Privacy policy

Mon CGP SAS 49, rue de Ponthieu — 75008 Paris — France SIREN: 880 295 696 Contact: admin.wowiin-app@moncgp.fr

When you register, we collect: • Your first name — to personalize your experience within the application • Your email address — to create and secure your account and send you service-related emails We do not collect last names. This is a deliberate choice based on the principle of data minimization (Article 5, §1(c) of the GDPR).

You may enter information about your trips: • Destinations, departure and return dates • Itinerary steps • First name and issuing country of the travel document of your travel companions (no last name — GDPR minimization) This data is used to provide travel management features, document alerts, and — for paying subscribers — security alerts related to your declared destinations.

• Issuing country of the travel document — to determine the validity rules applicable to your passport based on your destination • Expiry dates of your travel documents — only dates are collected: no scan, no image, and no document number of any kind are ever collected by Wowiin APP • Uploaded files (paying subscribers only) — travel documents stored securely in your personal space. You are solely responsible for the files you choose to upload. You are strongly advised not to upload documents containing highly sensitive data beyond what is strictly necessary for use of the Service (see Article 5 of the Terms of Service).

Departure time zone, preferred currency, dietary preferences, mobility needs, pet-related information, interests, preferred embassies, interface language and alert language. This data is used exclusively to personalize your experience and the AI concierge’s responses. It is not shared with third parties for commercial purposes.

If you explicitly consent during onboarding, we record that consent in order to send you security alerts related to your declared destinations. This consent may be withdrawn at any time from your settings.

IP address and connection logs — automatically collected by our technical infrastructure (Vercel, Supabase) to ensure the security and proper functioning of the service. Not used to identify or profile you. Session data — authentication token stored in your browser to maintain your login session.

• Account creation and management — Performance of contract (Art. 6, §1(b)) • Provision of travel features — Performance of contract (Art. 6, §1(b)) • Document alerts — Performance of contract (Art. 6, §1(b)) • Security alerts — Consent (Art. 6, §1(a)) • Marketing communications (opt-in) — Consent (Art. 6, §1(a)) • Security and fraud prevention — Legitimate interest (Art. 6, §1(f)) • Legal and accounting obligations — Legal obligation (Art. 6, §1(c))

Your data is never sold to third parties. It may be shared with the following technical processors: • Supabase Inc. (database and storage) — data hosted in the EU (Frankfurt). supabase.com/privacy • Vercel Inc. (application hosting) — see section 5. vercel.com/legal/privacy-policy • Resend Inc. (email delivery) — email data only. resend.com/legal/privacy-policy • Anthropic, PBC (AI concierge — paying subscribers only) — questions and minimal profile context transmitted to Anthropic API. No document data transmitted. anthropic.com/privacy • Stripe, Inc. (payments) — secure payment processing. Card data never transits through our servers. stripe.com/privacy

Vercel Inc. and Resend Inc. are US companies. These transfers are governed by the European Commission’s Adequacy Decision of July 10, 2023 on the EU–US Data Privacy Framework (DPF — Decision 2023/1795). Vercel Inc. and Resend Inc. are certified under this framework. Anthropic, PBC is also a US company. Transfers to Anthropic are governed by Standard Contractual Clauses (SCCs — Commission Decision 2021/914) in accordance with Article 46 of the GDPR. Supabase stores data in the EU region (Frankfurt, Germany): no transfer outside the EU for database data.

• Account data (email, first name) — duration of subscription + 3 years after account closure • Travel and document data — duration of active subscription • Uploaded files (paying subscribers) — deleted immediately and automatically upon expiry or cancellation of the paying subscription • Destination data linked to security alerts — 1 month after the declared return date • Technical logs — maximum 90 days • Consent data — duration of subscription + 5 years

Under the GDPR and French data protection law, you have the following rights: • Right of access (Art. 15) • Right to rectification (Art. 16) • Right to erasure (Art. 17) • Right to data portability (Art. 20) • Right to object (Art. 21) • Right to restriction of processing (Art. 18) • Right to withdraw consent at any time To exercise your rights: admin.wowiin-app@moncgp.fr. We will respond within one month. To lodge a complaint: Commission Nationale de l’Informatique et des Libertés (CNIL) — cnil.fr/en/complaints

We implement appropriate technical and organizational measures: • Encrypted connections (HTTPS/TLS) throughout the application • Secure authentication via Supabase Auth • Data access control via Row Level Security (RLS) policies: each user can only access their own data • Database hosted in the European Union

We reserve the right to modify this policy at any time. In the event of a material change, we will notify you by email or via an in-app notification.