Privacy Policy
This text was prepared to be accurate for WayChat, but it is not legal advice. We recommend having it reviewed by a lawyer before launch.
1. Who processes your data (Data Controller)
The data controller is WayMaker, the provider of the WayChat app ("we", "us"). For any request regarding this policy or your data, write to: jett@waymakeragent.com.
No Data Protection Officer (DPO) has been formally appointed, as the conditions under Art. 37 GDPR do not apply. If this changes, we will update this policy.
2. What WayChat is (in short)
WayChat is a private, invite-only operations tool ("messaging cockpit") for WayMaker's travel managers and administrators. It brings guest conversations, trip itineraries, FAQs, and to-dos together in one place, and offers AI-assisted suggestions (draft replies and to-dos) that a human reviews before use.
WayChat is not a consumer app for the general public: access is granted by invitation to authorized staff and partners. There are no in-app purchases or subscriptions. Guests (travelers) do not log into WayChat; they communicate with WayMaker over WhatsApp, and their messages appear inside WayChat for authorized managers to handle.
3. Whose data, and what data we process
a) App users (managers and administrators)
- Account data: your email address and authentication credentials, used to sign up and log in via password or via an email sign-in link ("magic link"). Authentication is handled through Supabase Auth.
- Profile data: your full name, optional phone number, optional profile photo (avatar), and onboarding status.
- Role and access: your role (manager or administrator) and the trips or guests assigned to you.
- Content you create: notes, internal notes, to-dos, message drafts and edits, mentions, FAQ entries, uploaded itineraries and trip resources, and your personal message-style profile used to tailor AI-drafted replies.
- Device and push data: push notification tokens and the device platform (iOS/Android), used to deliver notifications.
- Essential technical identifiers: your account identifier, session tokens stored securely on the device, and minimal technical information needed for operation and security.
b) Guests / travelers (data of WayMaker's customers)
To let managers do their job, WayChat stores personal data about the guests WayMaker serves. This is data WayMaker processes as controller in the course of running its travel service:
- Guest identity and contact: name, WhatsApp phone number, language preference, and the trip and manager they are assigned to.
- Conversation history: the messages exchanged over WhatsApp (inbound and outbound), any attachments (e.g. documents or images and their file name/type/size), message status, WhatsApp message identifiers, and the templates used.
- Trip content: itineraries, resources, FAQs, and to-dos related to the guest's trip.
Guests provide this data by contacting WayMaker over WhatsApp and through their booking. If you are a manager entering data about a guest or a third party, you must have a lawful basis to do so and are responsible for the accuracy of what you enter.
c) AI-related data
When AI-assisted suggestions are generated, relevant content — such as the conversation, the itinerary/FAQ context, and the manager's style profile — is processed to produce a draft reply or to-do suggestion. We also create text embeddings (numeric representations) of FAQs and itineraries so managers can search them. We keep the original AI draft and a measure of processing volume (token count) for quality and auditing. AI suggestions are drafts only and are reviewed by a human before anything is sent.
4. Why we process it and on what legal basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide the app to authorized users, manage accounts, and let managers handle guest conversations, itineraries, and to-dos | Performance of a contract / legitimate interest — Art. 6(1)(b) & 6(1)(f) |
| Communicate with guests over WhatsApp and keep a record of those conversations to deliver the travel service | Performance of a contract with the guest / legitimate interest — Art. 6(1)(b) & 6(1)(f) |
| Generate AI-assisted draft replies and to-do suggestions and enable search over trip content | Legitimate interest in operational efficiency — Art. 6(1)(f) |
| Send operational push notifications (new messages, uploads, FAQ changes) | Legitimate interest — Art. 6(1)(f) |
| Ensure security, prevent abuse and fraud, detect and fix errors, and keep records for auditing | Legitimate interest — Art. 6(1)(f) |
| Comply with legal obligations (e.g. authority requests), where applicable | Legal obligation — Art. 6(1)(c) |
Providing your email and the content managers enter is necessary to use the app: without it the service cannot work.
5. Who processes data on our behalf (providers and sub-processors)
To provide the service we rely on trusted providers that process some data on our behalf, as processors or as independent controllers for their part:
| Provider | Role |
|---|---|
| Supabase | Database, authentication, and file storage (stores accounts, guest data, conversations, and uploads) |
| 360dialog | WhatsApp Business API provider — routes messages between WayChat and guests on WhatsApp |
| Meta Platforms (WhatsApp) | The messaging channel itself; guest messaging is also subject to WhatsApp's own terms and privacy policy |
| n8n (workflow automation, self-hosted on Elestio / Hetzner infrastructure) | Orchestrates WhatsApp message routing and AI suggestion requests; processes guest messages and conversation content. Hosted in the United States. |
| AI model provider [[confirm vendor]] | Generates AI-assisted draft replies and to-do suggestions and creates text embeddings for search |
| Monday.com [[confirm if used]] | Imports trip / project data into WayChat |
| Apple | App distribution via the App Store and push notification delivery (APNs) |
| Expo / EAS (Expo, Inc.) | App delivery, over-the-air updates, and push token infrastructure |
We do not sell your data and do not share it with third parties for marketing.
6. Where data is processed (transfers outside the EU)
Our primary database and authentication (Supabase) hold your data, and some of the providers listed above may process data outside the European Union / European Economic Area, for example in the United States. In particular, our workflow-automation layer (n8n), which routes WhatsApp messages and AI requests, is hosted in the United States, so guest conversation content is processed there. In such cases the transfer takes place with the appropriate safeguards required by Articles 44 et seq. of the GDPR, such as the Standard Contractual Clauses approved by the European Commission or any applicable adequacy decision. You can ask us for more information by writing to the controller.
7. How long we keep data
We keep account and content data for as long as your account is active and for as long as WayMaker needs it to operate the travel service. Guest conversations and trip data are retained for operational, quality, and record-keeping purposes and then deleted or anonymized. When an account is deleted, the associated user data is removed (see section 9). Some residual technical copies (e.g. backups or logs) may persist for a short time before final deletion, within the limits set by our providers.
8. Automated processing and AI
WayChat uses AI to suggest draft replies and to-dos and to power search. These suggestions do not produce legal or similarly significant effects on their own: a human manager reviews and decides what is actually sent or done. WayChat does not use your data for advertising or for profiling unrelated to operating the service.
9. Your rights
As a data subject you have the right to:
- access your data (Art. 15);
- rectification of inaccurate data (Art. 16) — managers can correct most data directly in the app;
- erasure ("right to be forgotten", Art. 17);
- restriction of processing (Art. 18);
- portability of your data (Art. 20);
- object to processing based on legitimate interest (Art. 21);
- withdraw consent, where processing is based on it, without affecting the lawfulness of prior processing.
To exercise these rights, write to jett@waymakeragent.com. If you are a guest and want to access or delete your data, contact WayMaker at the same address and we will act on it. You also have the right to lodge a complaint with a supervisory authority: in Italy, the Garante per la protezione dei dati personali (garanteprivacy.it).
10. How to delete your account and data
App users can request account deletion from within the app or by writing to jett@waymakeragent.com. Deletion removes your user account and personal profile data. Guest data and shared trip records that WayMaker must keep to run its service may be retained or reassigned as described in section 7, and can be deleted on request subject to legal retention limits.
11. No advertising, no ad tracking
WayChat does not show advertising, does not use your data to track you across other companies' apps or websites, and does not build advertising profiles. We do not use your data for purposes other than those described in this policy.
12. Security
We use industry-standard measures to protect data, including encrypted transport (HTTPS), access controls that limit each manager to the guests and trips they are authorized for, and secure storage of session tokens on the device. No system is perfectly secure, but we work to keep your data safe.
13. Children
WayChat is a professional tool intended for authorized adult staff and partners. It is not directed at children and does not knowingly collect their data. Guests interact with WayMaker over WhatsApp under WayMaker's booking terms.
14. Changes to this policy
We may update this policy over time. For significant changes we will update the date at the top of the page and, where appropriate, notify affected users. Please review it periodically.
15. Contact
Data controller: WayMaker — jett@waymakeragent.com