Privacy Policy

WAYSTONE SOFTWARE, INC.

1. INTRODUCTION AND SCOPE

1.1 About Waystone Software, Inc.

Waystone Software, Inc. (“Waystone,” “we,” “us,” or “our“) is a Utah corporation that provides the Altitude Stack Platform, a conversational marketing and practice management automation platform designed specifically for the wealth management industry. Our platform includes the Pathfinder AI assistant, which transforms complex tasks into simple interactions, enabling financial advisors to focus on building client relationships and growing their business.

1.2 Purpose of This Privacy Policy

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you access or use our Altitude Stack Platform, including the Pathfinder AI assistant, and all associated services (collectively, the “Services“). It also describes your choices regarding the use, access, and correction of your personal information and how to contact us with privacy inquiries.

1.3 Who This Policy Applies To

This Privacy Policy applies to financial advisors, wealth management professionals, and their associated team members who access or use our Services. Our Services are intended for professional use and are not designed for consumer use. If you are entering into this Privacy Policy on behalf of an entity, this Privacy Policy also governs the use of our Services by your affiliates using the same email domain.

1.4 Information Covered by This Policy

This Privacy Policy covers all personal information that you provide to us or that we collect through your use of our Services, including:

Information you provide directly to us
Information we collect automatically when you use our Services
Information we receive from third parties
Information related to your clients that you input into our Services

1.5 Applicable Privacy Laws

We comply with applicable privacy laws and regulations, including:

California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA)
Virginia Consumer Data Protection Act (VCDPA)
Colorado Privacy Act (CPA)
Connecticut Data Privacy Act (CTDPA)
Utah Consumer Privacy Act (UCPA)
Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada

While we primarily operate in the United States and Canada, we respect the privacy rights of individuals from all jurisdictions.

1.6 Relationship with Terms of Service

This Privacy Policy is incorporated by reference into our Terms of Service. By using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.

2. INFORMATION WE COLLECT

2.1 Categories of Personal Information

Waystone collects various types of personal information from financial advisors, wealth management professionals, and their team members who use our Services. The categories of personal information we collect include:

2.1.1 Information You Provide Directly

Contact Information: Name, email address, phone number, physical address, and other contact details.
Account Credentials: Username, password, and other authentication information used to access the Services.
Payment Information: Credit card details, billing address, and other financial information necessary for processing payments.
Professional Information: FINRA registration numbers, professional licenses, certifications, and other information related to your status as a financial advisor or wealth management professional. Your professional credentials, including FINRA registration numbers, are collected solely to verify your status as a financial professional and comply with industry regulations. This information is stored securely, accessed only by authorized personnel, and is never shared with third parties except as required by law or regulatory authorities.
Account Data: Information you input, upload, or collect through the Platform, including information about your clients, prospects, and business operations.

2.1.2 Information Collected Automatically

Device Information: Information about the devices you use to access our Services, including device type, operating system, browser type, IP address, device identifiers, and mobile network information.
Usage Data: Information about how you use our Services, including log data, clickstream data, features used, time spent on the platform, and other analytics data.
Location Data: General location information derived from IP addresses or mobile device settings.

2.2 Methods of Collection

We collect personal information through various methods, including:

2.2.1 Direct Collection

Forms and Registration: Information you provide when you create an account, fill out forms, or register for our Services.
Transactions: Information you provide when making purchases or subscribing to our Services.
Communications: Information you provide when contacting us for customer support, participating in surveys, or responding to our communications.

2.2.2 Automated Collection

Cookies and Similar Technologies: Information collected through cookies, web beacons, pixels, and similar technologies when you use our Services.
Analytics Tools: Information collected through third-party analytics tools, including Microsoft Clarity, Google Analytics, Google Ads, Google Tag Manager, Microsoft Ads, and LinkedIn Ads.
Social Media Integrations: Information collected when you interact with our social media integrations or log in using social media accounts.

2.2.3 Third-Party Sources

Information we receive from third-party partners, service providers, and publicly available sources.

2.3 Client Data

As a financial advisor or wealth management professional using our Services, you may input, upload, or collect information about your clients through the Platform. This client data may include:

Contact information
Financial information
Investment preferences
Account details
Communication history
Other information relevant to the services you provide to your clients

You are responsible for ensuring that you have the necessary rights and permissions to share this client data with us and that you have provided appropriate notices and obtained any required consents from your clients.

2.3.1 Client Financial Data

When you input information about your clients’ financial situations, investment preferences, or financial goals, we implement additional safeguards for this sensitive information. This data is encrypted both in transit and at rest using industry-standard encryption protocols. We do not use client financial data for any purpose other than providing the Services to you. We never use client financial data for marketing, analytics, or AI training purposes, even in anonymized form.

2.4 Cookies and Tracking Technologies. For comprehensive information about the cookies and tracking technologies we use, including their types, purposes, and how you can manage your preferences, please refer to Section 8 (Cookies and Tracking Technologies).

2.5 Information We Do Not Collect

2.5.1 Children’s Data

We do not knowingly collect personal information from children under the age of 18. Our Services are intended for use by financial advisors, wealth management professionals, and their team members, and are not directed to children.

2.5.2 Sensitive Personal Information

We do not intentionally collect sensitive personal information, such as:

Race or ethnic origin
Religious or philosophical beliefs
Political opinions
Trade union membership
Genetic data
Health data
Sexual orientation
Criminal history

If you believe we have inadvertently collected sensitive personal information, please contact us immediately as outlined in Section 13 (Contact Information).

2.6 AI and Machine Learning Data

2.6.1 Use of Account Data for AI Model Training

While we use artificial intelligence and machine learning technologies in our Services, including the Pathfinder AI assistant, we do not use your personal data to train our AI models. When we use data for AI model training, we only use aggregated and anonymized data that cannot be linked back to any individual user or their clients. You grant Waystone a limited, non-exclusive license to use, reproduce, and process your Account Data solely to provide and maintain the Services, prevent or address technical or security issues, comply with legal obligations, and to improve and enhance the Services, including the training and fine-tuning of Waystone’s AI models.

2.6.2 Aggregation and Anonymization Process

When Account Data is used for the purpose of improving and training Waystone’s AI models, we ensure that such data is first aggregated and anonymized. This process involves combining your Account Data with data from other users and removing or altering any personally identifiable information, names, and sensitive client data, such that the resulting dataset cannot reasonably be used to identify you or your clients. This ensures that no personal data is used in the training process.

We employ industry-standard practices for anonymization, encryption, access control, and auditing to ensure data protection and compliance.

2.6.3 Data Exclusions from Training

Waystone will not use any unanonymized or unaggregated Account Data for the purpose of training its AI models. Specifically, direct client communications, sensitive financial details, or any data that could directly identify an individual client will not be used in their original, identifiable form for AI model training.

2.6.4 Opt-Out Mechanism

If you wish to opt out of having your Account Data, even in aggregated and anonymized form, used for AI model training purposes, you may do so by contacting Waystone’s support team as outlined in Section 13 (Contact Information). Please note that opting out may, in some limited circumstances, affect the personalized performance or future enhancements of certain AI-powered features for your Account.

2.6.5 Data Retention for Training

Account Data used for AI model training, once aggregated and anonymized, may be retained by Waystone for as long as necessary to continuously improve and refine its AI models and the Services, consistent with Waystone’s data retention policies and applicable laws.

3. HOW WE USE YOUR INFORMATION

3.1 General Purposes

Waystone collects and uses your personal information for various purposes related to providing, maintaining, and improving our Services. We use your information in the following ways:

3.1.1 Providing and Managing the Services

Service Delivery: To provide, operate, and maintain the Altitude Stack Platform and Pathfinder AI assistant.
Account Management: To create and manage your account, including authenticating your identity and maintaining your user profile.
Customer Support: To provide technical assistance, respond to your inquiries, and resolve issues related to the Services.
Transaction Processing: To process payments, subscriptions, and other financial transactions related to your use of the Services.
Communication: To send administrative messages, updates, security alerts, and support messages related to your use of the Services.

3.1.2 Improving and Developing the Services

Product Improvement: To enhance, optimize, and improve the functionality, performance, and features of our Services.
Analytics and Research: To analyze usage patterns, conduct research, and gather demographic information to better understand how users interact with our Services.
Troubleshooting: To diagnose and fix technical issues, bugs, and other problems with our Services.
New Features Development: To develop new features, products, and services based on user feedback and market trends.

3.1.3 Marketing and Communication

Marketing Communications: To send marketing communications, newsletters, and promotional materials about our Services, subject to your communication preferences and applicable laws.
Targeted Advertising: To deliver personalized advertisements and content based on your interests, preferences, and usage patterns.
Events and Webinars: To invite you to and manage your participation in events, webinars, and other promotional activities related to our Services.
Surveys and Feedback: To request feedback and conduct surveys to improve our Services and user experience.

3.1.4 Legal and Compliance Purposes

Legal Compliance: To comply with applicable laws, regulations, and legal processes, such as responding to lawful requests from public authorities.
Enforcing Terms: To enforce our Terms of Service, including investigating potential violations.
Protecting Rights: To protect our rights, privacy, safety, or property, and that of our users and third parties.
Preventing Fraud: To detect, prevent, and address fraud, security breaches, and other harmful or illegal activities.

3.2 Specific Uses of Different Data Types

3.2.1 Contact and Account Information

We use your contact and account information to:

Create and manage your account
Authenticate your identity
Communicate with you about your account and our Services
Provide customer support
Send important notices and updates

3.2.2 Payment Information

We use your payment information to:

Process transactions and subscription payments
Detect and prevent fraudulent transactions
Maintain records of your billing history
Comply with tax and financial reporting requirements

3.2.3 Device and Usage Information

We use device and usage information to:

Ensure the proper functioning of our Services on your devices
Analyze how you interact with our Services
Identify and address technical issues
Improve the performance and user experience of our Services
Protect against fraudulent or unauthorized access

3.2.4 Client Data

We use client data that you input into our Services to:

Provide the core functionality of our Services, including the Pathfinder AI assistant
Enable you to manage your client relationships effectively
Facilitate communication and workflow automation
Generate insights and recommendations to help you grow your practice

3.3 Automated Processing and Profiling

3.3.1 Customer Personas

We may use automated processing to create customer personas based on the information you provide and your usage patterns. These personas help us understand user needs and improve our Services.

3.3.2 Content Personalization

We may use automated processing to personalize your experience with our Services, including:

Product recommendations
Content curation
User interface customization
Search result ranking

3.3.3 AI-Powered Features

Our Pathfinder AI assistant and other AI-powered features process your inputs and Account Data to:

Transform complex tasks into simple interactions
Assist with notetaking and information updates
Schedule tasks and meetings
Interact with CRM systems through natural language
Identify opportunities and assign tasks

3.4 Right to Object to Automated Processing

You have the right to object to automated processing, including profiling. To exercise this right, contact us as outlined in Section 13 (Contact Information). If you object, we will no longer process your personal information for such purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

3.4 Legal Basis for Processing (Where Applicable)

Depending on your location and applicable privacy laws, our legal basis for processing your personal information may include:

Performance of Contract: Processing necessary to provide the Services you have requested and to fulfill our obligations under the Terms of Service.
Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Services, preventing fraud, and ensuring security, provided these interests are not overridden by your rights and freedoms.
Consent: Processing based on your specific consent, such as for marketing communications or certain types of data collection.
Legal Obligation: Processing necessary to comply with our legal obligations, such as responding to lawful requests from authorities or maintaining financial records.
Vital Interests: In rare circumstances, processing necessary to protect someone’s life or safety.

3.5 Data Retention and Processing Limitations

We retain and process your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

We implement appropriate technical and organizational measures to ensure that your personal information is processed securely and in accordance with this Privacy Policy. These measures include data minimization, pseudonymization, and encryption where appropriate.

3.6 Cross-Device Tracking

We may track users across devices to link browsing behavior across platforms. This helps us provide a more seamless and personalized experience across your devices and enables us to better understand how you interact with our Services.

4. INFORMATION SHARING AND DISCLOSURE

4.1 Categories of Third Parties

Waystone may share your personal information with the following categories of third parties:

4.1.1 Service Providers and Vendors

We share information with third-party service providers and vendors who perform services on our behalf, such as:

Cloud infrastructure providers that host our platform
Customer relationship management and support software providers
Payment processing services
Email and communication service providers
Security and fraud prevention services
Professional services firms including legal, accounting, and consulting services

These service providers are authorized to use your personal information only as necessary to provide services to us and are contractually obligated to maintain the confidentiality and security of your information.

4.1.2 Payment Processors

We share payment information with third-party payment processors (e.g., Stripe) to process transactions related to your subscription and use of our Services. These payment processors have their own privacy policies that govern how they use your information.

4.1.3 Marketing Partners

We may share certain information with marketing partners who help us promote our Services, analyze marketing effectiveness, and deliver targeted advertisements.

4.1.4 Analytics Providers

We share information with analytics providers, including Microsoft Clarity, Google Analytics, Google Tag Manager, and others, to help us understand how users interact with our Services, improve user experience, and optimize our marketing efforts.

4.1.5 Advertising Networks

We participate in online advertising networks, such as the Google Display Network, and may share information with these networks to deliver relevant advertisements to you.

4.1.6 Social Media Platforms

If you interact with our social media integrations or log in using social media accounts, we may share information with those social media platforms.

4.2 Business Transfers

If Waystone is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

4.3 Legal Requirements and Protection

We may disclose your personal information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). We may also disclose your personal information when we believe disclosure is necessary to:

Comply with applicable laws, regulations, legal processes, or governmental requests
Enforce our Terms of Service, including investigating potential violations
Detect, prevent, or address fraud, security, or technical issues
Protect the rights, property, or safety of Waystone, our users, or others

4.4 With Your Consent

We may share your personal information with third parties when you have given us your consent to do so. We will obtain your consent before sharing your personal information for purposes not covered by this Privacy Policy.

4.5 International Data Transfers

Waystone primarily operates in the United States but may transfer your personal information to Canada and other countries where we do business. When we transfer personal information across national borders, we take appropriate safeguards to ensure that your information is protected in accordance with this Privacy Policy and applicable data protection laws. See Section 10 (International Data Transfers).

4.5.1 Data Transfer Mechanisms

For transfers of personal information outside of the jurisdiction where it was collected, we implement appropriate safeguards, which may include:

Standard contractual clauses approved by relevant data protection authorities
Binding corporate rules
Other legally approved transfer mechanisms

4.5.2 Data Localization Options

For customers located outside the United States, Waystone may, at its discretion, offer data localization options to store and process data within specific geographic regions (e.g., EU, Canada, Australia) to comply with local data residency requirements. This means that your personal information, including client data, would be stored and processed on servers located within the chosen geographic region, rather than in the United States. Such options, if available, will be specified in your order form or a separate data localization addendum, which will detail the scope of localized data, any associated costs, and implementation timelines. For Canadian users, this can include options to ensure data remains within Canada to comply with PIPEDA and other provincial privacy laws.

To inquire about available data localization options or to request data localization for your account, please contact our support team as outlined in Section 13 (Contact Information). Upon receiving your inquiry, we will assess your specific needs and provide information on the feasibility, process, and any potential implications (e.g., service features, performance, or pricing) associated with data localization. We will work with you to determine if a suitable data localization solution is available to meet your specific needs and regulatory requirements.

4.6 Aggregated and Anonymized Information

We may share aggregated and anonymized information that does not identify any individual user with third parties for industry analysis, demographic profiling, marketing, analytics, and other business purposes.

4.7 No Sale of Personal Information

Waystone does not sell your personal information for monetary consideration. However, we may ‘share’ personal information with third-party advertising partners for the purpose of cross-context behavioral advertising, as defined by the California Privacy Rights Act (CPRA). You have the right to opt out of this sharing.

4.8 Subprocessors

Waystone may engage subprocessors to assist in providing the Services. We maintain appropriate contracts with these subprocessors that require them to protect your personal information. Upon request, we will provide you with a list of our current subprocessors.

4.9 Client Data Sharing

As a financial advisor or wealth management professional using our Services, you may input, upload, or collect information about your clients through the Platform. We will not share your clients’ personal information with third parties except as necessary to provide the Services or as otherwise described in this Privacy Policy.

You are responsible for ensuring that you have the necessary rights and permissions to share your clients’ personal information with us and that you have provided appropriate notices and obtained any required consents from your clients.

5. DATA RETENTION AND DELETION

5.1 General Retention Principles

Waystone retains your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. We implement data minimization principles and regularly review our data retention practices to ensure we only retain personal information for appropriate periods.

5.2 Specific Retention Periods

Different types of personal information are subject to different retention periods:

5.2.1 Account Information

We retain your account information for as long as your account remains active plus seven (7) years after account closure.

5.2.2 Cookies and Analytics Data

We retain cookies and analytics data for 90 days.

5.2.3 Payment Information

We retain payment information for seven (7) years after the last transaction for tax and financial record-keeping purposes.

5.2.4 Communications

We retain records of communications between you and Waystone for three (3) years after the last interaction for customer service, training, and quality assurance purposes.

5.2.5 AI Training Data

5.3 Data Deletion

Waystone has established policies and procedures for the deletion of personal information when it is no longer needed for the purposes for which it was collected.

5.3.1 Automatic Deletion

We automatically delete or anonymize certain information after specified periods, including:

Inactive accounts that have not been accessed for an extended period
Cookies and tracking data after 90 days
Temporary logs and system files after they are no longer needed for security and operational purposes

5.3.2 Account Termination

Upon termination of your account, Waystone will:

Retain your Account Data for a period of thirty (30) days, during which you may request a copy of such data
Delete or anonymize your Account Data after such period, except as required by law or as necessary for legitimate business purposes
Securely dispose of any physical media containing your Account Data

5.3.3 Transition Assistance

Upon termination or expiration of your agreement with Waystone, we will provide transition assistance for a period of thirty (30) business days to facilitate the orderly transition of your Account Data. This assistance may include:

Providing a copy of your Account Data in a standard format
Assisting with the migration of your Account Data to another platform
Answering reasonable questions regarding the transition

5.4 Data Deletion Requests

You have the right to request deletion of your personal information. To request deletion of your personal information, please contact us as outlined in Section 13 (Contact Information).

When we receive a verifiable deletion request, we will delete your personal information from our records unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service providers to:

Complete the transaction for which we collected the personal information
Provide a good or service that you requested
Take actions reasonably anticipated within the context of our ongoing business relationship with you
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities
Debug products to identify and repair errors
Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law
Comply with legal obligations
Make other internal and lawful uses of that information that are compatible with the context in which you provided it

5.5 Data Retention for Legal and Compliance Purposes

We may retain certain personal information for longer periods as required by law, regulation, or legal process. For example, we may need to retain information to:

Comply with financial record-keeping requirements
Respond to regulatory examinations
Establish, exercise, or defend legal claims
Comply with data retention requirements under applicable privacy laws

5.6 Secure Disposal

When we dispose of personal information, we use secure deletion methods to ensure the data cannot be reasonably recovered or reconstructed. These methods may include:

Secure overwriting of digital files
Physical destruction of storage media
Anonymization techniques that permanently transform data so that it can no longer be used to identify an individual

5.7 Retention of Anonymized Data

We may retain and use anonymized or aggregated data indefinitely. Once data has been anonymized, it is no longer personal information and is not subject to data protection laws or this Privacy Policy.

5.8 Regulatory Compliance

Waystone’s Services are designed to support financial advisors and wealth management professionals in meeting their regulatory obligations under SEC, FINRA, and state securities regulations. We understand the importance of compliance in the financial industry and strive to provide a platform that assists in these efforts.

5.8.1 Platform Capabilities

Our platform offers key recordkeeping capabilities, including detailed audit trails of user activities and secure storage of data. We aim to support compliance with rules governing electronic recordkeeping, such as SEC Rule 17a-4 and FINRA Rule 4511.

5.8.2 Data Retention for Regulatory Purposes

Waystone’s data retention practices align with applicable regulatory requirements, ensuring that certain records are retained for periods consistent with financial industry standards. This includes supporting the longer retention periods often mandated by SEC and FINRA rules for specific types of data.

5.8.3 Cooperation with Regulatory Examinations

In the event of a regulatory examination or inquiry, Waystone is committed to cooperating with users to facilitate the provision of requested data. We can assist by providing access to your stored data and supporting data export requests in standard formats.

5.8.4 User Responsibilities for Compliance

While Waystone provides a compliance-supportive platform, ultimate responsibility for regulatory compliance rests with you, the user. You are responsible for understanding and adhering to all applicable SEC, FINRA, state, and other relevant financial industry regulations.

6. SECURITY MEASURES AND SAFEGUARDS

6.1 Our Commitment to Security

Waystone is committed to protecting the security, confidentiality, and integrity of your personal information. We implement and maintain reasonable administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction.

6.2 Technical Safeguards

We employ various technical security measures to protect your personal information, including:

Encryption. We encrypt sensitive data both in transit and at rest using industry-standard encryption protocols and technologies.
Access Controls. We implement strict access controls and authentication mechanisms to ensure that only authorized personnel have access to personal information.
Network Security. We employ firewalls, intrusion detection systems, and other network security technologies to protect our systems and data.
Monitoring and Logging. We continuously monitor our systems for suspicious activities and maintain detailed logs of system access and usage.
Vulnerability Management. We regularly scan our systems for vulnerabilities and promptly address any identified security issues.

6.3 Administrative Safeguards

We implement administrative safeguards to ensure the security of your personal information, including:

Security Assessments. We conduct regular security assessments and penetration testing to identify and address potential security vulnerabilities.
Employee Training. We provide security training to our employees and ensure they understand their responsibilities regarding data protection.
Background Checks. We conduct background checks on employees who have access to sensitive personal information.
Security Policies. We maintain comprehensive security policies and procedures that are regularly reviewed and updated.
Vendor Management. We assess the security practices of our vendors and service providers and require them to maintain appropriate security measures to protect your personal information.

6.4 Physical Safeguards

We implement physical security measures to protect our facilities, equipment, and data, including:

Facility Security. We maintain physical security measures for our data centers and facilities, including access controls, surveillance systems, and security personnel.
Equipment Security. We implement measures to protect our equipment from unauthorized access, damage, or theft.
Media Disposal. We securely dispose of physical media containing personal information when it is no longer needed.

6.5 Compliance and Certification

Waystone has designed its security program to align with the SOC 2, Type 2 framework. We are currently in the pre-certification phase and are actively working with independent auditors to achieve formal certification by January 1, 2026. During this process, we maintain all security controls required by the SOC 2 framework. We continuously work to align our security practices with industry standards and best practices.

6.6 Data Protection for AI and Machine Learning

When using personal data for AI and machine learning purposes, we employ industry-standard practices for anonymization, encryption, access control, and auditing to ensure data protection and compliance.

6.7 Security Incident Response

6.7.1 Definition of Security Incident

A “Security Incident” means any actual or reasonably suspected unauthorized access, use, disclosure, modification, or destruction of Account Data, or any actual or reasonably suspected breach of Waystone’s security measures that could compromise the confidentiality, integrity, or availability of Account Data.

6.7.2 Response Procedures

In the event of a Security Incident involving your Account Data, Waystone will:

Notify you without undue delay and, where feasible, within seventy-two (72) hours of determining that a breach requiring notification has occurred. Notification timing will comply with all applicable legal requirements, which may vary by jurisdiction.
Provide you with timely information about the Security Incident as it becomes known
Cooperate with your reasonable requests for information regarding the incident
Take reasonable steps to mitigate the effects of the Security Incident and to minimize any damage resulting from it

6.7.3 Data Breach Response Plan

Waystone maintains a comprehensive data breach response plan that outlines the steps we will take in the event of a Security Incident.

6.8 Disaster Recovery and Business Continuity

Waystone maintains a disaster recovery plan designed to ensure service availability in the event of a disaster. This includes:

Regular backups of all customer data
Redundant infrastructure across multiple geographic locations
Automated failover capabilities
Regular testing of disaster recovery procedures

6.9 Limitations

While we implement reasonable security measures, no security system is impenetrable, and we cannot guarantee the absolute security of your personal information. Factors beyond our control, such as the security of your devices and internet connection, may affect the security of your personal information.

6.10 Your Role in Security

You play an important role in protecting your personal information. We recommend that you:

Create strong, unique passwords for your account
Implement appropriate access controls for Authorized Users
Immediately notify Waystone of any unauthorized use of your account or any other breach of security
Ensure that all Authorized Users log out at the end of each session

6.11 Security Updates

We regularly review and update our security measures to address new and evolving threats. We may modify our security practices over time, but we will maintain a level of security protection that is at least as strong as what is described in this Privacy Policy.

7. YOUR PRIVACY RIGHTS AND CHOICES

7.1 Overview of Your Rights

Depending on your location and applicable privacy laws, you may have various rights regarding your personal information. Waystone respects these rights and provides mechanisms for you to exercise them.

7.2 Specific Privacy Rights

You may have the right to:

7.2.1 Access

You have the right to request access to the personal information we have collected about you. This includes the right to know the categories of personal information we have collected, the sources from which we collected it, the purposes for which we use it, and the categories of third parties with whom we share it.

7.2.2 Correction

You have the right to request that we correct inaccurate personal information we maintain about you.

7.2.3 Deletion

You have the right to request deletion of your personal information, subject to certain exceptions. Please see Section 5.4 for more information about data deletion requests and applicable exceptions.

7.2.4 Portability

You have the right to request a copy of your personal information in a structured, commonly used, and machine-readable format, and to request that we transmit this information to another service provider where technically feasible.

7.2.5 Restriction of Processing

You have the right to request that we restrict the processing of your personal information under certain circumstances, such as when you contest the accuracy of your personal information or when you have objected to processing.

7.2.6 Objection to Processing

You have the right to object to the processing of your personal information under certain circumstances, such as when the processing is based on our legitimate interests or when your personal information is used for direct marketing purposes.

7.2.7 Withdrawal of Consent

Where we process your personal information based on your consent, you have the right to withdraw that consent at any time. Withdrawing your consent will not affect the lawfulness of processing based on your consent before its withdrawal.

7.2.8 Opt-Out of Sale

You have the right to opt out of the sale of your personal information. However, as stated in Section 4.7, Waystone does not sell or rent your personal information to third parties.

7.3 How to Exercise Your Rights

You can exercise your privacy rights by contacting us as outlined in Section 13 (Contact Information).

7.4 Verification Process

To protect your privacy and security, we may need to verify your identity before processing your request. Our verification methods may include:

Email verification
Account login verification
Other authentication methods as appropriate

We will only use the information you provide in your request to verify your identity and process your request, unless you provide consent for other purposes.

7.5 Response Timeline

We will respond to your request within the timeframe required by applicable law, which is typically within 45 days of receiving your request. If we need additional time to respond, we will inform you of the reason and the extension period in writing.

7.6 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. If you use an authorized agent, we may require:

Proof of your written permission authorizing the agent to make the request on your behalf
Verification of your identity directly with us
Proof of the agent’s registration with the appropriate state authority (if applicable)

7.7 Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. This means we will not:

Deny you goods or services
Charge you different prices or rates for goods or services
Provide you with a different level or quality of goods or services
Suggest that you may receive different prices, rates, or quality of goods or services

7.8 Additional Privacy Choices

7.8.1 Marketing Communications

You can opt out of receiving marketing communications from us by:

Clicking the “unsubscribe” link in our marketing emails
Adjusting your communication preferences in your account settings
Contacting us directly as outlined in Section 13 (Contact Information)

7.8.2 Cookies and Tracking Technologies

You can manage your cookie preferences through your browser settings. Most web browsers allow you to control cookies through their settings, including blocking or deleting cookies. Please note that if you choose to block certain cookies, you may not be able to use all features of our Services.

7.8.3 Do Not Track Signals

We honor Do Not Track signals from your browser. When we detect a Do Not Track signal, we will adjust our data collection and tracking practices accordingly.

7.8.4 AI Training Opt-Out

7.9 California Privacy Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These rights include:

The right to know what personal information we collect, use, disclose, and sell
The right to delete personal information
The right to opt-out of the sale of personal information
The right to non-discrimination for exercising your rights
The right to limit the use and disclosure of sensitive personal information (if applicable)
The right to correct inaccurate personal information
The right to opt-out of the ‘sharing’ of your personal information for cross-content behavioral advertising

7.10 European Privacy Rights

Although Waystone primarily operates in the United States and Canada, we respect the privacy rights of individuals from all jurisdictions, including those in the European Economic Area (EEA), the United Kingdom, and Switzerland.

If you are located in these regions, you may have additional rights under the General Data Protection Regulation (GDPR) or similar laws, including:

The right to be informed about our data processing activities
The right to access your personal data
The right to rectification of inaccurate personal data
The right to erasure of your personal data
The right to restrict processing of your personal data
The right to data portability
The right to object to processing of your personal data
Rights related to automated decision-making and profiling

7.11 State-Specific Privacy Notices

7.11 Your State Privacy Rights

If you are a resident of Virginia, Colorado, Connecticut, or Utah, you have specific rights regarding your personal data under your state’s privacy laws. These rights commonly include:

The right to access your personal data.
The right to correct inaccurate personal data.
The right to delete your personal data.
The right to obtain a copy of your personal data in a portable format.
The right to opt out of the processing of personal data for targeted advertising, sale, or profiling.

In Colorado, you also have the right to appeal our decision regarding your consumer rights request.

To exercise these rights, contact us using the methods in Section 13 (Contact Information).

7.12 Data Protection Officer

For security-related inquiries, you can contact our Data Protection Officer, Jeff Luck, as outlined in Section 13 (Contact Information).

8. COOKIES AND TRACKING TECHNOLOGIES

8.1 What Are Cookies and Tracking Technologies?

Cookies are small text files that are placed on your device when you visit a website. Tracking technologies include cookies, web beacons, pixels, tags, scripts, and similar technologies that help us understand how users interact with our Services, personalize content, and improve user experience.

8.2 Types of Cookies We Use

Waystone uses various types of cookies and similar tracking technologies on our Services, including:

8.2.1 Essential/Necessary Cookies

These cookies are required for the operation of our Services and enable core functionality such as security, network management, and account authentication. You cannot opt out of these cookies as the Services cannot function properly without them.

8.2.2 Preference/Functionality Cookies

These cookies allow our Services to remember choices you make and provide enhanced, personalized features. They may be set by us or by third-party providers whose services we have added to our pages.

8.2.3 Analytics/Performance Cookies

These cookies help us understand how visitors interact with our Services by collecting and reporting information anonymously. They allow us to recognize and count the number of visitors and see how visitors move around our Services. We use third-party analytics tools including Microsoft Clarity, Google Analytics, Google Ads, Google Tag Manager, Microsoft Ads, and LinkedIn Ads. We also participate in online advertising networks, such as the Google Display Network. We honor Do Not Track signals from your browser. When we detect a Do Not Track signal, we will adjust our data collection and tracking practices accordingly.

8.2.4 Marketing/Advertising Cookies

These cookies are used to track visitors across websites to display relevant advertisements. They are set by us or our advertising partners and help us measure the effectiveness of our advertising campaigns.

8.2.5 Social Media Cookies

These cookies enable integration with social media platforms, allowing you to share content from our Services on social media or log in using your social media credentials.

8.3 Third-Party Analytics and Advertising

8.3.1 Analytics Tools

We use third-party analytics tools to help us understand how users interact with our Services. These tools include:

Microsoft Clarity
Google Analytics
Google Ads
Google Tag Manager
Microsoft Ads
LinkedIn Ads

These tools may use cookies, web beacons, and other tracking technologies to collect information about your use of our Services. These analytics tools collect information about how you interact with our Services, including pages visited, features used, and time spent on the platform.

To opt out of specific analytics tracking:

For Google Analytics, you can install the Google Analytics Opt-out Browser Add-on available at https://tools.google.com/dlpage/gaoptout.

For Microsoft Clarity, you can opt out through Microsoft’s Privacy Dashboard at https://account.microsoft.com/privacy.

8.3.2 Advertising Networks

We participate in online advertising networks, such as the Google Display Network. These networks use cookies and similar technologies to collect information about your activities on our Services and other websites to provide you with targeted advertising based on your browsing activities and interests.

8.4 How We Use Tracking Technologies

We use cookies and tracking technologies for various purposes, including:

Authenticating users and maintaining user sessions
Remembering user preferences and settings
Analyzing how users interact with our Services
Improving our Services and user experience
Delivering relevant content and advertisements
Measuring the effectiveness of our marketing campaigns
Preventing fraud and enhancing security
Facilitating social media integration

8.5 Cross-Device Tracking

8.6 Cookie Retention

We retain cookies and analytics data for up to 90 days. This retention period allows us to analyze user trends, measure the effectiveness of our marketing campaigns over a standard business quarter, and improve your experience, while also respecting your privacy by not holding the data indefinitely.

8.7 Managing Your Cookie Preferences

8.7.1 Browser Settings

Most web browsers allow you to control cookies through their settings. You can typically find these settings in the “Options,” “Preferences,” or “Settings” menu of your browser. You can:

Delete existing cookies
Block or allow cookies
Choose which cookies to accept
Configure your browser to notify you when a website attempts to set a cookie

Please note that if you block or delete certain cookies, some features of our Services may not function properly.

8.7.2 Opt-Out Mechanisms

Many third-party analytics and advertising providers offer opt-out mechanisms:

Google Analytics: You can opt out by downloading and installing the Google Analytics Opt-out Browser Add-on
Google Ads: You can opt out through Google’s Ad Settings
Microsoft Clarity and Microsoft Ads: You can opt out through Microsoft’s Privacy Dashboard
LinkedIn Ads: You can adjust your advertising preferences in your LinkedIn account settings

8.7.3 Do Not Track Signals

We honor Do Not Track signals from your browser. When we detect a Do Not Track signal, we will adjust our data collection and tracking practices accordingly.

8.8 Cookies and Similar Technologies Used by Third Parties

Third parties may use cookies and similar technologies through our Services to collect information about your online activities over time and across different websites. These third parties may include analytics providers, advertising networks, and social media platforms.

We do not control these third parties’ tracking technologies or how they may be used. If you have questions about an advertisement or other targeted content, you should contact the responsible provider directly.

8.9 Mobile Device Tracking

In addition to cookies, we may use other technologies to track and collect information on mobile devices, such as:

Mobile advertising identifiers (such as Apple’s IDFA and Android’s Advertising ID)
Device identifiers
Location data (with your consent)

You can manage these tracking technologies through your mobile device settings.

8.10 Updates to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in technology, regulation, or our business practices. Any changes will become effective when we post the revised policy on our Services. We encourage you to periodically review this section for the latest information on our use of cookies and tracking technologies.

9. THIRD-PARTY SERVICES AND INTEGRATIONS

9.1 Overview of Third-Party Services

The Altitude Stack Platform may allow you to access, use, or integrate with third-party applications, services, or platforms. These third-party services may collect, use, and share your personal information according to their own privacy policies and practices.

9.2 Types of Third-Party Integrations

9.2.1 Social Login Providers

We may offer the ability to sign in to our Services using social login providers, including:

Google
Facebook/Meta
Apple
Microsoft
LinkedIn
Twitter/X

When you use social login, the provider may share certain information from your social media account with us, such as your name, email address, profile picture, and other permitted information based on your privacy settings with that provider.

9.2.2 Payment Processors

We utilize third-party payment processors (e.g., Stripe) for billing and payment processing. When you make a payment through our Services, your payment information is collected and processed directly by these third-party payment processors. We do not store your full credit card details on our servers.

9.2.3 Customer Service Platforms

We may use various customer service platforms to provide support and assistance, including:

Live chat widgets
Help desk software
Chatbots/AI assistants
Phone support systems

These platforms may collect information you provide when seeking customer support.

9.2.4 CRM Integrations

As a CRM platform ourselves, we may integrate with other applications and services to enhance functionality. These integrations may involve the exchange of data between our Services and the integrated service.

9.2.5 Analytics and Marketing Services

We use third-party analytics and marketing services as described in Section 8.3.

9.3 How Third-Party Services Access Your Information

When you connect our Services with a third-party service, you may be asked to grant us permission to access your information from that service. For example:

When you connect a social media account, we may access your profile information
When you integrate with another CRM or marketing platform, we may exchange contact and account data
When you use a third-party payment processor, they collect payment information directly from you

9.4 Our Relationship with Third-Party Services

Waystone does not own or control these third-party services, and they have their own privacy policies and terms of service. Your use of such third-party offerings is subject to separate terms between you and the third-party provider.

9.5 Your Responsibility Regarding Third-Party Services

You are responsible for:

Reviewing the privacy policies and terms of service of any third-party services you connect to our Services
Understanding how these third parties collect, use, and share your information
Configuring appropriate privacy settings on third-party services
Determining whether to grant permissions requested by third-party services
Revoking access to third-party services when no longer needed

9.6 Third-Party Websites and Links

Our Services may contain links to third-party websites or services that are not owned or controlled by Waystone. We are not responsible for the privacy practices or content of these third-party websites or services. We encourage you to review the privacy policies of any third-party websites or services you visit.

9.7 API Usage

Waystone may provide application programming interfaces (APIs) as part of the Services. These APIs may be used by third-party developers to create applications that interact with our Services. When you use a third-party application that connects to our Services through our APIs, that application may access and use your information as permitted by your settings and the application’s privacy policy.

9.8 Subprocessors

As mentioned in Section 4.8, Waystone may engage subprocessors to assist in providing the Services. We maintain appropriate contracts with these subprocessors that require them to protect your personal information. Upon request, we will provide you with a list of our current subprocessors.

9.9 Third-Party Cookies and Tracking

Third parties may use cookies and similar technologies on our Services as described in Section 8.8.

9.10 Changes to Third-Party Services

Third-party services may change their features, functionality, or privacy practices over time. While we strive to maintain integrations with reputable third-party services, we are not responsible for changes to their privacy practices or features. We encourage you to regularly review the privacy policies of any third-party services you use in connection with our Services.

9.11 Disconnecting Third-Party Services

You can typically disconnect a third-party service from our Services through your account settings. When you disconnect a third-party service, we will no longer access or use information from that service, but we may retain information previously received in accordance with this Privacy Policy and our data retention practices.

10. INTERNATIONAL DATA TRANSFERS

10.1 Global Operations

Waystone primarily operates in the United States and Canada. Our servers and data centers are primarily located in the United States, and your personal information may be transferred to, stored, and processed in the United States and other countries where we or our service providers operate. For transfers to Canada, we ensure compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) through appropriate safeguards, including contractual provisions that maintain an equivalent level of protection for your data. These safeguards include data processing agreements with standard contractual clauses, privacy impact assessments where required, and ongoing monitoring of data protection practices to ensure continued compliance with PIPEDA requirements

10.2 Cross-Border Data Transfers

When you use our Services, your personal information may be transferred to countries other than the one in which you reside. These countries may have data protection laws that are different from those of your country of residence.

10.3 Data Transfer Mechanisms

When we transfer personal information across national borders, we implement appropriate safeguards to ensure that your information is protected in accordance with this Privacy Policy and applicable data protection laws. These safeguards may include:

10.3.1 Standard Contractual Clauses

For transfers of personal data outside the European Economic Area (EEA), the United Kingdom, or Switzerland, we may rely on standard contractual clauses (SCCs) approved by relevant data protection authorities.

10.3.2 Binding Corporate Rules

In some cases, we may use binding corporate rules (BCRs) for intra-group transfers of personal data.

10.3.3 Other Transfer Mechanisms

We may also use other legally approved transfer mechanisms as they become available or as required by applicable law.

10.4 Data Localization Options

Such options, if available, will be specified in your order form or a separate data localization addendum. Regardless of the storage location, Waystone maintains consistent security and data protection standards globally.

10.5 Privacy Shield

While Waystone does not currently participate in the EU-U.S. or Swiss-U.S. Privacy Shield frameworks, we monitor developments in international data transfer mechanisms and may update our practices as new frameworks become available.

10.6 International Privacy Laws

Waystone complies with applicable privacy laws and regulations in the jurisdictions where we operate, including:

California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA)
Virginia Consumer Data Protection Act (VCDPA)
Colorado Privacy Act (CPA)
Connecticut Data Privacy Act (CTDPA)
Utah Consumer Privacy Act (UCPA)
Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada

10.7 Data Subject Rights for International Users

If you are located outside the United States, you may have specific rights regarding your personal information under local data protection laws. Please refer to Section 7 (Your Privacy Rights and Choices) for information about these rights and how to exercise them.

10.8 International Data Protection Officer

For questions or concerns about international data transfers or data protection matters, you can contact our Data Protection Officer, Jeff Luck, as outlined in Section 13 (Contact Information).

10.9 Subprocessors and International Transfers

When we engage subprocessors who may process your personal information internationally, we ensure that appropriate data transfer mechanisms are in place. Upon request, we will provide you with information about our subprocessors, including their locations and the data transfer mechanisms we use.

10.10 Changes to International Transfer Mechanisms

The legal frameworks governing international data transfers are evolving. We monitor these developments and may update our data transfer mechanisms to comply with changing requirements. We will notify you of any material changes to our international data transfer practices as required by applicable law.

11. CHILDREN’S PRIVACY

11.1 Age Restrictions

Our Services are intended for professional use by financial advisors, wealth management professionals, and their team members, and are not directed to children under the age of 18. You must be at least 18 years of age to use our Services. We do not knowingly collect personal information from children under 18 years of age.

11.2 Inadvertent Collection and User Responsibilities

If we learn that we have inadvertently collected personal information from a child under the age of 18, we will take steps to delete that information as soon as possible. As a financial advisor or wealth management professional using our Services, you may input information about your clients’ families, which could include information about children. You are responsible for ensuring that you have the necessary rights and permissions to share this information with us, providing appropriate notices, and obtaining any required consents from parents or guardians, and complying with all applicable laws regarding the collection, use, and disclosure of children’s information.

12. CHANGES TO THIS PRIVACY POLICY

12.1 Right to Modify

Waystone reserves the right to modify this Privacy Policy at any time in its sole discretion. Modifications may include, but are not limited to:

Changes to our data collection, use, or sharing practices
Updates to reflect changes in laws or regulatory requirements
Changes to our Services or business operations
Updates to address security or privacy concerns

12.2 Notice of Modifications

We will provide notice of material modifications to this Privacy Policy by:

Posting the updated Privacy Policy on our website
Sending an email to the email address associated with your account
Providing a notification within the Services
Other reasonable means

For material changes that significantly affect your rights or our obligations, we will provide at least thirty (30) days’ advance notice before such changes take effect.

12.3 Effective Date of Modifications

Modifications will become effective upon the earlier of:

The date specified in the notice; or
Thirty (30) days after we provide notice of the modifications

12.4 Acceptance of Modified Privacy Policy

Your continued use of the Services after the effective date of any modifications to this Privacy Policy constitutes your acceptance of the modified Privacy Policy. If you do not agree to the modified Privacy Policy, you must stop using the Services and terminate your account before the effective date of the modifications.

12.5 Material Changes

If we make material changes to this Privacy Policy that significantly reduce your rights or increase our obligations regarding your personal information, we will provide at least thirty (30) days’ advance notice before such changes take effect. During this period, you may continue to use the Services under the previous version of the Privacy Policy.

12.6 Special Provisions for Fixed-Term Subscriptions

If you have purchased a fixed-term subscription, material changes to this Privacy Policy will not take effect for your account until the start of your next subscription renewal term, unless the changes are required by law or address security concerns. If you renew your subscription after receiving notice of modified terms, such renewal constitutes acceptance of the modified Privacy Policy.

12.7 Archive of Previous Versions

We maintain an archive of previous versions of this Privacy Policy, which will be made available upon request. To request a copy of a previous version, please contact us as outlined in Section 13 (Contact Information).

12.8 Review of Privacy Policy

We encourage you to periodically review this Privacy Policy to stay informed about our collection, use, and disclosure of your personal information. The date of the last update will be indicated at the top of the Privacy Policy.

12.9 Notification of Significant Changes

For significant changes to our privacy practices, such as:

New types of personal information being collected
New purposes for processing personal information
New categories of third parties with whom we share personal information
New rights or options regarding your personal information

We will make reasonable efforts to notify you directly, such as through a prominent notice on our website or by sending you an email notification.

13. CONTACT INFORMATION

13.1 General Contact Information

For all inquiries, questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us using one of the following methods:

Email: legal@waystonesoftwareinc.com
Online Form: https://gainaltitude.ai/terms/
Physical Mailing Address: 10610 S Jordan Gtwy, Ste 300, South Jordan UT 84095

13.2 Data Protection Officer

For security-related inquiries, suspected security incidents, or matters related to data protection, you can contact our Data Protection Officer:

Name: Jeff Luck
Email: security@gainaltitude.ai

13.3 Exercising Your Privacy Rights

To exercise your privacy rights as described in Section 7 (Your Privacy Rights and Choices), please submit a verifiable request to us using the general contact methods outlined in Section 13.1.

13.4 AI Training Opt-Out

If you wish to opt out of having your Account Data, even in aggregated and anonymized form, used for AI model training purposes, please contact Waystone’s support team at support@waystonesoftwareinc.com.

13.5 Notices to Waystone

All notices to Waystone under this Privacy Policy shall be in writing and shall be deemed to have been given upon:

Personal delivery
The second business day after mailing
The second business day after sending by confirmed facsimile
The first business day after sending by email

Notices to Waystone shall be addressed to:

Waystone Software, Inc. 10610 S Jordan Gateway, Suite 300 South Jordan, UT 84095 Attention: Legal Department Email: legal@waystonesoftwareinc.com

13.6 Response Time

We will respond to your inquiries, concerns, or requests within the timeframe required by applicable law, which is typically within 45 days of receiving your communication. If we need additional time to respond, we will inform you of the reason and the extension period in writing.

13.7 Dispute Resolution

Before filing a claim against Waystone, you agree to attempt to resolve the dispute informally by contacting Waystone at legal@waystonesoftwareinc.com. Waystone will attempt to resolve the dispute informally by contacting you via email. If a dispute is not resolved within thirty (30) days of submission, either party may proceed with formal dispute resolution as outlined in our Terms of Service.

13.8 Updates to Contact Information

We may update our contact information from time to time. The most current contact information will always be available in this Privacy Policy. If our contact information changes, we will update this section accordingly.

13.9 Accessibility

If you have a disability and need this Privacy Policy in an alternative format, please contact us using one of the methods listed above, and we will provide you with the Privacy Policy in a format that meets your needs.

Stay in the Loop