Waymaker Privacy Policy

1.1 Platform Coverage

This Privacy Policy applies to all Waymaker applications and services, including:

• •Academy: Learning management system and training platform
• •Advisor: AI-powered strategic guidance and business consulting tools
• •Commander: Executive dashboard, analytics, and reporting suite
• •Help: Documentation and support portal
• •Waymaker One: Central platform hub, user management, and administration
• •Waymaker One API: API services for AI coordination and integrations
• •Waymaker Website: Our marketing website at waymaker.io

1.2 Who This Policy Applies To

This policy applies to:

• •Individual Users: Anyone who creates an account or uses Waymaker
• •Organization Members: Users who access Waymaker under an organization account
• •Guests: External collaborators invited to specific projects or documents
• •Partners: Business consultants and advisors using our partner program
• •API Developers: Users who access our API services
• •Website Visitors: Anyone who visits waymaker.io or related properties

2.1 Information You Provide Directly

3.1 Core Platform Services

4.1 Our AI Philosophy

Waymaker's OneAI Philosophy is built on transparency and user control:

"AI enhances but never requires."

• •All Waymaker features work without AI when credits are exhausted
• •You control your AI spending through credit-based consumption
• •No vendor lock-in—your software remains fully functional
• •We route requests to the most appropriate AI model automatically

4.2 What We DO with Your AI Data

Request Routing and Processing:

• •We receive your prompts and inputs to our AI features
• •We route requests through our Waymaker One API to appropriate AI models
• •We process responses to integrate them into your workflows
• •We track token consumption for billing purposes

4.4 AI Model Provider Relationships

OpenAI Integration:

• •We use OpenAI's API for AI capabilities (GPT-4o and GPT-4o Mini)
• •OpenAI's API does NOT use customer data for training per their API policies
• •Your inputs and outputs are processed transiently and not stored by OpenAI
• •We maintain Business Associate Agreement with OpenAI for data protection

5.1 Within Your Organization

Your organization administrators can access billing information and usage analytics. Team members can access content shared within the organization's workspace.

5.2 Service Providers and Processors

We share information with trusted third-party service providers:

Infrastructure and Hosting:

• •Supabase: Database, authentication, storage, and real-time services
• •Vercel: Web application hosting and deployment
• •Cloudflare: Content delivery and DDoS protection

Payment Processing:

• •Stripe: Payment processing, billing, and subscription management

AI and Machine Learning:

• •OpenAI: AI model inference and processing (API only, no training)

5.3 Legal Requirements and Safety

We may disclose your information when necessary to:

• •Comply with applicable laws, regulations, or legal processes
• •Enforce our Terms of Service or other agreements
• •Prevent fraud, abuse, or security incidents
• •Protect the safety of our users or the public

6.1 Data Storage and Processing Locations

Primary Locations:

• •Australia: Primary database hosting via Supabase (Sydney region)
• •United States: Secondary infrastructure via Supabase, Vercel, and service providers
• •Europe: CDN and edge computing via Cloudflare

6.2 Data Transfer Safeguards

Legal Mechanisms:

• •Standard Contractual Clauses (SCCs) for transfers from EU/EEA
• •Data Processing Agreements with all international service providers

Technical Safeguards:

• •Encryption in transit (TLS 1.3)
• •Encryption at rest (AES-256)

7.1 Security Measures

Technical Security:

• •Encryption in Transit: TLS 1.3 for all data transmission
• •Encryption at Rest: AES-256 encryption for stored data
• •Database Security: Row-level security (RLS) policies
• •Network Security: Firewalls, DDoS protection, intrusion detection

Access Controls:

• •Multi-Factor Authentication (MFA) available for all users
• •Role-Based Access Control (RBAC)
• •SSO Integration for enterprise customers

7.2 Your Security Responsibilities

• •Choose strong, unique passwords
• •Enable multi-factor authentication (MFA)
• •Do not share your credentials with others
• •Report suspicious activity to security@waymaker.io

8.1 Active Account Data

While your account is active, we retain your account information, content, usage logs, billing records, and communication history to provide ongoing service.

8.2 Retention After Account Termination

30-Day Grace Period:

• •Data enters a 30-day grace period for recovery
• •You can request data export or account reactivation

After 30 Days:

• •Deleted: Content, documents, files, personal configurations
• •Retained: Billing records, transaction history, legal documentation
• •Anonymized: Usage analytics and aggregated insights

8.3 Legal and Compliance Retention

• •Financial Records: 7 years (Australian tax law requirement)
• •Legal Documentation: Duration of agreement + 7 years

9.1 Access and Portability

You can access your personal information through your account settings and request a comprehensive data export in standard formats (Markdown, JSON, CSV).

How to Exercise: Account Settings → Privacy → Export Data, or email privacy@waymaker.io

9.2 Correction and Update

Update your profile information anytime or request we correct data we hold about you.

How to Exercise: Account Settings → Profile, or contact support@waymaker.io

9.3 Deletion and Erasure

Request deletion of your account and personal data. We will delete data within 30 days except where retention is required by law.

How to Exercise: Account Settings → Account → Delete Account, or email privacy@waymaker.io

9.4 Withdraw Consent

You can withdraw consent at any time for marketing emails, optional analytics, and third-party integrations.

10.1 What We Use

Essential Cookies (cannot be disabled):

• •Authentication: Session management and login persistence
• •Security: CSRF protection and fraud prevention

Analytics Cookies (can be disabled):

• •Usage analytics and performance monitoring

10.2 Managing Cookies

You can control cookies through your Cookie Consent Manager (accessible from footer or privacy settings) and browser settings.

11.1 Age Restriction

Waymaker is NOT intended for users under 18 years of age.

• •We do not knowingly collect information from individuals under 18
• •Our Terms of Service require users to be 18 or older

11.2 If We Learn of Children's Data

If we discover we have collected personal information from a child under 18, we will delete the information and terminate the associated account immediately.

If you believe your child under 18 has provided information to Waymaker, contact us at privacy@waymaker.io

12.1 Integrated Services

Waymaker may integrate with third-party services you choose to connect (productivity tools, project management, CRM systems, communication platforms).

• •These integrations require your explicit authorization
• •Third-party services have their own privacy policies
• •We are not responsible for third-party data practices
• •You can revoke integration access anytime in settings

12.2 Links to External Websites

Our platform and marketing may contain links to external websites. We do not control external websites and are not responsible for their privacy practices.

13.1 How We Update This Policy

We may update this Privacy Policy to reflect changes in our practices, services, applicable laws, or new features.

13.2 Notification of Changes

Material Changes:

• •Email notification to registered address
• •Prominent platform notice for 30 days
• •Summary of key changes

Continued use after changes constitutes acceptance of the updated Privacy Policy.

14.1 Privacy Inquiries

• •General Privacy Questions: privacy@waymaker.io (Response within 5 business days)
• •Data Rights Requests: privacy@waymaker.io (Response within 30 days)
• •Security Incidents: security@waymaker.io (Response within 24 hours)

14.2 Regulatory Authorities

If you are not satisfied with our response, you may lodge a complaint with:

• •Australia: Office of the Australian Information Commissioner (OAIC) - www.oaic.gov.au
• •European Union: Your local Data Protection Authority

15.1 Australian Privacy Principles (APPs)

For Australian users, we comply with the Privacy Act 1988 and APPs.

Your Rights:

• •Access your personal information
• •Correct inaccurate information
• •Make a complaint to the OAIC

15.2 European GDPR Rights

For EU/EEA users, we comply with the General Data Protection Regulation (GDPR).

Your GDPR Rights:

• •Right to access (Article 15)
• •Right to rectification (Article 16)
• •Right to erasure (Article 17)
• •Right to data portability (Article 20)
• •Right to lodge a complaint with supervisory authority

15.3 California Privacy Rights (CCPA/CPRA)

For California residents, we comply with the California Consumer Privacy Act (CCPA) as amended by CPRA.

Your CCPA Rights:

• •Right to Know: What personal information we collect, use, disclose
• •Right to Delete: Request deletion of your personal information
• •Right to Correct: Request correction of inaccurate information
• •Right to Non-Discrimination: Equal service regardless of privacy choices

15.4 UK GDPR Rights

For UK users, we comply with the UK GDPR and Data Protection Act 2018. Your rights are similar to EU GDPR rights.

Supervisory Authority: Information Commissioner's Office (ICO) - ico.org.uk