WAYPOINT

PRIVACY POLICY

Last Updated: May 29, 2026


This Privacy Policy explains how Waypoint Automation Inc. ("Waypoint", "we", "us", "our") handles personal information when we provide our service (the "Service") to small business subscribers ("Subscribers"). It also explains how we handle the personal information of Subscribers' own customers and prospects ("End-Customers") that flows through the Service.

The Service is governed by the Subscription Agreement at waypointautomation.com/subscription-agreement and the Terms of Service at waypointautomation.com/terms. The SMS Policy at waypointautomation.com/sms-policy describes how SMS works for End-Customers (when they interact with a Waypoint-powered business) and for internal recipients (Account Owners and Authorized Users of a Subscriber business who receive operational lead-alert SMS from Waypoint). This Privacy Policy is incorporated into and forms part of those agreements. Capitalized terms used but not defined in this Privacy Policy have the meanings given in the Subscription Agreement §1 (Definitions).

If you are a Subscriber, this Privacy Policy describes both (i) how we collect and use your information as a customer of Waypoint, and (ii) how we process your End-Customers' personal information on your behalf.

If you are an End-Customer (i.e., you called, texted, web-chatted, emailed, or submitted a form to a business that uses Waypoint), this Privacy Policy describes how Waypoint processes your information on the Subscriber's behalf, and points you to the Subscriber's privacy notice (which may be the Subscriber's own privacy policy or a Waypoint-hosted notice referencing this Privacy Policy) for the Subscriber-as-controller decisions about your data.

Quebec note. Subscribers (the businesses that use Waypoint) must be located in Canada outside the Province of Quebec, per Subscription Agreement §2(4). End-Customers may be located in any province (including Quebec) or in any other jurisdiction; the geographic restriction is on Subscribers, not End-Customers. Where Waypoint processes personal information of Quebec End-Customers, Waypoint has direct obligations under Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25), addressed at §7.4.

Not for emergency response. The Service is not designed for, and should not be relied upon for, emergency response. The Service is designed to surface an automated reminder to contact 911 or local emergency services directly when it detects life-safety language in an End-Customer's SMS or web chat message. This reminder is not Subscriber-configurable. For inbound email and Zapier-form channels, the Service does not send an automated reply to the End-Customer; instead, an emergency-flagged alert is sent internally to the business so they can follow up. Because the Service relies on automated detection, it may not identify every situation and should not be relied upon — in an emergency, contact 911 directly.

1. Scope and Roles

Privacy law in Canada distinguishes between an organization that decides why and how personal information is processed (the "controller") and an organization that processes personal information on a controller's instructions (the "processor"). Waypoint plays both roles:

1.1 Waypoint as Controller of Subscriber-Account Data

For data Subscriber provides to Waypoint about Subscriber and Subscriber's Account — including Subscriber's business name, owner contact information, billing data, business description, Authorized User credentials, and the Account Owner's and each Authorized User's SMS-alert consent records — Waypoint is a controller. Waypoint decides why and how this data is processed. Subscribers have rights described in §7.2 with respect to this data. Where Subscriber-Account data (such as the canonical business summary, Subscriber's pricing-posture and address-collection toggles, or Subscriber's quick-response templates) is used as input to Waypoint's AI system prompt that handles End-Customer interactions, Waypoint executes that AI call on Subscriber's configured behalf; the controller relationship between Subscriber and End-Customer remains as set out in §1.2.

1.2 Waypoint as Processor of End-Customer Data

For End-Customer personal data we process on Subscriber's behalf via the Service — including phone numbers, voice content, voicemail audio, SMS content, web chat content, email content, Zapier-inbound form data, image attachments, and AI-derived inferences about End-Customers — Subscriber is the controller and Waypoint is a processor acting under Subscriber's instructions. Subscriber decides why End-Customer data is processed (because Subscriber chose to use the Service for the Subscriber's business) and Waypoint processes that data on Subscriber's behalf.

1.3 Subscriber's Notice and Consent Responsibilities

Because Subscriber is the controller of End-Customer data, Subscriber is responsible for providing notices to and obtaining consents from End-Customers required by applicable privacy law (including PIPEDA, BC PIPA, and any applicable provincial regime) for Waypoint to lawfully process End-Customer personal information under Subscriber's instructions. The full obligation is at Subscription Agreement §5.3 and §5.4. For the Waypoint Link web chat surface specifically, Waypoint operates a click-through acceptance gate at the start of each chat session under which the End-Customer affirmatively agrees to the Terms of Service and this Privacy Policy; the acceptance is timestamped and recorded as a forensic artifact in Waypoint's consent ledger (see Terms of Service §9A). Waypoint is the controller of the click-through consent ledger — the ledger is Waypoint's own CASL / PIPEDA compliance-defence evidence, retained per the schedule at §6.1; End-Customer deletion requests (whether routed through Subscriber or submitted directly to Waypoint per §7.1) do not override Waypoint's retention of this consent record.

2. What We Collect

2.1 Subscriber-Account Data (Waypoint as Controller)

We collect the following categories of data about Subscribers:

2.2 End-Customer Data (Waypoint as Processor on Subscriber's Behalf)

The data we collect about End-Customers depends on the channel through which the End-Customer reached Subscriber.

SMS / Voice channel. When an End-Customer calls Subscriber's business, we collect: the End-Customer's phone number; Twilio's call-detail record (call timestamps, duration, disposition); voicemail audio if the End-Customer left a voicemail with audible content; the voicemail transcript if Subscriber has voicemail AI triage enabled (see §12); SMS message content for any conversation that follows a missed call; MMS images attached to SMS conversations; extracted qualification fields (customer name, service type, urgency, job description, optional service address); AI-derived inferences for SMS qualification (model reasoning text and a short conversation summary); AI-derived inferences for AI-triaged voicemails (a revenue-likelihood signal, a binary urgency signal, model reasoning text, and a short summary); a caller-recognition flag (new caller, returning caller, known contact); and the End-Customer's opt-out status.

Waypoint Link web chat channel. When an End-Customer interacts with the Waypoint Link web chat (wypt.ca/<slug> or an embedded widget on Subscriber's site), we collect: an anonymous browser session ID (retained per the web-session-metadata schedule at §6.1); typed message content; extracted fields (name, phone, email, optional service address — the browser carries no transport identifier, so all four fields are extractable); uploaded photos (stored for display to Subscriber; not analyzed by AI per §13.1); the browser's user-agent string (which identifies the browser and device type) and the embedding site's origin host; IP address (used only for rate-limiting and abuse detection); and cookies (see §2.3). To flip a web chat inquiry to qualified status, the chat must capture a contactable identifier — a phone number, or an email address if the End-Customer volunteers one; absent a normalizable phone number or a usable email, the inquiry remains in pre-qualified state and may be force-closed with a polite redirect to call the business directly.

Email inbound channel. When an End-Customer emails Subscriber and the email forwards to Subscriber's Waypoint inbound address, we collect: sender email address and display name; the Sinch (Mailgun) transport sender and the extracted original sender if the email was forwarded; the subject line; the plaintext body (up to 64 KB stored in our database); the sanitized HTML body (stored in object storage); the raw .eml (or a synthesized .eml envelope if Sinch (Mailgun) delivered the payload urlencoded); thread metadata (thread ID, In-Reply-To, References); image attachments (filename, MIME type, file size, and the actual image bytes stored in object storage; not analyzed by AI per §13.1); and AI-triage output (classification across nine categories, sender resolution, extracted facts, body-citation evidence used to ground the classification, PII flags, summary, model and version metadata).

For inbound emails with non-image attachments — PDFs, DOCX, XLSX, and similar — we do not store the attachment bytes. We record only the filename, MIME type, and file size as metadata, and the dashboard displays a "Not processed" indicator. See §13.2.

Zapier inbound channel. When an End-Customer fills out Subscriber's source form (a Facebook Lead Ad form, a Google Form, a website form builder, a Thumbtack or HomeStars form, etc.) and Subscriber has piped the lead through Zapier or comparable integration to Waypoint's inbound webhook, we collect: whatever Subscriber's source form collected (typically the End-Customer's name, phone number, email address, service description, address if collected, and any marketing-attribution fields); a payload-hash record (for deduplication), received-at timestamp, source IP, internal trace ID, and payload-bytes count; and AI-triage output (extracted fields, urgency level, summary, title, is-lead flag).

Cross-channel canonical model. Once a lead enters the Service from any channel, we maintain canonical contact records: a contacts row per unique person per Subscriber, with multiple identity rows (one per phone, email, web session, or integration ID); contact interactions (write-once, append-only); contact merge candidates when phone/email recycle is detected; Subscriber-applied tags and notes on contacts; an immutable event ledger of system-level events; and per-attempt SMS/email delivery audit records.

2.3 Cookies and Similar Technologies

The Service uses a small set of cookies and similar technologies, all governed by the principle of "use the minimum necessary":

We do not use marketing or advertising cookies. We do not use cross-site tracking pixels.

3. What We Do With the Data

3.1 Operational Uses

We process data to (a) operate the Service for Subscriber, (b) qualify and classify End-Customer inquiries via the AI qualification and quality-control pipeline, (c) deliver operational lead-alert SMS to the Subscriber's Account Owner and Authorized Users, (d) display qualified leads on the Lead Inbox dashboard, (e) operate the Compliance Engine, (f) bill Subscriber, (g) provide customer support, (h) detect and prevent fraud, abuse, and security incidents, (i) diagnose technical issues, monitor the Service's availability and reliability, and improve Service quality, and (j) comply with applicable law.

Waypoint operates content classifiers and deterministic rules as quality-control layers on AI Output before delivery to End-Customers. These layers operate on the Service's own output and do not, themselves, render decisions about End-Customers.

3.2 AI-Derived Inferences — Use, Storage, Subscriber Decision-Making, and Rectification

For each qualified End-Customer conversation and each AI-triaged voicemail, we generate AI-derived inferences about the End-Customer that go beyond what the End-Customer explicitly said. These include:

(a) model reasoning text — explaining the AI's qualification or classification rationale (named reasoning on SMS/web qualification surfaces; ai_reasoning on the voicemail-triage surface; classification_evidence on the email-triage surface); (b) summary — a short natural-language summary of the interaction; (c) for AI-triaged voicemails only, a binary urgency_flag and a revenue_hint (likely_job / unclear / unlikely_job) — structured signals supporting Subscriber's prioritization; (d) for email-triage and Zapier-triage surfaces only, an urgency level (emergency / urgent / routine / low for email; emergency / urgent / normal / unknown for Zapier); (e) other structured-extraction fields — service type, customer name, service address, job description; (f) the lead-vs-not-lead determination (named is_lead on the Zapier surface; the email-triage 9-category classification serves the same function on the email surface; the SMS/web qualification status enum (continue / qualified / message / not_a_lead) serves the same function on those surfaces).

These inferences are presented to the Subscriber at the time the lead enters the Lead Inbox. Subscriber may use them to decide which leads to follow up on first and what tone to take. They are not Waypoint's final determinations of fact about the End-Customer; they are workflow signals (see Subscription Agreement §6.2 and §6.3).

End-Customer rectification. End-Customers who believe an AI-derived inference about them is incorrect may contact privacy@waypointautomation.com. Waypoint will work with the Subscriber to consider the request and, where appropriate, annotate the AI-derived inference with the End-Customer's correction (rather than deleting the original inference, which is an audit-trail artifact). The decision whether to re-run AI classification or supersede an inference is made on a case-by-case basis depending on the nature of the inference and the Subscriber's instruction. Subscribers may use the dashboard's per-lead notes feature to record corrections, disputes, or context that the AI-generated summary or classification missed. Where Waypoint relies on automated processing to make a decision about a Quebec End-Customer (notably the email triage classification and the AI-driven lead-vs-not-lead classification), the additional disclosure obligations in §7.4 apply.

We mention this here because we believe Subscribers and End-Customers are entitled to know that AI-generated inferences exist, persist on the record, and may be corrected.

3.3 What We Do Not Do With the Data

4. AI Models in the Critical Path

We use the following AI models to deliver the Service:

All AI calls use structured tool-use output — the AI is instructed to return a structured response of the form expected by the Service rather than free-form text. Anthropic, OpenAI, and AWS (via the Bedrock service terms) contractually prohibit training on data we submit via API; for Deepgram, we set the Model Improvement Partnership Program opt-out parameter on every transcription request, which excludes the request from training-data use and limits retention to the duration necessary to process the request (see §3.3 and Subscription Agreement §6.7).

AI provider failover. Each AI surface above is structured for reliability with a primary provider and, where engineered, a secondary failover provider. Routing between primary and secondary is determined automatically by Waypoint's availability-detection logic in response to upstream provider availability. Both primary and secondary providers are subject to the no-training framework at §3.3 and the cross-border-transfer commitments at §5 and §7.4. Customer-facing AI behavior — including hard-commitment customer-facing surfaces (AI identity disclosure, pricing deflection, 911 redirect) — is identical regardless of which provider serves a given call. If both the primary and secondary providers are unavailable for a customer-facing real-time channel (SMS qualification or Waypoint Link web chat), the Service does not generate an AI reply; the End-Customer instead receives a brief service-unavailable message directing them to contact the business directly by phone.

5. Cross-Border Data Transfers

Most personal information processed under this Privacy Policy stays in Canada. Specifically, our primary database and application hosting are at DigitalOcean's Toronto (TOR1) data centre. Some data crosses borders for the operational reasons set out below.

We contractually require each Sub-Processor to provide a level of protection comparable to that required under PIPEDA, consistent with the Office of the Privacy Commissioner of Canada Guidelines for Processing Personal Data Across Borders. Where Waypoint processes personal information of Quebec residents, additional cross-border-transfer assessment obligations under Quebec Law 25 article 17 also apply (see §7.4).

| Data | Location |
| --- | --- |
| Primary Postgres database (Subscriber accounts, End-Customer data, audit logs, event ledger), managed Valkey cache and queue layer (job payloads — including transient End-Customer phone numbers and message text — held for the lifetime of each queued job, typically seconds to minutes) | Canada (DigitalOcean Toronto data centre) |
| Object storage (MMS images, web-chat photo uploads, email-attachment images, voicemail audio, sanitized HTML email bodies, raw .eml files) | United States (Cloudflare R2 object storage, US East region) |
| AI processing — qualification, triage, content-compliance classifiers (Anthropic primary; AWS Bedrock secondary failover) | United States (Anthropic Claude API + AWS Bedrock US-region inference) |
| Voicemail audio transcription — only when voicemail AI triage enabled (Deepgram primary; OpenAI secondary failover) | United States (Deepgram API + OpenAI API) |
| SMS and voice carrier transit | United States (Twilio) |
| Email inbound routing | United States (Sinch (Mailgun)) |
| Billing | United States (Stripe — no End-Customer data flows here) |
| Error monitoring | United States (Sentry — with phone-number and email-address scrubbing applied at capture time) |
| Uptime monitoring | European Union (Germany) (BetterStack — no End-Customer data) |
| Cloudflare edge services (Waypoint Link, dashboard, and widget loader compute; Tunnel; Web Application Firewall; and Turnstile bot-protection token validation) | Global edge — Cloudflare's services run on a globally distributed network of points of presence (PoPs); a given request may transit through any country in which Cloudflare operates a PoP, including the United States, Canada, the United Kingdom, EU member states, Australia, Singapore, Japan, and many others. Data processed in transit at the edge is not retained at the edge; persistent storage of any personal information takes place in the locations specified for the relevant data category in this table. |

Where personal information is transferred outside Canada (including to the United States and the European Union as identified in the table above), it may be subject to the laws of the recipient jurisdiction, including the potential for lawful-access requests by government, regulatory, or law-enforcement authorities of that jurisdiction. Waypoint contractually requires each Sub-Processor to provide a level of protection comparable to that required under PIPEDA, and where Waypoint's transfer-impact assessment (see §7.4(b) for Quebec residents and the principles described above for all other End-Customers) identifies residual risk that cannot be mitigated through additional safeguards, Waypoint will not transfer personal information to that Sub-Processor for that purpose.

Alert SMS content cross-border note. Subscriber-side operational alert SMS (sent to Account Owners and Authorized Users when the Service processes an inbound lead — see SMS Policy §3A) may carry operationally necessary lead content in the SMS body: End-Customer name (when known), End-Customer phone number, service type, urgency classification, and where collected, service address and a short AI-derived inquiry summary. This alert-SMS content traverses Twilio's US carrier infrastructure on its way to the recipient, as set out for SMS in the table above. AI processing that produces the summary / urgency / service-type classification occurs at Anthropic (US, primary) and AWS Bedrock (US, secondary failover) per §4 and §8.

6. Retention and Deletion

6.1 Retention Schedule by Category

| Category | Retention period | Notes |
| --- | --- | --- |
| Voicemail audio (master file) | 90 days | Object-storage lifecycle plus database sweep. During Subscriber suspension, no voicemail recording occurs (per Subscription Agreement §15.2); this row applies to voicemail audio recorded while the Account was active |
| Voicemail transcript (when AI triage enabled) | 365 days | |
| MMS images and Waypoint Link web-chat photo uploads | 365 days | Object-storage lifecycle |
| Email-attachment images | 365 days | Object-storage lifecycle |
| Email body — actionable categories (new lead, quote request, urgent existing-job follow-up, unknown) | 365 days | Subject to extension only under a §6.3 legal hold |
| Email body — silent categories (scheduling, billing, spam, personal, auto-reply, non-urgent existing-job follow-up) | 30 days | Aggressive deletion; threading metadata is retained longer per the email-thread-metadata row below to preserve thread continuity |
| Email-attachment metadata (non-image) | 365 days | Filename, MIME, size only — no bytes |
| Email thread metadata (thread ID, In-Reply-To, References, subject line) | 730 days (2 years) | Thread message content (body and HTML) follows the applicable email-body row (actionable or silent); metadata is retained longer to preserve thread continuity for ongoing inquiries |
| SMS message events and SMS conversations | 365 days | |
| Web chat conversation content | 365 days | Includes typed messages and structured extracted fields; aligned with SMS conversation retention |
| Onboarding conversation transcripts | 730 days (2 years) | Audit-trail for canonical business summary capture and revision. Onboarding transcripts may incidentally capture End-Customer references in Subscriber's natural-language responses; Waypoint reviews onboarding transcripts for incidental End-Customer references in response to End-Customer DSAR requests under §7.1, and any End-Customer personal information identified is redacted from the retained transcript |
| Contact interactions | 365 days (database row) + 730 days (JSONL archive in object storage) | Database rows are deleted at 365 days; archive copies in object storage are retained for an additional 730 days (total horizon: 1095 days from creation) then deleted |
| Session audit events (PIPA s.34 compliance) | 365 days | |
| Trusted-device tokens (trusted_devices — new-device email step-up enrollment) | 90 days | Token hash only (no device fingerprint), row-level-security-locked; bounded-trust window after which a device must re-verify at login |
| Feed items (soft-deleted) | 90 days | |
| Email-channel records flagged for PII review | 90 days | Aggressive deletion |
| Event ledger (immutable system events) | 730 days (2 years) | Two carve-outs apply: (i) CASL opt-out records are retained for 1095 days from the date the opt-out was recorded, supporting the CASL section 33 due-diligence defence; (ii) safety-event records (events created when the platform detected a potential safety risk — for example, when the Tier-1 safety screening question fired or when an emergency lead alert was dispatched to a Subscriber's Account Owner) are retained indefinitely as forensic records and are not subject to standard event-ledger sweep. Either carve-out may be extended further under a §6.3 legal hold |
| Consent artifacts (CASL audit records) | 1095 days (3 years) | Retained from the date the consent was first established; CASL section 33 due-diligence-defence retention |
| Click-through consent ledger (Waypoint Link web chat acceptance records — see §1.3) | 1095 days (3 years) from acceptance | Waypoint-as-controller compliance-defence evidence; not subject to End-Customer deletion requests (whether routed through Subscriber or submitted directly to Waypoint per §7.1) |
| Signup-reaper audit records (hashed PII) | 1095 days (3 years) | Signup-attempt ledger; PII is hashed at write-time per §2.1; quarterly purge cron scrubs hashes after horizon |
| Contact records (contacts row) | Retained while at least one child interaction is still within retention horizon; effective horizon ~1095 days from last interaction. Orphan contacts (rows with zero identities, created as race-condition leftovers from concurrent identity-resolution) are swept on a 7-day grace window. | Not swept directly when identities are present. Contacts are removed bottom-up via cascade as their child interactions (conversations, voicemails, emails, web chats) reach their own retention horizons, preserving the audit lattice through the schema's foreign-key structure. Aligned with PIPEDA Principle 4.5 |
| Contact identity rows (contact_identities) | Retained alongside parent contact | Tied to parent contact via foreign-key cascade; same effective horizon as the parent contact |
| Contact tags and notes (Subscriber-applied) | Retained alongside parent contact | Subscriber-applied configuration; tied to parent contact |
| Contact merge candidates (contact_merge_candidates) | 365 days | Operational diagnostic for phone/email recycle detection |
| Per-attempt SMS, email, and SSE delivery audit records (delivery_audit_log) | 365 days | CASL audit-trail window; aligned with conversation/message retention |
| Web session metadata (user-agent string, IP address, embedding-site origin host, anonymous session ID) | Retained alongside web chat conversations | Not swept directly; web sessions age out via cascade from conversations and uploads. Aligned with web chat conversation content retention (365 days) |
| IP addresses (rate-limiting, abuse defense) | 24 hours (Valkey sliding window) | In-memory rate-limit defense store; not persisted to durable storage. Sliding-window TTL implemented via sorted-set keys in Waypoint's managed Valkey cache |
| Webhook payload log (webhook_log — Zapier, Twilio, Sinch (Mailgun), and Stripe inbound payloads) | 365 days | Inbound integration audit trail; native partitioning by month |
| Webhook idempotency-key dedup records (idempotency_keys — all four providers: Twilio, Sinch (Mailgun), Zapier, Stripe) | 90 days | Operational dedup; safety buffer over Twilio retry maximum (~4 hours) |
| Failed-job forensic ledger (dead_jobs — payloads of jobs that exhausted all retries, retained for post-mortem analysis; may incidentally include End-Customer phone numbers, message text, or other content from the originating channel) | 90 days | Operational post-mortem window. Subject to the same DSAR-purge and legal-hold framework as the underlying data |
| Call-event metadata (call_events — caller phone number, call timestamp, call duration, disposition, Greeting SMS dispatch event) | 1095 days (3 years) | CASL section 10(9)(a) read with 10(10)(e) inquiry-evidence retention; aligned with consent-artifact retention. Bifurcated from voicemail audio (90 days above) per PIPEDA Principle 4.5 — audio is operational; metadata is evidentiary |

Image thumbnail variants generated for dashboard display follow the same retention schedule as the originals they reference.

6.2 Post-Termination Retention

When a Subscriber's Account terminates (whether by Subscriber cancellation under Subscription Agreement §10.2 or by Waypoint termination under §10.3):

6.3 Legal Holds

Where Waypoint is required by law, regulation, or court order to retain Subscriber or End-Customer data, retention extends as required by the applicable obligation. Records of legal holds are maintained in our internal compliance log.

7. Data Subject Rights and Requests

7.1 End-Customer Requests

Because Subscriber is the controller of End-Customer data and Waypoint is the processor, the most efficient path for an End-Customer to exercise rights of access, correction, deletion, portability, or to withdraw consent is typically to contact the Subscriber directly (the business they were communicating with). The Subscriber decides how to respond and instructs Waypoint accordingly. On Subscriber's instruction, Waypoint provides the tooling described in §7.3 to fulfill the request.

An End-Customer may also contact Waypoint directly at privacy@waypointautomation.com to exercise these rights. Waypoint will acknowledge receipt of an End-Customer request promptly, and will substantively respond to the End-Customer within thirty days of receipt (consistent with the statutory floors at PIPEDA section 8(3), the Act respecting the protection of personal information in the private sector article 32, and BC PIPA section 29, where applicable), unless extended as permitted by the applicable privacy law. The substantive response will, as appropriate to the request, either (a) acknowledge receipt and route the request to the Subscriber for first-line response, where appropriate and where the End-Customer has not requested otherwise, or (b) respond to the request directly where Subscriber routing is not appropriate (for example, where the End-Customer is unable to identify the Subscriber, where the End-Customer prefers a Waypoint-direct response, or where the request relates to data-handling that is Waypoint's responsibility under this Privacy Policy). End-Customers in Quebec may also exercise rights directly against Waypoint as set out in §7.4.

For End-Customers using the Waypoint Link web chat, a "Data rights" link is visible in the chat surface footer at all times during the chat session; clicking it opens a brief explainer of access, correction, deletion, and withdrawal-of-consent paths, with privacy@waypointautomation.com as the operative contact.

7.2 Subscriber Requests

Subscribers may exercise rights of access, correction, deletion, portability, or consent-withdrawal in respect of their own Account data by contacting privacy@waypointautomation.com. We will respond within thirty days unless extended as permitted by applicable privacy law.

7.3 Waypoint DSAR Tooling

To support DSAR fulfillment, we operate three internal admin endpoints, gated to authorized administrators only:

All three operations log to the audit trail before the operation begins, and the audit record is retained for three years.

7.4 Quebec Personal Information

Subscribers (the businesses that use the Service) must be located in Canada outside Quebec, per Subscription Agreement §2(4). End-Customers, however, may be located in Quebec. Where Waypoint processes personal information about a Quebec resident on a Subscriber's behalf, Waypoint is itself subject to Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25), including without limitation:

(a) Automated-decision disclosure (Law 25, article 12.1). The article 12.1 obligations apply where personal information is used to render a decision about a Quebec End-Customer based exclusively on automated processing. The Service uses AI to characterize End-Customer inquiries (lead-vs-not-lead classification, email-channel triage, qualification field extraction); these characterizations feed Subscriber's review, and any decision producing a legal or significantly-affecting effect on the End-Customer is made by the Subscriber as a human reviewer, not by Waypoint's AI alone. Where Waypoint relies on automated processing to make a decision about a Quebec End-Customer (notably the email triage classification and the AI-driven lead-vs-not-lead classification, both of which determine whether the End-Customer's inquiry surfaces to the Subscriber), the affected Quebec End-Customer must be informed at or before the time of the decision and on request must be given (i) the principal personal information used to render the decision, (ii) the reasons leading to the decision and the principal factors and parameters that led to it, (iii) the right to have the personal information used to make the decision rectified, and (iv) the opportunity to submit observations to a member of Waypoint's personnel who is in a position to review the decision, as required by article 12.1, fourth paragraph. Waypoint operationalizes the (iv) observation-and-review right through privacy@waypointautomation.com: a Quebec End-Customer who wishes to contest an automated decision may submit observations to that address, and Waypoint's Privacy Officer or a designated reviewer will consider the observations and confirm, modify, or reverse the decision as appropriate. 
Waypoint's operational delivery of this disclosure is the hosted per-Subscriber notice page at waypointautomation.com/sub/<slug>/privacy-notice, which carries the automated-decision disclosure + Subscriber identity + access/rectification rights + automated-decision review rights + cross-border processing disclosure for each Subscriber's End-Customers regardless of channel. The Compliance Engine described in §3.1 operates as quality control on the Service's own output (deciding whether an AI reply meets safety and accuracy thresholds before it leaves the platform); it does not, itself, render decisions about End-Customers in the article-12.1 sense.

(b) Cross-border-transfer assessment (Law 25, article 17). Before transferring personal information about a Quebec resident outside Quebec, Waypoint must assess the adequacy of protection in the recipient jurisdiction. Waypoint's Sub-Processor list at §8.1 transfers Quebec End-Customer data to the United States (Anthropic, AWS Bedrock, Deepgram, OpenAI, Twilio, Cloudflare R2 ENAM, Sentry), to the United States (Sinch (Mailgun)) for email inbound routing, and to other jurisdictions (Stripe processes Subscriber-account data only and is excluded from this enumeration per SA §13.1(k)). Waypoint maintains a transfer-impact assessment addressing, at minimum: (i) the nature and sensitivity of the personal information transferred and the categories of Quebec residents affected; (ii) the legal regime of the recipient jurisdiction, including any government-access laws and the recipient jurisdiction's data-protection framework, evaluated against the principles of PIPEDA and Quebec Law 25; (iii) the contractual safeguards in place (the Sub-Processor's data-processing terms, training-prohibition commitments, security commitments, and incident-notification obligations); (iv) the technical safeguards in place (encryption at rest and in transit, access controls, isolation guarantees); (v) the organizational safeguards in place at Waypoint (least-privilege access, audit logging, retention discipline, incident-response procedure); and (vi) the residual risk to Quebec End-Customers after these safeguards are applied, weighed against the operational necessity of the transfer.

Waypoint maintains the transfer-impact assessment internally, with version control. The current version is dated and reviewed periodically and on the addition of any new Sub-Processor or on any material change in an existing Sub-Processor's data-processing terms, residency, or jurisdiction. Waypoint's Privacy Officer (see §7.4(d)) is responsible for the assessment, its periodic refresh, and version-history retention. Copies may be made available on reasonable request to a Quebec End-Customer or to the Commission d'accès à l'information du Québec, subject to reasonable preparation time and any redaction required to protect Sub-Processor confidentiality. Where the assessment identifies residual risk that cannot be mitigated through additional safeguards, Waypoint will not transfer Quebec End-Customer personal information to that Sub-Processor for that purpose.

Article 17 assessment before emergency substitution. Consistent with the article 17 requirement that the assessment be conducted before personal information is communicated outside Quebec, where an emergency Sub-Processor substitution under Subscription Agreement §13.4 would communicate Quebec End-Customer personal information outside Quebec, Waypoint will complete the article 17 transfer-impact assessment for the proposed substitute before routing Quebec End-Customer personal information to it. Until that assessment is complete, the affected Quebec End-Customer personal information will be queued, processing degraded, or routed only through an already-assessed Sub-Processor.

(c) French-language right of access (Quebec Law 25 + Charter of the French Language). Where a Quebec End-Customer contacts Waypoint directly to exercise a right under this §7, Waypoint will respond in the language of the request: a request submitted in French receives a French response; a request submitted in English receives an English response. A Quebec End-Customer who wishes to receive a French response regardless of the language of their request may indicate that preference in their submission (for example, by including the subject line "Demande en français" or equivalent French wording, or by stating the preference in the body of the request). On receipt of a French-language request or a French-language preference indication, Waypoint will route the request to its Privacy Officer (see §7.4(d)), respond in French — as required by the Charter of the French Language — within thirty days, consistent with the access/rectification response timeline at the Act respecting the protection of personal information in the private sector article 32 and the substantive timeline commitment at §7.1, and provide any data exported, summary information, or correspondence in French. Where translation of operational records (for example, English-language SMS or email content originally exchanged with the Subscriber) is reasonably necessary for the Quebec End-Customer to meaningfully exercise the right, Waypoint will arrange for translation, subject to a reasonableness limit that reflects the scope of the request and the size of the operational record set.

(d) Privacy officer designation (Quebec Law 25, article 3.1; PIPEDA Principle 4.1). Waypoint designates a Privacy Officer who serves as the person within Waypoint responsible for Waypoint's compliance with applicable privacy law (PIPEDA, BC PIPA, and Quebec Law 25 toward Quebec End-Customers), for handling data-subject requests under §7, for receiving and responding to privacy complaints, and for maintaining Waypoint's transfer-impact assessment under §7.4(b) and incident-notification records under §10. The Privacy Officer role is held by the individual then exercising the highest authority within Waypoint Automation Inc., consistent with Quebec Law 25 article 3.1 (which designates the person exercising the highest authority as Privacy Officer unless the function is delegated in writing). Where the Privacy Officer delegates Privacy Officer functions in writing, this Privacy Policy will be updated to reflect the delegation. Where the Privacy Officer is unavailable, no longer holds office, or is otherwise unable to perform Privacy Officer duties, a deputy is designated by the person then exercising the highest authority within Waypoint Automation Inc., and the deputy serves as acting Privacy Officer until a successor is named in writing and this Privacy Policy is updated to reflect the successor. The Privacy Officer (or acting Privacy Officer) may be reached at privacy@waypointautomation.com or by mail at the address in §17.

Quebec End-Customers may exercise the rights described in this §7.4 by contacting privacy@waypointautomation.com. Where the request relates to data Subscriber controls, Waypoint will work with Subscriber to facilitate a response. Waypoint's Law 25 compliance program operates independently of the Subscriber-Quebec eligibility carve-out at Subscription Agreement §2(4); Quebec End-Customer rights under §7.4 apply regardless of which Subscriber processed the End-Customer's information.

Subscribers acknowledge that, where Subscriber's End-Customer interactions involve Quebec residents, both Subscriber (as controller) and Waypoint (as processor) may have Law 25 obligations toward those End-Customers, and the parties will cooperate to facilitate Quebec End-Customer rights.

8. Sub-Processors and Change Notice

8.1 Current Sub-Processor List

We engage the following Sub-Processors to deliver the Service. The list is identical to Subscription Agreement §13.1.

(a) Anthropic, PBC (United States) — primary AI provider for AI qualification, voicemail triage, email triage, web qualification, onboarding-time business-profile capture, and content-compliance classifiers.

(b) Amazon Web Services, Inc. (United States) — AWS Bedrock secondary failover provider for the Anthropic-served AI surfaces in (a); engaged automatically when the primary provider is unavailable. Bedrock invokes Anthropic-published foundation models via AWS-managed infrastructure under cross-region inference profiles confined to United States regions; the model provider does not have access to prompts or completions routed through Bedrock.

(c) Deepgram, Inc. (United States) — primary provider for voicemail audio transcription, only when Subscriber has voicemail AI triage enabled.

(d) OpenAI, L.L.C. (United States) — secondary failover provider for voicemail audio transcription, engaged automatically when the primary provider is unavailable, only when Subscriber has voicemail AI triage enabled.

(e) Twilio Inc. (United States) — SMS and voice carrier transit, voicemail recording pre-storage.

(f) DigitalOcean, LLC (Canada — Toronto/TOR1 region) — primary Postgres database, managed Valkey (Redis-compatible) cache and queue layer (job payloads, including transient End-Customer phone numbers and message text, are held in Valkey for the lifetime of each queued job — typically seconds to minutes — before deletion), and application hosting.

(g) Cloudflare, Inc. (United States — ENAM region for object storage; global edge for compute) — object storage (R2 ENAM), edge compute (Workers), network protection (Tunnel, Web Application Firewall), and bot protection (Turnstile, validating End-Customer browser tokens at signup and web-chat entry).

(h) Sinch (Mailgun) (United States) — email inbound routing.

(i) Sentry, Inc. (United States) — error monitoring and exception capture (with phone-number and email-address scrubbing applied at capture).

(j) BetterStack (European Union — Germany) — uptime monitoring and incident routing (no End-Customer data).

(k) Stripe, Inc. (United States) — billing and payment processing for Subscriber-account data only; no End-Customer data is routed to Stripe.

Zapier is not listed above because it is not a Waypoint Sub-Processor: it is an integration the Subscriber configures on its own side to deliver leads into the Service (see §14). Waypoint is the recipient of data sent through the Subscriber's Zapier integration, not Zapier's customer; Zapier acts as the Subscriber's own service provider. Waypoint logs the inbound Zapier payload for the audit and deduplication purposes described in §6.1.

8.2 Sub-Processor Responsibility

Waypoint requires each Sub-Processor to commit to protecting personal information at a level comparable to that required under applicable Canadian privacy law, and Waypoint remains accountable under PIPEDA for personal information it transfers to a Sub-Processor for processing. Waypoint is not, however, a guarantor of any Sub-Processor's performance; as between Waypoint and Subscriber, Waypoint's responsibility for a Sub-Processor's acts and omissions is governed by, and subject to the limitations of liability in, the Subscription Agreement (see Subscription Agreement §11 and §13.2). Subscriber may also have a direct claim against the Sub-Processor where applicable law permits.

8.3 Change Notice

We will provide at least thirty days' prior written notice — by email to Subscribers' Primary Email Addresses and by updating the list above — before adding a new Sub-Processor or replacing an existing Sub-Processor with one that materially differs in residency or function. The Subscriber's right to object and the affected-portion termination remedy are set out at Subscription Agreement §13.3.

8.4 Emergency Substitution

We may substitute a Sub-Processor without thirty days' prior notice if (a) the existing Sub-Processor becomes insolvent or unavailable, (b) the existing Sub-Processor is the source of an active security incident, or (c) the existing Sub-Processor unilaterally pulls service. We will notify Subscribers as soon as commercially reasonable, and the change-notice and right-to-object mechanics in §8.3 apply prospectively.

9. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Our safeguards are calibrated to the sensitivity of the information processed, in accordance with PIPEDA Principle 4.7, and reflect that the Service processes elevated-sensitivity categories including voicemail audio, photos, AI-derived inferences, account credentials, and Sub-Processor session data.

Our current safeguards include:

Specific controls evolve as security best practices advance. Subscribers requiring additional detail for their own security review may contact security@waypointautomation.com.

No security regime can guarantee absolute protection. If a breach occurs, our response is governed by §10.

10. Security Incident Notification

10.1 Statutory Reporting

If we become aware of a breach of security safeguards involving personal information that creates a real risk of significant harm to an individual, we will:

(a) notify the affected individual or, where Waypoint acts as a processor, notify the Subscriber-as-controller so that the Subscriber may notify the affected individual; (b) notify the Office of the Privacy Commissioner of Canada as required by PIPEDA section 10.1; and (c) maintain a record of the breach as required by PIPEDA section 10.3,

all in accordance with the timeframes prescribed by applicable law.

10.2 Subscriber Notification SLA (Processor-Role Data)

Where the security incident involves End-Customer personal information that Waypoint processes on Subscriber's behalf, Waypoint will notify the affected Subscriber without undue delay after Waypoint confirms the incident, by (i) email to the Account Owner's Primary Email Address and (ii) where the incident is critical, telephone contact to the Account Owner. The notice will include the known facts of the incident, the affected categories of data, the mitigation steps Waypoint has taken or will take, and a contact point for follow-up. Waypoint will provide rolling updates as the investigation continues.

10.3 Quebec Reporting

Where the security incident involves personal information of a Quebec resident, Waypoint will report to the Commission d'accès à l'information du Québec and notify affected Quebec residents (or, in processor capacity, the Subscriber-as-controller) in accordance with article 3.5 of the Act respecting the protection of personal information in the private sector (as amended by Law 25) and any other applicable Law 25 requirements, in addition to any obligations under §10.1 or §10.2.

11. Children and Minors

The Service is not directed at children. We do not knowingly collect personal information directly from individuals under the age of sixteen, except as End-Customer data on Subscriber's behalf where the Subscriber-as-controller has determined the appropriate consent mechanism applicable to that End-Customer. Where Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25) applies, separate Quebec rules govern: under article 4.1, an organization may not collect personal information directly from a minor under 14 without consent of a person having parental authority or of the tutor (unless collection is clearly for the minor's benefit); for minors 14 years of age and over, the minor may consent personally, the person having parental authority may consent, or the tutor may consent. In all provinces, the Subscriber-as-controller is responsible for determining whether direct collection from a minor is appropriate for Subscriber's business and for obtaining required parental or guardian consents in accordance with applicable law. Separately, the Waypoint Link web chat and SMS messaging programs are not intended for individuals under the age of eighteen, as set out in the SMS Policy at §12.

Subscribers operating in industries that primarily serve minors are addressed at Subscription Agreement §3.6 (Hard-Exclusion Categories) and §3.7 (Industry-Regulated Subscribers). Subscribers whose services involve direct collection of personal information from minors are responsible for obtaining required parental or guardian consents in accordance with applicable law. Where the Subscriber's customer is a parent or guardian acting on behalf of a minor (including parents booking tutoring, lessons, coaching, or comparable services for their children), the parent or guardian is the End-Customer for purposes of this Privacy Policy and provides consent on the child's behalf as part of the parent's normal commercial interaction with Subscriber's business.

12. Voicemail AI Triage Toggle

Each Subscriber may enable or disable AI processing of voicemails left for that Subscriber's business. The default is enabled. When enabled:

(a) voicemail audio is transcribed by our voicemail transcription AI Sub-Processors (see §4 and §8.1 for vendor identity); and (b) the transcript and audio are classified, summarized, and routed to Subscriber as an AI-generated alert by our AI Sub-Processors (see §4 and §8.1 for vendor identity).

When the Toggle is disabled:

(a) voicemail audio is stored only for Subscriber's playback in the dashboard; (b) no transcription occurs; (c) no AI-generated summary or alert is produced; and (d) Subscriber receives a minimal "new voicemail" notification SMS pointing to the dashboard for playback.

The state of the Toggle at the time the voicemail is recorded governs processing. Voicemails recorded while the Toggle was disabled remain in audio-only state and are not retroactively processed by AI if the Toggle is later enabled.

Pre-recording notice to End-Customers (recording, AI processing, cross-border data transfer) is provided through the Subscriber's voicemail greeting. The Subscriber is the data controller for its own voicemail interactions and is responsible for the content of its greeting; see Subscription Agreement §5.5.

Voicemail AI processing requires the Subscriber to have set up a voicemail greeting. If a Subscriber has not recorded or uploaded a greeting, the Service refuses to take voicemail recordings — callers receive a busy signal rather than reaching voicemail, and no recording or AI processing of voicemail content occurs. This structural gate ensures that an End-Customer's voicemail can never reach AI processing without first traversing a Subscriber-authored greeting that carries the Subscriber's pre-recording notice.

The full operative provision is at Subscription Agreement §6.6.

13. Image Handling

13.1 Images We May Receive

End-Customers may submit images via three channels: as MMS attachments to inbound SMS conversations; as uploads to the Waypoint Link web chat; or as image attachments to inbound emails. In each case, the same handling applies:

The "no analysis" commitment refers to AI-driven content classification or AI-derived inferences from photo content. It does not preclude human review of an image where Waypoint becomes aware of a credible CSAM or abuse-complaint signal, or where human review is required to respond to law-enforcement contact, as set out in Terms of Service §4.2.

13.2 Non-Image Email Attachments

When an inbound email includes attachments other than images — PDFs, DOCX files, XLSX files, ZIP archives, and similar — we do not store the attachment bytes. We record only the filename, MIME type, and file size as metadata, and the dashboard displays a "Not processed" indicator for that attachment. We make this honesty statement so Subscribers (and any End-Customers reading this Privacy Policy) know that we do not retain copies of non-image attachments and cannot return them as part of a data-subject request beyond the metadata we hold.

14. Zapier Inbound Channel — CASL-Safe Posture

When a Subscriber routes inbound leads to Waypoint via the Zapier inbound webhook, we receive lead data from Zapier — typically the End-Customer's name, phone, email, and inquiry details — we triage the lead via AI classification, and we surface the lead to Subscriber via the Lead Inbox dashboard and a Subscriber-facing alert SMS to Subscriber. We do not send any SMS to the End-Customer from this channel. End-Customers reaching Subscriber via a Zapier-piped form did not opt in to Waypoint's number — they opted in to Subscriber's form. Subscriber-initiated outbound contact to such End-Customers, if any, is Subscriber's responsibility under Subscriber's own consent basis.

15. Marketing Site and Public Website

The marketing website at waypointautomation.com describes the Service. We do not use marketing cookies, advertising cookies, or cross-site tracking on the marketing website. If we add a contact form, blog, or other data-collection surface in the future, we will update this Privacy Policy to disclose what we collect and why.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes (changes that adversely affect Subscribers' or End-Customers' rights, expand the categories of data we collect, expand the purposes for which we use data, or add a Sub-Processor in a materially different residency or function) will be notified to Subscribers by email to Subscribers' Primary Email Addresses and posted on Waypoint's website at least thirty days before the effective date. For End-Customers, who do not have a direct contractual relationship with Waypoint, the Website posting and the updated "Last Updated" date at the top of this Policy are the operative notice mechanism. The "Last Updated" date reflects the most recent revision.

17. Contact

For questions about this Privacy Policy, or to exercise a right under §7, please contact our Privacy Officer at privacy@waypointautomation.com, or by mail to:

Waypoint Automation Inc.
1354 Pandora Avenue
Victoria, British Columbia V8R 1A2
Attention: Privacy Officer

If your request concerns an End-Customer inquiry handled for a Subscriber, please include the phone number, email address, approximate date of the inquiry, and the business name (if known) so we can identify the relevant Subscriber and record. Quebec End-Customers may exercise rights under §7.4 by the same email or mail contact.

Subscribers and End-Customers may also contact regulators directly: