Privacy Policy

Wayfinder ("we", "us", "our") is a college admissions advisory service. This policy explains what information we collect, how we use it, and your rights.

What we collect

• Account info: name, email, password (hashed), user type (student / pre-college / parent / advisor).
• Profile context you provide: grade level, target schools, AP exams, career interests, anything you share in chat.
• Conversation history: your chats with the AI advisor, essay submissions, FRQ responses, and tool searches. Stored to provide context across sessions.
• Usage telemetry: feature usage counts, response latencies, error rates. Used to improve the product. Not sold.

What we do not collect

• We do not collect Social Security numbers, financial account numbers, or government IDs.
• We do not use cookies for advertising tracking.
• We do not sell your data to third parties.

How we use your information

• To provide personalized college admissions guidance based on your profile and history.
• To improve the quality of our AI advisor (with your consent at signup).
• To send you account-related messages (password reset, deadline reminders if you opt in).

Minors

Wayfinder is built for high school and pre-college students, many of whom are under 18. If you are under 13, you may not use Wayfinder without verifiable parental consent. Parents of users under 18 may review, modify, or delete their child's account by emailing the contact below. We do not knowingly collect more information from users under 13 than is necessary to provide the service.

Data retention

We retain your account and conversation data for as long as your account is active. If you delete your account, your data is soft-deleted for 30 days (in case of accidental deletion) and then permanently removed.

Your rights

• Export: You can download all your account data anytime from Settings → Export My Data.
• Delete: You can delete your account anytime from Settings → Delete My Account.
• Correct: You can update your profile information from Settings.
• EU/UK users (GDPR): You have the right to access, rectify, port, restrict processing, and object. Contact us to exercise these rights.
• California users (CCPA/CPRA): You have the right to know, delete, and opt out of sale (we do not sell). Contact us to exercise these rights.

Security

Passwords are hashed with bcrypt. JWT auth tokens are HTTPS-only. Data is stored on managed infrastructure with encryption at rest. No system is 100% secure, but we follow industry-standard practices.

Third-party AI

To provide AI-generated advice, we send portions of your conversation to Anthropic's Claude API and a self-hosted SLM. Anthropic does not retain your data for training (per their API terms). Our self-hosted SLM runs on private infrastructure.

Cookies

We use a small number of strictly necessary cookies (session token, JWT). We do not use advertising or analytics cookies that share with third parties. You will be asked to acknowledge cookie use on your first visit.

Changes to this policy

We may update this policy. Material changes will be communicated via email and an in-app notice.

Contact

Questions? Email danielyungkim@hotmail.com.