Legal
Privacy Policy
Last updated · June 24, 2026
WAVE DSP (“WAVE,” “we,” “us”) operates a closed-loop ad-tech platform that connects brands with social-media creators for paid sponsored content. This policy explains what data we collect, how we use it, and what rights you have over it.
We wrote this in plain English. If anything is unclear, email privacy@wavedsp.ai and we’ll clarify in writing within 5 business days.
1. Who this policy applies to
This policy covers three groups of users:
- Brands — businesses that build and fund waves on the platform.
- Creators — individuals (18+) who accept paid briefs and publish sponsored content.
- Audiences — viewers who interact with sponsored content (e.g., RSVPs, surveys, reviews).
2. What we collect — and why
From brands
- Account info: name, email, business address, payment method.
- Wave inputs: campaign goals, SKU specs, KPI weights, briefs.
- Performance data: impressions, clicks, RSVPs, redemptions, returned via creator platforms or our pixel/UTM links.
We use this to run waves, calculate fees, and produce reports.
From creators
- Account info: name, email, payout details (handled by Stripe Connect).
- Self-declared profile: niche, audience description, generation, vertical (the “6 vectors” of our Digital DNA model).
- Linked-platform data via OAuth (with your explicit consent): Instagram username + business account ID, TikTok username + open ID, YouTube channel ID, audience demographics, and the limited read-only permissions enumerated in section 4 below. WAVE never holds or requests publishing scopes on any platform.
- Content you submit, draft, or share through WAVE (briefs, drafts, public post URLs you submit as proof of completion).
We use this to match you to brand briefs, schedule posts, and pay you.
From audiences
- Voluntary inputs only: RSVPs, post-event surveys, product reviews submitted at the storefront.
- Aggregate engagement metrics (e.g., a wave reached 124K accounts) returned by social platforms.
We do not buy or use third-party cookies. We do not track audiences across unrelated sites. Every audience signal is voluntary, identified at the moment of intent, and timestamped.
3. How we use data
- To run waves. Match creators to brands, generate briefs, schedule and publish posts, measure outcomes.
- To pay creators. Calculate earnings and route payouts via Stripe Connect.
- To prevent fraud and abuse. Detect bots, verify creator identity, screen content for FTC compliance.
- To improve our matching engine. Aggregated, de-identified wave outcomes train the Digital DNA model. We never sell or share identified individual data.
- To meet legal obligations. Tax reporting (1099-NEC for U.S. creators), subpoenas, anti-money-laundering checks.
4. Social-platform data we read (and what we don’t do)
When a creator connects an Instagram, TikTok, or YouTube account through WAVE, they grant us limited, read-only OAuth permission to retrieve specific profile and performance data via the platform’s official API. The exact scopes we request, and what we use each one for, are listed below verbatim.
Instagram (Meta Graph API — Instagram Login product)
instagram_business_basic— to retrieve the creator’s public profile data (username, profile picture, account type, follower count) so brand campaign-planners can verify that the connected account matches the creator who enrolled in a wave. We do not retrieve private messages, contact lists, or third-party-account data.instagram_business_manage_insights— to retrieve insights (impressions, reach, engagement, video views) for the specific posts a creator publishes for a WAVE-enrolled campaign. Insights are retrieved per-media_idat the post-by-post level — we do not enumerate or read insights for any post the creator did not publish through WAVE. Data is rolled up into the brand’s campaign report and discarded 90 days after wave completion.
TikTok (TikTok for Developers — Display API + Login Kit)
user.info.basic— to retrieve the creator’s public username, profile picture, and bio for in-product display and brand verification of the connected account.user.info.stats— to retrieve publicly visible follower count, like count, and video count so brands can match creators to campaigns of an appropriate audience scale.video.list— to retrieve a list of the creator’s public videos (title, cover image, view count, public TikTok URL) so brands can review the creator’s recent content for brand-safety and vertical fit. We do not retrieve private or draft videos.
We do not request, and our code base does not contain, any TikTok Content Posting scopes (e.g., video.publish,video.upload). We never publish content to TikTok.
YouTube (Google API — YouTube Data v3 + YouTube Analytics)
https://www.googleapis.com/auth/youtube.readonly— to retrieve the creator’s channel info (channel ID, title, subscriber count, video count) and a list of their uploaded public videos for brand verification and matching.https://www.googleapis.com/auth/yt-analytics.readonly— to retrieve performance analytics (impressions, click-through rate, average view duration) for videos the creator publishes for a WAVE-enrolled campaign. Per-channel retrieval is scoped to the enrolledvideoIdvalues only.https://www.googleapis.com/auth/userinfo.email+openid— standard OpenID Connect identity scopes to identify the connecting Google account.
We do not request, and our code base does not contain, any YouTube upload scopes (e.g.,https://www.googleapis.com/auth/youtube.upload). We never publish content to YouTube.
Publishing model — notify-and-post
WAVE does not publish content on behalf of creators. Our Phase 0 publishing architecture is notify-and-post: a brand approves a draft inside WAVE; the creator receives a notification; the creator publishes the content natively on Instagram, TikTok, or YouTube using the platform’s own apps; the creator (or the brand on the creator’s behalf) then submits the public post URL back to WAVE so we can attach it to the wave record. We do not hold, request, or store any publishing scopes on any platform.
Revoking access
Creators may revoke WAVE’s read-only access at any time:
- Inside WAVE: Settings → Connected Accounts → Disconnect.
- On Instagram/Facebook: Settings → Apps and Websites → Active → Remove WAVE.
- On TikTok: Settings → Manage Account → Apps and Permissions → Revoke WAVE.
- On YouTube/Google: myaccount.google.com/permissions.
Revocation immediately stops any further API reads. Existing wave commitments remain in effect — revocation does not cancel a wave already in progress.
5. Who we share data with
We share data only with the parties strictly needed to operate the platform:
- Stripe — to process payments and creator payouts. Stripe’s privacy policy.
- Meta (Instagram & Facebook), TikTok, YouTube — to read creator profile data and publish approved content via their APIs.
- Sentry — to capture crash reports (no personal payload data is included).
- MongoDB Atlas, AWS — our infrastructure providers; data is encrypted at rest.
- Government authorities — only when legally compelled (subpoena, court order).
We do not sell personal data. We do not share data with ad networks, brokers, or for behavioural-advertising purposes outside of our own platform.
6. Your rights
Regardless of where you live, you can:
- Access a copy of the data we hold about you.
- Correct data that is inaccurate.
- Delete your account and associated data (subject to tax/legal retention requirements).
- Port your data to another service.
- Withdraw consent for any optional processing.
If you live in California (CCPA / CPRA), the EU/UK (GDPR), or Canada (PIPEDA), you have these rights by law and we honour them globally. Submit a request to privacy@wavedsp.aiand we will respond within 30 days. We will never charge you for exercising your rights or retaliate against you for doing so.
7. How long we keep data
- Active accounts: as long as the account exists.
- Closed accounts: 90 days, then permanent deletion. Tax records retained 7 years where law requires.
- Wave performance data: aggregated and de-identified after 18 months.
- Backups: rotated out of cold storage within 90 days of deletion.
8. Security
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Backend services communicate over HMAC-SHA256-signed channels. Access to production data is restricted to a small set of engineers under audit logging. We disclose any breach affecting your data within 72 hours, as required by GDPR Article 33.
9. Children
WAVE is for users 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has registered, email privacy@wavedsp.ai and we will delete the account immediately.
10. International transfers
Data is stored in the United States. If you are outside the U.S., your data will be transferred and processed there under standard contractual clauses approved by the European Commission for non-EU transfers.
11. Cookies and similar technologies
We use a minimal set of cookies, all first-party:
wave_session— keeps you logged in.wave_inv_session— long-lived investor-page session cookie used to distinguish a returning viewer from a forwarded link. Contains no personal data.wave_csrf— CSRF protection for form submissions.
We do not use third-party advertising cookies, retargeting pixels, or cross-site trackers. We don’t need them — our platform runs on declared, voluntary zero-party data.
12. Changes to this policy
Material changes will be announced via in-app notice and email at least 14 days before they take effect. The full revision history is available on request.
13. Contact and data-deletion requests
Data Controller: WAVE DSP, Inc.
Email: privacy@wavedsp.ai
Self-serve data deletion: wavedsp.ai/data-deletion
Mailing address: available on request.
EU and UK residents may also lodge a complaint with their local data-protection authority. California residents may contact the California Privacy Protection Agency. We’d much rather solve it directly with you first — please write to us before escalating.