Who this covers
This policy applies to anyone who visits our marketing sites, signs up for an account, joins the waitlist, uses PostWyse or OpsWyse, or interacts with the Wyse AI inside either product. Separate notices may apply if you are a job applicant or a potential customer engaging with our sales team; those notices will be provided in context.
Who we are
Wysera (the “Company,” “we,” “us,” or “our”) is the data controller for the personal data described in this policy. You can reach our data team at hi@wysera.ai. Where we process workspace content on your behalf as part of providing the service, we act as a processor and your organisation is the controller; our Data Processing Addendum governs that relationship.
Data we collect
We collect only what we need to run the product and serve you. Categories below cover everything we touch.
Account data
Name, work email, password hash (Argon2), workspace name, role. Optionally LinkedIn URL if you join via the waitlist.
Workspace content
Drafts, briefs, contacts, deals, notes, files, and anything else you or your team create or upload into PostWyse or OpsWyse.
Integrations content
Data you choose to sync from Google Workspace, HubSpot, Slack, Notion, Salesforce, and other connectors. Scoped to the permissions you grant.
Usage and telemetry
Pages viewed, features used, latency, errors. Tied to your account so we can support you, but stripped of PII before reaching error-tracking tools.
Device and network
IP address, browser type, OS, approximate location (city / country) derived from IP, session cookies for sign-in.
Billing data
Company name, billing address, tax ID, invoice history. Card numbers live in Stripe; we never see or store them.
Support and comms
Messages you send us through email, chat, or forms, and our replies.
How we use it
Run the product
Authenticate you, render your workspace, save drafts, sync integrations, send transactional email.
Improve drafts for your team only
Wyse uses your team's edits and approvals to learn your voice and stack. This learning is scoped to your tenant.
Support you
Reply to your questions, debug issues you report, restore data if something goes wrong.
Keep things secure
Detect abuse, block credential-stuffing, investigate anomalies, satisfy lawful requests.
Run the business
Bill you, calculate taxes, send service notices, comply with accounting and legal obligations.
Tell you about updates
Product release notes and occasional educational content. You can opt out of marketing email any time and still receive transactional notices.
Legal bases (GDPR)
If you are in the EU, EEA, UK, or Switzerland, we rely on the following legal bases under the GDPR and UK GDPR:
Contract
Most processing is necessary to provide the service you signed up for: rendering your workspace, processing your prompts, sending your invoices.
Legitimate interests
Service security, abuse prevention, product analytics in aggregate, and direct marketing to existing customers about similar products. Balanced against your rights.
Legal obligation
Tax records, sanctions screening, lawful requests from authorities with valid jurisdiction.
Consent
Where required, for marketing email to non-customers, certain cookies, and optional integrations. Withdraw any time without affecting the service.
AI training and Wyse
Wyse is the AI agent inside PostWyse and OpsWyse. Five principles govern how it touches your data.
- Customer data never trains public AI models.
- Wyse learns inside your tenant, not across tenants.
- Upstream model providers (Anthropic, OpenAI) receive only the prompt content needed for the task, under zero-data-retention contracts.
- Every AI output is logged with prompt, model, and result so you can audit any decision.
- Sensitive fields (PHI, PII) can be flagged for field-level redaction before Wyse processes them.
See /trust for the deeper technical description, including retention, redaction, and audit logging.
International transfers
Our primary infrastructure runs in AWS us-east-1 (Virginia). EU residency in AWS eu-central-1 (Frankfurt) is available on Pro Bundle and Enterprise. Custom residency for Australia, UK, and Canada is available for Enterprise on a 30 to 60 day lead time.
Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (with the UK addendum where applicable) and conduct transfer impact assessments where required.
Retention
We keep data for as long as we need it to provide the service and meet legal obligations.
| Category | Retention |
|---|---|
| Active workspace data | Kept for the lifetime of your account. |
| Backups | Encrypted backups retained 30 days, then automatically purged. |
| AI prompt and output logs | Retained 90 days by default. Configurable down to 7 days on Pro Bundle and Enterprise plans. |
| Deleted accounts | Workspace data hard-deleted within 30 days, except where retention is legally required (e.g. tax invoices kept 7 years). |
| Support tickets | Retained 2 years for quality and training purposes. |
| Marketing contacts | Kept until you unsubscribe, then suppressed indefinitely so we do not re-import you. |
Your rights
Depending on where you live, you have some or all of the rights below. GDPR and UK GDPR apply in the EEA and UK; CCPA / CPRA applies in California; equivalent rights apply under the Colorado, Virginia, Connecticut, and other US state privacy laws.
Access and portability
Download a copy of your workspace data in machine-readable format.
Rectification
Correct anything inaccurate, from your profile to specific records.
Erasure
Delete your account or specific data. We action this within 30 days, subject to retention obligations we'll explain in writing.
Restriction and objection
Pause specific processing or object to processing based on legitimate interests, including direct marketing.
Withdraw consent
Pull back consent at any time. It will not affect processing carried out before withdrawal.
Lodge a complaint
Raise concerns with your supervisory authority. We would rather hear from you first so we can fix it.
Non-discrimination
Exercising any right above will not get you worse service, pricing, or support.
To exercise any of these, email hi@wysera.ai from the address on your account, or use the in-app “Data and privacy” controls. We respond within 30 days. If we need an extension we will tell you why.
Security
Customer data is encrypted at rest with AES-256 and in transit with TLS 1.3. KMS master keys rotate annually, application keys rotate every 90 days. Access to production systems is gated by SSO, hardware-key MFA, and least- privilege role assignment. We log every privileged action.
We are SOC 2 Type II in progress (Vanta-monitored), GDPR- compliant, and offer a HIPAA BAA for healthcare customers. The full security posture is at /trust. If you discover a vulnerability, please report it to hi@wysera.ai with the subject “Security” before public disclosure.
Children
Wysera is built for businesses. The service is not directed at anyone under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us data, please email hi@wysera.ai and we will delete it.
Changes to this policy
We update this policy when our practices, the product, or the law changes. Material changes will be announced by in-app banner and by email to account admins at least 14 days before taking effect. The “Last updated” date at the top of the page always reflects the latest version, and prior versions are available on request.
Contact and complaints
Privacy questions, rights requests, and complaints all go to the same place.
Wysera Privacy Team
hi@wysera.aiWe aim to respond within 5 business days, and to resolve verified requests within 30 days. If you are in the EEA or UK and are unhappy with our response, you have the right to lodge a complaint with your local supervisory authority.