This policy explains what data Waypath collects when you use waypath.app, platform.waypath.app, docs.waypath.app, and our APIs. We collect what we need to run the agents and the workspace — nothing more. If you've used a product before, this should feel short.
01Scope
Applies to all visitors of Waypath sites, signed-in users of platform.waypath.app, and API consumers. Customer data your agents read from connected sources is governed by your Terms of Service and our Security page — not this policy.
02What we collect
Account data
- Name, work email, company, role you select at signup
- Workspace URL, billing email (separate, optional)
- OAuth identity provider you used (Google · Microsoft · GitHub · SAML)
Usage data
- Pages visited inside the platform; agent actions you take (fire, queue, mute)
- API calls — method, path, status, IP, timestamp; never request bodies
- Crash reports + performance traces; PII scrubbed before storage
Connector data
When you connect a source (CRM, billing, product analytics), Waypath receives the data you grant the connector access to. We hold the minimum derived state needed to run agents — see Data Model.
03How we use it
| Purpose | Data | Basis |
|---|---|---|
| Provide the service | account · connector · usage | contract |
| Security · abuse detection | usage · IP | legitimate interest |
| Improve the agents | derived state, aggregated | opt-in only |
| Send service email | contract | |
| Send marketing | opt-in only |
We do not sell your data. Ever. Model training on customer data is strictly opt-in and aggregated.
04How we share it
We share data with sub-processors that help us run Waypath. Each is contractually bound to our same standards.
| Provider | Purpose | Region |
|---|---|---|
| AWS | Hosting · storage | US-East-1 · EU-West-1 |
| Stripe | Billing | US |
| Vercel | Marketing site CDN | Global edge |
| Resend | Service email | US |
| Sentry | Error monitoring | US |
05Retention
- Account data — for as long as the workspace exists, plus 90 days after deletion request
- Connector data — held only while the connector is active; revoked → deleted within 30 days
- Logs — 90 days rolling
- Billing records — 7 years (US tax requirement)
06Your rights
Under GDPR, CCPA, and similar laws you have the right to access, correct, port, or delete your data. Email privacy@waypath.app from the address on file. We respond within 30 days.
07Cookies
The marketing site uses a single first-party cookie for session continuity. No analytics scripts, no ad pixels, no third-party trackers. The platform uses cookies required for auth + workspace state.
08International transfers
Data is hosted in the US by default. EU customers may select an EU region at workspace creation. Cross-border transfers rely on Standard Contractual Clauses + supplementary technical measures.
09Children
Waypath is a B2B product. We do not knowingly collect data from anyone under 18.
10Changes
We update this policy when material changes occur. Account admins receive 30 days' notice by email before any change becomes effective.
11Contact
Privacy: privacy@waypath.app
Data Protection Officer: dpo@waypath.app
Mail: Waypath Inc., 88 Lafayette St, New York, NY 10013, USA