Wavetable

Privacy policy

Last updated: July 5, 2026

This policy explains how Adwave ("we", "us") handles personal data for Wavetable, both on this website and in the product. We have tried to write it the way we write everything else: plainly, and matching what the system actually does.

The short version

Data we collect on this website

Nothing beyond standard server logs. This site is static, self-hosts its fonts, sets no cookies, and includes no analytics beacons, ad pixels, or third-party embeds. Our hosting provider (Cloudflare) processes IP addresses transiently to serve and secure the site, as any host does.

Data we collect in the product

Account data

Your name, email address, and a salted hash of your password, used to authenticate you and to send you service messages (approval notifications you enabled, security notices). Authentication uses a session cookie; we do not use tracking cookies in the product either.

Workspace data

The content you connect or import: emails, payment records, calendar events, site analytics events, SMS, CSV rows, and everything derived from them (claims, projections, narratives, embeddings). You control what is connected. For this data we act as a processor on your instructions; you are the controller.

Usage and billing data

Metered usage (events ingested, automation runs, AI tokens, external sends, MCP calls) and audit events (approvals, policy changes, agent tool calls). Audit events are a product feature: they are your workspace's log, visible to you.

What we use data for

We do not sell personal data. We do not share it for advertising. There is no advertising.

Subprocessors

We use a small set of providers to run the service:

ProviderPurpose
CloudflareHosting, storage, and compute for the entire platform
StripePayment processing and metered billing
AI model providers (Anthropic; others as configured)Model inference for the design plane, narratives, and Ask, under no-training terms
ResendOutbound transactional email delivery, when you configure it
Google, TwilioOnly if you connect them: data flows you initiate through your own accounts

Your rights, and how deletion actually works

Depending on where you live (GDPR, UK GDPR, CCPA, and similar laws), you have rights to access, correct, export, restrict, and delete personal data. Requests go to privacy@adwave.com; we respond within the legally required window.

Deletion deserves a technical note, because ours is unusual. Event payloads and message bodies in Wavetable are envelope-encrypted with per-person data keys. When a person is erased, we shred their keys, redact their claims, and rebuild the derived tables. The append-only audit log keeps its integrity while the erased content becomes permanently unreadable. This is stronger than flagging rows as deleted, and it is the same mechanism workspace owners use to honor erasure requests from their own customers.

Retention

Workspace data is retained while your workspace is active. After termination, we retain it for 30 days (so an accidental cancellation is recoverable), then delete it. Billing records are kept as long as tax law requires. Backups age out on a fixed schedule.

International transfers

Wavetable runs on Cloudflare's global network. Where personal data is transferred across borders, we rely on standard contractual clauses and equivalent safeguards with our subprocessors.

Security

Per-tenant physical isolation, envelope encryption of payloads, secrets kept out of databases and logs, and audit-by-construction. The security pagedescribes the model in detail, including our responsible disclosure process.

Children

Wavetable is a business tool and not directed at children under 16.

Changes

We will post changes here and update the date above. For material changes affecting your rights, we will email workspace owners before the change takes effect.

Contact

Adwave · privacy@adwave.com