GDPR Compliance
How AI Wave approaches GDPR in practice.
AI Wave is built around an EU-first privacy model. Primary application data is designed to be stored in EU-hosted infrastructure, tenant isolation is enforced through authentication and database controls, and deletion, export, and audit workflows are part of the product design.
AI Wave acts as a controller for its own business operations, including website operations, account administration, billing, security, and support. When customers use AI Wave to process contacts, campaign data, and connected-platform data, AI Wave generally acts as a processor on the customer's instructions.
If you need a controller-processor framework for your organization, review our Data Processing Agreement or contact contact@ai-wave.co.
1. Our GDPR commitment
AI Wave is designed to support GDPR compliance from day one. That includes EU-first hosting decisions where available, consent and notice flows, export and deletion tooling, audit trails, role-based access control, encryption, and documented processor oversight.
Compliance is implemented at the platform level and not treated as an optional premium feature, although some plan tiers include additional reporting or administrative capabilities.
2. AI Wave's roles under GDPR
2.1 When AI Wave acts as a controller
AI Wave acts as a controller for personal data it processes for its own purposes, including account registration, authentication, billing, security monitoring, abuse detection, support, supplier management, website operations, and direct business communications.
2.2 When AI Wave acts as a processor
AI Wave acts as a processor when a customer uses the platform to input campaign materials, connect customer-owned channels, manage email lists, review analytics, or instruct AI Wave to generate and distribute marketing materials on the customer's behalf.
2.3 Shared responsibilities
Customers remain responsible for determining their lawful basis, notices, retention choices, and campaign legality for the personal data they upload or connect. AI Wave is responsible for processing those data on documented instructions and maintaining appropriate safeguards as a processor.
3. Legal bases used by AI Wave
- Contract: to provide the website, application, subscriptions, support, and requested workflows.
- Legal obligation: to keep invoices, tax records, and certain compliance logs.
- Legitimate interests: to secure the platform, prevent abuse, monitor reliability, and defend legal claims.
- Consent: for optional marketing emails and optional analytics technologies where required.
4. Data subject rights
4.1 Right of access
You may ask whether AI Wave processes your personal data and request a copy of the personal data we hold about you, together with information about purposes, recipients, retention, and transfer safeguards.
4.2 Right to rectification
You may request correction of inaccurate or incomplete personal data. Many account details can also be updated directly inside the service.
4.3 Right to erasure
You may request deletion of personal data where the legal conditions in Article 17 GDPR are met. For most workspace data, AI Wave uses a two-stage deletion workflow: a soft delete followed by a hard delete, generally with a 30-day grace period before permanent deletion, unless law requires longer retention.
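As an added illustration (not AI Wave's own code), the following Python models the two-stage erasure workflow described above: a soft delete starts the 30-day grace period, and a purge job hard-deletes only records whose grace period has expired and that carry no legal hold, writing each step to an audit trail. The record and store names, and the `legal_hold_until` field standing in for "law requires longer retention", are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

GRACE_PERIOD = timedelta(days=30)  # grace period the page states before permanent deletion

@dataclass
class WorkspaceRecord:
    record_id: str
    deleted_at: Optional[datetime] = None        # set by soft delete; a restore clears it
    legal_hold_until: Optional[datetime] = None  # assumed field: retention required by law

@dataclass
class ErasureStore:
    records: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # audit trail of lifecycle events

    def soft_delete(self, record_id: str, now: datetime) -> datetime:
        rec = self.records[record_id]
        if rec.deleted_at is None:  # idempotent: a repeat request keeps the original clock
            rec.deleted_at = now
            self.audit.append(("soft_delete", record_id, now))
        return rec.deleted_at + GRACE_PERIOD  # earliest time a hard delete may run

    def purge_due(self, now: datetime) -> list:
        purged = []
        for rid, rec in list(self.records.items()):
            if rec.deleted_at is None or now < rec.deleted_at + GRACE_PERIOD:
                continue  # active, or still inside the grace period
            if rec.legal_hold_until is not None and now < rec.legal_hold_until:
                self.audit.append(("purge_deferred", rid, now))
                continue  # law requires longer retention: keep, but record the deferral
            del self.records[rid]
            purged.append(rid)
            self.audit.append(("hard_delete", rid, now))
        return purged

def example_timeline() -> dict:
    """Constructed scenario: two records soft-deleted on day 0, one under a legal hold."""
    t0 = datetime(2026, 3, 1, tzinfo=timezone.utc)
    store = ErasureStore()
    store.records["contact-1"] = WorkspaceRecord("contact-1")
    store.records["invoice-1"] = WorkspaceRecord("invoice-1", legal_hold_until=t0 + timedelta(days=365))
    store.soft_delete("contact-1", t0)
    store.soft_delete("invoice-1", t0)
    day_10 = store.purge_due(t0 + timedelta(days=10))  # inside grace period: nothing purged
    day_31 = store.purge_due(t0 + timedelta(days=31))  # contact purged, invoice deferred
    return {"day_10": day_10, "day_31": day_31, "remaining": sorted(store.records),
            "events": [e[0] for e in store.audit]}
```

The audit trail makes the deferral visible, so a deletion request blocked by a statutory hold can be explained to the data subject rather than silently ignored.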
4.4 Right to restriction
You may request that we limit processing in situations recognized by the GDPR, such as when the accuracy of the data is contested or the processing is under review.
4.5 Right to data portability
Where applicable, you may request a structured, commonly used, machine-readable export of the personal data you provided to us and that we process by automated means on the basis of consent or contract.
4.6 Right to object
You may object to processing based on legitimate interests, including certain security or service optimization activities, where your situation justifies the objection. You may also object at any time to direct marketing.
4.7 Right to withdraw consent
Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.
5. How to exercise rights
Send requests to contact@ai-wave.co. To protect personal data, AI Wave may ask for information needed to verify identity and authority. If the request relates to data that AI Wave processes only as a processor for a customer, we may direct the request to that customer or support the customer in responding.
6. Response times
AI Wave aims to respond without undue delay and, in any event, within one month of receiving a valid request. Where requests are complex or numerous, AI Wave may extend the response period by up to two additional months, for a total of up to 90 days, and will explain the reason for the extension.
7. Data Protection Officer status
AI Wave has not formally designated a Data Protection Officer as of March 2026 because it does not currently consider the mandatory criteria under Article 37 GDPR to be met. AI Wave has, however, assigned privacy accountability internally and maintains privacy and security contacts at contact@ai-wave.co.
8. International transfers and safeguards
AI Wave's primary application stack is configured for EU-first storage where available, including EU-hosted primary database services. Some processors, model providers, communications providers, or Connected Platforms may process personal data outside the EEA.
AI Wave relies on valid transfer mechanisms, including Standard Contractual Clauses, adequacy frameworks, and supplementary safeguards such as encryption, access controls, scoped credentials, and processor due diligence.
9. Sub-processor oversight
AI Wave assesses processors and sub-processors based on the type of data involved, security posture, region, contractual safeguards, and operational necessity. We require processors to act only on instructions, use appropriate safeguards, and support deletion, export, and security response obligations where applicable.
A more detailed processor list appears in the DPA.
10. Privacy by design and by default
AI Wave applies privacy by design through tenant isolation, minimum-necessary data collection, encryption, secure defaults, access control, explicit integration scopes, and approval gates for external actions. New features are reviewed against data minimization and security requirements.
11. Data Protection Impact Assessments
AI Wave evaluates whether a feature or workflow requires a DPIA based on the type of data, processing scale, monitoring intensity, and risk to individuals' rights and freedoms. Where a DPIA is required, the processing is documented and reviewed before launch or material expansion.
12. Data breach response
AI Wave maintains incident detection, triage, containment, and notification procedures. If a personal data breach occurs, we assess severity and whether notification is required under Articles 33 and 34 GDPR.
Where notification is required, AI Wave will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, affected individuals or customers will also be informed as required by law.
13. Security and confidentiality measures
AI Wave's documented measures include Clerk-based authentication, role-based access control, Supabase row-level security for tenant isolation, AES-256 encryption for stored integration credentials, TLS 1.3 in the current deployment target, HSTS, secret management through Infisical, Cloudflare WAF protections, secure backups, rate limiting, audit trails, and observability tooling for incident investigation.
14. Right to complain to the AEPD
You may lodge a complaint with the Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, Spain, through www.aepd.es, if you believe your rights under the GDPR or the LOPDGDD have been infringed.
15. Contact
Privacy: contact@ai-wave.co
Legal and DPA requests: contact@ai-wave.co