Privacy Policy

Account data. Email address, username, display name, password hash (never the password itself), and any optional profile fields you add: bio, avatar, banner, credits, social links, city, and country.

Subscription & payment. Your Stripe customer ID, subscription status, and the last 4 digits + brand of any saved card. Full card numbers and CVCs are held by Stripe and never touch our servers.

Activity data. Samples you upload, packs you create, listings you post, downloads you make, likes, follows, direct messages, and sample requests.

Technical data. IP address (used for rate-limiting and abuse prevention), browser user-agent, and basic logs from our hosting provider (Vercel) and database (Supabase). We do not run third-party analytics or advertising trackers.

• To create and operate your account.
• To process payments and pay marketplace sellers.
• To deliver the Service: rendering pages, serving samples, enforcing daily download limits.
• To send transactional email: signup confirmations, password resets, marketplace receipts, in-app notifications.
• To detect and prevent fraud, abuse, and copyright infringement.
• To respond to support requests and legal obligations.

We process your data under one or more of the following GDPR bases:

• Contract — to provide the Service you signed up for.
• Legitimate interests — to keep the Service secure and to prevent abuse.
• Legal obligation — to comply with copyright, tax, and accounting laws.
• Consent — for any optional communications you specifically opt into.

We share the minimum data necessary with the following service providers, all of whom are bound by their own privacy commitments:

• Supabase (database + auth + storage; Canada region).
• Vercel (web hosting).
• Stripe (payments and subscription billing).
• Resend (transactional email delivery).
• Zoho Mail (inbound mail to @wavekey.co addresses).

We do not sell your data. We do not share it with advertisers. We may disclose data when required by law (subpoena, court order) or to protect the rights and safety of our users or the public.

The following are public by default once you create them: your username, display name, avatar, banner, bio, credits, social links, public samples, public packs, marketplace listings, and (if you opt in) your city and country on the producer map. Treat anything posted publicly as visible to the world.

We use a small number of strictly-necessary cookies, mostly for authentication (so you stay signed in) and for CSRF protection on form submissions. We do not use advertising cookies, third-party analytics, or cross-site tracking.

Account data is kept as long as your account is active. When you delete your account, we delete your profile, uploads, messages, and marketplace listings within 30 days. We may retain transaction records (sale receipts, refunds) for up to 7 years to satisfy tax and accounting laws.

Server logs are retained for up to 90 days. Email delivery logs from Resend are retained per their default policy.

Passwords are hashed by Supabase using industry-standard algorithms. All traffic to wavekey.co is served over HTTPS. The private samples bucket is access-gated by signed URLs and server-side enforcement. We use Row-Level Security policies at the database layer to enforce ownership.

No system is perfectly secure. If we discover a breach affecting your personal data, we will notify you and the appropriate authorities as required by law.

You may at any time:

• Access the personal data we hold about you.
• Correct inaccurate data by editing your profile or emailing us.
• Delete your account and associated data (see Section 7).
• Export your data in a portable format (email us to request).
• Withdraw any consent you previously gave.
• Object to or restrict certain processing.
• Lodge a complaint with your local data-protection regulator.

To exercise any of these rights, email legal@wavekey.co from the address associated with your account. We respond within 30 days.

California residents have the right to know what categories of personal information are collected, the right to delete personal information, and the right not to be discriminated against for exercising these rights. We do not sell or share personal information for cross-context behavioural advertising. Submit requests to the email above.

Wavekey is not directed at children under 16. If you believe a child has provided us personal information, email legal@wavekey.co and we will delete it.

Your data may be processed in countries other than Canada, including the United States and Singapore, depending on which regional infrastructure our providers serve from. We rely on standard contractual clauses and equivalent safeguards where required.

We may update this Policy from time to time. The “Last updated” date at the top of the page reflects the current version. Material changes will be announced by email.