Regulation (EU) 2016/679 – General Data Protection Regulation
Effective Date: 02/04/2026
Last Updated: 11/04/2026
theversevoyager.com
1. Data Controller
The controller of your personal data is:
THE VERSE VOYAGER S.R.L.
Registered office: București, Sectorul 1, Strada Pitar Moș, Nr. 27, Etaj 5, Ap. 17, Romania
Company number (CUI): 54415570
Email: contact@theversevoyager.com
Website: https://theversevoyager.com
Throughout this Privacy Policy, “we,” “us,” and “our” refer to THE VERSE VOYAGER S.R.L. “You” and “your” refer to any individual whose personal data we process.
2. Scope of This Policy
This Privacy Policy applies to all personal data we collect and process through:
- Our main website: theversevoyager.com
- Our online shop: shop.theversevoyager.com
- Our personality assessment platform: personality-assessment.theversevoyager.com
- Contact forms, discovery call bookings, and email correspondence
- Email marketing communications via GetResponse
- Our social media presence on Facebook, Instagram, and Pinterest
This policy does not apply to third-party websites linked from our website. We encourage you to read the privacy policies of any third-party services you interact with.
3. Personal Data We Collect
3.1 Data You Provide Directly
a) Contact and Inquiry Data
When you contact us via our contact form, email, or book a discovery call, we collect:
- First name and last name
- Email address
- Your inquiry or message content (free text)
- Discovery call scheduling information (via Google Calendar)
b) Personality Assessment Data
When you create an account on our personality assessment platform (personality-assessment.theversevoyager.com), we collect:
- Email address and password (encrypted)
- First name and last name
- Age
- Gender
- Country and city of residence
- Your responses to the Big Five personality questionnaire
- Your computed personality profile (Openness, Conscientiousness, Extraversion, Agreeableness, Neuroticism scores)
Your personality assessment data is considered sensitive personal data because it reveals psychological characteristics. We process this data exclusively on the basis of your explicit consent (see Section 4 below).
c) Service and Client Data
When you purchase a travel planning service, we additionally collect:
- Travel preferences, destinations, dates, and constraints discussed during your discovery call
- Budget indications and accommodation preferences
- Any other information you voluntarily share to help us design your itinerary
- Feedback and revision requests on itinerary drafts
d) Purchase and Payment Data
When you make a purchase through our online shop (shop.theversevoyager.com, powered by WooCommerce) or pay for a service, we collect:
- Billing name and address
- Email address
- Products or services purchased, amounts, and transaction dates
Payment card details are processed directly by Stripe and are never stored on our servers. See Section 7 for more information about Stripe.
e) Email Marketing Data
When you subscribe to our newsletter or request a free itinerary (lead magnet), we collect:
- Email address
- Name (if provided)
- Subscription preferences and consent records
3.2 Data We Collect Automatically
a) Website Usage Data (Google Analytics 4)
With your consent, we use Google Analytics 4 to collect:
- IP address (anonymized)
- Browser type and version, operating system, screen resolution
- Pages visited, time spent on pages, referral source
- Approximate geographic location (city-level, derived from IP)
- Device type (desktop, mobile, tablet)
Google Analytics uses cookies to collect this information. These cookies are only placed after you provide consent via our cookie banner. See Section 6 (Cookies) for details.
b) Server Log Data
Our hosting provider (Hostinger) automatically collects server access logs, which may include:
- IP address
- Date and time of access
- Pages requested
- HTTP status codes
This data is collected for security and server maintenance purposes based on our legitimate interest (Art. 6(1)(f) GDPR).
3.3 Data from Third Parties
We may receive limited data from third-party platforms:
- Google Calendar: confirmation of booked discovery calls (name, email, chosen time slot)
- Stripe: payment confirmation and transaction status (we do not receive your full card number)
- Social media platforms: if you contact us via Facebook, Instagram, or Pinterest, we receive the content of your message and your public profile name
4. Purposes and Legal Bases for Processing
We process your personal data only when we have a valid legal basis under the GDPR. The following table sets out each processing activity, its purpose, and the legal basis on which we rely:
| Processing Activity | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Contact form submissions | Responding to your inquiry and potential service delivery | Art. 6(1)(b) – pre-contractual measures at your request |
| Discovery call booking | Scheduling and conducting the consultation | Art. 6(1)(b) – contract performance / pre-contractual steps |
| Personality assessment | Creating your Big Five personality profile to personalize destination recommendations | Art. 6(1)(a) – your explicit consent; Art. 9(2)(a) for psychological data |
| Custom itinerary creation | Designing your personalized travel plan | Art. 6(1)(b) – contract performance |
| AI-assisted itinerary design | Using AI tools to assist in researching and drafting your itinerary (all output is manually reviewed and curated by a human) | Art. 6(1)(b) – contract performance; Art. 6(1)(a) – consent for personality data input |
| Payment processing (Stripe) | Processing your payment securely | Art. 6(1)(b) – contract performance |
| Invoicing and accounting | Issuing invoices and complying with Romanian fiscal law | Art. 6(1)(c) – legal obligation (Law 82/1991, Romanian Fiscal Code) |
| Email marketing (GetResponse) | Sending newsletters, travel tips, and promotional content | Art. 6(1)(a) – your consent (opt-in) |
| Free itinerary lead magnet | Delivering the free mini itinerary and adding you to our mailing list | Art. 6(1)(a) – your consent |
| Google Analytics 4 | Analyzing website usage to improve our content and services | Art. 6(1)(a) – your consent (via cookie banner) |
| Server log files | Ensuring website security, detecting abuse | Art. 6(1)(f) – legitimate interest (IT security) |
| WooCommerce shop orders | Fulfilling your product orders and managing your purchase history | Art. 6(1)(b) – contract performance |
| Social media interaction | Responding to messages and managing our public pages | Art. 6(1)(f) – legitimate interest (customer communication) |
5. Profiling and Automated Decision-Making
Our Personality-Driven Destination Matching service involves profiling within the meaning of Art. 4(4) GDPR: we evaluate your personal aspects (specifically, your Big Five personality traits) to make personalized travel recommendations.
Important: No fully automated decisions are made about you. Your personality assessment results are always reviewed, interpreted, and applied by a human travel designer (Andrei). AI tools may assist in researching destinations and drafting itinerary content, but every recommendation is curated and finalized by a human before delivery to you. You are never subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22 GDPR).
You have the right to:
- Object to profiling at any time (see Section 10)
- Request information about the logic involved in the profiling
- Withdraw your consent for personality data processing at any time, which will result in the deletion of your personality profile
6. Cookies and Tracking Technologies
Our website uses cookies. A cookie is a small text file stored on your device when you visit a website. We categorize cookies as follows:
6.1 Strictly Necessary Cookies
These cookies are essential for the website to function and cannot be disabled. They include WordPress session cookies, WooCommerce cart cookies, and cookie consent preference cookies. These cookies do not require your consent.
6.2 Analytics Cookies
We use Google Analytics 4 to understand how visitors use our website. These cookies are placed only after you provide consent via our cookie banner. You may refuse or withdraw consent at any time by adjusting your cookie preferences.
Google Analytics cookies include: _ga, _ga_[container-id]. These cookies collect anonymized usage data and are retained for up to 14 months.
6.3 Marketing/Advertising Cookies
If we use social media pixels (e.g., Meta Pixel, Pinterest Tag) or advertising cookies in the future, these will only be placed with your explicit prior consent. As of the date of this policy, we will clearly indicate in the cookie banner which marketing cookies, if any, are active.
6.4 Your Cookie Choices
When you first visit our website, a cookie consent banner will appear allowing you to:
- Accept all cookies
- Reject all non-essential cookies
- Customize your preferences by category
You can change your cookie preferences at any time by clicking the cookie settings link in the footer of our website. You can also delete cookies directly through your browser settings.
7. Data Recipients and Processors
We share your personal data with the following categories of recipients, acting as data processors on our behalf under Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR:
| Processor / Service | Purpose | Location | Safeguard |
|---|---|---|---|
| Hostinger (UAB Hostinger) | Website hosting and server infrastructure | EU (Lithuania) | GDPR-compliant; DPA in place |
| Google LLC (Analytics, Calendar, Maps) | Website analytics, discovery call scheduling, itinerary maps | USA | EU-US Data Privacy Framework; SCCs |
| Stripe, Inc. | Payment processing for services and shop purchases | USA | EU-US Data Privacy Framework; SCCs; PCI DSS certified |
| GetResponse S.A. | Email marketing, newsletters, and automated email sequences | Poland (EU) | GDPR-compliant; DPA available in-app; Bureau Veritas certified |
| WooCommerce / Automattic, Inc. | Online shop platform and order management | USA | EU-US Data Privacy Framework; SCCs |
| Gravatar / Automattic, Inc. | Displaying commenter profile pictures (if applicable) | USA | EU-US Data Privacy Framework |
| AI service providers | Assisting with destination research and itinerary drafting (data is anonymized/pseudonymized where possible; all output is human-reviewed) | USA/EU | DPA and SCCs; data minimization applied |
| Akismet / Automattic, Inc. | Comment spam detection (if blog comments are enabled) | USA | EU-US Data Privacy Framework; SCCs |
We do not sell your personal data to any third party. We do not share your data with third parties for their own marketing purposes.
We may also disclose personal data to competent authorities (e.g., ANAF for tax records, courts) when required by Romanian or EU law.
8. International Data Transfers
Some of the data processors listed in Section 7 are located outside the European Economic Area (EEA), primarily in the United States.
For each transfer, we ensure an adequate level of protection through one or more of the following safeguards (Art. 46 GDPR):
- EU-US Data Privacy Framework (DPF): We verify that the US-based provider is certified under the DPF, which has been recognized by the European Commission as providing an adequate level of protection (Adequacy Decision of 10 July 2023).
- Standard Contractual Clauses (SCCs): Where DPF does not apply, we use the European Commission’s standard contractual clauses as approved by Implementing Decision (EU) 2021/914.
- Supplementary measures: Where necessary, additional technical safeguards (encryption in transit and at rest, pseudonymization, access controls) are applied.
You may request a copy of the applicable safeguards by contacting us at contact@theversevoyager.com.
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The specific retention periods are:
| Data Category | Retention Period | Reason |
|---|---|---|
| Contact form inquiries (no service purchased) | 12 months from last contact | Legitimate interest; deleted if no engagement |
| Discovery call notes and pre-contractual data | 12 months if no service purchased | Pre-contractual purpose expires |
| Personality assessment data | Duration of your account + 6 months after account deletion or last service delivery, whichever is later | Consent-based; you may request earlier deletion |
| Client itinerary files and travel planning data | 3 years after service completion | Contract performance; potential warranty claims (Romanian Civil Code, Art. 2517) |
| Invoices, payment records, and fiscal data | 10 years | Romanian fiscal law (Law 82/1991, Art. 25) |
| Email marketing subscriber data | Until you unsubscribe + 30 days for processing | Consent; withdrawal processed promptly |
| WooCommerce order and purchase data | 5 years from order date | Legal obligation (fiscal records); contract |
| Google Analytics data | 14 months (anonymized) | Consent; anonymized data is not personal data |
| Server log files | 90 days | Legitimate interest (security) |
| Cookie consent records | 3 years | Accountability obligation (Art. 5(2) GDPR) |
| Blog comments (if applicable) | Until you request deletion | Consent; you may request erasure at any time |
After the applicable retention period expires, your data is securely deleted or anonymized. If deletion is technically not immediately possible (e.g., data in backups), we ensure the data remains protected and inaccessible until deletion is completed.
10. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data. You may exercise any of these rights free of charge by contacting us at contact@theversevoyager.com.
10.1 Right of Access (Art. 15)
You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of that data along with information about how it is processed.
10.2 Right to Rectification (Art. 16)
You have the right to have inaccurate personal data corrected and incomplete data completed.
10.3 Right to Erasure / Right to Be Forgotten (Art. 17)
You have the right to request the deletion of your personal data when it is no longer necessary for the purpose for which it was collected, when you withdraw consent, or when processing is unlawful. This right does not apply where retention is required by law (e.g., fiscal records).
10.4 Right to Restriction of Processing (Art. 18)
You have the right to request that we restrict the processing of your data in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful but you do not wish erasure.
10.5 Right to Data Portability (Art. 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV), and to transmit it to another controller.
10.6 Right to Object (Art. 21)
You have the right to object to processing based on legitimate interest (Art. 6(1)(f)). Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You have an absolute right to object to processing for direct marketing purposes at any time.
10.7 Right to Withdraw Consent (Art. 7(3))
Where processing is based on your consent (e.g., personality assessment, email marketing, analytics cookies), you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
To withdraw consent:
- Email marketing: click the “Unsubscribe” link in any email, or contact us
- Personality assessment: contact us to request deletion of your account and personality data
- Cookies: adjust your preferences via the cookie settings on our website
10.8 Right Not to Be Subject to Automated Decision-Making (Art. 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you. As described in Section 5, we do not make fully automated decisions about you.
10.9 Right to Lodge a Complaint
If you believe that we have violated your data protection rights, you have the right to lodge a complaint with the Romanian supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Address: B-dul G-ral. Gheorghe Magheru, Nr. 28–30, Sector 1, 010336 București, Romania
Website: www.dataprotection.ro
Email: anspdcp@dataprotection.ro
You also have the right to lodge a complaint with the supervisory authority of the EU Member State where you reside, work, or where the alleged infringement occurred.
10.10 How to Exercise Your Rights
To exercise any of the above rights, please send an email to contact@theversevoyager.com with the subject line “Data Subject Request.” We will acknowledge your request within 72 hours and respond substantively within 30 days. If we need additional time due to the complexity of your request, we will inform you of the extension (up to an additional 60 days) within the initial 30-day period, explaining the reasons for the delay.
We may ask you to verify your identity before processing your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction (Art. 32 GDPR). These measures include:
- HTTPS/TLS encryption for all data transmitted between your browser and our websites
- Encrypted password storage for personality assessment accounts (hashing)
- Access controls limiting personal data access to authorized personnel only
- Regular software updates for WordPress, plugins, and server software
- Two-factor authentication for administrative accounts
- Secure backup procedures with encrypted storage
- Data Processing Agreements with all processors ensuring equivalent security standards
While we strive to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ANSPDCP within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR.
If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34 GDPR), informing you of the nature of the breach, the likely consequences, and the measures we have taken or propose to take.
13. Children’s Data
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a child under 18 has provided us with personal data, please contact us at contact@theversevoyager.com and we will promptly delete the data.
14. Social Media
We maintain public pages on Facebook, Instagram, and Pinterest. When you interact with our pages on these platforms, the respective platform operator acts as a joint controller with us for certain data processing activities. Each platform has its own privacy policy:
- Facebook/Instagram (Meta): https://www.facebook.com/privacy/policy
- Pinterest: https://policy.pinterest.com/privacy-policy
We are not responsible for the data processing practices of these platforms beyond what is under our direct control.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or business operations. When we make material changes, we will:
- Update the “Last Updated” date at the top of this policy
- Post a notice on our website
- Where required, seek your renewed consent for any new processing activities
We encourage you to review this Privacy Policy periodically. The current version is always available at theversevoyager.com/privacy-policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
THE VERSE VOYAGER S.R.L.
Email: contact@theversevoyager.com
Phone: +40 745 088 208
Address: Str. Pitar Moș, Nr. 27, Etaj 5, Ap. 17, Sector 1, București, Romania
CUI: 54415570
Note: This Privacy Policy has been prepared to comply with Regulation (EU) 2016/679 (GDPR), Romanian Law 190/2018, and Law 506/2004. It is recommended that this policy be reviewed by a qualified legal professional before publication. This document does not constitute legal advice.
— End of Privacy Policy —