Effective Date: December 29, 2025
1. Information We Collect
We collect information you provide directly to us, such as when you create an account, use our services, or contact us for support.
Personal Information
- Name and email address
- Account credentials and authentication information
- Financial data you choose to input (budgets, transactions, goals)
- Communication preferences
Automatically Collected Information
- Device information and IP address
- Usage patterns and app interactions
- Security logs and access attempts
- Cookies and similar tracking technologies
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Process transactions and manage your account
- Send you technical notices and support messages
- Respond to your comments and questions
- Monitor and analyze usage patterns for security purposes
- Detect and prevent fraud and abuse
- Comply with legal obligations
AI Chat Feature - Local Storage Only
Important: Your conversations with Waypoint AI (Budget Coach) are stored exclusively in your browser's local storage and are never saved to our servers or database.
- No server storage - Chat messages remain on your device only
- Automatically cleared - Clearing your browser data will delete all chat history
- Not backed up - Chat history is not included in any backups
- Device-specific - Chat history is unique to each device/browser you use
- Fresh start - Each new device or browser starts with a clean conversation
Note: While messages are sent to Google's Gemini AI for processing, they are not stored or retained after the response is generated.
3. Information Sharing and Disclosure
We do not sell, trade, or otherwise transfer your personal information to third parties without your consent, except in the following circumstances:
- Service Providers: We may share information with trusted third parties who assist us in operating our service, conducting our business, or serving our users
- Legal Requirements: We may disclose information when required by law or to protect our rights, property, or safety
- Business Transfers: In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of the transaction
- Consent: We may share information with your explicit consent
Third-Party Service Providers
We use the following third-party service providers who may process your personal information:
Plaid Inc. (Bank Connection Service)
- Purpose: Securely connects to your financial institutions to retrieve transaction data (Waypoint Plus subscribers only)
- Data Shared: When you connect your bank, you provide your banking credentials directly to Plaid (not to us). Plaid then shares transaction details (date, amount, merchant, category) with us
- Data Storage: Plaid stores your banking credentials securely. We never see or have access to your banking login information
- Privacy Policy: plaid.com/legal/#consumers
Google Gemini AI (AI Budget Coach)
- Purpose: Processes your chat messages to provide AI-powered budget advice and financial guidance
- Data Shared: Chat messages and relevant budget context are sent to Google for AI processing
- Data Storage: Messages are processed but not stored or retained by Google after generating a response (subject to Google's privacy policy)
- Chat History: Stored locally in your browser only - we do not have access to your chat history
- Privacy Policy: policies.google.com/privacy
Stripe, Inc. (Payment Processing)
- Purpose: Processes subscription payments for Waypoint Plus
- Data Shared: Email, billing address, and payment method information
- Data Storage: Stripe securely stores your payment information. We never see your full credit card details
- Retention: Stripe may retain anonymized transaction records for 7 years for legal compliance (tax reporting, audits)
- Privacy Policy: stripe.com/privacy
Clerk (Authentication)
- Purpose: Manages user authentication, account creation, and login sessions
- Data Shared: Email, name, profile image (if provided), and authentication credentials
- Data Storage: Clerk stores authentication data securely on your behalf
- Privacy Policy: clerk.com/legal/privacy
Supabase (Database Hosting)
- Purpose: Stores all your financial data, budgets, transactions, and account information
- Data Location: Canadian servers (AWS Canada Central - Montreal region)
- Data Shared: All user data entered into the application
- Security: SOC 2 Type II certified for security and availability
- Privacy Policy: supabase.com/privacy
PostHog (Product Analytics)
- Purpose: Analyzes user behavior and product usage to improve the application
- Data Location: US servers (PostHog Cloud - US region)
- Data Shared: Pageviews, click events, user interactions, device information, IP address, geographic location
- Consent Required: Yes - requires opt-in via cookie consent banner
- Privacy Policy: posthog.com/privacy
Meta Pixel (Facebook Pixel)
- Purpose: Tracks advertising conversions and user engagement from Facebook/Instagram ads
- Data Shared: Pageviews, button clicks, sign-ups, bank connections, subscription purchases, device information, IP address, browser data
- Data Storage: Meta (Facebook) servers worldwide
- Consent Required: Yes - requires opt-in via cookie consent banner
- Used For: Measuring ad campaign effectiveness, creating remarketing audiences, optimizing ad delivery
- Privacy Policy: facebook.com/privacy/policy
Google Ads Conversion Tracking
- Purpose: Tracks advertising conversions and measures Google Ads campaign performance
- Data Shared: Pageviews, conversion events (sign-ups, subscriptions), device information, IP address, browser data
- Data Storage: Google servers worldwide
- Consent Required: Yes - requires opt-in via cookie consent banner
- Used For: Measuring ad effectiveness, conversion tracking, remarketing
- Privacy Policy: policies.google.com/privacy
Note: All third-party service providers are required to comply with applicable privacy laws and use your information only for the purposes described above.
4. Data Security
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit and at rest
- Regular security assessments and updates
- Access controls and authentication systems
- Monitoring and logging of system access
- Employee training on data protection
- Secure data centers and infrastructure
5. Data Retention and Account Deletion
We retain your personal information for as long as necessary to provide our services and fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
When You Delete Your Account
When you delete your account, we immediately remove your personal information from our systems, including:
- Your profile information (name, email, preferences)
- All budgets, transactions, and financial data you created
- Connected bank account information and settings
- Savings goals, financial goals, and custom categories
- Chat history with our AI Budget Coach (stored locally on your device)
Payment and Subscription Data
Important: If you have an active subscription, deleting your account will automatically cancel all subscriptions and remove your payment information from our payment processor, Stripe.
- Immediate cancellation - All active subscriptions are canceled when you delete your account
- Payment data removed - Your payment methods (credit cards, etc.) are deleted from Stripe
- Personal information cleared - Email, billing address, and customer profile are removed from Stripe
- Financial records retained - Transaction history may be retained by Stripe for legal compliance (tax reporting, audits) as required by law, typically for 7 years
- Anonymized records - Any retained financial records are anonymized and no longer linked to your identity
This retention of anonymized financial records is required by tax authorities and financial regulations in Canada and the United States, and is standard practice for all payment processors.
For any questions about data deletion or retention, please contact us at support@waypointbudget.com
6. Your Rights and Choices
You have the right to:
- Access and update your personal information
- Request deletion of your personal information
- Opt out of certain communications
- Request a copy of your data
- Withdraw consent for data processing
- File a complaint with privacy authorities
To exercise these rights, please contact us at support@waypointbudget.com
7. Analytics
We use analytics services to understand and improve your experience:
Vercel Analytics & Speed Insights
We use Vercel Analytics and Speed Insights to monitor basic website performance and traffic:
- Anonymous page views and visit counts
- Website performance metrics (load times, responsiveness)
- General traffic sources and referrers
- Device and browser types (aggregated)
No consent required: Vercel Analytics is privacy-first by design, uses no tracking cookies, collects no personal data, and cannot identify individual users. This is considered "strictly necessary" analytics for technical operation.
PostHog (Product Analytics)
- Purpose: Product analytics and user behavior insights to improve app functionality and user experience
- Data Collected: Pageviews, click events, user interactions, device information, IP address, geographic location (city/country), browser type, screen resolution, referrer URLs
- User Identification: Anonymous by default. Only creates user profiles when you're logged in (identified users)
- Features Enabled:
  - Autocapture: Automatically tracks clicks, button presses, and page interactions
  - Page Tracking: Records page visits and navigation patterns
  - Page Leave: Tracks when you leave a page
  - Session Recording: Disabled - we do NOT record your screen or keystrokes
- Data Storage: PostHog stores analytics data on US servers (PostHog Cloud - US region)
- Consent Required: Yes - PostHog analytics require your consent via our cookie banner. You can opt out at any time
- Cookies Used: PostHog uses cookies to track sessions and user behavior (see Cookie Policy for details)
- Privacy Policy: posthog.com/privacy
Opt-Out: When you decline analytics cookies via our cookie banner, PostHog tracking is disabled. You can change your preferences at any time via our Cookie Policy page.
Meta Pixel (Facebook Pixel) - Advertising Analytics
- Purpose: Measures effectiveness of our Facebook and Instagram advertising campaigns
- Data Collected: Pageviews, conversion events (sign-ups, bank connections, subscriptions), button clicks, device information, IP address, browser data
- Data Storage: Meta (Facebook) servers worldwide
- Consent Required: Yes - requires opt-in via cookie consent banner
- How We Use It: Track which ads bring visitors to our site, measure conversion rates, create remarketing audiences, optimize ad delivery
- Privacy Policy: facebook.com/privacy/policy
Google Ads Conversion Tracking - Advertising Analytics
- Purpose: Measures effectiveness of our Google advertising campaigns
- Data Collected: Pageviews, conversion events (sign-ups, subscriptions), device information, IP address, browser data
- Data Storage: Google servers worldwide
- Consent Required: Yes - requires opt-in via cookie consent banner
- How We Use It: Track Google Ads performance, measure conversion rates, create remarketing lists
- Privacy Policy: policies.google.com/privacy
Important: All advertising analytics (Meta Pixel, Google Ads) are disabled by default. They only activate when you explicitly accept analytics cookies via our cookie banner. You can withdraw consent at any time.
For more details about cookies we use, see our Cookie Policy.
8. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience, analyze usage, and improve our services. You can control cookie settings through your browser preferences.
We do not use cookies for advertising purposes or share cookie data with third parties for marketing purposes.
9. Children's Privacy
Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information.
10. Data Storage Location
Your Data Stays in Canada: Your data is stored on secure servers located in Canada (AWS Canada Central - Montreal region) through our database provider, Supabase.
- Data Location: All user data, including budgets, transactions, and financial information, is stored on servers in Canada
- Why: We use Supabase database hosting services for reliability, performance, and cost-effectiveness. Their Canadian data centers provide enterprise-grade infrastructure while keeping your data within Canada
- Privacy Protection: By storing data in Canada, your information is subject to Canadian privacy laws (PIPEDA) and protected by Canada's strong privacy framework
- No Cross-Border Transfers: Your financial data remains in Canada and is not transferred to other countries
Security Safeguards
We implement comprehensive security measures to protect your information:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using industry-standard TLS/SSL protocols
- Encryption at Rest: Your data is encrypted when stored in our database
- Access Controls: Strict authentication and authorization controls limit who can access your data
- SOC 2 Compliance: Our database provider (Supabase) maintains SOC 2 Type II certification for security and availability
- Regular Audits: We conduct regular security assessments and vulnerability scans
- Data Minimization: We only collect and store data necessary to provide our services
Your Rights Under Canadian Privacy Laws
Under PIPEDA and Canadian privacy laws, you have the right to:
- Know where your data is stored (disclosed above)
- Access and update your personal information
- Request deletion of your account and all associated data
- Request information about security measures protecting your data
- File a complaint with the Privacy Commissioner of Canada if you have concerns
For questions about data storage or to exercise your privacy rights, contact us at support@waypointbudget.com
11. Data Breach Notification
In the unlikely event of a data breach that poses a real risk of significant harm to you, we are committed to transparent and timely communication.
Our Commitment
If a data breach occurs:
- We will notify you as soon as reasonably possible via email to the address associated with your account
- We will notify the Privacy Commissioner of Canada as required by PIPEDA (Personal Information Protection and Electronic Documents Act)
- We will disclose:
  - What data was affected by the breach
  - What we are doing to address and contain the breach
  - Steps you should take to protect yourself
  - Contact information for questions or concerns
Your Rights
- Right to be informed about data breaches that may affect your personal information
- Right to file a complaint with the Privacy Commissioner of Canada if you believe your privacy rights have been violated
- Right to seek remedies under PIPEDA for any harm caused by a privacy breach
- Right to request details about the breach and the steps we are taking to prevent future incidents
Prevention Measures
We implement comprehensive security measures to prevent data breaches, including:
- 24/7 security monitoring and intrusion detection systems
- Regular security audits and penetration testing
- Employee training on data protection and security best practices
- Incident response plans and procedures
- Encryption of sensitive data both in transit and at rest
- Multi-factor authentication and access controls
If you believe your account may have been compromised, please contact us immediately at support@waypointbudget.com
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date". You are advised to review this Privacy Policy periodically for any changes.