Sign In

Privacy Policy

Last updated: February 10, 2026

1. Overview

WayLucid ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. We are designed from the ground up to be a first-party data platform — meaning businesses own their customer data, and we do not sell personal information to third parties.

2. Information We Collect

Account Information: Name, email address, and profile details you provide during registration.

Location Data: GPS coordinates collected during check-ins and treasure hunts, used solely for visit verification and geofence notifications. Location data is only collected when you actively use location-based features.

Activity Data: Check-in history, campaign participation, rewards earned and redeemed, leaderboard activity, and treasure hunt progress.

Business Data: For business account holders — business profile information, campaign configurations, team member details, and subscription information.

Device Information: Browser type, operating system, and device identifiers for security and service optimization.

3. How We Use Your Information

We use collected information to:

  • Verify your visits to business locations using dual-factor (GPS + QR) verification
  • Deliver rewards, track campaign participation, and maintain your rewards wallet
  • Provide businesses with aggregated analytics and customer intelligence (never individual-level data without consent)
  • Send geofence-triggered notifications about nearby deals and campaigns
  • Maintain leaderboards, XP progression, and gamification features
  • Improve and optimize the platform experience
  • Process payments and manage subscriptions for business accounts

4. First-Party Data Principles

WayLucid is built on first-party data principles. Business account holders own the customer engagement data generated through their campaigns. We do not use cookies for cross-site tracking. We do not sell, rent, or share personal information with third-party advertisers. Customer data shared with businesses is limited to verified visit data and campaign interactions.

5. Data Sharing

We share information only in these circumstances:

  • With Businesses: When you check in at a business location, that business receives your visit verification data and any campaign-related interactions.
  • Service Providers: We use trusted third-party services for payment processing (Stripe), hosting, and analytics. These providers are contractually bound to protect your data.
  • Legal Requirements: We may disclose information when required by law, court order, or governmental authority.

6. Location Data

Location data is central to our verification system. GPS coordinates are collected only during active check-ins and when geofence notifications are enabled. You can disable location services at any time through your device settings or notification preferences. We retain location data for verification purposes and aggregate it for business analytics. Individual location history can be deleted upon request.

7. Data Security

We implement industry-standard security measures including encryption in transit (TLS 1.3), encrypted data at rest, secure authentication via OAuth 2.0, and regular security audits. We do not store payment card information — all payment processing is handled by Stripe. Access to user data is restricted to authorized personnel on a need-to-know basis.

8. Your Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and associated data
  • Portability: Export your data in a standard format
  • Opt-Out: Disable notifications, location tracking, or specific data collection
  • Restrict Processing: Limit how we use your data

9. CCPA & GDPR Compliance

WayLucid complies with the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). California residents and EU/EEA users have additional rights under these regulations. We do not sell personal information as defined by CCPA. For GDPR purposes, WayLucid acts as a data processor for business account data and a data controller for consumer account data.

10. Children's Privacy

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will delete it immediately.

11. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Business analytics data is retained for the duration of the business subscription plus 90 days. After account deletion, we retain anonymized, aggregated data for platform analytics. Backup copies may persist for up to 30 days after deletion.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

For privacy-related questions or to exercise your rights, contact us at [email protected].