← Back to Waypath

Privacy Policy

Effective date: March 27, 2026

Waypath ("we," "our," or "us") operates the waypath.app platform and related services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, and API services.

1. Information We Collect

1.1 Account Information

When you create a Waypath account, we collect:

• Full name
• Email address
• Company name (if provided)
• Password (stored as a salted hash; we never store plaintext passwords)

1.2 Usage and Analytics Data

We automatically collect information about how you interact with our platform, including:

• Pages visited and features used
• Graph queries executed and API endpoints called
• Session duration and frequency of use
• Browser type, operating system, and device information
• IP address and approximate geographic location

1.3 Integration Data

When you connect third-party platforms through our integration system, we may access data from those platforms on your behalf. This includes but is not limited to:

• CRM platforms (HubSpot, Salesforce, Twenty): contacts, companies, deals, and activity records
• Marketing platforms (Customer.io, Mailchimp, SendGrid): campaigns, email events, and subscriber data
• Commerce platforms (Stripe, Shopify): transaction and customer data
• Social platforms (LinkedIn, Facebook, Instagram): engagement metrics and audience data
• Analytics platforms (Google Analytics): website traffic and conversion data

We access this data only to the extent you authorize via OAuth or API key connections, and only for the purpose of building your engagement correlation graph.

1.4 Customer Data You Process

Your Waypath workspace may contain personal data about your own customers, including names, email addresses, phone numbers, and behavioral data. You are the data controller for this information; Waypath acts as a data processor on your behalf.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Waypath platform
• Build and update your engagement correlation graph
• Perform identity resolution and cross-platform customer matching
• Generate AI-powered insights, opportunity scoring, and recommendations
• Authenticate your account and manage API access
• Send transactional communications (account confirmations, security alerts)
• Improve our platform, fix bugs, and develop new features
• Comply with legal obligations

3. Cookies and Tracking

Waypath uses the following types of cookies and local storage:

• Authentication tokens: JWT stored in localStorage to maintain your session
• Theme preferences: Your dark/light mode setting stored in localStorage
• Analytics cookies: To understand aggregate usage patterns and improve the platform

We do not sell your data to third-party advertisers or use tracking cookies for cross-site advertising.

4. Third-Party Integrations

Waypath connects to third-party services through OAuth and API key authentication. When you connect an integration:

• OAuth tokens are managed securely through our integration partner (Composio) and are never exposed to client-side code
• API keys you provide are encrypted at rest and accessible only within your workspace
• We only request the minimum permissions necessary for each integration
• You can disconnect any integration at any time, which revokes our access

Each third-party platform has its own privacy policy. We encourage you to review those policies before connecting integrations.

5. Data Sharing and Disclosure

We do not sell your personal information. We may share information in the following circumstances:

• Service providers: With vendors who assist in operating our platform (hosting, authentication, OAuth management), bound by data processing agreements
• Legal requirements: When required by law, regulation, or legal process
• Safety: To protect the rights, safety, or property of Waypath, our users, or the public
• Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users

6. Data Retention

• Account data: Retained for as long as your account is active. Upon account deletion, personal data is removed within 30 days.
• Workspace data: Graph data, CRM records, and integration data within your workspace are retained until you delete them or close your account.
• Usage analytics: Aggregated and anonymized analytics data may be retained indefinitely for product improvement.
• Backups: Encrypted backups are retained for up to 90 days after deletion for disaster recovery purposes.

7. Your Rights

7.1 GDPR Rights (EEA Residents)

If you are located in the European Economic Area, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate personal data
• Request erasure of your personal data
• Restrict or object to processing of your personal data
• Data portability (receive your data in a structured, machine-readable format)
• Withdraw consent at any time
• Lodge a complaint with your local data protection authority

7.2 CCPA Rights (California Residents)

If you are a California resident, you have the right to:

• Know what personal information we collect and how it is used
• Request deletion of your personal information
• Opt out of the sale of personal information (we do not sell personal information)
• Non-discrimination for exercising your privacy rights

7.3 Exercising Your Rights

To exercise any of these rights, contact us at support@waypath.app. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

8. Data Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS 1.3) and at rest (AES-256), secure authentication mechanisms, and regular security assessments. For more details, see our Security page.

9. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence. When we transfer data internationally, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) to ensure adequate protection.

10. Children's Privacy

Waypath is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. Your continued use of Waypath after changes take effect constitutes acceptance of the updated policy.

12. Contact Us