1. Information We Collect
1.1 Account Information
Email address - For account creation and communication
Full name - Optional, for personalization
Business name - Optional, collected during checkout
1.2 OAuth Data (Instagram & Facebook)
Instagram account ID - Public identifier
Instagram username - Public information
Instagram access tokens - Encrypted with AES-256-CBC
Facebook Page ID - Public identifier
Facebook Page name - Public information
Facebook Page access tokens - Encrypted with AES-256-CBC
1.3 Chatbot Content
Message templates - The chatbot flows you create
Button configurations - Navigation and actions
Template selections - Which templates you use
1.4 Payment Information
Stripe customer ID - Links your account to Stripe
Subscription details - Plan, billing date, status
Promotion codes - If used during checkout
Important: We do NOT store credit card numbers. All payment processing is handled securely by Stripe.
2. How We Use Your Information
We use your data to:
Provide the Service - Build and deploy your chatbots
Connect to Instagram/Messenger - Via OAuth tokens
Process payments - Through Stripe integration
Send service emails - Account updates, billing notifications
Improve the platform - Bug fixes, new features
Comply with legal obligations - GDPR, data requests
We do NOT:
Sell your data to third parties
Use your data for advertising
Read your Instagram/Messenger messages (except for chatbot functionality)
Share your data with anyone except service providers listed below
3. How We Protect Your Data
3.1 Encryption
OAuth tokens: Encrypted with AES-256-CBC before storage
Transport: All connections use HTTPS/TLS
Database: Row Level Security (RLS) ensures users only see their own data
3.2 Access Controls
Authentication required for all dashboard access
Session tokens expire after inactivity
Password hashing with bcrypt (handled by Supabase Auth)
3.3 Third-Party Security
Supabase: SOC 2 Type II certified database
Stripe: PCI DSS Level 1 certified payment processor
Vercel: ISO 27001 certified hosting
4. Third-Party Services
We share data with the following service providers:
Service | Purpose | Data Shared
Meta (Facebook/Instagram) | OAuth authentication, API access | OAuth tokens, account IDs
Stripe | Payment processing | Email, subscription details
Supabase | Database hosting | All account data
Vercel | Application hosting | Anonymous usage metrics
These providers have their own privacy policies and are required to protect your data.
5. Data Retention
5.1 Active Accounts
We retain your data as long as your account is active and for up to 90 days after deletion for backup purposes.
5.2 Deleted Accounts
When you delete your account:
Immediate deletion: Account data, OAuth tokens, chatbot messages
30-day retention: Backup copies (inaccessible to you)
Permanent retention: Transaction records (required by law for 7 years)
5.3 Expired Subscriptions
If your subscription expires, we retain your chatbot data for 30 days in case you resubscribe. After 30 days, chatbot messages are deleted.
6. Your Rights (GDPR)
If you are in the EU/EEA, you have the right to:
Access: Request a copy of your data
Rectification: Correct inaccurate data
Erasure: Delete your account and data
Portability: Export your data in JSON format
Restriction: Limit how we process your data
Objection: Object to data processing
Withdraw consent: Revoke OAuth permissions anytime
To exercise these rights, email us at: [email protected]
7. Cookies & Tracking
Wave Chat uses minimal cookies:
Authentication cookies: Keep you logged in (required)
Session storage: Temporary data for form inputs
We do NOT use:
Advertising cookies
Third-party tracking scripts
Analytics cookies (no Google Analytics, etc.)
8. Children's Privacy
Wave Chat is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has created an account, please contact us immediately.
9. Data Breaches
In the unlikely event of a data breach:
We will notify affected users within 72 hours
We will report the breach to relevant authorities (if required by law)
We will provide details on what data was compromised
We will offer guidance on protective measures
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email. The "Last Updated" date at the top indicates the most recent revision.
11. Contact & Data Requests
For privacy questions, data requests, or concerns:
Email: [email protected]
Response time: Within 30 days
Data requests: We will verify your identity before processing