
Legal

Privacy Policy

Last updated: 6 June 2026

This Privacy Policy explains how Waysa Systems (“Waysa”, “we”, “us”, “our”) collects, uses, shares and protects personal data when you use our website at waysa.ai (the “Site”) and the Waysa workspace, document-management, workflow-automation, AI-summarisation and reporting platform (the “Service”).

Waysa is a United Kingdom-based provider of professional-services software. We act as a data controller for personal data we collect about visitors to the Site and the people who administer customer accounts. We act as a data processor for personal data our customers (the insurance firms, law firms and other professional-services organisations who subscribe to the Service) upload into the Service.

We process personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

1. Who we are and how to contact us

Waysa Systems is operated from the United Kingdom. For any questions about this policy or how your personal data is handled, contact us at waysasystems@gmail.com.

2. The personal data we collect

We collect and process the following categories of personal data:

2.1 Account & profile data

  • Name, work email address and (optional) phone number
  • The name of the firm or company you represent
  • Your role within that firm (admin, manager, case handler)
  • Authentication metadata: hashed password, magic-link tokens, session identifiers, last sign-in time

2.2 Customer content uploaded to the Service

When you use the Service to manage claims, cases, files and reports, you may upload documents and notes that contain personal data about third parties — for example claimants, witnesses, medical professionals and opposing parties. Waysa processes that content only as a processor, on behalf of the customer firm, under a Data Processing Agreement.

We do not use customer content to train any machine-learning model, ours or a third party’s.

2.3 Operational data

  • Audit-log entries (who did what, when) generated as you use the Service
  • Technical logs: IP address, browser user agent, timestamps, request identifiers, error traces
  • Usage analytics: pages visited, features used, performance metrics — collected with privacy-preserving tooling where possible

2.4 Demo & marketing enquiries

If you submit our “Request a demo” form we collect the details you provide (name, work email, phone, company, role, company size, sector and any free-text message) so we can respond and book a walkthrough.

3. Legal bases for processing

We rely on the following lawful bases under UK GDPR:

  • Contract — to provide the Service to you and your firm under our Terms of Service.
  • Legitimate interests — to keep the Service secure, prevent abuse, improve our product, and respond to demo enquiries. You can object to processing on this basis at any time.
  • Legal obligation — to keep records we are required to keep (for example, tax records or in response to lawful requests).
  • Consent — for non-essential cookies and marketing communications. You can withdraw consent at any time.

4. How we use personal data

  • Provide, operate and secure the Service and the Site
  • Authenticate users and maintain audit trails
  • Generate AI summaries, reports and other outputs you request, using the third-party AI subprocessors listed in section 8
  • Send service notifications (e.g. password resets, invitations)
  • Respond to support, sales and privacy enquiries
  • Detect, investigate and prevent fraud or abuse of the Service
  • Comply with our legal and regulatory obligations

5. Where personal data is stored

The Service is hosted on infrastructure located in the European Union:

  • Database, authentication and file storage: Supabase, hosted in an EU region.
  • Web application hosting: Vercel, in an EU region.

AI processing is currently performed by OpenAI, whose APIs run on infrastructure in the United States. Where personal data is transferred outside the UK or EEA, we rely on the UK International Data Transfer Addendum or the EU Standard Contractual Clauses, together with supplementary technical measures.

6. How long we keep personal data

We keep personal data for as long as needed to provide the Service and to satisfy our legal obligations:

  • Customer content — for the lifetime of your account and, on termination, for up to 30 days before deletion (subject to our customer’s contractual instructions).
  • Audit logs — for at least 12 months to support security investigations and regulatory queries.
  • Demo enquiry data — for up to 24 months from your last interaction, after which it is deleted unless you have become a customer.
  • Technical logs — typically 30 to 90 days.

7. Your rights

You have rights under UK GDPR to: access your personal data; have inaccurate data corrected; have data erased in certain circumstances; restrict or object to processing; request data portability; and not be subject to solely automated decision-making that produces legal effects.

To exercise any of these rights, email waysasystems@gmail.com. If the personal data sits inside a customer firm’s workspace, we will typically forward your request to that firm (the controller) and assist them in responding.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.

8. Subprocessors we use

We use the following subprocessors to deliver the Service. Each is bound by data-protection terms equivalent to our own:

  • Supabase — database, authentication and file storage (EU region).
  • Vercel — web application hosting (EU region).
  • OpenAI — large-language-model API used for document summarisation, case analysis and report drafting (US). OpenAI does not use API content to train its models.

For full details of how AI is used within the Service, see our AI Usage Policy.

9. Cookies

We use a small number of strictly necessary cookies to keep you signed in and to remember your preferences. We do not use advertising cookies. See our Cookie Policy for the full list.

10. Security

We apply technical and organisational measures to protect personal data, including encryption in transit, encryption at rest, role-based access controls, audit logging and the principle of least privilege. For a full description, see our Security page.

11. Changes to this policy

We may update this policy from time to time. When we do, we will revise the “Last updated” date above and, where the change is material, notify you by email or in-product banner before it takes effect.

12. Contact

Privacy questions, data-subject requests and complaints can be sent to waysasystems@gmail.com.

© 2026 Waysa Systems