip — emails forwarded to one trip's inbox cannot leak into another trip (this is the Patent D protection).
Image proxy
To keep third-party photos (Wikimedia, Viator, Google Places) rendering reliably across browsers, we route them through our domain at /api/img-proxy. We do not retain or scan the image bytes — the proxy is a pass-through.
— Section 08How long we keep it
- Active account data — for as long as your account is active.
- Trip data — kept as long as the trip exists in your account, so you can revisit past trips. When you delete a trip, the trip and its derived data are removed.
- Payment records — kept as long as required by Stripe and by applicable tax / financial recordkeeping rules. Some payment records persist after account deletion for legal reasons we don't control.
- Email logs — kept for up to 12 months for delivery diagnostics, then automatically deleted.
- Marketing-site contact form submissions — kept as long as needed to reply to your inquiry and for normal correspondence afterward. You can ask us to delete them.
- Server / error logs — kept for up to 30 days, then deleted.
When you delete your account, your profile and trip data are removed (cascaded through our database). Some technical and payment records may persist as noted above. See Section 09 for how to request deletion.
— Section 09Your rights
You can exercise the rights below at any time. The fastest path is to email [email protected]. We aim to respond within a few business days.
- Access — request a copy of all data we hold about you.
- Correction — edit any profile field at any time from inside the app. For anything you can't edit yourself, email us.
- Deletion — delete your account and have all derived data removed (cascaded through our database). Some payment and tax records may persist where we are legally required to retain them.
- Portability — export your trip data as JSON.
- Privacy-graph opt-out — your profile has a
commitment_graph_opt_insetting. Turning it off disables the cross-trip availability conflict feature for you. The app will stop using your other trips as inputs to availability calculations. - Opt out of marketing emails — every list email has an unsubscribe link. Transactional emails (sign-in links, deposit confirmations) cannot be turned off while your account is active because they're needed to run the product.
If you're in the EU, UK, California, or another jurisdiction with specific data-protection rights (GDPR, UK GDPR, CCPA, CPRA, etc.), all of the above applies — email us and we'll handle it the same way.
— Section 10Children
WeGoing! is intended for adults (18+). We do not knowingly collect information from anyone under 13. If we learn we've collected data from a child under 13, we'll delete it. If you believe a child has signed up, email us.
— Section 11Security
Everything is served over HTTPS. Authentication is handled by Supabase with industry-standard hashing. Payments and identity verification are processed by Stripe; we never see or store full payment card numbers. Database access uses row-level security so members can only see the trips and people they're entitled to see. No system is perfectly secure, but we collect what we need and no more — the safest data is data we don't have.
— Section 12International transfers
WeGoing, Inc. is based in the United States. The third-party services we use (Supabase, Stripe, Postmark, Vercel, Cloudflare, and the others listed in Section 05) operate infrastructure in multiple regions. If you use WeGoing! from outside the United States, your data will be transferred to and processed in the United States and in any region where our service providers operate. Where required, our service providers maintain standard contractual safeguards for cross-border data transfers.
— Section 13Changes to this notice
If we materially change how we collect, use, or share data, we will update this page and change the "Updated" date at the top. For material changes that affect existing users, we will email active users so the change isn't a surprise. Minor edits (typo fixes, link updates) won't trigger an email.
— Section 14Contact
For any privacy question — including a data request, a correction, a deletion, or just a curiosity — email [email protected]. A real person responds.
Questions, or want your info removed?
Email [email protected]. A real person will respond. We aim to reply within a couple of business days.