Skip to main content
Trust & Security

Privacy is the product

k=5
minimum group size before outcome metrics are shown

Employees only use support they trust. WeNavigateLife is built so your employer can never identify who used coaching — enforced in the platform’s architecture, not promised in a policy.

The line we will not cross

What your employer sees — and never sees

What your employer sees

  • Aggregate engagement and program-efficacy indices
  • Productivity-recovery signals at the cohort level
  • Manager-ready materials and trends
  • Satisfaction and outcome metrics only at a group of five or more

What your employer never sees

  • Your name or identity tied to coaching use
  • Your journals, worksheets, or uploaded files
  • Your chat and coaching conversation content
How the promise is enforced

Architecture, not policy

  • k-anonymity (k=5)

    Satisfaction and outcome metrics are shown to HR only when the group includes at least five people. Smaller groups are withheld server-side, before the data reaches the browser.

  • Per-user encryption

    Your journals, worksheets, and Nav conversations are encrypted with a key unique to you (AES-256-GCM). Deleting your account destroys the key, so the data becomes unrecoverable.

  • Tenant & role isolation

    Employee and coach data is protected by Postgres row-level security tied to your organization and role. Everything an employer sees is scoped to their own organization — one tenant cannot see another, and a manager cannot see an individual.

  • Coach confidentiality

    Coaches are bound by the same clinical-grade confidentiality they carry in private practice. Nothing they discuss with you flows back to your employer.

  • You control your data

    Export everything, or delete everything, on request — from your Privacy Centre.

In numbers

The guarantees, quantified

  • k=5

    Minimum group size for a reported outcome metric

  • AES-256-GCM

    Per-user envelope encryption at rest

  • 0

    Employees ever named to their employer for using support

For evaluators

Security & privacy questions

Can my employer find out I used coaching?

No. Your employer never sees your name or identity tied to coaching use.

What is k-anonymity and what value do you use?

k-anonymity guarantees that any reported figure represents at least k people. We use k=5 for satisfaction and outcome metrics: groups smaller than five are withheld server-side, before the data reaches your browser.

How is my personal content protected?

Journals, saved worksheets and planners, and your Nav conversations are encrypted at rest with a key unique to you (AES-256-GCM). Deleting your account destroys the key, making that content unrecoverable.

Can one employer’s data leak into another’s?

No. Employee and coach data is protected by Postgres row-level security tied to your organization and role, so every result an employer sees is scoped to their own organization.

Are coaches allowed to report back to my employer?

No. Coaches are bound by clinical-grade confidentiality. Nothing discussed in coaching flows back to the employer.

Can I export or delete my data?

Yes. You can export everything or delete everything on request from your Privacy Centre. Deletion is cryptographic — the per-user key is destroyed.

What can an employer actually see, then?

Aggregated, k-anonymized signals — engagement, program efficacy, and productivity-recovery indices. Never your name or identity, and never your private content.

Evaluating WeNavigateLife?

We’re glad to walk your security and privacy teams through the architecture in detail.