Privacy Policy

1. Introduction

Wayden, Inc. (“Wayden,” “we,” “us,” or “our”) is committed to protecting the privacy and security of information entrusted to us. This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with the Wayden platform and associated AI agent services (collectively, the “Service”) provided to licensed insurance agencies and brokerages (“Agency,” “you,” or “your”).

This Policy should be read in conjunction with our Terms of Service and, where applicable, our Data Processing Addendum (“DPA”). Capitalized terms not defined here have the meanings given in our Terms of Service.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, you should not use the Service.

2. Who We Are

2.1 Controller vs. Processor

Wayden operates in different privacy law capacities depending on the context:

• Controller: When we collect information about your Agency’s authorized users directly (such as account administrators and billing contacts) for purposes of providing, administering, and improving the Service, Wayden acts as a data controller under applicable privacy laws.
• Processor: When your Agency uploads or submits data about your clients, prospects, or third parties through the Service — including insurance submissions, policy data, or voice recordings — Wayden acts as a data processor on your Agency’s behalf. In that capacity, our Data Processing Addendum governs our handling of that data, and your Agency is the controller responsible for compliance with applicable privacy laws.

2.2 B2B Service

The Service is a business-to-business platform. We do not knowingly collect personal information from your clients or their insureds directly. Your Agency is responsible for ensuring that any personal data you submit through the Service is collected and processed in accordance with applicable privacy laws and any required notices or consents from the individuals whose data is processed.

3. Information We Collect

3.1 Account and Registration Information

When you register for and administer an account, we collect:

• Agency name, legal entity type, and principal place of business;
• State insurance license numbers and jurisdictions of operation;
• Account administrator name, email address, and phone number;
• Billing information (processed through our third-party payment processor — Wayden does not store full payment card numbers);
• Information about authorized users added to your account, including names, email addresses, and role assignments.

3.2 Insurance and Submission Data

Through your use of the Service, Wayden may process, on your behalf as your data processor, information that your Agency uploads or generates, including:

• Insurance submission documents, ACORD forms, applications, and associated data;
• Client and prospect business information, contact details, and insurance needs;
• Policy information, coverage details, renewal data, and claims history processed through AMS integrations;
• Communications and correspondence related to submissions and renewals;
• Any other data your Agency chooses to input into or process through the Service.

Wayden processes this data solely as instructed by your Agency in accordance with our Terms of Service and DPA.

3.3 Technical and Usage Information

We automatically collect certain technical and usage information when you access or use the Service, including:

• IP addresses, browser type, operating system, and device identifiers;
• Pages accessed, features used, session duration, and navigation paths within the Service;
• Log data, error reports, and diagnostic information;
• API access logs and agent action logs (including approval decisions and workflow events);
• Cookies and similar tracking technologies as described in Section 9.

3.4 Voice Agent Data

If your Agency uses the Voice Agent feature, we process:

• Voice recordings of calls conducted through the Service;
• Transcriptions and summaries generated from voice interactions;
• Caller identification information provided through telephony integrations;
• Metadata associated with calls (time, duration, outcome, disposition).

Your Agency is responsible for obtaining all required consents under the TCPA, applicable state wiretapping and recording laws, and any other applicable law before recording calls or initiating automated voice communications.

4. How We Use Information

4.1 To Provide and Operate the Service

We use the information we collect to:

• Provision, operate, maintain, and support the Service and your account;
• Process AI agent tasks in accordance with your configuration and approval workflows;
• Authenticate users and enforce access controls;
• Manage integrations with your AMS and third-party systems;
• Provide customer support and respond to inquiries.

4.2 To Improve and Develop the Service

We use aggregated, de-identified, and anonymized technical and usage information — which cannot reasonably be used to identify your Agency or your clients — to analyze Service performance, identify bugs and errors, understand feature adoption, and improve existing and develop new Service functionality. This does not include using identifiable Agency Data to train AI models, as described in Section 5.

4.3 To Communicate with You

We use account administrator contact information to:

• Send transactional communications, including account confirmations, invoices, and security notifications;
• Notify you of changes to the Service, these policies, or your subscription;
• Send product updates and service announcements that are reasonably necessary for your use of the Service;
• Provide optional newsletters or marketing communications, subject to your consent preferences.

4.4 To Comply with Legal Obligations

We may use and retain information as necessary to comply with applicable laws and regulations, respond to lawful requests from government authorities, enforce our Terms of Service, and protect the rights, property, or safety of Wayden, our customers, or the public.

5. No AI Model Training on Customer Data

Wayden will not use your Agency Data — including insurance submission data, client records, policy information, voice recordings, transcripts, or any other non-public information processed through the Service — to train, fine-tune, evaluate, or otherwise improve foundation AI or machine learning models for use by other customers or for Wayden’s general commercial purposes.

This commitment applies regardless of whether your data has been de-identified or aggregated, unless the resulting data is at a level of abstraction that it cannot reasonably be used to reconstruct information about your Agency, clients, or the transactions you process.

Any AI model customization or fine-tuning that Wayden performs specifically for your Agency’s deployment, using your Agency’s data, will be subject to the terms of a separate written agreement and will be performed solely for the benefit of your Agency.

6. How We Share Information

Wayden does not sell your personal information. We share information only in the following circumstances:

6.1 Service Providers

We engage third-party vendors and service providers that perform services on our behalf, such as cloud infrastructure providers, payment processors, telephony providers, email service providers, and security vendors. These providers are contractually obligated to process information only as directed by Wayden and to maintain appropriate security measures. A list of our key sub-processors is available upon request.

6.2 AMS and Integration Partners

When you enable integrations with your Agency Management System or other third-party platforms, information will be shared with those systems in accordance with your configuration. Your use of those integrations is subject to the privacy practices of the relevant third-party providers.

6.3 Business Transfers

In connection with a merger, acquisition, asset sale, financing, or other corporate transaction, information may be transferred to the acquiring entity or successor. We will provide notice of any such transfer that materially affects this Privacy Policy.

6.4 Legal and Safety

We may disclose information if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation or lawful government request; (b) enforce our Terms of Service; (c) protect the rights, property, or safety of Wayden, our customers, or others; or (d) detect and prevent fraud or security incidents.

6.5 Aggregated and De-identified Data

We may share aggregate, de-identified, or statistical information about use of the Service that cannot reasonably be used to identify any individual or Agency, for purposes such as industry research or product marketing.

6.6 With Your Consent

We may share information with third parties when you have given us explicit consent to do so.

7. Data Retention

We retain Agency Data for the duration of your subscription and for thirty (30) days following termination or expiration, during which time your Agency may export its data. After this period, we will delete or de-identify Agency Data unless we are required to retain it by law.

We retain account and administrative information (such as billing records and account registration data) for a period of seven (7) years following account closure, or longer as required by applicable law or as necessary for legal defense purposes.

Voice recordings processed through the Voice Agent are retained for ninety (90) days by default, unless your Agency configures a shorter retention period or applicable law requires a different retention schedule. Transcripts and summaries may be retained for the duration of the subscription.

Audit logs of AI agent actions and approval decisions are retained for a minimum of three (3) years to support E&O documentation requirements, unless a longer period is required by applicable insurance regulations.

8. Data Security

Wayden implements commercially reasonable administrative, technical, and physical security measures designed to protect information against unauthorized access, disclosure, alteration, or destruction. Our security practices include:

• Encryption of data in transit using TLS 1.2 or higher;
• Encryption of data at rest using AES-256 or equivalent standards;
• Role-based access controls and least-privilege principles for internal staff;
• Regular security assessments and vulnerability management;
• Incident response procedures with notification obligations as required by applicable law;
• SOC 2 Type II compliance (or equivalent) for production infrastructure.

Detailed security documentation is available to customers under NDA upon request. No security system is impenetrable, and Wayden cannot guarantee that information will never be accessed, disclosed, altered, or destroyed by a breach of our security measures.

In the event of a security incident involving your Agency Data, Wayden will notify you without undue delay and in accordance with applicable breach notification laws, and will cooperate with your efforts to comply with your own notification obligations.

9. Cookies and Tracking

The Wayden platform uses cookies and similar tracking technologies to operate and improve the Service. Categories of cookies we use include:

• Strictly Necessary: Required for authentication, session management, and core Service functionality. These cannot be disabled without impairing Service operation.
• Functional: Remember user preferences and settings to improve the user experience within the Service.
• Analytics: Collect aggregated, anonymized usage information to help us understand how the Service is used and where improvements can be made. We use privacy-respecting analytics tools that do not share data with advertising networks.

We do not use third-party advertising cookies or sell data to advertising platforms. You can manage cookie preferences through your browser settings, though disabling certain cookies may affect Service functionality.

10. State Privacy Rights

10.1 California

The California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”) provides California residents with certain rights regarding their personal information. However, because the Service is a B2B platform and information processed through the Service generally relates to businesses and their employees in a commercial context, much of the data processed may qualify for B2B or employee exemptions under the CCPA/CPRA.

To the extent CCPA/CPRA applies to information we hold about California-based account administrators or users, those individuals have the right to:

• Know what personal information we collect, use, disclose, and sell (we do not sell personal information);
• Request deletion of personal information, subject to applicable exceptions;
• Request correction of inaccurate personal information;
• Opt out of the sale or sharing of personal information (not applicable — we do not sell or share for advertising);
• Non-discrimination for exercising privacy rights.

To exercise these rights, contact us at privacy@wayden.ai. We will respond within 45 days of a verifiable request.

10.2 Other States

Various states have enacted or are enacting comprehensive privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and others. To the extent these laws apply to information we process about residents of those states in our capacity as a controller, we will honor applicable rights requests submitted to privacy@wayden.ai. Because the Service is B2B in nature, the scope of these laws as applied to most information we process may be limited.

10.3 Insurance-Specific Privacy Requirements

Insurance data processed through the Service may be subject to the Gramm-Leach-Bliley Act (“GLBA”) and state insurance privacy regulations, including state Department of Insurance rules implementing NAIC model privacy regulations. Your Agency, as the controller of client data processed through the Service, is responsible for compliance with GLBA and applicable insurance privacy laws. Wayden will support your compliance efforts as a data processor in accordance with our DPA.

11. Recording Consent and TCPA

The Voice Agent feature may involve recording telephone calls and initiating automated or pre-recorded voice communications. These activities are subject to extensive federal and state regulation, including the TCPA, state wiretapping and eavesdropping laws, and state Department of Insurance regulations.

Your Agency is solely responsible for:

• Determining the applicable consent requirements for all recordings and automated communications in the jurisdictions where your Agency operates;
• Obtaining prior express written consent from called parties where required by the TCPA or applicable state law before initiating automated or pre-recorded calls;
• Providing required call recording disclosures at the start of any recorded call;
• Maintaining records of consents obtained and honoring do-not-call requests promptly;
• Ensuring that all Voice Agent communications comply with applicable federal and state telemarketing and communications laws.

Wayden provides configurable disclosure and consent capture features to assist your compliance, but these features do not substitute for legal advice or guarantee compliance with applicable law.

12. Children’s Privacy

The Service is designed for and directed exclusively to business entities and their authorized professional employees. The Service is not directed to individuals under the age of 18, and we do not knowingly collect personal information from children. If you believe that we have inadvertently collected information from a child, please contact us at privacy@wayden.ai and we will promptly delete such information.

13. International Data Transfers

Wayden is based in the United States, and the Service is operated from US-based infrastructure. If you access the Service from outside the United States, or if your Agency Data includes information about individuals located outside the United States, you acknowledge that information may be transferred to and processed in the United States.

To the extent that Wayden transfers personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, such transfers will be conducted pursuant to Standard Contractual Clauses or other lawful transfer mechanisms recognized under applicable data protection law. Please contact us at privacy@wayden.ai for more information about international transfer safeguards.

14. Third-Party Links

The Service may contain links to or integrations with third-party websites, platforms, or services (such as carrier portals or AMS systems) that are not operated by Wayden. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you connect to or access through the Service. Wayden is not responsible for the privacy practices of third-party services.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify account administrators by email at least thirty (30) days before the changes take effect, and we will post the updated policy on our website with a revised effective date.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the revised policy, you should discontinue use of the Service and contact us to terminate your subscription.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact us:

For requests to exercise your privacy rights under applicable state law, please include “Privacy Rights Request” in the subject line of your email and specify the right you wish to exercise and the information to which your request relates. We will respond to verifiable requests within the timeframes required by applicable law.