Privacy policy
Last updated: July 5, 2026
This policy explains how Adwave ("we", "us") handles personal data for Wavetable, both on this website and in the product. We have tried to write it the way we write everything else: plainly, and matching what the system actually does.
The short version
- This marketing site sets no cookies and runs no analytics or tracking scripts.
- The product uses one session cookie to keep you signed in. That's it.
- Your workspace data is yours. We process it to provide the service, and we do not use it to train models or permit our providers to.
- Deletion is real: erasure works by shredding encryption keys, not by hiding rows.
- Each workspace is physically isolated. We never pool or benchmark data across customers.
Data we collect on this website
Nothing beyond standard server logs. This site is static, self-hosts its fonts, sets no cookies, and includes no analytics beacons, ad pixels, or third-party embeds. Our hosting provider (Cloudflare) processes IP addresses transiently to serve and secure the site, as any host does.
Data we collect in the product
Account data
Your name, email address, and a salted hash of your password, used to authenticate you and to send you service messages (approval notifications you enabled, security notices). Authentication uses a session cookie; we do not use tracking cookies in the product either.
Workspace data
The content you connect or import: emails, payment records, calendar events, site analytics events, SMS, CSV rows, and everything derived from them (claims, projections, narratives, embeddings). You control what is connected. For this data we act as a processor on your instructions; you are the controller.
Usage and billing data
Metered usage (events ingested, automation runs, AI tokens, external sends, MCP calls) and audit events (approvals, policy changes, agent tool calls). Audit events are a product feature: they are your workspace's log, visible to you.
What we use data for
- Providing the service: assembling your graph, answering queries, running approved automations.
- Model calls that serve you: drafting artifacts, writing cited narratives, answering Ask. We do not use your data to train models, and our provider agreements prohibit them from training on it.
- Billing, from the meters described on the pricing page.
- Security and abuse prevention.
We do not sell personal data. We do not share it for advertising. There is no advertising.
Subprocessors
We use a small set of providers to run the service:
| Provider | Purpose |
|---|---|
| Cloudflare | Hosting, storage, and compute for the entire platform |
| Stripe | Payment processing and metered billing |
| AI model providers (Anthropic; others as configured) | Model inference for the design plane, narratives, and Ask, under no-training terms |
| Resend | Outbound transactional email delivery, when you configure it |
| Google, Twilio | Only if you connect them: data flows you initiate through your own accounts |
Your rights, and how deletion actually works
Depending on where you live (GDPR, UK GDPR, CCPA, and similar laws), you have rights to access, correct, export, restrict, and delete personal data. Requests go to privacy@adwave.com; we respond within the legally required window.
Deletion deserves a technical note, because ours is unusual. Event payloads and message bodies in Wavetable are envelope-encrypted with per-person data keys. When a person is erased, we shred their keys, redact their claims, and rebuild the derived tables. The append-only audit log keeps its integrity while the erased content becomes permanently unreadable. This is stronger than flagging rows as deleted, and it is the same mechanism workspace owners use to honor erasure requests from their own customers.
Retention
Workspace data is retained while your workspace is active. After termination, we retain it for 30 days (so an accidental cancellation is recoverable), then delete it. Billing records are kept as long as tax law requires. Backups age out on a fixed schedule.
International transfers
Wavetable runs on Cloudflare's global network. Where personal data is transferred across borders, we rely on standard contractual clauses and equivalent safeguards with our subprocessors.
Security
Per-tenant physical isolation, envelope encryption of payloads, secrets kept out of databases and logs, and audit-by-construction. The security pagedescribes the model in detail, including our responsible disclosure process.
Children
Wavetable is a business tool and not directed at children under 16.
Changes
We will post changes here and update the date above. For material changes affecting your rights, we will email workspace owners before the change takes effect.
Contact
Adwave · privacy@adwave.com