Legal

Privacy Policy

We take your privacy seriously. This policy explains what data we collect, how we use it, and your rights as a WayPal user.

Effective: January 1, 2025 · Last updated: April 10, 2026

Overview

WayPal ("we", "our", or "us") is a mobile application designed to help drivers track mileage, manage expenses, and access smart driving tools. We are committed to protecting your personal information and being transparent about what data we collect and why.

This Privacy Policy applies to the WayPal mobile application (iOS and Android), the WayPal website, and any related services we provide. By using WayPal, you agree to the collection and use of information described in this policy.

If you do not agree with the terms of this policy, please do not use our services.

Information We Collect

We collect the following categories of information when you use WayPal:

Account Information

  • Your name and email address, provided during registration
  • A securely hashed password — we never store your password in plain text
  • Account creation date and last activity timestamp

Trip & Mileage Data

  • Origin and destination addresses or location names (entered manually or detected automatically)
  • GPS coordinates for trip start and end points
  • Encoded route polyline (the path driven) when auto-tracking is used
  • Trip distance (kilometres or miles), date, and purpose
  • Trip type (e.g. work start, client visit, personal) and notes you add
  • Whether a trip was auto-tracked by the app or entered manually
  • Calculated mileage value based on your configured rate

Vehicle Information

  • Vehicle nickname, make, model, and year
  • Odometer readings (start of year and current/end of year)

Expense Data

  • Vendor name, expense category (e.g. fuel, maintenance, parking), and item description
  • Amounts (subtotal, fees, tax, and total)
  • Payment method and business purpose
  • Notes you add to an expense record

Receipt Images

WayPal allows you to attach receipt photos to expense records. When you do so:

  • Camera: If you photograph a receipt directly in the app, WayPal requests access to your device camera solely to capture that image. The photo is uploaded to our secure servers and linked to your expense record.
  • Photo library: If you choose an existing image from your photo library, WayPal requests read access to your photos solely to retrieve the selected image. We do not scan, index, or access any other photos on your device.
  • Storage: Receipt images are stored securely on our servers and are associated with your account. They are accessible only to you.
  • Deletion: Removing a receipt from an expense record or deleting your account will permanently delete the associated image from our servers within 30 days.
  • No automated processing: Receipt images may be used to pre-fill expense fields (vendor name, amount, date) using on-device or server-side OCR processing. This processing is performed solely to populate your expense record and the image data is not used for any other purpose.

User Preferences

  • Distance unit preference (kilometres or miles)
  • Currency preference (e.g. CAD, USD, GBP)
  • Mileage rate per unit
  • Display preferences such as theme, text size, and density

Technical & Usage Data

  • Device type, operating system, and app version
  • IP address and approximate geographic region (for security and fraud prevention only)
  • Authentication tokens and session data
  • Error logs and crash reports (anonymised)

Location Data

Location access is central to WayPal's auto-tracking feature, which automatically records trips while you drive. We take extra care with this data.

What we collect and why

  • Precise GPS coordinates: Used to determine trip start and end points, calculate distance, and draw your route on the map.
  • Route polyline: A compressed representation of the path you drove, stored to display your route in the app and in reports.
  • Background location (iOS/Android): When you start a shift, the app accesses your location in the background to detect when a trip begins and ends — even if the app is not in the foreground. Background access stops when your shift ends.

How location data is used

  • To auto-detect trip start and end based on movement
  • To calculate trip distance accurately
  • To display your route on the in-app map (rendered using OpenStreetMap)
  • To generate mileage reports for tax or reimbursement purposes

What we do not do with location data

  • We do not share your GPS data or routes with advertisers or data brokers
  • We do not use your location to build profiles for advertising purposes
  • We do not access your location outside of active shifts
  • Location data is associated only with your account and is never sold

Your control

You can revoke location permissions at any time in your device's Settings app. Without location access, auto-tracking will not function, but you can still add trips manually. You can also delete any auto-tracked trip from within the app.

On iOS, WayPal requests "Always Allow" location permission to enable background tracking during a shift. You are free to grant only "While Using" instead; this will limit background trip detection. The app will always prompt you before accessing location and explain why it is needed.

Biometric Authentication

WayPal supports Face ID and Touch ID on iOS devices as a convenient and secure way to sign in. Here is exactly how this works:

  • We never receive or store biometric data. Face ID and Touch ID authentication is handled entirely by iOS, on your device. Apple's Secure Enclave processes your biometric data and WayPal only receives a yes/no result — we never have access to your face geometry, fingerprint data, or any biometric information.
  • What we store: When biometric authentication succeeds, your existing authentication token (stored securely on your device) is used to identify you. No new data is created or transmitted as a result of biometric sign-in.
  • Optional: Biometric sign-in is entirely optional. You can always sign in using your email and password instead.
  • Your control: You can disable biometric sign-in at any time in your device's Settings app under Face ID & Passcode or Touch ID & Passcode.

How We Use Your Data

We use the data we collect for the following purposes:

  • Providing the service: Storing your trips, expenses, and vehicle data so you can access and manage them across sessions and devices.
  • Auto-tracking trips: Using your GPS location during an active shift to automatically detect, record, and measure trips without requiring manual input.
  • Generating reports: Producing monthly, yearly, and on-demand summaries of your mileage, expenses, and business-use percentage for your own records.
  • Personalisation: Remembering your preferences (units, currency, mileage rate) to provide a consistent experience.
  • Security: Detecting and preventing unauthorised access, fraud, and abuse of our services.
  • Communications: Sending transactional emails such as account verification, password resets, email address change confirmations, and important service notices. If you opt in, we also send a weekly summary email every Monday with a snapshot of your driving stats for the prior week. You can opt out of the weekly summary at any time from the Account section of the app. We do not send marketing emails without your explicit consent.
  • Service improvement: Analysing aggregated, anonymised usage patterns to understand how the app is used and where improvements can be made.
  • Legal compliance: Fulfilling our legal obligations and responding to lawful requests from authorities where required.

We do not use your data for advertising purposes. We do not build advertising profiles or share your data with advertising networks.

Data Storage & Security

Your data is stored on secure servers. We implement industry-standard security measures to protect your information from unauthorised access, alteration, disclosure, or destruction.

Security measures we use

  • All data in transit is encrypted using TLS (HTTPS)
  • Passwords are hashed using bcrypt — your actual password is never stored
  • Authentication uses Laravel Sanctum with short-lived session tokens
  • Database access is restricted by strict firewall rules and access controls
  • Regular backups are taken with encryption at rest

Data retention

We retain your data for as long as your account remains active. If you delete your account, we will permanently delete your personal data within 30 days, except where we are required to retain it for legal or compliance reasons.

Anonymised, aggregated data (e.g. usage statistics that cannot identify you) may be retained indefinitely for service improvement purposes.

Data Sharing

We do not sell your personal data. We do not share your personal information with third parties for their marketing purposes.

We may share data in the following limited circumstances:

  • Service providers: We use trusted third-party service providers (such as hosting and email providers) who process data on our behalf. These providers are bound by data processing agreements and may not use your data for any other purpose.
  • Legal requirements: We may disclose your information if required to do so by law, court order, or in response to a valid request from a government authority.
  • Business transfers: If WayPal is acquired by or merged with another company, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
  • With your consent: We may share data in any other way with your explicit consent.

Your Rights

You have the following rights regarding your personal data:

  • Access: You can request a copy of all personal data we hold about you.
  • Correction: You can update or correct inaccurate data directly within the app settings, or by contacting us.
  • Deletion: You can request deletion of your account and all associated data at any time. We will process this within 30 days.
  • Export: You can export your trips and expenses as CSV or PDF from the Reports section of the app, or export a full JSON backup of all your data from Settings → Data & Backup.
  • Restriction: You can request that we restrict processing of your data in certain circumstances.
  • Portability: You can request your data in a structured, machine-readable format.
  • Objection: You can object to processing based on legitimate interests.

To exercise any of these rights, contact us at privacy@waypal.app. We will respond within 30 days.

Cookies & Local Storage

The WayPal mobile app uses local device storage (not browser cookies) to store authentication tokens and your display preferences (such as theme and text size). This data stays on your device and is not transmitted to our servers except as part of normal API authentication.

The WayPal website uses a session cookie for CSRF (cross-site request forgery) protection, which is a standard security measure. We do not use tracking cookies, analytics cookies, or third-party advertising cookies on our website.

Third-Party Services

WayPal uses the following third-party services in connection with its operations:

  • Hosting infrastructure: Our backend servers and file storage (including receipt images) are hosted with reputable cloud providers who are bound by strict data processing agreements. Receipt images are stored in access-controlled, encrypted object storage and are not publicly accessible.
  • Transactional email: We use a transactional email provider to send account verification, password reset, email change confirmation, and weekly summary emails. These providers only receive the email address and message content required to deliver the email.
  • OpenStreetMap: In-app trip maps are rendered using map tiles served by OpenStreetMap (openstreetmap.org). When you view a trip map, your device makes tile requests to OpenStreetMap's servers; this is subject to the OpenStreetMap Foundation Privacy Policy. Your GPS coordinates or route data are not transmitted to OpenStreetMap — only the tile coordinates needed to display the map area.
  • Apple App Store / Google Play: App distribution is handled by Apple and Google. Their privacy practices are governed by their own policies.

We do not integrate with social media platforms, advertising networks, or data brokers. Any future integrations will be disclosed in an update to this policy.

Children's Privacy

WayPal is not directed to children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children.

If you believe a child has provided us with personal information, please contact us immediately at privacy@waypal.app and we will delete the information promptly.

Policy Changes

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by:

  • Updating the "Last updated" date at the top of this page
  • Sending a notification to your registered email address
  • Displaying a notice in the WayPal app

Your continued use of WayPal after changes become effective constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:

We aim to respond to all privacy-related enquiries within 5 business days.

Have a question about your data?

Contact Privacy Team