Privacy Policy

Last updated: January 5, 2025

Your privacy is important to us. This Privacy Policy explains how Wurora collects, uses, and protects your personal data in compliance with the EU General Data Protection Regulation (GDPR) and Italian data protection laws.

Quick Navigation

→ Data Controller → Data We Collect → Legal Basis → How We Use Data → Third Parties → Data Retention → Your Rights → Cookies

1. Data Controller

Wurora is the data controller responsible for your personal data.

Service: Wurora Travel Guide Platform

Website: wurora.com

Email: privacy@wurora.com

DPO Contact: dpo@wurora.com

2. Data We Collect

2.1 Account Information

When you register for an account, we collect:

Name: Your full name for personalization
Email address: For account authentication and communication
Password: Securely hashed using bcrypt (we never store plain text passwords)
Profile picture: Optional, from OAuth providers (Google, GitHub)

2.2 OAuth Authentication Data

When you sign in with Google or GitHub, we receive:

OAuth provider ID (e.g., Google ID, GitHub ID)
Email address (primary email)
Name and profile picture URL
OAuth access tokens (encrypted, not shared with third parties)

2.3 Usage and Preference Data

Saved places: Attractions, stays, and food & beverage places you bookmark
City preferences: Your selected cities and browsing history
User notes: Optional notes you add to saved places
Session data: JWT tokens for authentication (stored in HTTP-only cookies)

2.4 Technical and Analytics Data

With your consent (analytics cookies), we collect:

IP address: Hashed with SHA-256 + salt for pseudonymisation
Device information: Browser type, operating system, screen resolution
Page views: Pages visited, session duration, interaction events
Anonymous ID: Randomly generated identifier for tracking (wurora_anon_id)

ℹ️ All analytics data is anonymous and stored for a maximum of 90 days.

2.5 User-Submitted Reports

When you submit a place report, we collect:

Report message (required)
Optional images (uploaded to our server)
Your name (optional, can be anonymous)
Email (if authenticated)
IP address (hashed for abuse prevention)

2.6 Consent Records

To comply with GDPR Article 7 (proof of consent), we log:

Consent action (accept all, reject all, customize)
Timestamp of consent
Consent version and preferences
Session ID (temporary identifier)
IP address hash
User agent string

ℹ️ Consent records are retained for 3 years and automatically deleted thereafter.

3. Legal Basis for Processing

Under GDPR Article 6, we process your data based on the following legal grounds:

📄 Contract (Article 6(1)(b))

Processing necessary to provide our service to you:

Account creation and authentication
Storing your saved places and preferences
Providing personalized recommendations

✅ Consent (Article 6(1)(a))

Processing based on your explicit consent:

Analytics and usage tracking (analytics cookies)
Functional features like city preferences (functional cookies)
Affiliate tracking for bookings (affiliate cookies)
Marketing communications (if opted in)

ℹ️ You can withdraw consent at any time through Privacy Settings.

⚖️ Legitimate Interest (Article 6(1)(f))

Processing necessary for our legitimate interests:

Security and fraud prevention (IP hashing in reports)
Platform improvement and bug fixes
Legal compliance and responding to lawful requests

ℹ️ We balance our interests against your rights and only process data when necessary.

4. How We Use Your Data

✓ To Provide Our Service

Create and manage your account
Display personalized content and recommendations
Save your place bookmarks and preferences
Process and respond to your reports

✓ To Improve Wurora

Analyze usage patterns to improve user experience
Identify and fix bugs
Develop new features based on user behavior

✓ For Security and Fraud Prevention

Detect and prevent abuse (e.g., spam reports)
Secure user accounts from unauthorized access
Comply with legal obligations

✓ For Affiliate Revenue

Track bookings made through partner links (GetYourGuide, Expedia)
Earn commissions to keep Wurora free (8-15% from GetYourGuide, 4-6% from Expedia)
No additional cost to you

5. Third-Party Services

We share data with the following trusted third parties. Each has their own privacy policy:

📦 MongoDB Atlas (Database Hosting)

Purpose: Stores all user data, places, and reports

Data shared: All user account data, saved places, reports

Location: EU region (Frankfurt, Germany) for GDPR compliance

🚀 Vercel (Hosting & CDN)

Purpose: Hosts the Wurora website and API

Data shared: Request logs, IP addresses (temporary), user agent

Location: Global CDN with EU presence

🎫 GetYourGuide (Affiliate Partner)

Purpose: Activity booking widget (with your consent)

Data shared: Partner ID (9RM1C7C), booking referrals

Cookies: Requires affiliate consent

🏨 Expedia (Affiliate Partner)

Purpose: Hotel booking affiliate links

Data shared: Affiliate ID, booking referrals

Cookies: Requires affiliate consent

🔐 Google OAuth (Authentication)

Purpose: Sign in with Google (optional)

Data shared: Email, name, profile picture (only if you choose Google login)

🔐 GitHub OAuth (Authentication)

Purpose: Sign in with GitHub (optional)

Data shared: Email, name, profile picture (only if you choose GitHub login)

ℹ️ International Transfers: Some third parties (MongoDB, Vercel) have servers outside the EU. We ensure adequate safeguards through Standard Contractual Clauses (SCCs) as required by GDPR Article 46.

6. Data Retention

We only retain your data for as long as necessary:

Data Type	Retention Period
Account data	Until you delete your account
Saved places & preferences	Until you delete your account
Reports (anonymous)	Indefinite (for content moderation)
Analytics data	90 days (then automatically deleted)
Consent records	3 years (legal requirement)
Session tokens	30 days or until logout

7. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data:

📥 Right to Access (Article 15)

You can request a copy of all your personal data in machine-readable JSON format.

Export My Data

🗑️ Right to Erasure (Article 17)

You can permanently delete your account and all associated data at any time.

Delete My Account

📦 Right to Data Portability (Article 20)

When you export your data, you receive a structured JSON file that can be used with other services.

🔄 Right to Withdraw Consent (Article 7(3))

You can change your cookie preferences or withdraw consent at any time.

Manage Cookie Preferences

⚖️ Other Rights

Right to Rectification (Article 16): Request correction of inaccurate data
Right to Restriction (Article 18): Request limited processing of your data
Right to Object (Article 21): Object to processing based on legitimate interest
Right to Lodge a Complaint: Contact the Italian Data Protection Authority (Garante)

To exercise any of these rights, contact us at privacy@wurora.com

8. Cookies and Tracking

We use cookies to provide and improve our service. You have full control over non-essential cookies.

Essential Cookies (Always Active)

Authentication, security, consent storage

Functional Cookies (Optional)

City preferences, saved places, language settings

Analytics Cookies (Optional)

Anonymous usage tracking (stored max 90 days)

Affiliate Cookies (Optional)

GetYourGuide & Expedia booking tracking

→ Read Full Cookie Policy

9. Security Measures

We implement industry-standard security practices:

Password Security: Bcrypt hashing with salt (never plain text)
HTTPS Encryption: All data transmitted over TLS 1.3
IP Hashing: SHA-256 + salt for pseudonymisation
HTTP-Only Cookies: Session tokens not accessible to JavaScript
Regular Security Audits: Code reviews and vulnerability scanning
Access Controls: Role-based access (admin/user separation)

⚠️ Note: No system is 100% secure. If you discover a security vulnerability, please report it to security@wurora.com.

10. Children's Privacy

Age Requirement: You must be at least 16 years old to create a Wurora account (GDPR Article 8 - Italian implementation).

We do not knowingly collect data from children under 16. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@wurora.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

We will update the "Last updated" date at the top
For significant changes, we will notify you via email
Continued use of Wurora after changes constitutes acceptance

Contact Us

Questions about this Privacy Policy or how we handle your data?

Email: privacy@wurora.com

Data Protection Officer: dpo@wurora.com

Security Issues: security@wurora.com

Italian Data Protection Authority (Garante):
If you are unsatisfied with our response, you have the right to lodge a complaint with the Garante:
Website: www.garanteprivacy.it