Entity: OurWave, Inc. (“Wave,” “we,” “us,” or “our”)
Website & Apps: ourwave.io and related sites, apps, and services (collectively, the “Service”)
Contact (Privacy): [email protected]
Legal: [email protected]
Registered Address: Phoenix, Arizona, USA
We built Wave for clarity, accountability, and security. This Privacy Policy explains what personal data we collect, how we use and share it, and your rights and choices. If you do not agree with this Policy, please do not use the Service.
This Policy complements our Terms & Conditions and any product-specific notices. Capitalized terms not defined here have the meanings in the Terms.
1) Scope & Roles
Scope. This Policy covers personal data processed by Wave when you visit our websites, create an account, use our apps and AI features (including Atlas), join our waitlists or events, or interact with us.
Controller / Processor.
For our own websites, accounts, billing, analytics, support, and marketing, Wave acts as an independent controller (GDPR/UK GDPR).
For Customer Content you (or your organization) upload or connect to the Service, Wave acts as a processor (service provider/processor under CPRA and similar laws), processing data on documented instructions in our Terms, this Policy, and (if applicable) a Data Processing Addendum (DPA).
2) Personal Data We Collect
A. Data you provide directly
Account & Profile. Name, email, password, role, time zone, organization, job title, team, profile details.
Billing. Payment method tokens, billing address, VAT/tax IDs (payment data is processed by our PCI-compliant processors; we do not store full card numbers).
Content. Files, text, images, tasks, lists, surveys, meeting notes, projects, scorecards, “Rocks,” comments, reactions, prompts to AI features, and AI Output.
Support & Comms. Help tickets, feedback, emails, call recordings (where permitted), and survey responses.
B. Data collected automatically
Device/Usage. IP address, device identifiers, browser type/version, OS, language, referring/exit pages, clickstream, session metadata, feature usage, crash logs, performance data.
Cookies/Similar Tech. Strictly necessary, functional, analytics, and (where enabled) advertising cookies or SDKs. See Cookies & Tracking.
C. Data from others
Organization Admins. Seat invitations, role/permission settings, group membership.
Integrations. If you connect third-party tools (e.g., Google Workspace, Microsoft 365, Slack, CRMs), we receive data necessary to enable the integration (e.g., files, events, messages, metrics, contact info, tasks).
Service Providers & Partners. Enrichment (business email, role), analytics, anti-abuse/fraud signals, and marketing attribution (subject to your choices).
Sensitive data. We do not seek to collect sensitive personal data (e.g., health, precise geolocation, government IDs). Please do not upload such data unless covered by a signed addendum expressly permitting it.
3) How We Use Personal Data (Purposes & Legal Bases)
We use personal data to:
Provide the Service. Create and manage accounts; host, process, and display Customer Content and AI Output; enable features (Meetings, Projects, Scorecards, Rocks, Surveys, Pulse, Spaces, Directory, CRM); deliver notifications; provide support.
(Legal bases: contract, legitimate interests.)
AI Features (Atlas). Process prompts and Customer Content to generate AI Output; provide summaries, suggestions, and insights; improve relevance and safety.
(Contract, legitimate interests; see Section 7 for controls.)
Security & Abuse Prevention. Authenticate users; monitor, detect, and prevent fraud, malicious activity, and violations of our Terms; protect our users and Service.
(Legal obligation, legitimate interests.)
Product Improvement & Research. Analyze usage, quality, and performance; run tests; develop new features; measure outcomes.
(Legitimate interests; consent where required.)
Billing & Admin. Process payments, send invoices, manage subscriptions and seat changes, handle tax compliance.
(Contract, legal obligations.)
Communications. Send transactional messages, product updates, security alerts, and—with your consent or as permitted—newsletters and promotional communications (you can opt out).
(Contract, legitimate interests, consent.)
Compliance. Satisfy legal obligations and law enforcement requests; enforce Terms; handle disputes.
(Legal obligations, legitimate interests.)
We use automated decision-making only in limited ways (e.g., abuse/fraud signals). We do not make solely automated decisions with legal or similarly significant effects without appropriate safeguards.
4) AI: Atlas, Prompts, and Outputs
Default Controls. By default, Wave does not use Customer Content or AI Output to train third-party foundation models or to improve models for other customers. Enterprise customers may opt into certain improvements via contract.
Providers. Some AI capabilities are hosted by third-party providers. We impose contractual, technical, and organizational measures to safeguard data shared with those providers.
Accuracy & Review. AI Output can be probabilistic and may be inaccurate or incomplete. You are responsible for reviewing outputs before use, especially for legal, medical, financial, or safety-critical decisions.
Logs & Retention.
- Prompt/Output Logs: 30 days by default for security, debugging, and abuse prevention (Enterprise retention options available, including 0-day).
- Model Telemetry: Aggregated/anonymous metrics may be retained longer for reliability and capacity planning.
Human Review. We may review limited samples for abuse prevention, debugging, or to respond to your support requests, under confidentiality controls and strict access logging.
5) Cookies & Tracking
We use:
Strictly Necessary Cookies to deliver core functionality (login, security, load balancing).
Functional Cookies to remember preferences and improve experience.
Analytics Cookies/SDKs to measure usage (e.g., page views, session length, feature adoption).
Advertising/Attribution (only if enabled) to measure campaign effectiveness or deliver interest-based ads.
Your choices: You can manage cookies via our cookie banner and your browser/device settings. If you use a Global Privacy Control (GPC) signal, we treat it as a “Do Not Sell or Share” preference where legally required (e.g., California).
6) How We Share Personal Data
We do not sell personal data in the traditional sense. We may share (as defined by CPRA) identifiers and usage data for cross-context behavioral advertising only if you opt in (and you may opt out at any time).
We disclose personal data to:
Service Providers / Sub-Processors. Hosting, storage, analytics, customer support, email/SMS, payment processing, security, and AI infrastructure—bound by confidentiality and data-protection obligations. A current list of key sub-processors is available upon request.
Third-Party Integrations You Enable. When you connect an integration, you authorize us to exchange data necessary to operate it, subject to that provider’s terms.
Corporate Transactions. In connection with a merger, acquisition, financing, or sale of assets (we will require the recipient to honor this Policy).
Legal & Safety. To comply with law, enforce agreements, or protect rights, safety, and security of Wave, users, or the public.
With Your Direction or Consent. As you request (e.g., sharing a Space or Project externally).
We do not allow service providers to use your personal data for their own marketing.
7) International Transfers
We are U.S.-based and may transfer data to the United States and other countries where we or our providers operate. Where required, we use appropriate safeguards such as the EU/UK Standard Contractual Clauses (SCCs) and additional measures. You may request a copy of relevant transfer mechanisms at [email protected].
8) Data Retention
We retain personal data only as long as necessary to fulfill the purposes in this Policy, comply with law, resolve disputes, and enforce agreements. Typical periods:
Account & Profile: life of account + up to 24 months.
Billing Records: up to 7 years (tax/compliance).
Support Tickets: up to 36 months after closure.
Usage/Telemetry Logs: up to 12 months (security and reliability).
Analytics Data: up to 26 months (aggregate where possible).
AI Prompt/Output Logs: 30 days by default (configurable for Enterprise).
Backups: encrypted rolling backups with limited retention.
If you delete content, it is removed from active systems promptly and from backups on their normal cycle.
9) Your Rights & Choices
Your rights depend on your location and role (user vs. admin). Subject to law, you may have the right to:
Access, Correct, or Delete personal data we hold about you.
Portability of certain data.
Object / Restrict certain processing (e.g., analytics; marketing).
Consent Management (withdraw consent; manage cookies, advertising preferences).
Appeal our decision regarding your request (U.S. state laws).
Complain to a supervisory authority (EEA/UK).
How to exercise your rights: Email [email protected] from the email tied to your account and specify your request. We may verify your identity (and authority, if you are an agent). We will respond within the time limits required by law. If your data is controlled by your organization, please contact your Admin first; we will support them in fulfilling requests.
Marketing Opt-Out: Use the unsubscribe link in our emails or email [email protected].
Do Not Sell/Share & Targeted Ads: Use our cookie banner settings; we honor GPC where required.
10) California / U.S. State Privacy Disclosures
This section supplements the Policy for residents of California, Colorado, Connecticut, Virginia, Utah, and similar laws.
Notice at Collection (Categories). We collect identifiers (e.g., name, email, IP), commercial info (subscriptions), internet activity (usage, logs), geolocation (coarse IP-based), professional info (role, org), and inferences (product use insights).
Purposes. As described in Section 3.
Sources. You, your organization/Admins, integrations, cookies/SDKs, service providers.
Retention. See Section 8.
Sensitive Personal Information. We do not use or disclose SPI for purposes requiring a “Limit the Use of SPI” link.
Sale/Share. We do not sell personal data. We may “share” identifiers and internet activity for cross-context behavioral advertising only with your opt-in; you may opt out at any time (and we honor GPC).
Your Rights. Access, deletion, correction, portability, opt-out of sale/share/targeted ads, limit SPI (if applicable), and appeal (where provided). Submit requests to [email protected].
11) Security
We implement reasonable and appropriate technical and organizational measures to protect personal data, including encryption in transit, access controls, network segmentation, secure development practices, and employee training. No system is 100% secure. You are responsible for maintaining the confidentiality of your credentials, enforcing least-privilege access, and using supported device and browser security settings.
12) Children’s Privacy
The Service is not directed to children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact [email protected] and we will delete it.
13) Your Organization’s Responsibilities
If you are an Admin, you determine your organization’s data retention rules, access settings, role-based permissions, and integration scopes. You must obtain all necessary consents and provide required notices to your end users for data you upload or connect to Wave. You are responsible for your use of AI features and the accuracy of outputs in your environment.
14) Third-Party Links & Services
Our Service may link to third-party websites or enable integrations. We are not responsible for their privacy or security practices. Review their policies before using their services.
15) Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated (e.g., in-app notice or email). Unless stated otherwise, changes take effect when posted. Your continued use of the Service after the effective date means you accept the updated Policy.
16) Contact Us
Privacy Requests & Questions: [email protected]
Legal Notices: [email protected]
Postal: OurWave, Inc., Phoenix, Arizona, USA
EEA/UK users may also contact their local data protection authority. If required by law, we will appoint an EU/UK representative and update this Policy.
17) Additional Terms for Processing (DPA)
For customers subject to GDPR/UK GDPR or similar laws, Wave offers a Data Processing Addendum (DPA) incorporating the SCCs and appropriate safeguards. Enterprise customers can request a signed DPA at [email protected].