Privacy Policy · Datenschutzerklärung
Information on the processing of your personal data · Art. 13 DSGVO
Controller · Verantwortlicher
The controller responsible for the processing of your personal data on this website (Art. 4 Z 7 DSGVO) is:
Dominik Ferstl
Maria-Telkes-Weg 9/4, 8200 Gleisdorf, Österreich
E-Mail: hello@wandr.ing
A statutory data protection officer (Datenschutzbeauftragter) is not required and has not been appointed. For any data-protection matter, contact the address above.
Overview · Überblick
WANDR builds a portrait of a person from a conversation and, on that basis, sources a physical object for them. We only process the data we need to run that service, and we name every processor below. We do not sell your data, and we do not use it for cross-site advertising.
Hosting & server logs
The site is hosted on Vercel. When you load a page, Vercel automatically processes technical access data (including your IP address, timestamp, requested URL, referrer, and user-agent) in server logs, as is technically necessary to deliver the site securely.
Legal basis · Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in a secure, functioning service).
Waitlist · the "notify me" field
If you enter your email into the waitlist, we email you a confirmation link and add you only once you click it (double opt-in). Until you confirm, the address stays unconfirmed and receives nothing further. After you confirm, your email is added to our email tool (Resend) so we can notify you when access opens.
As evidence that the address owner consented, we retain the signup and confirmation timestamps and the IP address used, together with your email (Art. 5 Abs. 2, Art. 7 Abs. 1 DSGVO — accountability).
You can withdraw at any time — reply to any email or write to hello@wandr.ing and we delete you from the list. Withdrawal does not affect processing already carried out.
Legal basis · Art. 6 Abs. 1 lit. a DSGVO (consent, evidenced by confirmed double opt-in).
The conversation · chat & profiling
The core of WANDR is a conversation. What you type is stored (the full transcript, a structured profile, and a short summary) and is sent to our AI provider, Anthropic (Claude), to generate the replies and build your portrait. The portrait is reused to source and personalise what we find for you.
Please do not share special-category data (Art. 9 DSGVO — e.g. health, religion, political views, sexuality). We never ask for it. If you volunteer such details in the free-text of the chat, we process them only as part of the message you chose to send, and you can have them erased at any time.
Legal basis · Art. 6 Abs. 1 lit. b DSGVO (steps toward and performance of the service you request); for any special-category data you volunteer, Art. 9 Abs. 2 lit. a DSGVO (your explicit, voluntary disclosure).
Security & abuse prevention
To keep the service usable and stop automated abuse, we process your IP address for rate-limiting (short-lived counters). We are additionally preparing a bot check (Cloudflare Turnstile) for the first message of a conversation; it is not yet active. When enabled, it will receive your IP address and a verification token, run invisibly for normal browsers, and set no advertising cookies; this notice will be updated.
Legal basis · Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in preventing abuse, fraud and automated attacks).
Orders, payment & delivery
When you place an order, payment is handled by Stripe. You enter your payment details directly with Stripe; we do not see or store full card numbers. We store your name, email, shipping address, order amount and payment status to process and account for the order.
To deliver the object, your shipping address is passed to the vendor or carrier that ships it. Shipments are sent blind (without WANDR branding), but the delivery address itself is necessarily disclosed to the party that hands over the parcel.
Legal basis · Art. 6 Abs. 1 lit. b DSGVO (performance of the contract); Art. 6 Abs. 1 lit. c DSGVO (retention of invoices/records under tax and commercial law).
Outbound email (receipts, login, service messages) is sent via Resend. Inbound email to any @wandr.ing address is forwarded by ImprovMX to a Google (Gmail) mailbox we read. If you email us, we process the content to answer you.
Legal basis · Art. 6 Abs. 1 lit. b / lit. f DSGVO (contract, or our legitimate interest in answering enquiries).
Account access · magic link
Passwordless login by emailed one-time link is prepared but not yet active. Once enabled, the login email and a short-lived, single-use token are processed solely to sign you in, and this section will be updated accordingly.
Analytics
We use Vercel Web Analytics and Vercel Speed Insights to understand aggregate traffic and page performance. Both are cookieless, do not use cross-site identifiers, and do not build a profile of you across other websites.
Legal basis · Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in a functioning, well-performing site).
Cookies & local storage
We use only what is strictly necessary: a functional cookie to remember that you have access, and browser localStorage to keep your current session on this device. During checkout, Stripe sets its own cookies for fraud prevention. Because these are essential, no consent banner is required; we set no advertising or tracking cookies.
Legal basis · Art. 6 Abs. 1 lit. f DSGVO; § 165 Abs. 3 TKG 2021 (storage strictly necessary for the service you requested).
Recipients & processors · Empfänger und Auftragsverarbeiter
We work with the following processors, each bound by a data processing agreement (Auftragsverarbeitervertrag, Art. 28 DSGVO):
USA · SCCs / EU-US Data Privacy Framework
Data hosted in the EU (eu-central, Frankfurt) · provider Supabase Inc., USA, SCCs
USA · SCCs / Data Privacy Framework
Ireland / USA · SCCs / Data Privacy Framework
USA · SCCs / Data Privacy Framework
EU / USA · SCCs
USA · SCCs / Data Privacy Framework
The vendor or carrier that ships a purchased object receives your delivery address as an independent recipient, solely to deliver it.
International data transfers · Drittlandübermittlung
Some processors are located in the USA. Where personal data is transferred outside the EU/EEA, the transfer is safeguarded by the EU Standard Contractual Clauses (SCCs) and/or the provider’s certification under the EU-US Data Privacy Framework.
Retention · Speicherdauer
- Waitlist email — until access opens or you withdraw.
- Conversation & portrait — kept to source and personalise for you; erased on request.
- Order, invoice & payment records — 7 years (§ 132 BAO, tax/commercial law).
- Security counters (IP) & bot-check tokens — short-lived; no message content.
Your rights · Ihre Rechte
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and to object (Art. 21). Where processing rests on consent, you may withdraw it at any time (Art. 7 Abs. 3) with effect for the future. To exercise any of these, email hello@wandr.ing.
You also have the right to lodge a complaint with the supervisory authority:
Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Wien
dsb@dsb.gv.at · www.dsb.gv.at
Changes · Änderungen
We update this notice when our processing changes (for example, when magic-link login or a new provider goes live). The current version always applies; see the date above.
Last updated · Stand: 1 July 2026