Your privacy is the product.
WeNavigateLife only works if you trust us with hard, private things — a divorce, a loss, a parent who is slipping. Here is exactly how we handle that information, in plain language. Last updated: April 2026.
What we collect
We only collect what you give us, plus the minimum needed to run the service.
- Account basics — your name, work email, and employer. These come from your employer's HR roster when you are enrolled.
- What you write — journal entries, assessment answers, coaching messages, chatbot conversations, notes your coach keeps about you.
- What you upload — documents, photos, and files you add to My Documents or share with your coach.
- How you use the platform — which pages and tools you open, so we can improve the product and show your employer aggregate engagement. This is anonymized before it leaves your account.
How we use it
We use your information to help you — not to target ads, not to sell, not to train third-party AI models.
- Personalize your journey, recommend content, and match you to the right coach.
- Power the Nav chatbot and AI-assisted features. Your private content is never sent to an external AI provider in raw form — see "How we protect it" below.
- Show your employer aggregate, anonymized usage so they can see the program is working. They never see individuals.
- Operate the service: deliver emails you asked for, keep you logged in, prevent abuse.
We never sell your data. We never share your individual data with your employer. We never use your private content to train third-party AI models.
Privacy is an engineering requirement, not a marketing line.
Encryption at rest, per user
Every journal entry, chat message, assessment response, shared note, and coaching conversation is encrypted with AES-256-GCM using a key unique to you. Your key itself is wrapped by a master key held in a hardware vault (OpenBao) that our own application servers cannot read directly.
Your employer cannot see you
We enforce k-anonymity with k=5: any statistic we show your employer must represent at least 5 people. If a team is smaller than that, we simply suppress the number. Your employer cannot tell whether you personally ever used the platform.
Role separation
Your coach sees only what you actively share with them. Our platform operators cannot read your journals, assessments, or private chats — every access is checked against your identity at the database layer.
AI never sees your raw private content
When AI features need context from your private files, a PII firewall strips names, addresses, amounts, and other sensitive details before any content leaves our infrastructure. Public, general content can be sent to a large model; your personal content cannot.
You can leave at any time and take your data with you — or erase it.
- 1
Export first, if you want.
From the Privacy Centre, request a full export of everything we have about you. You will get a downloadable archive within 48 hours.
- 2
Request deletion.
One click in the Privacy Centre. We confirm, then begin erasure. You can cancel within 24 hours if you change your mind.
- 3
Cryptographic erasure.
We destroy your personal encryption key. Every encrypted row belonging to you becomes mathematically unrecoverable — even from our backups. This is stronger than simply deleting rows, because there is no key left that could ever read them again.
- 4
Account removal.
Your login, preferences, and remaining metadata are removed within 30 days. Aggregate counts your employer already saw cannot be un-computed, but they never identified you in the first place.
Take control of your privacy
The Privacy Centre is where you control consents, export your data, and request deletion.