Privacy Policy

Last updated: April 3, 2026

1. Introduction

WAVE Inc. ("WAVE," "we," "us") is committed to protecting the privacy of our users. This Privacy Policy describes how we collect, use, store, and share information when you use the WAVE platform, APIs, SDKs, and related services.

2. Data we collect

Account information

Email address, name, and organization name
Billing information (processed by Stripe; we do not store card numbers)
Authentication tokens and API keys (hashed at rest)

Usage data

API request logs (endpoint, timestamp, response code, latency)
Streaming session metadata (duration, protocol, resolution, viewer count)
Feature usage patterns and subscription tier utilization

Technical data

IP addresses and approximate geolocation
Browser and device information (User-Agent)
Error traces and stack traces (via Sentry, PII-sanitized)
Performance metrics (page load time, API latency)

Content data

Video and audio content you stream through WAVE is processed in real-time and not stored unless you explicitly enable recording. Stored recordings are encrypted at rest (AES-256) and in transit (TLS 1.3).

3. How we use your data

Provide, maintain, and improve the Service
Process billing and enforce usage quotas
Monitor system health, security, and abuse prevention
Send transactional emails (receipts, alerts, security notifications)
Provide customer support
Generate aggregated, anonymized analytics (never sold to third parties)

4. Data retention

Data type	Retention period
API request logs	30 days
Security audit trail	90 days
Error traces (Sentry)	90 days
Billing records	7 years (legal requirement)
Account information	Duration of account + 30 days
Stored recordings	Per your plan settings (default: 90 days)

5. Third-party processors

We use the following sub-processors to deliver the Service:

Processor	Purpose	Location
Supabase	Database, authentication	US (AWS us-east-1)
Stripe	Payment processing	US
Vercel	Application hosting, CDN	Global (edge)
Cloudflare	CDN, DDoS protection, streaming	Global (edge)
Sentry	Error tracking (PII-sanitized)	US
Mux	Video infrastructure	US, EU
Resend	Transactional email	US
Upstash	Redis caching, rate limiting	US

6. Data subject rights (GDPR)

If you are located in the European Economic Area, United Kingdom, or other jurisdictions with data protection laws, you have the following rights under GDPR Articles 15-22:

Access (Art. 15) — request a copy of your personal data
Rectification (Art. 16) — correct inaccurate data
Erasure (Art. 17) — request deletion of your data
Restriction (Art. 18) — limit how we process your data
Portability (Art. 20) — receive your data in machine-readable format
Objection (Art. 21) — object to processing based on legitimate interest

To exercise any of these rights, email [email protected]. We respond within 30 days.

7. Cookies and tracking

WAVE uses the following cookies:

Cookie	Type	Purpose	Duration
`sb-access-token`	Essential	Authentication session	Session
`sb-refresh-token`	Essential	Token refresh	7 days
`_ph_*`	Analytics	Product analytics (PostHog)	1 year

We do not use advertising cookies or sell data to advertisers. You can disable analytics cookies in your browser settings without affecting Service functionality.

8. Security

We protect your data with encryption at rest (AES-256) and in transit (TLS 1.3), row-level security on all database tables, HMAC-SHA256 webhook signature verification, regular penetration testing, and SOC 2 Type II compliance (in progress).

9. International transfers

Data may be transferred to and processed in the United States. Enterprise customers can request data residency restrictions (US-only or EU-only inference) through their account settings.

10. Changes to this policy

We may update this Privacy Policy periodically. Material changes are communicated via email at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

11. Contact

Data Protection Officer: [email protected]

WAVE Inc., New York, NY, United States