Legal

Privacy Policy

Website: https://waypoint-global.com

Controller / Company: Waypoint LLC

Privacy / Data Protection contact: Contact@waypoint-global.com

Last updated: September 22, 2025

1. Introduction

Waypoint LLC («Waypoint», «we», «us» or «our») operates https://waypoint-global.com (the «Site»). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, how long we retain it, and the rights you have under applicable data protection laws (including the EU General Data Protection Regulation (GDPR), Colombia’s Habeas Data framework / Law 1581 of 2012, Singapore PDPA, and CCPA-style rights where applicable).

2. Scope and legal notice

This Policy applies to personal data collected through the Site and through our recruitment and vendor/contact pages, and to personal data we collect in the course of our business relationships (for example, with vendors and candidates). For employee data processed in an employer-employee relationship, a separate internal privacy notice may apply.

Waypoint maintains a Record of Processing Activities (ROPA) documenting processing categories, purposes, recipients, retention periods and safeguards. For high-risk processing (e.g., background checks, systematic monitoring) we perform a Data Protection Impact Assessment (DPIA) before starting the activity.

3. What personal data we collect

We collect different categories of personal data depending on the context. Examples include:

Comments / Contact messages: name, email address, company, message content, IP address, browser user-agent, and any files you attach.

Job applicants / CVs (resumes): name, contact details, CV/resume, cover letter, employment history, education, references, interview notes, background check results (where applicable and lawful), and any additional information you provide during recruitment.

Vendor & supplier contacts: name, role/title, company, email, phone number, invoicing details (company tax ID, bank details if provided), correspondence history.

Site usage data: cookies, device identifiers, IP addresses, pages viewed, referral URL, and analytics events.

Support / service requests: any information you send in support tickets or emails that is necessary to address the request.

4. Why we collect and how we use personal data (purposes)

We use personal data for legitimate business purposes, including:

to respond to contact messages, queries and support requests;

to manage recruitment, evaluate job applications, and conduct interviews and pre-employment checks;

to manage vendor onboarding, billing, and payments;

to operate, secure and improve our Site and services (analytics, troubleshooting, fraud prevention);

to comply with legal obligations (tax, accounting, employment law) and to exercise or defend legal claims;

to send administrative communications such as policy updates, security notices or other communications related to your relationship with us.

5. Lawful basis for processing (GDPR)

If you are in the EEA, the UK or otherwise covered by GDPR, our legal bases for processing include:

Performance of a contract: processing necessary to enter into or perform a contract (e.g., supplier onboarding, payroll, service delivery).

Legal obligation: compliance with tax, employment, or accounting obligations.

Legitimate interests: fraud prevention, security, Site operation and improvement, defending legal claims (we balance our interests vs your rights).

Consent: where we request consent (cookies or marketing communications), you can withdraw consent at any time.

6. Special section — Job applicants & CVs (resumes)

When you apply for a role with Waypoint, we collect and process your CV and supporting information to evaluate your suitability for the role. Key points:

Purpose: recruitment, background checks (where lawful), reference checks, and onboarding if hired.

Data minimization: we will only request information necessary for recruitment (we do not seek irrelevant sensitive personal data unless you voluntarily provide it or we have a lawful basis).

Retention: if you are not hired, we will keep your CV for up to 24 months from the date of application if you consent to be kept on file for future roles. You can withdraw that consent at any time by contacting Contact@waypoint-global.com.

Candidate rights: applicants may request access, correction, deletion or portability of their data. In jurisdictions with Habeas Data laws (e.g., Colombia), applicants may exercise ARCO rights. See «Your rights» section 11 for how to exercise these rights.

Background checks: where applicable and lawful, we may conduct employment background checks; we will obtain your consent where required by local law.

7. Special section — Vendor & supplier contact information

Vendor messages, quotes and onboarding information are processed to evaluate and maintain vendor relationships and to process payments. Key points:

Purpose: contracting, payment processing, compliance checks (KYC / AML), and communication regarding services or deliveries.

Banking details: if you provide bank account information for payments, we store it securely and only use it to effect payments and comply with tax/financial controls.

Retention: financial and contractual records are retained in accordance with legal and tax requirements (7 years), or longer if required by local law.

Habeas Data: vendors may exercise data subject rights under local law; see «Your rights» section11.

8. Cookies and similar technologies

We use cookies and similar technologies to provide functionality, analytics, and marketing. Where required by law, we ask for consent via a cookie banner. You can withdraw consent via the cookie settings or by deleting cookies in your browser.

Cookie categories and examples:

Essential: Site functionality (login, session) — session cookies, expires on browser close or 2 days.

Preferences: Remember display choices (language, screen) — 1 year.

Analytics: Track site performance & usage — 26 months (Google Analytics default).

Marketing: Deliver targeted advertising (where applicable) — varies by provider.

9. Third parties / processors

We share data with third-party service providers who perform services on our behalf (hosting, analytics, anti-spam, email, payment processing). These processors act on our instructions and are bound by contract to keep data secure. Current providers include:

Google Workspace — email and forms: https://policies.google.com/privacy

Microsoft 365 — email and collaboration (where used):

https://privacy.microsoft.com/

Data Processing Agreements (DPA).

Waypoint requires that all third-party processors who process personal data on our behalf enter into a Data Processing Agreement (DPA). The DPA includes processing instructions, confidentiality obligations, technical and organisational measures, subprocessors rules, audit rights and deletion/return obligations. A current list of subprocessors and executed DPAs is available on request at Contact@waypoint-global.com

10. International transfers

Our services and processors may transfer or store personal data outside your jurisdiction (for example, to the United States or other countries). Where such transfers occur, we implement appropriate safeguards (standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms) to protect your data. Contact Contact@waypoint-global.com if you require details of the specific safeguards used for a transfer.

Where personal data is transferred outside the EEA/UK/other protected jurisdictions, Waypoint relies on: (a) adequacy decisions; (b) EU Standard Contractual Clauses (SCCs) or equivalent mechanisms; and (c) additional technical/organizational safeguards (e.g., encryption, access controls). Copies of SCCs or transfer impact assessments are available on request at Contact@waypoint-global.com

11. Your rights

Subject to local law, you may have the following rights regarding your personal data:

Access: request a copy of the personal data we hold about you.

Correction: request rectification of inaccurate or incomplete data.

Erasure: request deletion of your personal data (right to be forgotten), where permitted.

Restriction: request restriction of processing in certain circumstances.

Portability: request a machine-readable copy of your data for transfer to another provider.

Objection: object to processing based on legitimate interests or for direct marketing.

Withdraw consent: where processing is based on consent, you can withdraw consent at any time.

Lodge a complaint with a supervisory authority or your local Data Protection Authority.

To exercise any of these rights, contact: Contact@waypoint-global.com. We will respond in line with applicable law and may request identity verification to protect your privacy.

12. Security

We implement technical and organizational measures to protect data (encryption, access controls, security testing). However, no online system is completely secure; if you suspect misuse of your personal data, contact Contact@waypoint-global.com immediately.

Security incidents / Breach notification.

In the event of a personal data breach likely to result in risk to individuals, Waypoint will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware. Affected individuals will be informed when required. Report incidents immediately to

Contact@waypoint-global.com

Technical & organizational measures:

encryption in transit (TLS) and at rest for sensitive data; role-based access control; multi-factor authentication for admin accounts; logging and monitoring; regular vulnerability scans and annual penetration tests; encrypted backups retained 180 days.

13. Data retention

We retain personal data only as long as necessary for the purposes set out in this Policy and to comply with legal obligations. Retention periods include:

Comments and comment metadata: retained indefinitely (or until you request deletion).

Applicant data (unsuccessful candidates): 24 months with option to retain longer with explicit consent for future roles.

Vendor and financial records: 7 years for tax and accounting purposes.

Analytics data: 26 months or per provider defaults.

Logs and security events: 90 days (or as required by law).

14. Children

Our Site is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have collected such data, please contact us so we can remove it.

15. Changes to this policy

We may update this Privacy Policy from time to time. The «Last updated» date at the top will show the latest revision. We will notify you about material changes where required by law.

16. Contact & How to make a data subject request (ARCO / Habeas Data)

Privacy / data protection contact: Contact@waypoint-global.com.

How to make a request (suggested steps):

Email Contact@waypoint-global.com with subject: «Data Subject Request» and describe the request (access, deletion, correction, portability).

Provide proof of identity (government ID) if required for verification.

We will acknowledge receipt within 5 business days and respond within the timeframe required by applicable law (typically 30 calendar days; extensions up to 60 days in complex cases).

If you are not satisfied with our response, you may lodge a complaint with a supervisory authority or your local Data Protection Authority.

To exercise rights, email Contact@waypoint-global.com with subject “Data Subject Request” including: full name, contact details, description of request and a scan of government ID. We will acknowledge within 5 business days and provide a substantive response within 30 calendar days (extension up to 60 days if complex). If a request is denied, reasons and appeal options will be provided.