Privacy Policy
Effective Date: June 25, 2026 | Last Updated: June 25, 2026
This Privacy Policy explains how Adwave Inc. (“Adwave,” “Wavemaker,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you use the Wavemaker platform, websites, applications, REST API, and MCP endpoint (collectively, the “Service”). It also describes your privacy rights and how to exercise them. By using the Service, you acknowledge this Policy. If you do not agree, do not use the Service.
This Policy is incorporated into our Terms of Service. Capitalized terms not defined here have the meaning given in the Terms.
1. Who We Are (Controller)
Adwave Inc. is the controller of personal information processed through the Service, except where we act as a processor/service provider on behalf of an organization customer (see Section 11). You can contact us at [email protected] or Adwave Inc., 8 The Green, Ste A, Dover, DE 19901, United States.
2. Information We Collect
2.1 Information you provide
- Account information — email address, display name, and password (stored only as a salted, hashed value; we never store plaintext passwords). Optional profile details you add.
- Organization information — organization name, billing contact, and the email addresses of members you invite.
- User Inputs — prompts and instructions; uploaded images, video, audio, and documents; URLs and brand/reference materials you direct us to fetch or analyze.
- Support and communications — messages you send us and related metadata.
2.2 Information generated by your use
- Output and project data — generated videos, images, voiceovers, music, captions, compositions, voice profiles, subject/reference data, and related metadata.
- Content-policy classification — a label our system assigns to a request (for example, standard vs. restricted) to route and moderate generation.
- Usage, billing, and technical data — session and generation history, prompts and tool activity, timestamps, Credits consumed, cost/usage logs, plan and subscription status, device and browser information, and IP address (collected from standard request headers and our infrastructure).
2.3 Information from third parties you direct us to access
When you submit a URL, brand, or reference material, we fetch and process content from that source on your instruction. That content may contain personal information about third parties. You are responsible for ensuring you have the right to have us process it (see Terms Sections 6–7). We do not control those third-party sources.
2.4 Payment information
Payments are processed by Stripe. We do not collect or store full card numbers; we store only identifiers and limited details (such as Stripe customer/subscription IDs and billing status) needed to manage your account.
3. How We Use Information
We use information to:
- Provide the Service — process your prompts, generate, render, store, and deliver Output, and operate features you use (including sharing, where you enable it);
- Process payments — manage subscriptions, Credits, auto-refill, invoicing, and taxes through Stripe;
- Generate content — transmit User Inputs to AI Providers in real time to produce Output (Section 4);
- Maintain and secure — authenticate users, manage access, provide support, maintain logs and backups, and protect the Service;
- Enforce and comply — detect, prevent, and respond to abuse, fraud, security incidents, and violations of our Terms (including content moderation and classification), and comply with legal obligations; and
- Improve the Service — analyze aggregated and de-identified usage to maintain quality and reliability. We do not use the content of your individual prompts or your User Content to train foundation AI models.
4. How We Share Information
We share information only as described below. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
4.1 AI and processing sub-processors (core functionality)
To generate Output, your User Inputs and certain Output are processed by third-party providers in real time. These currently include providers in the following categories (the specific providers may change; contact [email protected] for the current list):
- Language, planning & review models — e.g., Anthropic (Claude), Google (Gemini).
- Image & video generation — e.g., Google, xAI (Grok), Kling.ai (Kuaishou), BytePlus, OpenAI, and self-hosted GPU model services we operate via compute providers (e.g., Modal).
- Voice & music — e.g., ElevenLabs.
- Web research & scraping — e.g., Firecrawl and search providers (e.g., Brave Search), used to fetch/analyze content and run queries at your direction.
These providers process content to deliver the Service and are subject to their own terms and privacy policies. We do not authorize them to use your content to train their models except as permitted by their applicable terms; we do not independently train models on your content.
4.2 Infrastructure, payments & rendering sub-processors
- Cloud & edge infrastructure — Cloudflare (edge, storage, compute), and hosting/database/queue providers we use to run the Service (e.g., Fly.io, a managed Postgres provider, and a managed cache provider).
- Payments — Stripe.
- Video rendering & delivery — our rendering pipeline and content-delivery infrastructure.
4.3 Legal, safety & business transfers
We may disclose information: to comply with law, legal process, or governmental requests; to enforce our Terms; to detect, prevent, or address fraud, security, or technical issues; to protect the rights, property, or safety of Adwave, our users, or the public (including reporting illegal content as required by law); and in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality.
4.4 At your direction / public content
If you make content public, unlisted, or shareable, it (and associated metadata) may be displayed, embedded, indexed, and accessed by others (see Terms Section 11). Anything you choose to share publicly is no longer private.
5. Legal Bases (EU/EEA/UK)
Where the GDPR or UK GDPR applies, we process personal data on these bases:
| Purpose | Legal basis |
|---|---|
| Providing the Service and processing your requests | Performance of a contract |
| Billing and payments | Performance of a contract; legal obligation |
| Security, fraud and abuse prevention, content moderation | Legitimate interests; legal obligation |
| Service maintenance, analytics (aggregated/de-identified) | Legitimate interests |
| Marketing communications (where applicable) | Consent (which you may withdraw) |
| Compliance, legal claims, reporting illegal content | Legal obligation; legitimate interests |
Where we rely on legitimate interests, we balance them against your rights. You may object as described in Section 8.
6. Data Storage & Security
- Passwords are salted and hashed; API keys are stored hashed and the plaintext is shown only once at creation.
- Authentication tokens expire after a limited period.
- Data in transit is encrypted via HTTPS/TLS; data at rest is protected by our infrastructure providers’ encryption.
- We restrict internal access and maintain administrative, technical, and organizational safeguards.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a personal-data breach affecting you, we will notify you and authorities as required by applicable law.
7. Data Retention
| Data type | Retention |
|---|---|
| Account data (email, name) | Duration of account; deleted/de-identified after termination (generally within ~30 days), subject to legal retention |
| Organization data | Duration of organization |
| General uploaded files | Limited period (currently ~7 days), then auto-deleted |
| Certain reference uploads | Shorter limited period (currently ~2 days), then auto-deleted |
| Generated media (images, video, audio) | Tied to composition lifecycle; deleted with the composition |
| Compositions & project data | While the account is active |
| Publicly shared / featured content | Until you remove it or close your account, subject to caches/backups and copies made by others |
| Usage, billing & moderation logs | Retained while account is active and as needed for billing, security, and legal compliance |
| API keys | Until revoked or account deletion |
| Backups | Rolling backups retained for a limited period before being overwritten |
| Payment records | Per Stripe’s retention and applicable law |
We may retain limited information longer where required to comply with law, resolve disputes, prevent abuse, or enforce our agreements, and we may retain aggregated or de-identified data indefinitely.
8. Your Privacy Rights
8.1 All users
You may access, correct, delete, and export your account information and content, and revoke API keys, from your account or by contacting [email protected]. We may need to verify your identity before acting on a request.
8.2 EU/EEA/UK (GDPR)
You have rights to access, rectification, erasure, restriction, portability, and objection, and the right not to be subject to solely automated decisions with legal or similarly significant effects (see Section 12). You may withdraw consent at any time (without affecting prior processing) and lodge a complaint with your supervisory authority. For transfers outside the EEA/UK, see Section 10.
8.3 California (CCPA/CPRA) & other U.S. state laws
If you are a resident of California or another U.S. state with a comprehensive privacy law (e.g., Virginia, Colorado, Connecticut, Utah, and others), you may have rights to: know/access the personal information we collect, use, and disclose; correct it; delete it; obtain a portable copy; opt out of “sale” or “sharing” (we do not sell or share personal information, and we do not use or disclose sensitive personal information for purposes that require an opt-out); and not be discriminated against for exercising your rights. Where applicable, you may appeal a decision by replying to our response or contacting [email protected]. You may use an authorized agent where the law permits.
To exercise any right, contact [email protected]. We respond within the timeframes required by applicable law.
9. Cookies & Local Storage
We use minimal client-side storage:
- An authentication token stored in your browser to keep you signed in (strictly necessary; not shared with third-party domains).
- Essential preferences needed to operate features you use.
We do not currently use third-party advertising or cross-site tracking cookies. We honor applicable opt-out preference signals where required. If we add analytics or other cookies in the future, we will update this Policy and provide any required notice or consent mechanism.
10. International Data Transfers
We operate globally and your information may be transferred to and processed in countries other than your own, including the United States, where data-protection laws may differ. Where required for transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses (and the UK Addendum) or an adequacy decision. Contact [email protected] for more information.
11. Organization (B2B) Data
When you use the Service through an organization, the organization administers the account and may access, control, and manage members’ activity and content. In that context we may act as a processor/service provider on the organization’s behalf, and the organization’s own privacy practices apply to its members’ data. Direct data-subject requests to the organization first; we will reasonably assist.
12. Automated Processing & Moderation
We use automated systems to classify, route, and moderate content (for example, to detect prohibited content and enforce our Terms and AI Provider policies) and to detect fraud and abuse. These processes may restrict or refuse generation. We do not use these systems to make decisions producing legal or similarly significant effects without a means to contact us; you may reach a human at [email protected] or [email protected].
13. Children’s Privacy
The Service is not directed to children under 13 (or under 16 in the EU/EEA/UK), and certain mature-content functionality is restricted to users 18+ (see Terms Section 10). We do not knowingly collect personal information from children below the applicable age. If you believe a child has provided us information, contact [email protected] and we will take steps to delete it.
14. Third-Party Links & Services
The Service may reference or interoperate with third-party sites and services (including those you direct us to access). Their privacy practices are governed by their own policies, and we are not responsible for them.
15. Changes to This Policy
We may update this Policy from time to time. For material changes, we will provide reasonable notice (for example, by email or an in-Service notice), generally at least 30 days where feasible before the change takes effect. The “Last Updated” date above reflects the latest revision. Continued use after the effective date constitutes acceptance.
16. Contact
Privacy: [email protected] Security: [email protected] Abuse / Trust & Safety: [email protected]
Adwave Inc. 8 The Green, Ste A Dover, DE 19901 United States
EU/EEA and UK residents may also contact their local data protection authority.