Privacy Policy
How AI Wave handles personal data.
AI Wave processes personal data to operate its website, authenticated application, billing flows, customer support, and the AI marketing workflows requested by customers. We collect account information, campaign and content inputs, connection metadata, and technical usage data needed to deliver the service securely.
We do not sell personal data and we do not use customer data, campaign data, or brand data to train AI models for AI Wave or for third parties. Publishing, email sending, and ad-spend actions remain subject to human approval inside the product.
You can exercise your GDPR rights at any time by emailing contact@ai-wave.co. Cookie and similar technology information is available in our Cookie Policy.
This Privacy Policy applies to the AI Wave marketing website at aiwave.es, the AI Wave application, and related services we operate, unless a separate notice applies to a specific product or engagement.
1. Data controller
The data controller for the personal data described in this Privacy Policy is AI WAVE DEV SL, trading as AI Wave, with NIF B75872218, registered office at Calle d'Arcadi Balaguer 4, Puerta 1, 08860 Castelldefels, Barcelona, Spain, and registered in the Commercial Registry of Barcelona, Volume 44339, Folio 1, Sheet B-629713, Entry 1.
For privacy matters, contact contact@ai-wave.co. For general support, contact contact@ai-wave.co.
2. Data protection officer
As of March 2026, AI Wave has not appointed a formal Data Protection Officer because it does not currently consider itself legally required to do so under Article 37 GDPR. Privacy governance is handled by our internal privacy and security leads. You may direct all privacy requests and questions to contact@ai-wave.co.
3. Categories of personal data we process
3.1 Account and organization data
This includes name, business email address, passwordless or authentication identifiers managed by Clerk, company name, team role, workspace settings, plan tier, billing country, and support communications.
3.2 Content and campaign data
This includes prompts, campaign briefs, brand voice settings, product descriptions, audience definitions, generated text, generated visual briefs, approved assets, publishing schedules, email campaign content, ad copy, analytics dashboards, and files or links you intentionally upload or connect.
3.3 Integration and connection data
When you connect third-party tools, we process account metadata, scopes granted, token status, refresh state, webhook metadata, and platform identifiers required to publish, sync, or analyze data on your instructions. Access credentials are stored server-side in encrypted form.
3.4 Usage and technical data
This includes IP address, browser and device metadata, log records, session and security events, API request metadata, feature usage, page interactions, error telemetry, rate-limit events, and audit trail data for privileged actions.
3.5 Billing and payment data
Subscription status, invoices, tax information, payment method metadata, billing history, and payment fraud screening are processed through Stripe. AI Wave does not store full payment card numbers.
3.6 Website preference and consent data
We store cookie and analytics preferences, including the `cookie_consent` local storage value on the marketing site, and strictly necessary session state used to keep the site and application secure.
4. Purposes of processing and legal bases
| Purpose | Examples | Legal basis |
|---|---|---|
| Provide and secure the service | Account creation, login, tenant isolation, campaign execution, support, abuse prevention | Article 6(1)(b) GDPR, contract |
| Manage subscriptions and invoicing | Checkout, renewals, tax handling, invoice retention | Article 6(1)(b) GDPR, contract and Article 6(1)(c) GDPR, legal obligation |
| Operate connected channels and integrations | OAuth connections, publishing to social channels, email delivery, analytics sync | Article 6(1)(b) GDPR, contract |
| Improve reliability, performance, and security | Logs, error monitoring, rate limiting, fraud prevention, backup and recovery | Article 6(1)(f) GDPR, legitimate interests |
| Send service communications | Security notices, account notices, transactional emails, support responses | Article 6(1)(b) GDPR, contract and Article 6(1)(f) GDPR, legitimate interests |
| Send optional marketing communications | Newsletters, launch updates, promotional emails | Article 6(1)(a) GDPR, consent |
| Comply with legal obligations | Accounting records, tax law, lawful requests, dispute handling | Article 6(1)(c) GDPR, legal obligation |
5. How AI Wave uses AI systems
AI Wave uses large language models, image generation tools, and retrieval systems to help customers generate marketing strategy, content, visual concepts, channel plans, and reporting. Inputs may include prompts, campaign context, approved brand settings, and connected-platform data the customer has chosen to make available.
AI-generated content may contain errors, third-party references, or outputs that require review. Customers remain responsible for reviewing and approving outputs before publication. AI Wave applies human approval gates to external side effects such as publishing posts, sending bulk emails, and launching or changing ad spend.
Customer data is processed to provide inference and workflow execution. AI Wave does not use customer data to train AI Wave models or third-party models.
6. Recipients and categories of recipients
We share personal data only where needed to provide the service, comply with law, or protect the platform. Depending on your use of AI Wave, recipients may include:
- Identity and authentication providers such as Clerk.
- Hosting, database, cache, and infrastructure providers such as Vercel, Supabase, Upstash, Cloudflare, Inngest, and Infisical.
- Payment providers such as Stripe.
- Email delivery and notification providers such as Resend.
- AI and model providers used for inference, embeddings, or media generation, such as OpenAI, Anthropic, Google model services, Voyage AI, Cohere, and Fal.ai where configured in the platform stack.
- Connected platforms you choose to authorize, such as LinkedIn, X, Meta, Google Ads, TikTok, YouTube, HubSpot, Salesforce, Google Analytics, Google Search Console, Mixpanel, SEMrush, Ahrefs, and webhook or automation endpoints.
- Security, observability, and support tooling such as Langfuse, Sentry, Better Stack, and PostHog where enabled.
- Professional advisers, auditors, insurers, and competent public authorities where legally required.
More detail about processor relationships is available in our Data Processing Agreement for customer controller-processor relationships.
7. International data transfers
AI Wave is designed around EU-first data residency, including primary application data stored in EU-hosted infrastructure where available. Some providers or connected platforms may process data outside the European Economic Area, including in the United States or other jurisdictions.
Where personal data is transferred internationally, AI Wave relies on lawful transfer mechanisms such as the European Commission's Standard Contractual Clauses, adequacy decisions, or another valid GDPR transfer tool, together with supplementary technical and organizational safeguards such as encryption, access controls, and least-privilege processing.
8. Data retention
We retain personal data only for as long as necessary for the purposes described above, unless a longer period is required by law or necessary to resolve disputes, enforce agreements, or protect the service.
| Data category | Typical retention |
|---|---|
| Account and workspace records | While active, then soft-deleted and hard-deleted after a 30-day grace period unless retention is legally required |
| Campaign and content data | While the workspace is active, then deleted in line with workspace deletion rules |
| Integration tokens | While connected, with immediate deletion on disconnect or workspace closure |
| Usage events | Up to 2 years for billing and audit purposes |
| Analytics history | Founder: 30 days. Startup: 1 year. Scale-Up and Enterprise: unlimited during the active subscription, subject to deletion requests, account closure, or legal retention duties |
| Audit logs | Generally 1 year, or longer where contractually required for Enterprise compliance |
| Billing records | For the statutory periods required by Spanish tax and accounting law |
Additional operational detail is described in our internal retention controls and in customer controller-processor relationships under the DPA.
9. Cookies and similar technologies
AI Wave uses cookies, local storage, and similar technologies for security, session continuity, and preference management. Please review our Cookie Policy for a detailed description of categories, storage periods, and choices.
10. Security measures
AI Wave uses technical and organizational measures appropriate to the risk, including encryption at rest and in transit, role-based access controls, tenant isolation, audit logging, secure secret management, vulnerability scanning, and approval gates for high-risk platform actions.
Documented controls include AES-256 encryption for stored integration credentials, TLS 1.3 for network transport in our current deployment target, HSTS, Cloudflare WAF protections, Clerk-based authentication, Supabase row-level security, and secrets managed through Infisical. No system can guarantee absolute security, and you should also protect your credentials and connected accounts.
11. Your rights
Subject to applicable law, you may have the right to access, rectify, erase, restrict, object to, or port your personal data, and the right to withdraw consent where processing is based on consent. You may also request information about international transfer safeguards and recipients.
We may need to verify your identity before acting on a request. If we act as a processor for a customer workspace, we may direct your request to the relevant customer as controller unless we are legally required to handle it directly.
12. Right to complain
If you believe your personal data has been processed unlawfully, you may contact us first at contact@ai-wave.co. You also have the right to lodge a complaint with the Agencia Espanola de Proteccion de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, Spain, or through www.aepd.es.
13. Children's privacy
AI Wave is a business service intended for users acting on behalf of organizations and is not directed to children. We do not knowingly collect personal data from children under 18 through the service. If you believe a child has provided personal data to us, contact contact@ai-wave.co.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect product changes, legal requirements, or security and operational updates. When we make material changes, we will update the "Last updated" date and, where required, provide notice through the website, the application, or email.
15. Contact
Privacy requests: contact@ai-wave.co
Legal notices: contact@ai-wave.co
General support: contact@ai-wave.co