Privacy Policy
Last updated: July 3, 2026 · Effective date: June 16, 2026
Geographic Applicability
This policy applies to users in the United States and the United Kingdom. Data is processed and stored in the US under federal and state privacy laws, including COPPA and CCPA/CPRA for California residents. UK users are additionally protected by the UK GDPR and Data Protection Act 2018; see section 12 below.
Introduction
Waypoint EF (“we,” “us,” “our”) provides a home executive-function practice and school-evidence platform. This Privacy Policy explains how we collect, use, and protect information when you use our website and services.
We take children’s privacy seriously. Our Service is designed for parents and guardians of children ages 3–18 (and for teens 13–18 who may use the Service on their own behalf). We comply with the Children’s Online Privacy Protection Act (COPPA), as amended effective April 22, 2026.
1. Information We Collect
What You Provide
| Email address | Account creation | Login via one-time password (OTP), transactional emails |
| Email address (letter page) | Only if you opt in to follow-ups | Follow-up emails while you wait — the letter itself and the form fields are never stored |
| Child's nickname or initials | Onboarding | Personalize activities and evidence summaries (max 20 chars) |
| Child's age band | Onboarding | Select age-appropriate activities (3-6, 7-12, or 13-18) |
| Daily observation logs | Each day you log | Status, support level (0-3), focus rating (1-5), optional note |
| Phone number | Not currently collected | Text reminders are paused (email-only for now) — no phone numbers are requested while paused |
| Payment info | Checkout | Processed by Stripe — we never see or store card numbers |
What We Automatically Collect
Hashed IP address at consent events only (SHA-256 one-way hash; raw IP never stored).
What We Never Collect
These fields do not exist in our systems: child’s full name, date of birth, school name, condition labels or health records, photos/videos, precise geolocation, biometric data, Social Security Numbers. We do not use advertising SDKs or tracking pixels on child-data pages.
2. How We Use Your Information
- Provide the daily structured practice program
- Generate trend charts and evidence summaries
- Process payments and manage your account
- Send transactional emails
- Maintain consent records as required by law
We never advertise to you or your child, build behavioral profiles, sell or share personal information, or make claims about your child’s abilities or conditions.
4. Children's Privacy (COPPA)
For children ages 3–12, the parent is the user — children do not interact with the Service directly. For teens 13–18, the teen may use the Service with both parental consent and their own assent.
We obtain verifiable parental consent before collecting any child information through: account holder attestation (parent/guardian affirmation) and payment verification.
We never disclose child data to unrelated third parties, enable children to make information public, condition participation on excess data collection, or use child data for advertising.
5. Data Retention
| Daily observation logs | 24 months from log date | Automatically deleted |
| Evidence summaries | Until you delete or close account | Permanently deleted |
| Account data | Until you request deletion | Deleted within 30 calendar days |
| Consent records | Account life + 3 years | Legal evidence, then deleted |
| Follow-ups list email | Until you unsubscribe or request deletion | One-click unsubscribe in every follow-up; unsubscribing deletes the record |
| Phone number | Until STOP or account deletion | Cleared immediately |
| Audit records | 3 years | Permanently deleted |
| Deletion cooldown record | 30 days from account deletion | One-way email hash only (anti-abuse signup cooldown); swept by the daily retention job |
6. Your Rights
- Review: View all data about your child anytime via Settings.
- Export: One-click JSON export of all data in Settings.
- Delete: One-click permanent deletion. Hard-deletes all children, logs, reports. Completed within 30 days.
- Stop SMS: Reply STOP to any message. Immediate.
- Leave the follow-ups list: One click on the unsubscribe link in any follow-up email. Immediate, and it deletes your email from the list.
- Withdraw consent: Contact us or use the in-app deletion feature.
7. California Residents (CCPA/CPRA)
Right to know, right to delete, right to correct, right to opt out of sale/sharing (we don’t sell or share — already satisfied), right to non-discrimination.
8. Consumer Health Data (Washington MHMD and similar state laws)
Some state laws — Washington’s My Health My Data Act, Nevada SB 370, and others — define “consumer health data” broadly enough to reach information that relates to seeking support for a child’s development. We apply the strictest reading to everyone, in every state. We count as potentially in scope: an email submitted on the letter page (it can imply your family is seeking an evaluation) and parent-reported observation logs.
What we collect and why
Collected directly from you, never from third parties or data brokers, and used only to deliver what you asked for: the letter you build, the tracking service you pay for, and — only with a separate, never-pre-checked opt-in — follow-up emails. We never store the letter text or the letter-form fields.
Sharing and sale
Never sold, never shared for advertising, no ad-platform audience syncs, no tracking pixels. Email open/click tracking is disabled on our sends. Service providers (section 3) process data under contract, only on our instructions.
Retention
The letter itself: never stored. Follow-ups list email: kept until you unsubscribe or ask us to delete it. Observation data: the windows in section 5.
Your rights and how to exercise them
One-click unsubscribe in every follow-up email (unsubscribing deletes your email from the list); one-click deletion of all account data in Settings; or email privacy@waypoint-ef.com. We respond within 30 days and don’t require you to create an account to be heard.
Global Privacy Control
We honor the Global Privacy Control signal. Because we never sell or share personal data, the opt-out GPC requests is already every visitor’s default state; an opt-in you make yourself is unaffected, and you can undo it any time.
Affiliates
We have none. No affiliate receives consumer health data.
9. Security
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Email OTP authentication — no passwords stored
- Row Level Security (RLS) — each family sees only their data
- Service-role key restricted to server-side only
- MFA required for administrative access
- No raw IP addresses stored
- All sensitive actions logged in audit trail
10. Changes to This Policy
Material changes → email notification before they take effect. Expanded child data collection → new verifiable parental consent obtained first.
11. Contact
Email: support@waypoint-ef.com
For COPPA-related inquiries, you may also contact the Federal Trade Commission at ftc.gov.
12. UK customers (UK GDPR + Data Protection Act 2018)
Public UK launch pending
This section describes our committed state from the public UK launch onward. Several items (sub-processor IDTA execution, UK representative appointment, ICO registration) are in progress. Until launch is announced, UK signups are not open.
If you access the Service from the United Kingdom after public UK launch, this section applies to you in addition to the sections above.
12.1 Who we are
Waypoint EF is the data controller for the personal data we process about UK users. Contact: privacy@waypoint-ef.com. A UK representative will be appointed before public UK launch as required by UK GDPR Article 27 where applicable.
12.2 Lawful basis (UK GDPR Article 6)
- Consent— for SMS reminders + processing observational data about a child under 13 (UK GDPR Article 8).
- Contract— for providing the paid pilot service.
- Legal obligation— for retaining payment records under HMRC requirements.
12.3 Your rights under UK GDPR
- Right of access (Article 15) — one-month response window.
- Right to rectification (Article 16).
- Right to erasure (Article 17) — self-serve via Settings.
- Right to restriction of processing (Article 18).
- Right to data portability (Article 20) — ZIP export available.
- Right to object (Article 21).
- Rights related to automated decision-making (Article 22) — we do not use automated decision-making.
- Right to withdraw consent at any time (Article 7(3)).
- Right to complain to the ICO — ico.org.uk/make-a-complaint.
12.4 Children’s data (Article 8 + AADC)
The Service is parent-account-only (18+ to create). Data about a child is processed under the parent’s lawful basis. Where consent is the basis, the parent confirms parental responsibility at signup. We follow the ICO Age Appropriate Design Code; we publish our full standard-by-standard assessment and will provide a copy on request to privacy@waypoint-ef.com.
12.5 International data transfers
We use sub-processors (Supabase, Vercel, Stripe, Twilio, Resend) located in the United States. Transfers are protected by the Standard Contractual Clauses (EU Commission Decision 2021/914) with the UK International Data Transfer Addendum issued by the ICO under section 119A of the Data Protection Act 2018. Sentry and Upstash are pinned to EU regions; no transfer mechanism is needed for them.
12.6 Retention
Same windows as section 5 above. Payment records are held for 6 years per HMRC requirements; this overrides the general account-deletion window for the payment record alone.
12.7 Breach notification
We commit to notifying the ICO within 72 hours of becoming aware of a personal data breach per Article 33, and to notifying affected UK users without undue delay where Article 34 applies.
12.8 DPIA
A Data Protection Impact Assessment is filed (UK GDPR Article 35) and reviewed before material changes to processing. Available on request to UK users for the parts that are not confidential.
12.9 EHCP context
For UK users, the evidence summary we generate is intended to support an Education, Health and Care needs assessment request to your local authority under the Children and Families Act 2014 and the SEND Code of Practice 2015. We are not a regulated SEND service; we are a parent observation tool.
Parent/self-reported observation data. Not a medical or psychological evaluation, not a diagnosis, and not an IEP or 504 plan. Use it as supporting documentation with your school team or a qualified evaluator. Crisis? Call or text 988.