well travelled app | privacy policy
Last updated: May 5, 2026
This Privacy Policy explains how Emille Rosa Ltd, an Irish company with registered office at 192 South Circular Road, Dublin 8, D08 RD0X, Ireland, and Companies Registration Office (CRO) number 739102 ("Well Travelled", "we", "us", or "our"), collects, uses, shares, and protects personal data in connection with the Well Travelled mobile application (the "App").
This policy applies only to the App. Our website, store, magazine, community membership, and Substack newsletter are governed by separate notices.
This policy is designed to comply with the EU General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, LGPD, Law 13.709/2018), and other applicable data protection laws.
1. Data Controller and Data Protection Officer
Data Controller: Emille Rosa Ltd 192 South Circular Road, Dublin 8, D08 RD0X, Ireland CRO: 739102
Data Protection Officer / Privacy Contact: Emille Rosa, Founder and CEO Email: dpo@welltravelled.global
2. Our Service Provider (Processor)
The App is developed and operated on our behalf by Ghost Ship Serviços em Tecnologia da Informação Ltda ME (CNPJ 08.650.890/0001-99), based in Curitiba, Brazil ("Ghost Ship"). Ghost Ship acts as our data processor / operator under a written Data Processing Agreement that includes EU Standard Contractual Clauses for transfers from the European Economic Area to Brazil. Ghost Ship processes personal data only on our documented instructions.
3. What Personal Data We Collect
3.1 Information You Provide
Account information: username, email address, and — if you provide them voluntarily — your full name and profile details. Authentication credentials (such as passwords for email-based sign-in) are managed by our authentication provider (Supabase) and are never stored on our own systems.Travel inputs: the travel-related text, dates, and location names you enter into the App to generate stickers (for example, the name of a city you visited or a date range for a trip)Customer support communications: messages you send us via email or in-app support
We do not require your date of birth. We confirm your eligibility through a one-time age confirmation (see Section 13).
3.2 Information from Third-Party Login Providers
If you sign in using Apple, Google, or Instagram, we receive a limited set of profile data from the provider you choose:
Apple Sign-In: a unique identifier and, if you allow it, your name and a relay or real email addressGoogle Sign-In: name, email address, and Google account identifierInstagram Login: username, account identifier, and basic profile fields permitted by Instagram
We do not access your contacts, posts, photos, or social graph from any of these providers, beyond what is required to authenticate you.
3.3 Information We Collect Automatically
Device and technical information: device model, operating system and version, app version, language and locale settings, advertising identifier (IDFA on iOS) where you have allowed trackingUsage data: features used, screens viewed, in-app events, session duration, crash logsIP address (used to derive approximate location, e.g. country and city level — we do not collect precise GPS location)
We do not collect or upload photos from your device. Stickers are rendered locally on your device.
4. Why We Process Your Data and Legal Basis
We process your data only for specific, legitimate purposes and only on a valid legal basis. The table below maps each purpose to the GDPR legal basis (Art. 6) and, where applicable, the LGPD legal basis (Art. 7).
Purpose
GDPR basis
LGPD basis
Creating and managing your account, providing the App and core sticker generation features
Contract (Art. 6(1)(b))
Execution of contract (Art. 7, V)
Saving your travel inputs so you can return to them
Contract (Art. 6(1)(b))
Execution of contract (Art. 7, V)
Improving the App, developing new features and templates, training and improving any AI/ML models we may use in the future
Legitimate interest (Art. 6(1)(f))
Legitimate interest (Art. 7, IX)
Generating anonymized and aggregated insights for analytics, research, public reporting, and product development
Legitimate interest (Art. 6(1)(f)); anonymized data falls outside GDPR
Legitimate interest (Art. 7, IX); anonymized data falls outside LGPD per Art. 12
Marketing communications (newsletter, product announcements, promotional offers)
Consent (Art. 6(1)(a))
Consent (Art. 7, I)
Personalized advertising on third-party platforms (e.g., Meta, TikTok) using device identifiers and matched audiences
Consent (Art. 6(1)(a)), and on iOS subject to App Tracking Transparency authorization
Consent (Art. 7, I)
Analytics and measuring marketing performance
Legitimate interest (Art. 6(1)(f))
Legitimate interest (Art. 7, IX)
Fraud prevention, security, abuse detection
Legitimate interest (Art. 6(1)(f)) / Legal obligation (Art. 6(1)(c))
Legitimate interest (Art. 7, IX) / Legal obligation (Art. 7, II)
Complying with law and responding to legal requests
Legal obligation (Art. 6(1)(c))
Legal obligation (Art. 7, II)
Defending and exercising legal rights
Legitimate interest (Art. 6(1)(f))
Regular exercise of rights (Art. 7, VI)
You can withdraw any consent at any time by contacting dpo@welltravelled.global or via the in-app settings where available. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
5. Sticker Generation and Use of Your Inputs
When you create a sticker, the travel text, dates, and location names you provide are saved to your account so you can edit, reuse, or recreate stickers later. Sticker rendering happens locally on your device — we do not generate or store the rendered sticker images on our servers.
Subject to your consent, we may also use your travel inputs and aggregated usage patterns to:
Improve our templates and design new featuresTrain, fine-tune, evaluate, and improve AI/ML models we may develop or use, including models that may continue to exist after your inputs are deleted from your accountDevelop anonymized datasets for research, analytics, and new products and services
This use is described in more detail in our Terms of Use (Section 6). It is based on legitimate interest under GDPR for non-sensitive data and on consent for any sensitive personal data you may provide. You can opt out at any time by contacting dpo@welltravelled.global.
We do not currently use AI to generate stickers or to process your inputs in real time.
6. How We Share Your Data
We share personal data only with the categories of recipients below, and only for the purposes described.
6.1 Our Processor
Ghost Ship Serviços em Tecnologia da Informação Ltda ME — develops and operates the App on our behalf, hosts user data, and provides technical support, all under a Data Processing Agreement
6.2 Sub-Processors and Service Providers
Through Ghost Ship and directly, we use the following service providers to operate the App:
Hostinger (United Kingdom) — application hostingSupabase (United States) — database, authentication, and file storagePostHog (European Union) — product analytics, feature usage, and crash reportingResend (United States) — transactional email (account confirmation, password reset, support)RevenueCat (United States) — subscription management and entitlements (for any future paid features)Apple — App Store account integration; in-app purchases (if and when subscriptions are introduced)
6.3 Advertising Partners
We use advertising platforms to reach potential users on third-party services. We share with them:
Meta (Facebook/Instagram Ads) — device identifiers (IDFA where allowed), hashed contact data, and aggregated audience data for lookalike targeting and ad measurementTikTok Ads — device identifiers (IDFA where allowed) and aggregated audience data for ad targeting and measurement
We do not display third-party ads inside the App at this time. We do not share your travel inputs, account password, or content of communications with advertising partners.
You can limit identifier-based ad targeting by declining the App Tracking Transparency prompt on iOS (or revoking it later under Settings > Privacy & Security > Tracking).
6.4 Marketing and Newsletter
If you opt in to marketing communications, we share your email address with the email service providers we use to send our newsletter (which may include Substack or similar platforms). These providers process your data on our behalf.
6.5 Legal and Safety
We may share data when we believe in good faith it is necessary to:
Comply with applicable law, regulation, or legal processRespond to lawful requests from public authorities (in Ireland, Brazil, or other jurisdictions)Protect the rights, property, or safety of Well Travelled, our users, or othersDetect, prevent, or address fraud, security, or technical issues
6.6 Business Transfers
If we are involved in a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of that transaction. We will notify you and ensure equivalent protections apply.
6.7 What We Do Not Do
We do not sell your personal data. We do not share your travel inputs or other identifiable content with advertising partners.
7. International Data Transfers
We are based in Ireland. Our processor and several of our sub-processors operate outside the European Economic Area (EEA), including in the United Kingdom (Hostinger), the United States (Supabase, Resend, RevenueCat, Meta, TikTok, Apple), and Brazil (Ghost Ship). Some of our processors are based within the EEA (PostHog).
For transfers outside the EEA we rely on:
Standard Contractual Clauses (SCCs) approved by the European Commission, including the SCCs for transfers from controller to processor for our agreement with Ghost ShipThe EU-U.S. Data Privacy Framework where the recipient is certified under itThe United Kingdom adequacy decision for transfers to the UKYour explicit consent, where applicableTransfers necessary for the performance of a contract with you, where applicable
For users outside the EEA, your data may also be transferred to and processed in countries outside your country of residence, including Ireland and Brazil.
You may request a copy of the safeguards in place by emailing dpo@welltravelled.global.
8. How Long We Keep Your Data
DataRetention periodAccount data (username, email, profile, travel inputs)While your account is activeCustomer support communicationsUp to 24 months from the last interactionMarketing consent recordsUntil you withdraw consent, plus 24 months to evidence complianceTechnical and security logsUp to 12 monthsBackupsUp to 90 days from the date of the most recent backupRecords required for tax, accounting, or legal complianceAs required by applicable law (typically 6 years in Ireland)
When you delete your account, we delete or anonymize your personal data within 30 days from active systems. Backups containing your data may persist for up to 90 days, after which they are overwritten or destroyed. Anonymized derivatives are retained as described in Section 5.
9. Your Rights
Subject to applicable law, you have the following rights with respect to your personal data.
9.1 Rights Under GDPR
Right of access (Art. 15)Right to rectification (Art. 16)Right to erasure / "right to be forgotten" (Art. 17)Right to restriction of processing (Art. 18)Right to data portability (Art. 20)Right to object to processing based on legitimate interest, including profiling for direct marketing purposes (Art. 21)Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22) — currently not applicable, as we do not make automated decisions of this kindRight to withdraw consent at any timeRight to lodge a complaint with your local data protection supervisory authority. In Ireland, this is the Data Protection Commission (https://www.dataprotection.ie). EEA users may also complain to the supervisory authority in their country of residence.
9.2 Rights Under LGPD (Brazilian Users)
Confirmation that we process your dataAccess to your dataCorrection of incomplete, inaccurate, or outdated dataAnonymization, blocking, or deletion of unnecessary or excessive dataPortability to another service providerDeletion of personal data processed based on consentInformation about the entities with which we share your dataInformation about the consequences of refusing consentWithdrawal of consentRight to file a complaint with the National Data Protection Authority (ANPD): https://www.gov.br/anpd
9.3 How to Exercise Your Rights
Email dpo@welltravelled.global. We will respond within 30 days for GDPR requests (extendable by up to 60 additional days for complex requests) and within 15 days for LGPD requests (extendable as permitted by law). We may need to verify your identity before fulfilling your request.
10. Account Deletion
You may request deletion of your account at any time:
Through the in-app account deletion option, where availableBy emailing dpo@welltravelled.global
We will process the request within 30 days, with backups overwritten within 90 days.
11. Security
We implement reasonable technical and organizational measures to protect your personal data, including:
Encryption in transit (TLS) for data sent to and from our serversEncryption at rest for stored data, provided by our infrastructure providers (Supabase encrypts user data at rest using AES-256; backups are encrypted by our hosting and database providers)Authentication and credential storage handled by Supabase Auth — we do not store passwords on our own systemsRestricted access controls and authentication for our infrastructureLogging and monitoring of administrative accessRegular review of security practices, including awareness of common vulnerabilities (such as those identified in the OWASP Top 10) when developing new features
No system is completely secure. If you become aware of any vulnerability or suspected breach, please contact dpo@welltravelled.global.
In the event of a personal data breach that creates risk to you, we will notify you and the relevant authority within the timeframes required by law (in the EU, generally within 72 hours of becoming aware of the breach).
12. Cookies and Similar Technologies
The App itself does not use web cookies but uses device identifiers as described in Sections 3 and 6. Our website (welltravelled.global) uses cookies; the website's separate cookie notice describes those.
13. Children
The App is intended for users aged 16 and over. When you create an account, you confirm that you are at least 16 years old. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided personal data to us, we will delete the account and associated data promptly. If you believe a child under 16 has used the App, please contact dpo@welltravelled.global.
14. Marketing Communications
If you opt in to marketing emails (newsletter, product announcements, promotional offers), we will send you communications based on your consent. Every marketing email includes an unsubscribe link, and you can opt out at any time by clicking it or contacting dpo@welltravelled.global. Opting out of marketing does not affect transactional emails (account, billing, security).
15. Future Subscriptions
We may introduce paid subscription features in the future. If we do, payments will be processed through Apple In-App Purchases (or another payment provider we may add), and we will update this policy to reflect any new processing activities before they take effect.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will revise the "Last updated" date and, for material changes, notify you (by email and/or in-app notification) before the changes take effect. Your continued use of the App after the effective date means you accept the updated policy.
17. Contact
For privacy questions, requests, or complaints, contact:
Emille Rosa Ltd Attn: Emille Rosa, Founder and CEO 192 South Circular Road, Dublin 8, D08 RD0X, Ireland CRO: 739102 Email: dpo@welltravelled.global
You also have the right to lodge a complaint with:
Ireland / EEA: Data Protection Commission (https://www.dataprotection.ie) or your local supervisory authorityBrazil: Autoridade Nacional de Proteção de Dados (ANPD) — https://www.gov.br/anpd
© 2026 Emille Rosa Ltd. All rights reserved.