The data controller is the operator of whostravel.ing. For data protection queries, contact us at privacy@whostravel.ing.
We collect only what is necessary to provide the service:
Account data: email address, hashed password.
Card data: first name, last name, country, city, phone, public email, description — only what you enter and mark as visible.
Technical data: IP address of QR scans, User-Agent header, date and time of scan.
Messages: message content from finders, their optional name and contact details, IP address.
Contract performance (Art. 6(1)(b) GDPR): creating and managing your card, delivering finder messages, generating QR codes.
Legitimate interest (Art. 6(1)(f) GDPR): scan logs for statistics and security, abuse prevention (rate limiting).
Your card data is visible only to whoever scans your QR code. You control which fields are visible — you can hide your email, description, or accommodation details.
The card URL (UUID) is random and impossible to guess — we do not maintain a public directory of cards.
We never sell, share, or use your data for marketing purposes.
Account and card data: until account deletion, or 90 days after account suspension.
Scan logs: 12 months.
Finder messages: until deleted by you.
Account UUID: reserved indefinitely — QR labels are physical and we cannot deactivate them.
We use only essential cookies:
PHPSESSID — login session, deleted when you close your browser.
lang — remembers your language choice, valid for 1 year.
We do not use advertising or tracking cookies. We do not integrate Google Analytics, Facebook or similar tools.
You have the right to: access your data, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection.
You can exercise these rights by logging into your dashboard (Settings → Delete account) or by writing to privacy@whostravel.ing.
You also have the right to lodge a complaint with your national data protection authority.
Passwords are stored only as hashed values (bcrypt). All connections use HTTPS encryption. Only fields you mark as visible are shown publicly. UUID addresses are random and cannot be enumerated.
For privacy and data protection queries, contact us at:
privacy@whostravel.ing