Privacy is the product
Employees only use support they trust. WeNavigateLife is built so your employer can never identify who used coaching — enforced in the platform’s architecture, not promised in a policy.
What your employer sees — and never sees
What your employer sees
- Aggregate engagement and program-efficacy indices
- Productivity-recovery signals at the cohort level
- Manager-ready materials and trends
- Satisfaction and outcome metrics only at a group of five or more
What your employer never sees
- Your name or identity tied to coaching use
- Your journals, worksheets, or uploaded files
- Your chat and coaching conversation content
Architecture, not policy
k-anonymity (k=5)
Satisfaction and outcome metrics are shown to HR only when the group includes at least five people. Smaller groups are withheld server-side, before the data reaches the browser.
Per-user encryption
Your journals, worksheets, and Nav conversations are encrypted with a key unique to you (AES-256-GCM). Deleting your account destroys the key, so the data becomes unrecoverable.
Tenant & role isolation
Employee and coach data is protected by Postgres row-level security tied to your organization and role. Everything an employer sees is scoped to their own organization — one tenant cannot see another, and a manager cannot see an individual.
Coach confidentiality
Coaches are bound by the same clinical-grade confidentiality they carry in private practice. Nothing they discuss with you flows back to your employer.
You control your data
Export everything, or delete everything, on request — from your Privacy Centre.
The guarantees, quantified
- k=5
Minimum group size for a reported outcome metric
- AES-256-GCM
Per-user envelope encryption at rest
- 0
Employees ever named to their employer for using support
Security & privacy questions
Can my employer find out I used coaching?
No. Your employer never sees your name or identity tied to coaching use.
What is k-anonymity and what value do you use?
k-anonymity guarantees that any reported figure represents at least k people. We use k=5 for satisfaction and outcome metrics: groups smaller than five are withheld server-side, before the data reaches your browser.
How is my personal content protected?
Journals, saved worksheets and planners, and your Nav conversations are encrypted at rest with a key unique to you (AES-256-GCM). Deleting your account destroys the key, making that content unrecoverable.
Can one employer’s data leak into another’s?
No. Employee and coach data is protected by Postgres row-level security tied to your organization and role, so every result an employer sees is scoped to their own organization.
Are coaches allowed to report back to my employer?
No. Coaches are bound by clinical-grade confidentiality. Nothing discussed in coaching flows back to the employer.
Can I export or delete my data?
Yes. You can export everything or delete everything on request from your Privacy Centre. Deletion is cryptographic — the per-user key is destroyed.
What can an employer actually see, then?
Aggregated, k-anonymized signals — engagement, program efficacy, and productivity-recovery indices. Never your name or identity, and never your private content.
Evaluating WeNavigateLife?
We’re glad to walk your security and privacy teams through the architecture in detail.