Privacy Policy

Veteran Waypoints is a trading name of Interview Management Solutions, an Australian-registered company (Australian Business Number 65 166 406 015), founded by Daren Jay, a 22-year British Army veteran. We operate three regional websites: veteranwaypoints.co.uk (United Kingdom), veteranwaypoints.com (United States), and veteranwaypoints.com.au (Australia). All three are operated by the same legal entity and are governed by this single privacy policy.

For the purposes of UK GDPR and the EU GDPR, Interview Management Solutions is the Data Controller. Our contact for privacy matters is privacy@veteranwaypoints.com.

We collect only what we need to render your journey, deliver your video, and provide customer support.

Your service-record data - every posting, every place, every date, every note - is encrypted at rest using AES-256-GCM with a key controlled solely by us. Encrypted records are stored in Amazon DynamoDB in the AWS Asia Pacific (Sydney) region (ap-southeast-2). The encryption is applied at the application layer before the record reaches the database, meaning even direct database access without our application key reveals nothing.

Rendered video files are stored in Amazon S3 and delivered via Amazon CloudFront. Video files themselves are not encrypted at rest beyond AWS's default server-side encryption, on the basis that the rendered video is the product you have chosen to share.

Classified tours: if you mark a posting as classified, the location coordinates are excluded from the rendered video entirely. The encrypted record still exists in our database (so you can edit it later), but it never appears on the visible globe.

Veteran Waypoints data is stored in Australia (AWS ap-southeast-2). If you are a UK or US customer, your data will be transferred to and processed in Australia.

For UK customers, this transfer is made in reliance on the UK ICO's adequacy regulations recognising Australia's Privacy Act 1988 protections, supplemented by AWS's Data Processing Addendum and Standard Contractual Clauses where applicable.

For US customers, no equivalent adequacy finding applies, and your data is transferred under the contractual protections in our agreement with AWS.

If you are not comfortable with your data being processed in Australia, please do not use the service.

We share data only with the third-party processors required to operate the service. We do not sell, rent, or trade your data with anyone, ever. Our sub-processors are:

• Amazon Web Services (AWS) - hosting, database, storage, CDN, email delivery, authentication. Region: ap-southeast-2 (Sydney).
• Stripe - payment processing. We never see or store your card details.
• Remotion - video rendering pipeline (runs on AWS Lambda within our AWS account).
• Google Analytics 4 - anonymised usage analytics, Consent Mode v2.
• OpenStreetMap Nominatim - place-name lookup. Only the search string is sent; no identifying data.

We will disclose data to law enforcement only where required by a valid legal order in a jurisdiction we operate in.

Depending on where you live, you have the right to:

• Access the personal data we hold about you
• Correct any inaccurate data
• Delete your data (within the limits above)
• Object to processing
• Receive your data in a portable, machine-readable format
• Withdraw consent at any time

To exercise any of these rights, email privacy@veteranwaypoints.com. We respond within 30 days.

UK customers may complain to the Information Commissioner's Office (ico.org.uk). US customers in states with applicable laws may complain to their state Attorney General. Australian customers may complain to the Office of the Australian Information Commissioner (oaic.gov.au).

We use a minimal set of cookies:

• Session cookies (wp_id, wp_at, wp_rt) - required for sign-in, expire on sign-out.
• Analytics cookies (Google Analytics 4) - only if you consent via the cookie banner.
• Region preference - a small cookie to remember your regional site selection.

We do not use advertising cookies, retargeting pixels, or third-party trackers beyond Google Analytics.