Privacy Policy

Who We Are

Waystone (“Waystone,” “we,” “our,” or “us”) is an AI-powered college counseling platform that helps students and families identify the right degree programs, schools, extracurricular strategies, and academic pathways to support their career goals. Our principal place of business is in the United States.

For purposes of applicable data protection law, Waystone is the “data controller” (or “business”) with respect to the personal information described in this policy.

Scope of This Policy

This Privacy Policy applies to all personal information collected through:

• The Waystone website and any subdomains (collectively, the “Site”)
• The Waystone web application and any related mobile applications
• Email, customer support, and other communications with us
• Any other service that links to or references this policy

This policy does not apply to third-party websites, services, or applications that may link to or be accessible from our platform, even if they are operated by our partners.

Information We Collect

3.1 Information You Provide Directly

When you create an account, use our application, or contact us, we may collect:

• Account information: name, email address, and password
• Student academic profile: student first name, current grade level, unweighted GPA, SAT/PSAT/ACT scores, state of residence, and intended career track
• Course and activity data: courses taken, extracurricular activities, certifications, sports, employment history, and other accomplishments you enter into the platform
• College preferences: school size, location preferences, ownership type, honors program interest, and target schools
• Payment information: when you purchase a subscription or report, payment details are collected and processed by our third-party payment processor. We do not store full credit card numbers.
• Communications: messages you send us through contact forms, email, or customer support channels

3.2 Information We Collect Automatically

When you access our Site or application, we automatically collect certain technical information, including:

• Log data: IP address, browser type and version, operating system, referring URLs, pages visited, and timestamps
• Device information: device type, screen resolution, and general hardware identifiers
• Usage data: features used, tabs visited, analysis runs, time spent in application, and interaction patterns
• Cookies and similar technologies: as described in Section 7 below

3.3 Information from Third Parties

We may receive information from:

• College Scorecard API (U.S. Department of Education): publicly available institutional data used to display school statistics within the platform
• Analytics providers: aggregated and anonymized usage statistics
• Payment processors: transaction confirmation and billing-related information

3.4 Information Stored Locally

Certain profile data may be stored in your browser’s local storage to enable the application to function across sessions. This data remains on your device and is transmitted to our servers when you explicitly save yoru profile or run the AI analysis. You can clear browser data at any time through your browser settings or the application’s “Clear saved data” function.

How We Use Your Information

We use the information we collect to:

AI-generated analysis: Student profile data — including GPA, test scores, activities, and career target — is submitted to a large language model (currently Anthropic’s Claude) to generate a counseling analysis. This transmission occurs at the moment you request an analysis and is subject to Anthropic’s privacy and data processing terms in addition to this policy. We do not use your personal profile data to train or fine-tune AI models without your separate, explicit consent.

Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal information under the following legal bases:

• Performance of a contract: Processing necessary to provide the services you have requested, including generating analyses and delivering reports
• Legitimate interests: Operating and improving our platform, preventing fraud, and ensuring security — where these interests are not overridden by your rights
• Consent: Marketing communications and any optional processing we disclose to you at the point of collection
• Legal obligation: Where we are required to process data to comply with applicable law

You may withdraw consent at any time where consent is the legal basis. Withdrawal does not affect the lawfulness of processing before withdrawal.

How We Share Your Information

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. We share information only in the following circumstances:

6.1 Service Providers

We work with trusted third-party companies to operate our platform. These providers are contractually obligated to protect your data and may only use it to perform services on our behalf. They include:

• AI processing: Anthropic, PBC (Claude API) — for generating counseling analyses
• Cloud infrastructure and hosting: (GoDaddy)
• Database services: PostgreSQL hosting providers
• Email delivery: SendGrid or Resend — for delivering analyses and transactional emails
• Payment processing: (Stripe) — for subscription and report purchases
• Analytics: aggregated, privacy-compliant analytics tools

6.2 Legal Requirements

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to: comply with a legal obligation; protect and defend the rights or property of Waystone; prevent or investigate possible wrongdoing in connection with our service; protect the personal safety of users or the public; or protect against legal liability.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our platform before your personal information is transferred and becomes subject to a different privacy policy.

6.4 With Your Consent

We may share your information for other purposes with your explicit consent.

6.5 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data — which cannot reasonably be used to identify you — for research, benchmarking, marketing, or other purposes.

Cookies and Tracking Technologies

We use cookies and similar technologies (such as local storage and session storage) to operate and improve our platform. These fall into the following categories:

Most browsers allow you to control cookies through their settings. Disabling certain cookies may affect the functionality of our platform. We do not respond to browser “Do Not Track” signals at this time, but we do honor the rights mechanisms described in Section 11.

Data Retention

We retain your personal information for as long as is necessary to provide our services and fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

• Account and profile data: Retained for the life of your account, plus up to 3 years after account closure to comply with legal obligations and resolve disputes
• Analysis reports: Retained for 2 years after generation, or until you delete them, whichever is sooner
• Payment records: Retained for 7 years as required by U.S. tax and accounting law
• Log data: Retained for up to 90 days for security and debugging purposes, then purged or anonymized
• Support communications: Retained for 3 years from the date of last contact

You may request deletion of your account and associated personal data at any time as described in Section 11. Note that we may retain certain information for legal compliance, fraud prevention, or as required to resolve disputes or enforce agreements.

Data Security

We implement commercially reasonable technical and organizational security measures designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These include:

• Encryption of data in transit using TLS (HTTPS)
• Encryption of sensitive data at rest
• Access controls limiting employee access to personal information to those with a legitimate business need
• API keys and credentials stored in server-side environment variables, never exposed in client-side code
• Regular security reviews of application code and infrastructure

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at the address in Section 18.

In the event of a data breach that triggers notification obligations under applicable law, we will notify affected users and relevant authorities as required.

Children’s Privacy and COPPA / FERPA

10.1 Age Requirements

Waystone is designed for use by students aged 13 and older and their parents or legal guardians. We do not knowingly collect personal information directly from children under the age of 13 without verifiable parental consent as required by the Children’s Online Privacy Protection Act (COPPA).

If you are a parent or guardian and believe that your child under 13 has provided personal information to us without your consent, please contact us immediately at the address in Section 18. We will promptly delete such information from our records.

10.2 Parental Consent for Minors

For students under 18, we strongly encourage a parent or legal guardian to review this policy and supervise the student’s use of the platform. By permitting a minor to use Waystone, parents and guardians consent to the collection and use of information as described in this policy.

10.3 FERPA Considerations

To the extent that any information provided through our platform constitutes “education records” under the Family Educational Rights and Privacy Act (FERPA), we acknowledge that:

• All information entered into Waystone is provided voluntarily by the student or parent — we do not receive education records from schools or educational institutions
• We do not function as a “school official” under FERPA and do not receive records from schools covered by FERPA
• Information you voluntarily share with us is governed by this Privacy Policy, not FERPA

If your school provides Waystone access as part of a licensed institutional program, a separate data processing agreement governs that relationship and FERPA obligations are addressed therein.

10.4 Sensitive Student Data

We treat academic performance data, test scores, and career aspirations as sensitive information. We do not sell this data, do not use it to serve behavioral advertising to students, and do not share it with third parties except as described in this policy and as necessary to deliver our services.

Your Rights and Choices

Depending on your location, you may have the following rights with respect to your personal information:

How to Exercise Your Rights

To exercise any of these rights, contact us at info@waystonecollegecounselor.com or through the contact information in Section 18. We will respond to verified requests within the timeframe required by applicable law (generally 30–45 days). We may ask you to verify your identity before fulfilling a request.

Marketing Opt-Out

You may opt out of marketing emails at any time by clicking the “unsubscribe” link in any marketing email or by contacting us directly. Transactional emails (analysis delivery, receipts, security notices) cannot be opted out of while your account is active.

Browser and Device Controls

You may control cookies through your browser settings and manage local storage through your browser’s developer tools or by using the platform’s built-in “Clear saved data” function.

California Residents — CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined under CCPA:

• Identifiers (name, email address, IP address)
• Personal records (GPA, test scores, activities, accomplishments)
• Internet or other electronic network activity (usage data, log data)
• Geolocation data (state of residence, inferred from IP)
• Inferences drawn from personal information (fit scores, school recommendations)

Your CCPA / CPRA Rights

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purpose for collection, and the categories of third parties with whom we share it
• Right to Delete: Request deletion of personal information we have collected, subject to legal exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. If this changes, we will add a “Do Not Sell or Share My Personal Information” link to our homepage.
• Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (academic data) only as necessary to provide our services. We do not use it for additional purposes that would trigger CPRA’s limitation rights.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

How to Submit a CCPA Request

Submit a verifiable consumer request by emailing info@waystonecollegecounselor.com with the subject line “California Privacy Request.” You may authorize an agent to submit requests on your behalf with written permission. We will respond within 45 days, with a possible 45-day extension where necessary.

Shine the Light

California Civil Code Section 1798.83 permits California residents to request information about our disclosures of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes.

Nevada Residents

Nevada Revised Statutes Chapter 603A provides Nevada residents the right to opt out of the sale of covered information to third parties who will license or sell that information. We do not sell covered information as defined under Nevada law. If you nonetheless wish to submit an opt-out request, you may contact us at info@waystonecollegecounselor.com.

Virginia, Colorado, Connecticut, and Other U.S. State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and other states with comprehensive privacy laws may have rights similar to those described in Section 11, including rights to access, correct, delete, and obtain a portable copy of personal information, to opt out of the sale of personal information and targeted advertising, and to appeal our decisions regarding your rights requests.

To exercise these rights or appeal a decision, contact us at info@waystonecollegecounselor.com. We will respond within the timeframe required by applicable state law. For appeals, we will respond within 60 days of receipt and will provide a written explanation if we deny an appeal. If your appeal is denied, you may contact your state attorney general.

International Users

Waystone is based in the United States. If you are accessing our platform from outside the United States, please be aware that your personal information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For users in the European Economic Area, United Kingdom, or Switzerland, we rely on the following transfer mechanisms where applicable: Standard Contractual Clauses (SCCs) adopted by the European Commission; the UK International Data Transfer Agreement; or any adequacy decision issued by the relevant authority. By using our platform, you acknowledge that your information will be processed in the United States.

If you have questions about international data transfers, contact us at info@waystonecollegecounselor.com.

Third-Party Links

Our platform may contain links to third-party websites, tools, or resources — such as certification programs, college websites, government databases, and scholarship resources. We provide these links for your convenience and informational purposes only. We have no control over the content or privacy practices of those sites and are not responsible for their privacy policies or practices.

We encourage you to review the privacy policy of any third-party site you visit before providing any personal information.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other legitimate business reasons. When we make material changes, we will:

• Update the “Last Updated” date at the top of this policy
• Post a prominent notice on our website or application
• Send an email notification to registered users if the changes materially affect how we handle personal information

Your continued use of our platform after the effective date of any updated policy constitutes acceptance of those changes. If you do not agree to the updated policy, you should discontinue use and may request deletion of your account.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: