Privacy
Waylight Health Data Privacy Policy
DRAFT — counsel review required before launch. Effective date: TBD. Version: 0.1 (2026-07-05).
Standalone policy per Washington My Health My Data Act and similar state laws (NV SB 370, CT DPA, IN CDPA). Linked from the site footer and in-app. Written to be read by an actual person.
What this covers
"Health data" here means information that can reveal something about health: the care situation you describe to Waylight, photographs of letters about Medicaid or care programs, deadlines and stages drawn from them, questions you ask, and inferences those create. Income figures alone aren't health data, but when they arrive alongside health data we protect the whole record the same way.
What Waylight collects, and why
- What you tell us — your state, the situation you're navigating, answers in setup and the fit quiz. Why: to place you on the right journey and show next steps.
- Letter photos and what our AI reads from them — the letter type and dates, with the exact wording as evidence. Why: to explain the letter and set reminders you confirm.
- Deadlines, documents, notes you save. Why: the organizer is the product.
- Basic account and device information — email or phone for sign-in, notification tokens. Why: sign-in and reminders.
Waylight collects health data only with your separate opt-in consent, asked in plain language before the first feature that needs it. Declining leaves the rest of the app usable.
What Waylight never does
- Never sells your data. Never will.
- Never shares health data for advertising. There are no advertising or analytics trackers in the app.
- Never shares health data with anyone without a separate, specific yes from you at the moment of sharing.
- Never uses geofencing.
- Never asks for or stores Social Security numbers on our servers. If you use the packet builder, the SSN goes straight into the document on your device and is not kept by Waylight.
Who touches your data
- Supabase hosts our database and file storage (encrypted in transit and at rest).
- Google Cloud (Vertex AI) processes chat questions and letter photos to produce explanations, under an agreement that prohibits using your data to train models and requires prompt deletion.
- Resend (email) and Telnyx (text messages, only if you opt in) deliver notifications — message bodies never contain health details.
- Human support staff see what you send to support, to answer you.
That's the list. No data brokers, no ad networks, no "partners."
Retention (the short version — full schedule in the Privacy Policy)
Letter photos and AI outputs: deleted within 30 days. Generated packets: never stored by Waylight. SSN: never stored. Your saved journey, deadlines, and documents (including submission receipts, proof documents, and vault documents): for the life of your account — you can delete any document one at a time whenever you like, and deleting your account removes them all. Vault documents are stored as-is; Waylight does not read or classify their contents.
Your rights
- See it: export what Waylight holds about you (Settings → Request my data, or email below).
- Delete it: Settings → Delete my account removes everything, including from backups on their rotation schedule, promptly. Web path: askwaylight.com/delete-account.
- Withdraw consent: every consent has an off switch in Settings; withdrawing stops the related processing going forward.
- Complain or ask: support@askwaylight.com. Washington residents may also contact the Washington Attorney General; Indiana residents the Indiana Attorney General.
Changes
We'll post changes here with a new version number and, for material changes, tell you in the app before they apply. New uses of health data require new consent — always.
Waylight is a private service, not affiliated with any government agency. This policy is about privacy; nothing in it is legal advice.