WAYG
    Legal · Privacy

    Privacy
    Policy.

    How WAYG collects, uses, protects, and shares your personal and financial information.

    Effective July 1, 2026
    Last updated July 1, 2026

    1. Introduction and Company Identity

    Effective July 1, 2026. This Privacy Policy supersedes all prior versions.

    WAYG ("Company," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit wayg.co, use our services, or otherwise interact with us.

    WAYG is a Florida-based professional services firm providing bookkeeping, tax preparation, payroll, and advisory services to individuals and businesses. As a financial services provider, we comply with applicable privacy laws including the Gramm-Leach-Bliley Act (GLBA), the FTC Safeguards Rule, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and the General Data Protection Regulation (GDPR) where applicable.

    Data Controller:
    WAYG
    1701 Ponce De Leon Blvd, Suite 305
    Coral Gables, FL 33134
    Email: hello@wayg.co
    Phone: (305) 396-2000
    Toll-free: (888) 561-1915

    2. Information We Collect

    Personal Identifiers

    • Full legal name, aliases, date of birth
    • Social Security Number (SSN) or ITIN
    • Driver's license, passport, or government ID
    • Home address, mailing address, email, phone numbers
    • Employment information and employer identification

    Financial Information

    • Bank account numbers and routing numbers
    • Income documents (W-2s, 1099s, K-1s)
    • Investment and retirement account statements
    • Business financial records and profit/loss statements
    • Real estate records and property tax statements
    • Prior tax returns and IRS correspondence

    Automatically Collected Information

    • IP address and approximate geographic location
    • Browser type, version, and device type
    • Pages visited, time spent, and navigation path
    • Referring website, source, and UTM/campaign parameters
    • Security-related signals used to detect fraud and abuse

    Interactions and Uploads

    • Documents you upload to our client portal (currently Assembly)
    • Messages exchanged with your WAYG team
    • Chat transcripts with our on-site AI assistant "Gia"
    • Booking, call, and support-ticket metadata

    3. Cookies and Tracking Technologies

    We use cookies and similar tracking technologies. When you first visit our site, you will see a cookie consent banner allowing you to accept or reject non-essential cookies. We honor the Global Privacy Control (GPC) browser signal as an opt-out of cross-context behavioral advertising for browsers that send it.

    Category Purpose Required
    Strictly Necessary Session management, security, cookie consent Yes
    Analytics Google Analytics 4, Microsoft Clarity No
    Marketing Meta Pixel, Google Ads conversion No
    Functional Calendly scheduling, Assembly portal session No

    4. How We Use Your Information

    • Service delivery: Preparing tax returns, bookkeeping, payroll, and advisory work
    • Client portal & communications: Delivering documents, messages, reminders, and reports through Assembly and email
    • Billing: Processing subscriptions and one-time invoices through Assembly (Portal Technologies, Inc.)
    • AI-assisted workflows: Accelerating research, drafting, and data extraction, always with human professional review
    • Legal compliance: Complying with tax laws and responding to legal process
    • Security & fraud prevention: Detecting abuse, preventing unauthorized access, and protecting our systems
    • Marketing (with consent): Product updates, tax deadline reminders, and educational content

    5. Information Sharing and Subprocessors

    We share personal information only with vetted subprocessors under written terms, and only as needed to deliver services.

    • Assembly (Portal Technologies, Inc.): Client portal, secure document exchange, and subscription billing
    • Canopy: Legacy client portal, being migrated to Assembly
    • QuickBooks Online (Intuit) and Xero: Accounting platforms, only when you connect them
    • Gusto: Payroll processing for payroll-service clients
    • Google Workspace: Email, calendar, and internal document collaboration
    • Resend: Transactional email delivery
    • Cloudflare: DNS, CDN, and edge security
    • Supabase-hosted infrastructure (AWS US East): Database and serverless functions
    • Enterprise AI providers: Model inference for our "Gia" assistant and internal workflows, under enterprise agreements that prohibit training on our inputs
    • Government agencies: IRS and state tax authorities as required for filings
    • Legal process: In response to subpoenas, court orders, or valid legal process
    • Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected clients

    We do not sell your personal information, and we do not share it for cross-context behavioral advertising in exchange for money.

    6. AI and Automated Processing

    WAYG uses artificial intelligence tools, including our "Gia" assistant on wayg.co and internal AI-assisted workflows, to accelerate research, drafting, document classification, and data extraction.

    • Human review: All tax returns, financial statements, and advisory deliverables are reviewed by a qualified human professional before release.
    • No third-party model training: Client data is not used to train third-party foundation models. AI providers operate under enterprise agreements that prohibit training on our inputs.
    • Chat logging: Conversations with Gia may be logged for quality, compliance, and product improvement.
    • No solely automated decisions: We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing.
    • Right to opt out: Active clients may request that their engagement work be handled without AI assistance by writing to hello@wayg.co.

    7. Data Security & Breach Notification

    We maintain a Written Information Security Program (WISP) aligned with IRS Publication 4557 and the FTC Safeguards Rule. Safeguards include:

    • TLS encryption for data in transit; AES-256 encryption at rest for sensitive fields
    • Multi-factor authentication and least-privilege access for staff
    • Role-based access controls in our client portal, scoped to your engagement team
    • Vendor due diligence and written terms with subprocessors
    • Ongoing staff training on privacy and security
    • Documented incident-response and breach-notification procedures

    In the event of a confirmed security incident affecting your personal information, we will notify you without undue delay and, where feasible, within seventy-two (72) hours of confirmation, in accordance with applicable state and federal breach notification laws.

    8. GLBA Compliance

    As a financial services provider, we comply with the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations. We do not disclose nonpublic personal information about current or former clients to nonaffiliated third parties, except as permitted or required by law. We maintain a comprehensive information security program to protect your nonpublic personal information, as described in Section 7.

    9. Your Privacy Rights

    California Residents (CCPA/CPRA)

    • Right to Know: Request disclosure of personal information collected, sources, purposes, and third parties
    • Right to Delete: Request deletion of your personal information, subject to legal retention requirements
    • Right to Correct: Request correction of inaccurate information
    • Right to Data Portability: Receive a copy of your personal information in a portable format
    • Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising
    • Right to Limit Use of Sensitive Personal Information
    • Right to Non-Discrimination: No penalty for exercising rights
    • Right to Appeal: If we deny your request, you may appeal in writing to hello@wayg.co

    You may exercise these rights yourself or through an authorized agent (proof of authorization required). We will respond within 45 days and may extend once by an additional 45 days when reasonably necessary.

    European & UK Users (GDPR / UK GDPR)

    • Right of access, rectification, and erasure
    • Right to data portability
    • Right to restriction of processing
    • Right to object to processing (including direct marketing)
    • Right to withdraw consent where processing is based on consent
    • Right to lodge a complaint with your supervisory authority

    To exercise any right, contact hello@wayg.co. We will verify your identity before responding.

    10. Data Retention

    • Tax records: 7 years minimum (IRS regulations)
    • Financial records and engagement files: 7 years after engagement ends
    • Marketing leads: Deleted after 24 months of inactivity or on opt-out request
    • Website analytics: Up to 26 months
    • Gia chat transcripts: 12 months, unless part of an active engagement record
    • Backups: Rolling backup windows aligned with the categories above

    When retention periods end, data is deleted or de-identified.

    11. International Data Transfers

    WAYG operates from the United States, and our infrastructure and subprocessors are primarily located in the United States. If you access our services from the EEA, UK, or another jurisdiction outside the US, your personal information may be transferred to and processed in the US under appropriate safeguards, including Standard Contractual Clauses where applicable.

    12. Children's Privacy

    Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected such information, we will delete it promptly.

    13. Changes to This Policy

    We may update this Privacy Policy from time to time. Material changes will be communicated to active subscribers by email at least thirty (30) days before they take effect, and posted on our website with an updated "Effective" date at the top of this page.

    14. QuickBooks Online Integration and Third-Party Data Processors

    To deliver bookkeeping, tax, and advisory services, WAYG integrates with several third-party platforms that process your data on our behalf. This section explains how each integration works, what data is shared, and how you can revoke access at any time.

    QuickBooks Online (Intuit Inc.)

    When you authorize WAYG to connect to your QuickBooks Online account, our application acts on your behalf via Intuit's standard OAuth 2.0 authorization flow. Specifically:

    • What we read: Profit and Loss, Balance Sheet, Cash Flow, Aged Receivables, Vendor Expenses reports; open invoices and account balances; company profile information.
    • What we write: Nothing. Our integration is read-only. We do not create, modify, or delete any records inside your QuickBooks Online account.
    • Where data goes: QuickBooks data is fetched on demand when you (or your assigned WAYG team member) open your client portal dashboard. Numerical and report data is processed in-memory during the request and is not persisted in our database.
    • Token storage: Only the OAuth access token, refresh token, realm ID, and connecting user identity are persisted in our PostgreSQL database, encrypted at rest with AES-256 and accessible only to authorized WAYG backend services. Tokens never appear in URLs, browser-visible code, or application logs.
    • Token rotation: Access tokens are refreshed automatically just before expiration using Intuit's standard refresh flow. Refresh tokens are rotated on each use per Intuit's policy.

    Intuit's privacy practices are governed by Intuit's Privacy Statement.

    Backend infrastructure and email

    Other third-party processors that handle your data on our behalf:

    • Supabase, Inc. provides PostgreSQL database hosting and serverless edge function infrastructure. Runs on Amazon Web Services in the US East (N. Virginia) region. SOC 2 Type II certified. Stores OAuth connection records, lead data, and engagement metadata. Their privacy practices are governed by Supabase's Privacy Policy.
    • Assembly (Portal Technologies, Inc.) hosts the client portal where the QuickBooks Command Center dashboard is embedded as a Custom App. Stores client profile information, messages with WAYG team, and uploaded documents. Their privacy practices are governed by Assembly's Privacy Policy.
    • Stripe, Inc. processes subscription billing for Core, Advisory, and Executive plans. Stripe is PCI-DSS Level 1 certified and we never see or store full payment card details. Their privacy practices are governed by Stripe's Privacy Policy.
    • Resend, Inc. delivers transactional emails (welcome messages, trial reminders, monthly reports). Receives only your email address, name, and message content. Their privacy practices are governed by Resend's Privacy Policy.
    • Cloudflare, Inc. provides CDN and DNS for our website and edge function hosting. Receives standard request metadata (IP address, user agent, requested URL).

    Who can see your QuickBooks data inside WAYG

    Once your QuickBooks Online account is connected, your financial data is visible to:

    1. You, through the WAYG client portal (currently Assembly).
    2. Your assigned WAYG team, typically your client success manager, lead accountant, and any advisor on your engagement. Internal access is governed by Assembly's role-based permissions and is limited to the clients each team member is explicitly assigned to.

    Your QuickBooks data is never:

    • Sold, licensed, or rented to third parties
    • Used for advertising, marketing, or analytics outside the engagement scope
    • Shared with other WAYG clients
    • Aggregated, anonymized, or used to train any AI or machine learning model
    • Accessed by WAYG personnel not assigned to your engagement

    How to revoke access and delete your data

    You can disconnect your QuickBooks Online integration at any time through any of three paths:

    1. From QuickBooks Online directly. Sign in to QuickBooks Online → click the gear icon → "Manage Apps" → find WAYG → click "Disconnect."
    2. From your client portal. Open your QuickBooks Command Center dashboard inside the WAYG portal → click the "Disconnect" button.
    3. By email. Send a request to hello@wayg.co with the subject line "QuickBooks Disconnect Request" and include your account email.

    Upon disconnection, our application immediately calls Intuit's token revocation endpoint to invalidate the OAuth refresh token at the source, then deletes the local connection record from our database. Cached report data, if any was retained, is purged within 30 days. Tax records, financial records, and engagement files are subject to the retention periods in Section 9 above to comply with IRS regulations and professional standards.

    If you have questions about how WAYG handles your QuickBooks Online data, contact us at hello@wayg.co or (305) 396-2000.

    15. Contact Us

    If you have questions about this Privacy Policy or want to exercise your privacy rights, please contact us:

    Address

    1701 Ponce De Leon Blvd, Suite 305
    Coral Gables, FL 33134

    Phone

    (305) 396-2000
    Toll-free: (888) 561-1915

    Email

    hello@wayg.co

    We use cookies to enhance your experience, analyze traffic, and personalize content.

    Your privacy matters. You can customize your preferences anytime. Privacy Policy