Privacy policy

We collect the following categories of personal information:

• Contact information — name, email address, phone number, company name, job title, and US state, submitted through our request-for-quote (RFQ), contact, and partner application forms.
• Free-text messages — anything you type into the message field of our forms, the Ask Waive assistant, or other communication tools.
• Census files — when brokers or employers submit an RFQ, the member-level census file may include employee demographics (age band, gender, dependent count, ZIP code, employment status). These files are processed for underwriting only.
• Savings estimator inputs — group size, current premium, and state, used to calculate a savings range. These inputs are not personally identifying on their own.
• Technical data — IP address, user agent, referring URL, and basic analytics events (page views, link clicks). We use these to understand traffic patterns and improve the site.

• To respond to your inquiry and follow up on a quote, walkthrough, or partner application.
• To enter your contact details into our customer relationship management (CRM) system for ongoing sales and service communication.
• To produce underwriting quotes and, if you become a client, to administer your benefits plan.
• To improve the website, our products, and our communications based on aggregate usage patterns.
• To meet legal, regulatory, and compliance obligations, including ACA, ERISA, COBRA, and state TPA requirements.

We do not sell your personal information to third parties. We share information only with the following categories of service providers, under contracts that limit their use of the data to providing services to Waive:

• Cloudflare — bot protection (Turnstile) on our forms.
• HubSpot — CRM for tracking and responding to leads.
• Hosting and infrastructure providers — for serving the website and storing form submissions securely.
• Stop-loss and reinsurance carriers — when underwriting a level-funded plan, anonymized census data is shared with carrier underwriters.
• Government and regulatory bodies — when required by law (subpoena, court order, regulatory request).

• All data is encrypted in transit (TLS 1.2+) and at rest.
• Access to personal information is restricted by role; only personnel with a legitimate business need can access it.
• We maintain incident response procedures and review access logs regularly.
• We perform annual third-party security reviews and dependency audits.
• HIPAA-protected health information is segregated from marketing data and handled under separate technical and administrative safeguards.

Depending on where you live, you may have the following rights with respect to your personal information:

• Right to know — what categories of personal information we have collected and how we use them.
• Right to access — a copy of the personal information we hold about you.
• Right to correct — inaccurate personal information.
• Right to delete — your personal information, subject to certain legal exceptions (e.g. records we are required to retain).
• Right to opt out — of marketing communications and of any profiling or "sale" of personal information (we do not sell).
• Right to data portability — receive your information in a structured, machine-readable format.
• Right to non-discrimination — for exercising any of these rights.

These rights apply under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the Colorado Privacy Act, Virginia Consumer Data Protection Act, Connecticut Data Privacy Act, and Utah Consumer Privacy Act, among others. To exercise any of these rights, contact us using the details below.

We retain personal information for as long as is necessary to provide our services, comply with our legal obligations, resolve disputes, and enforce our agreements. Lead and CRM records are typically retained for the duration of the business relationship plus seven years; underwriting and claims records are retained per applicable state and federal regulations.

Waive operates from the United States. If you contact us from outside the US, your information will be transferred to and processed in the United States. We use standard contractual clauses or other appropriate safeguards where required by law.

Our services are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided information to us, please contact us and we will delete it.

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent version. Material changes will be communicated through the website or, where appropriate, by direct email.

For privacy questions, data requests, or to exercise any of the rights above, contact:

Waive Administrators, LLC
Privacy & Compliance
compliance@waivehealth.com