Privacy Policy

1. Information We Collect

To provide and improve WavyOS, we collect the following types of information:

• Contact Information: Email addresses and phone numbers used for communication, authentication, and transactional SMS notifications.
• Business Operational Data: Data you input into WavyOS to run your business, including orders, scheduling information, and related operational metrics.
• Usage Data: Standard system logs and interactions with our portal to help us monitor performance and troubleshoot issues.

1.1 Conversation & Message Data

A core function of WavyOS is to receive, process, and respond to messages exchanged between our AI assistant and your customers across channels including Instagram direct messages, SMS, email, and your WavyOS storefront. To operate this service, we store the content of these conversations durably — not merely transiently — in our database. This includes:

• Inbound message content from your customers and outbound responses generated by the AI assistant or sent by you.
• Conversation metadata such as channel, timestamps, and thread identifiers needed to maintain context across a conversation.

Storing this content is necessary to maintain conversation context, generate accurate responses, provide your team with a record of customer interactions, and support and troubleshoot the service. Conversation content is retained for a limited period — see Section 7 (Data Retention & Deletion).

2. How We Use Your Information

We use your data strictly to deliver and improve our B2B services. Specifically, we use your information to:

• Provide, operate, and maintain WavyOS.
• Authenticate your identity via our passwordless One-Time Password (OTP) system.
• Store and process your business operational data (orders, schedules) to facilitate your workflows.
• Communicate with you via email and transactional SMS regarding support, updates, system alerts, and account notifications.
• Improve the quality and reliability of WavyOS. We may use de-identified or aggregated conversation data — stripped of customer names, contact details, and other direct identifiers — to evaluate and improve our own AI assistant and service quality. This internal improvement is distinct from, and does not involve, sending your data to third-party AI model providers for the training of their models.

3. Third-Party Infrastructure & Subprocessors

We do not build our infrastructure from scratch. To provide a reliable, secure service, we utilize industry-leading third-party service providers. Your data is processed by:

• Vercel: Cloud hosting and application deployment.
• Supabase: Database and file storage for your business and customer data.
• Resend: Transactional email delivery and authentication.
• Telnyx: Transactional SMS delivery.
• Railway: Cloud infrastructure and backend services.
• Anthropic: AI-powered message processing, content analysis, and response generation. Message content sent to Anthropic is used only to generate responses for your business and is not used by Anthropic to train its models. (Separately, WavyOS stores conversation content durably in our own database to operate the service — see Section 1.1.)
• OpenAI: Audio transcription services. Audio sent to OpenAI is used only to produce transcriptions for your business and is not used by OpenAI to train its models. Resulting transcribed content may be stored durably as part of the conversation record — see Section 1.1.
• Stripe: Payment processing and subscription billing. Payment data is handled directly by Stripe and never stored on our servers.
• Better Stack: System uptime monitoring.
• Sentry (Functional Software, Inc.): Application error monitoring and diagnostics. We configure Sentry to scrub personally identifiable information from error reports so that message content and customer contact details are not captured in error data.
• Discord: Internal operational monitoring.

3.1 Instagram & Meta Platform Data

WavyOS integrates with the Instagram Graph API to provide automated direct message management on behalf of our business clients. Through this integration, we access and process:

• Instagram Business account identifiers and usernames
• Direct message content sent to our clients' Instagram accounts
• Customer Instagram user IDs for conversation threading

This data is used exclusively to operate the automated response features of WavyOS. We do not sell, share, or use Instagram user data for advertising or any purpose beyond delivering the contracted service to our business clients. All Instagram data is processed in accordance with Meta's Platform Terms and Developer Policies.

Clients may revoke WavyOS access to their Instagram account at any time through their Instagram account settings under “Apps and Websites.”

4. Data Sharing & Disclosure

We do not sell your personal or business data to third-party data brokers. Your information is only shared under the following circumstances:

• With Service Providers: As outlined above, strictly for infrastructure and operational purposes.
• For Legal Reasons: If required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency) within the Commonwealth of Virginia or applicable federal jurisdictions.

4.1 Mobile Information & SMS Consent

Notwithstanding any other provision in this policy, no mobile information will be shared with third parties or affiliates for marketing or promotional purposes. This includes text messaging originator opt-in data and consent, which will not be shared with any third parties. SMS communications are used exclusively for transactional account notifications between Wavy Systems LLC and its authorized business clients.

We may share your Personal Data, including your SMS opt-in or consent status, with third parties that help us provide our messaging services, including but not limited to platform providers, phone companies, and any other vendors who assist us in the delivery of text messages. All of the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

5. Data Security

We implement commercially reasonable security measures to protect your data from unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the Internet or electronic storage is 100% secure. You are responsible for keeping your email and phone devices secure to protect your OTP access.

6. Children's Privacy

WavyOS is a B2B platform intended for use by business owners and their authorized staff. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected such data, we will take steps to delete it promptly.

7. Data Retention & Deletion

We retain your business operational data for the duration of your active subscription. Conversation and message content (see Section 1.1) is generally retained for up to 180 days from the date of each message, after which it is automatically deleted from our active systems, unless we are required to retain it longer to comply with law or resolve a dispute. We may retain a small number of the most recent conversations per customer beyond this window to maintain service context. Upon cancellation or termination of your WavyOS subscription:

• Your business data (orders, customer records, conversation history) will be retained for 30 days following termination to allow for data export.
• After the 30-day retention period, all client-specific data will be permanently deleted from our systems and subprocessor platforms.
• De-identified or aggregated data — including conversation data stripped of direct identifiers — may be retained beyond these windows for service improvement and analytics purposes, as described in Section 2.
• You may request immediate deletion of your data at any time by contacting support@wavyautomations.com.

Cached or temporary data (session tokens, rate limiting counters) is automatically purged and not retained beyond its operational lifespan.

8. Data Breach Notification

In the event of a data breach affecting your personal or business information, we will notify affected clients via email within 60 days of discovering the breach, in accordance with the Virginia Consumer Data Protection Act (VCDPA). Notification will include the nature of the breach, the types of data affected, and steps we are taking to mitigate impact.

9. Your Privacy Rights

Depending on where you reside, you may have rights regarding your personal information, including the right to:

• Access: Request a copy of the personal information we hold about you.
• Correct: Ask us to fix inaccurate or incomplete information.
• Delete: Request deletion of your personal information, subject to legal and contractual retention obligations.
• Portability: Receive your data in a portable format where applicable.
• Opt out of sale/sharing: We do not sell your personal information. We honor opt-out requests where this right applies.

We will not discriminate against you for exercising any of these rights. Virginia residents may exercise the rights granted under the Virginia Consumer Data Protection Act (VCDPA), and California residents may exercise the rights granted under the California Consumer Privacy Act, as amended (CCPA/CPRA), including the right to appeal a denied request. To exercise any of these rights, contact us at support@wavyautomations.com. We will verify your request and respond within the timeframe required by applicable law. Where WavyOS processes customer data on behalf of a business client (as a processor), we will direct end-customer requests to the relevant business client and assist them in responding.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Effective Date” above and, where appropriate, notify affected clients by email. Your continued use of WavyOS after an update constitutes acceptance of the revised policy.

11. Contact Us

If you have questions or concerns about this Privacy Policy or your data, please contact us at: