Privacy policy
This policy explains what data Waveform (operated by Adwave, "we", "us") collects when you use the Waveform website builder, why we collect it, and the choices you have. It is written to describe what the product actually does — no more, no less.
1. What we collect
Account data
When you create an account we store your email address, a hash of your password (if you use one — magic-link sign-in stores no password), and optionally your name and avatar. Passwords are hashed with a modern key-derivation function; we never store or log them in plain text.
Content you create
Your projects are your data: the sites Waveform builds for you (code, copy, images, design tokens), your chat conversations with the builder, uploaded assets, form definitions, collection entries, project memory, and version history. We store these to provide the service — building, previewing, and publishing your sites.
Billing data
If you subscribe to a paid plan, payment is processed by Stripe. We store your subscription tier and Stripe identifiers; your card details go to Stripe and never touch our servers.
Usage and operational data
We collect operational telemetry — request logs, error reports, and performance metrics — to keep the service reliable. These logs are correlated by request identifiers, not sold or used for advertising.
Analytics on your published sites
Sites you publish with Waveform include first-party analytics: page views, referrers, and conversion events for your site, shown in your dashboard. This data is collected by our infrastructure on your behalf. We do not place third-party advertising trackers on your sites. You are responsible for your own site's privacy disclosures to your visitors.
2. What we do with it
- Provide the service — build, store, preview, and publish your sites.
- Process with AI — your descriptions, site content, and reference images are sent to our AI processors (below) to generate designs, code, copy, and images. That is the product.
- Bill you — through Stripe, for paid plans.
- Communicate — transactional email (sign-in links, account notices). We do not send marketing email without consent.
- Keep it running — debug problems, prevent abuse, enforce limits.
We do not sell your data, and we do not use your sites or conversations for advertising.
3. Processors we use
We share data with service providers only as needed to run Waveform:
| Processor | Purpose | | --- | --- | | Cloudflare | Hosting, CDN, storage, and edge infrastructure | | Neon | Database hosting (Postgres) | | Anthropic | AI language models (design, code, and copy generation) | | xAI / Google | AI image generation | | Stripe | Payment processing | | Resend | Transactional email delivery | | Fly.io | Build and processing infrastructure | | Inngest | Background job orchestration | | Firecrawl | Website crawling, when you import an existing site |
Each processor receives only the data required for its function.
4. Cookies
Waveform uses a single first-party session cookie (sp_session) to keep
you signed in. It is httpOnly, scoped to Waveform domains, and not used
for cross-site tracking. We do not use advertising cookies.
5. Data retention
We keep your account and project data while your account is active. Version history and operational logs are retained on rolling windows appropriate to their purpose. When you delete a project, or your account, the associated data is removed from active systems; residual copies in backups age out on backup rotation schedules.
6. Your rights
You can:
- Access and export your data — your site code is downloadable, and you can request a copy of your account data.
- Correct your account information.
- Delete projects or your entire account.
To exercise any of these, contact us at legal@waveform.adwave.com. Depending on where you live (for example the EU/EEA under GDPR or California under CCPA), you may have additional statutory rights; we honor valid requests under applicable law.
7. Security
Data is encrypted in transit (TLS) and at rest on our storage providers.
Access tokens are short-lived; session cookies are httpOnly and
same-site. CMS credentials you connect (Contentful, Sanity) are stored
encrypted.
8. Children
Waveform is not directed at children under 16, and we do not knowingly collect their data.
9. Changes to this policy
We will post updates to this page and revise the "Last updated" date. For material changes, we will notify account holders by email.
10. Contact
Questions about privacy: legal@waveform.adwave.com.