Privacy Policy
Last updated: March 21, 2026
This Privacy Policy explains how waypoints collects, uses, and protects your personal data when you use the waypoints API platform at waypoints.tech. waypoints is operated from Belgium and is subject to Belgian and EU data protection law, including the GDPR.
1. Introduction
waypoints ("we", "us", "our") is the data controller for all personal data processed through the waypoints API platform. We are based in Belgium and operate under Belgian law and the EU General Data Protection Regulation (GDPR).
By creating a waypoints account or using the waypoints API, you acknowledge that your personal data will be handled as described in this policy. If you do not agree with this policy, please do not use the platform.
For any privacy-related concerns, contact us at support@waypoints.tech.
2. Data We Collect
Account data
Your email address and display name, collected when you sign up via OAuth (GitHub or Google). We do not store passwords — authentication is delegated entirely to your OAuth provider via Better Auth.
Usage data
API call logs (endpoint, HTTP status code, module name, duration, credits consumed, output file URL), credit transaction history (monthly grants, top-ups, deductions), and module-level usage statistics used to populate your dashboard.
Payment data
Billing is processed entirely by Polar.sh. waypoints never receives, stores, or has access to your card number, bank details, or any raw payment instrument data. We store only your Polar customer ID and subscription ID to correlate your subscription to your account.
IP addresses
IP addresses are collected temporarily and used exclusively for trial abuse detection — specifically to enforce the one-trial-per-account-and-IP policy described in our Terms of Service. IP data is not used for advertising, profiling, or sold to any third party.
3. How We Use Data
- Provide and operate the waypoints API platform and its five modules (Render, Convert, Extract, Verify, Send).
- Authenticate users and manage sessions via Better Auth.
- Track API credit usage and enforce plan limits — ensuring the credit ledger is accurate and atomic.
- Detect and prevent trial abuse using IP-based heuristics (one free trial per account and IP address).
- Process billing events from Polar.sh webhooks — granting monthly credits on subscription renewal and crediting top-up pack purchases.
- Display usage analytics in your dashboard — request logs, credit balance history, module breakdowns.
- Send transactional emails: trial-start confirmations, low-credit warnings (at < 20% of monthly grant), billing receipts, and policy update notifications.
- Improve the platform — aggregate, anonymised usage patterns help us prioritise feature development.
4. Data Storage
Convex (database)
All structured data — user accounts, API keys (stored as SHA-256 hashes only, never raw), credit events, request logs, and email logs — is stored in Convex, which operates on EU-region infrastructure. Raw API keys are shown once at creation and are never persisted.
Coolify MinIO (file storage)
Files generated by the Render and Convert modules (screenshots, PDFs, converted documents) and email attachments processed by the Send module are stored in a self-hosted MinIO instance running on our EU-based VPS via Loowii/Coolify. All files are accessible only via presigned URLs with a 24-hour expiry. Files are automatically deleted after 24 hours.
Better Auth (session management)
Session tokens are managed by Better Auth and stored as a single secure HTTP-only cookie ( better-auth.session_token) in your browser. No session data is sold or shared with third parties.
5. Third-Party Services
waypoints integrates with the following third-party services to deliver the platform. Each service has its own privacy policy and data processing terms.
| Service | Purpose | Data shared |
|---|---|---|
| Convex | Database | All structured app data (users, keys, logs, credits) |
| Polar.sh | Billing & payments | Email, subscription status, customer ID |
| Anthropic Claude | Extract module AI | Documents you submit to the Extract endpoint |
| Postal (self-hosted) | Transactional email (Send module) | From/to/subject/body of emails you send via the API |
| GitHub / Google OAuth | Authentication | Email address and display name from your OAuth profile |
Important — Extract module: When you use the Extract module, the document you provide (base64-encoded) is transmitted to Anthropic's Claude API for AI-powered structured data extraction. Do not submit documents containing sensitive personal data unless you have a lawful basis to share that data with Anthropic. Review Anthropic's privacy policy before using this module.
6. Data Retention
| Data type | Retention period |
|---|---|
| API request logs | 90 days, then automatically purged |
| Credit events (ledger) | Indefinitely — required for accurate billing and dispute resolution |
| Uploaded / generated files (MinIO) | 24 hours — presigned URLs expire and files are deleted |
| Account data (email, name, OAuth info) | Until you delete your account |
| Session tokens | Session duration — invalidated on logout or expiry |
| IP addresses (trial abuse detection) | 30 days after collection |
7. Your Rights (GDPR)
As a resident of the EU or Belgium, you have the following rights under the GDPR. To exercise any of these rights, email us at support@waypoints.tech. We will respond within 30 days.
Right of access
Request a copy of all personal data we hold about you.
Right to rectification
Ask us to correct inaccurate or incomplete data.
Right to erasure
Request deletion of your account and associated personal data, subject to legal retention obligations (e.g. credit ledger for billing disputes).
Right to data portability
Receive your data in a machine-readable format (JSON export).
Right to object
Object to processing of your data for any purpose beyond service delivery.
Right to restriction of processing
Ask us to pause processing of your data while a dispute is investigated.
Right to lodge a complaint
You have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit — GBA) at gegevensbeschermingsautoriteit.be.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at the address associated with your account at least 30 days before the changes take effect. The updated policy will also be published on this page with a revised "Last updated" date. Continued use of waypoints after the effective date constitutes acceptance of the revised policy.
10. Contact
For privacy inquiries, data subject requests, or any questions about this policy, please contact us: