Waveguide

Last updated July 5, 2026

Privacy Policy

This policy explains what data Waveguide (operated by Adwave, “we”) collects, why, and what your rights are. Waveguide is a business tool; this policy covers both account holders and the individuals whose data flows through the Service (such as your leads and customers).

1. Data we collect

Account data. Your email address, company name, sign-in timestamps, and notification preferences.

Billing data. Handled by Stripe. We store your Stripe customer and subscription identifiers and metering totals; we never see or store full card numbers.

Connected-account data. When you connect an account (Gmail, Google Calendar, Meta Ads, Stripe, Slack, Telegram), we receive OAuth tokens — stored envelope-encrypted in a credential vault — and, during agent sessions, the data those scopes allow: relevant email messages, calendar availability, campaign performance, lead records, payment events, and chat messages you exchange with the agent.

Agent work product. The agent’s workspace, its structured ledger (leads, assets, campaigns, events, attribution), session records, and a complete audit log of actions taken.

Technical data. Standard server logs (IP address, user agent, timestamps) for security and rate-limiting; aggregate, cookie-free web analytics on the marketing site.

We do not use advertising cookies and do not sell personal data.

2. How we use data

  • To operate the Service: run agent sessions, deliver briefs and approvals, keep the ledger, meter usage.
  • To secure it: verify webhooks, rate-limit, detect anomalies, keep audit trails.
  • To bill: report metered usage to Stripe.
  • To communicate: transactional email (sign-in links, approvals, budget and billing notices, weekly summaries — the optional ones are controllable in Settings).
  • To improve the Service, using aggregate operational metrics — we do not train AI models on your data.

3. AI processing

Agent reasoning uses Anthropic’s Claude models via API. Content processed in a session (for example, an email being triaged) is sent to Anthropic for inference under an agreement that prohibits training on it. Credentials are never included in model input, by architecture. Untrusted third-party content is additionally processed through a restricted extraction step before it can influence actions.

4. Subprocessors

SubprocessorRoleData touched
CloudflareControl plane, database, storage, queuesAll service data
Fly.ioSandboxed agent computeWorkspace contents during sessions
AnthropicAI model inferenceSession context (no credentials)
StripeBillingBilling identity, payment method, usage totals
NangoOAuth connection brokerOAuth tokens at connect/refresh time
PostmarkInbound email processingMail sent to your tenant address
ResendOutbound transactional emailYour email address, notification content
Slack / TelegramReporting channels you connectMessages the agent exchanges with you

We will update this table before adding subprocessors that process Customer Data.

5. Retention

  • Account and tenant data: for the life of the account.
  • Audit logs: 90 days hot, then archived to cold storage.
  • Workspace snapshots: rolling 30 days.
  • After cancellation: data remains exportable for 30 days, then may be deleted.
  • Self-serve deletion (Settings → Delete tenant) immediately and permanently purges the workspace, credential vault, connections, history, and ledger, and destroys the sandbox machine.

6. Security

Encryption in transit (TLS) everywhere and at rest for credentials (AES-256-GCM envelope encryption with per-tenant keys); per-tenant sandbox isolation with default-deny networking; credential injection at a guarded egress proxy so AI models never hold secrets; signature verification on all inbound webhooks; single-use email sign-in links; and comprehensive audit logging. Full detail: waveguide.adwave.com/security.

7. Your rights

Depending on your jurisdiction (GDPR, CCPA, and similar), you may have rights to access, correct, export, delete, or restrict processing of personal data. Export and deletion are self-serve in the dashboard; for anything else, or to exercise rights concerning data about you processed on behalf of one of our customers, contact hello@waveguide.adwave.com. If you are in the EEA/UK, you may also lodge a complaint with your supervisory authority.

Where we process personal data on your behalf as a processor (your leads’ and customers’ data), our Data Processing Addendum applies.

8. International transfers

Our infrastructure providers operate globally; where personal data is transferred out of the EEA/UK, we rely on standard contractual clauses and our subprocessors’ equivalent safeguards.

9. Children

The Service is not directed to children and we do not knowingly collect data from anyone under 16.

10. Changes

Material changes will be announced by email to account owners at least 14 days before taking effect and posted here with an updated date.

Contact: hello@waveguide.adwave.com