Thetawave AI Privacy Policy

Last updated: May 9, 2026

This Privacy Policy explains how Thetawave AI, Inc., a Delaware corporation ("Thetawave," "we," "us," or "our"), collects, uses, discloses, and protects information when you use our website (https://thetawave.ai), mobile applications, and related services (the "Services").

By using the Services, you agree to the practices described in this Policy. If you do not agree, please do not use the Services. This Policy is incorporated into our Terms of Service.

Important Notices

  • We do not train AI models on your User Content. The notes, documents, audio, images, and other materials you upload are not used to train Thetawave's models, and we contractually require our third-party AI and transcription providers not to train their models on your inputs either. See Section 5.
  • We do not display third-party advertising on the Services, and we do not "sell" your personal information for monetary consideration as that term is defined under the California Consumer Privacy Act.
  • Global users. The Services are operated from the United States. We comply with applicable data-protection laws in the EU/UK/Switzerland (GDPR), Japan (APPI), South Korea (PIPA), Hong Kong (PDPO), Taiwan (PDPA), Canada (PIPEDA), and the U.S. (CCPA/CPRA and state laws). See Sections 7 and 12 for region-specific rights.

Table of Contents

  1. Information We Collect
  2. How We Use Information
  3. Legal Bases for Processing (EEA / UK / Switzerland)
  4. How We Share Information
  5. AI Processing of User Content
  6. Cookies, Tracking Technologies, and Push Notifications
  7. International Data Transfers
  8. Data Retention
  9. Data Security
  10. Children's Privacy
  11. Your Privacy Rights — Global Overview
  12. Region-Specific Rights and Notices
    • 12.1 European Economic Area, UK, and Switzerland (GDPR)
    • 12.2 California (CCPA/CPRA)
    • 12.3 Other U.S. States
    • 12.4 Japan (APPI)
    • 12.5 South Korea (PIPA)
    • 12.6 Hong Kong (PDPO)
    • 12.7 Taiwan (Personal Data Protection Act)
    • 12.8 Canada (PIPEDA)
    • 12.9 Other Jurisdictions
  13. How to Exercise Your Rights
  14. Do-Not-Track Signals
  15. Mobile App Privacy Disclosures (App Store / Google Play)
  16. Third-Party Links and Services
  17. Changes to This Policy
  18. Contact Us

1. Information We Collect

We collect three categories of information:

1.1 Information You Provide

  • Account information: name, email address, password (stored hashed), profile preferences, and — if you sign in with a third-party identity provider (e.g., Google, Apple) — the basic profile data that provider shares with us.
  • Subscription and payment information: for web purchases, billing details handled by Stripe (we receive transaction confirmations and the last four digits of your card; we do not store full payment-card numbers); for mobile in-app purchases, transaction confirmations from Apple or Google.
  • Communications: messages you send to support (via email), feedback, and survey responses.
  • User Content: notes, documents, audio recordings, images, videos, and other materials you upload, create, or generate through the Services. Your User Content may be considered "sensitive" (e.g., student academic records, voice recordings) and is treated as such — see Sections 5 and 12.

Third-party personal information within User Content. If your User Content includes personal information about third parties (for example, a classmate's name in your notes, or a professor's voice in a lecture recording), you act as the controller of that information and represent that you have any necessary consents or other lawful basis to share it with us. We process such third-party information solely on your behalf to deliver the Services to you, in accordance with this Policy and with our Terms of Service Sections 6.4 and 9.

1.2 Information Collected Automatically

When you use the Services, we and our analytics providers automatically collect:

  • Device & technical data: IP address, browser type and version, operating system, device identifiers (including mobile advertising identifiers if not disabled at the OS level), screen size, language, time zone.
  • Usage data: pages visited, features used, clicks, time spent, referral URLs, search queries within the Services, and approximate location derived from IP address.
  • Diagnostic data: crash reports, error logs, performance metrics.

1.3 Information from Third Parties

  • Identity providers: if you use Google Sign-In, Apple Sign-In, or similar, we receive the basic profile information you authorize.
  • Payment processors: Stripe, Apple, and Google may share transaction data with us as needed to fulfill purchases.
  • Service providers: our analytics, error-tracking, and customer-support tools share aggregated and event-level data about how you use the Services (see Section 4).

We do not purchase personal information from data brokers, and we do not receive personal information from advertising networks.

2. How We Use Information

We use the information described above to:

  • Provide, operate, maintain, and secure the Services, including authenticating your account, syncing your content across devices, and processing your transactions;
  • Generate AI outputs in response to your inputs (see Section 5);
  • Communicate with you about your account, transactions, important policy changes, and (with your consent or where permitted by law) product updates;
  • Provide customer support and respond to your inquiries;
  • Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms;
  • Analyze and improve the Services, including aggregated usage analytics;
  • Comply with legal obligations and enforce our Terms;
  • With your consent, for any other purpose disclosed at the time of collection.

We do not use your information for automated decision-making that produces legal or similarly significant effects on you without human review.

Marketing communications and opt-out. Where we send marketing or promotional communications (with your consent or where permitted by law), you can opt out at any time by:

  • Clicking the "unsubscribe" link in any marketing email;
  • Toggling notification preferences in your account settings; or
  • Emailing contact@thetawave.ai.

Transactional and account-related communications (e.g., security alerts, subscription billing notices, important policy changes) cannot be opted out of while your account is active, as they are necessary to deliver the Services and comply with our legal obligations.

3. Legal Bases for Processing (EEA, UK, Switzerland)

If you are in the European Economic Area, United Kingdom, or Switzerland, we process your personal data on the following legal bases:

Purpose | Legal Basis
Providing the Services to you, including AI inference on your inputs | Performance of a contract (Art. 6(1)(b) GDPR)
Processing payments and preventing fraud | Performance of a contract; legal obligation; legitimate interests
Service security and abuse prevention | Legitimate interests in protecting users and the Services
Product analytics and improvement | Legitimate interests; consent for non-essential cookies
Marketing communications | Consent (which you can withdraw at any time)
Compliance with legal requests | Legal obligation
Processing of "special category" data within User Content (if any) | Your explicit consent (Art. 9(2)(a))

You have the right to object to processing based on legitimate interests — see Section 12.1.

4. How We Share Information

We share your information only with the following categories of recipients, all of whom are bound by contractual confidentiality and data-protection obligations.

4.1 Service Providers (Sub-processors)

We engage third-party service providers to operate the Services on our behalf. They are permitted to use your information only to provide their services to us and must comply with appropriate confidentiality and security obligations. The categories below reflect our current sub-processor stack; this list may evolve as we change vendors.

Category | Purpose | Current Primary Vendor(s)
Cloud hosting & database | Run our backend and store account data and User Content | Supabase (PostgreSQL, auth, storage); cloud-infrastructure providers
AI inference (LLM) | Generate AI outputs (notes, summaries, flashcards, quizzes, study chats) from your inputs | OpenAI, Anthropic, Google (see Section 5)
Audio transcription | Convert audio User Content (e.g., lecture recordings) into text for downstream AI processing | Soniox, Inc., Deepgram, Inc.
Web payment processing | Process subscriptions purchased via the website | Stripe, Inc. (https://stripe.com/privacy)
Mobile in-app purchases & subscription management | Process and reconcile App Store / Google Play purchases | Apple Inc., Google LLC, RevenueCat, Inc.
Product analytics | Understand how the Services are used | Mixpanel, Inc.
Error tracking & diagnostics | Detect and debug issues | Sentry (Functional Software, Inc.)
Customer support | Respond to email-based inquiries | Email infrastructure (no third-party ticketing tool currently)

Sub-processor change notification. When we add or replace a material sub-processor, we will update this Policy at least 14 days before the change takes effect. For users with an active paid subscription, we will additionally provide notice by email or in-app message. If you object to a new sub-processor, you may terminate your account before the change takes effect, and request a pro-rated refund where required by applicable law.

4.2 Other Disclosures

  • Legal compliance and safety. We may disclose information when we believe in good faith that disclosure is required to (a) comply with applicable law, legal process, or government request; (b) enforce our Terms; (c) protect the rights, safety, or property of Thetawave, our users, or the public; or (d) detect, prevent, or address fraud, security, or technical issues.
  • Business transfers. If Thetawave is involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you (e.g., by email and/or a prominent notice on the Services) of any change in ownership or use of your personal information.
  • With your consent. We may share information with other parties when you direct us to do so.

4.3 What We Do NOT Do

  • We do not sell your personal information for monetary consideration.
  • We do not share your personal information with third parties for cross-context behavioral advertising (we don't run any).
  • We do not allow our AI or transcription providers to train on your User Content (Section 5).

CCPA "sale" / "sharing" — defensive note. California's CCPA defines "sale" and "sharing" broadly. To the extent any disclosure to our analytics, AI, transcription, or error-tracking sub-processors might be construed as a "sale" or "sharing" under CCPA/CPRA, we treat such activity as opt-outable and honor opt-out signals (including the Global Privacy Control / GPC) where technically feasible. See Section 12.2 for additional California rights.

5. AI Processing of User Content

This section explains how your inputs and User Content interact with AI models. This is core to how the Services work — please read it.

5.1 How AI Inference and Transcription Work

When you use an AI feature (e.g., generating notes, summarizing a PDF, creating flashcards), your input — which may include your User Content or excerpts thereof — is transmitted to one of our third-party AI providers (currently OpenAI, Anthropic, and Google) to generate the response. When you upload audio (e.g., a lecture recording), it is first transmitted to one of our transcription providers (Soniox, Deepgram) to be converted into text, which is then processed by an AI provider as described above.

The response is returned to you and stored in your Thetawave account in association with your User Content. AI providers and transcription providers may briefly hold inputs and outputs during processing as described in Section 5.3, but the durable record of your User Content and AI-generated Outputs lives in your Thetawave account, not with the providers.

5.2 No Training on Your Content

Thetawave does not train any AI or machine-learning models on your User Content. We rely on contractual no-training and limited-retention commitments from each of our AI and transcription providers. Specifically:

  • OpenAI: We use the OpenAI API. Per OpenAI's API data-usage policy, OpenAI does not use API inputs or outputs to train its models.
  • Anthropic: We use the Anthropic API. Per Anthropic's commercial terms, Anthropic does not train its models on inputs or outputs submitted via the API.
  • Google: We use the Google AI / Gemini API under terms that do not permit Google to train its models on our paid API content.
  • Soniox: We use Soniox's commercial API under terms that do not permit Soniox to train its models on the audio content we transmit.
  • Deepgram: We use Deepgram's commercial API under terms that do not permit Deepgram to train its models on the audio content we transmit.

If we change AI or transcription providers or the terms governing those providers materially change, we will update this Policy. You should not upload information to the Services that you do not want transmitted to one of these providers for processing.

5.3 No Persistent Storage at AI / Transcription Providers (Beyond Provider-Defined Limits)

AI and transcription providers may briefly retain inputs and outputs for safety, abuse-monitoring, and operational purposes, in accordance with their own privacy notices. We use enterprise / API tier configurations that minimize such retention where available (e.g., zero-data-retention or short-retention modes).

5.4 Aggregated and De-identified Data

We may use de-identified or aggregated data (which cannot reasonably be linked back to you) for product analytics, security, and service improvement. We use industry-standard de-identification techniques (e.g., removing direct identifiers, aggregation, and other technical measures designed to ensure the information cannot reasonably be associated with an individual), and we contractually prohibit any party that receives de-identified data from us from attempting to re-identify it.

6. Cookies, Tracking Technologies, and Push Notifications

6.1 Cookies and Similar Technologies

We and our service providers use cookies, pixels, local storage, software development kits (SDKs), and similar technologies to operate the Services. We do not use cookies for cross-site behavioral advertising. Where required by law (including in the EEA, UK, Switzerland, Japan, and Korea for non-essential cookies), we will request your consent through a cookie banner before placing non-essential cookies. You can manage your cookie preferences through the cookie banner or your browser settings.

The principal cookies and similar technologies we use are:

Name / Pattern | Type | Purpose | Provider | Approx. Retention
sb-* (auth tokens) | Strictly necessary | Authenticate your session and keep you signed in | Supabase | Session / up to 1 year
CSRF / anti-forgery tokens | Strictly necessary | Prevent cross-site request forgery | Thetawave | Session
cookie_consent | Strictly necessary | Remember your cookie-banner choices | Thetawave | 1 year
theme, locale | Functional | Remember your UI preferences (e.g., dark mode, language) | Thetawave | 1 year
mp_* | Analytics (opt-in where required) | Product analytics — measure feature usage and improve the Services | Mixpanel | Up to 1 year
Sentry session tags | Strictly necessary | Associate error reports with sessions for debugging | Sentry | Up to 30 days

If we add or change material categories of cookies, we will update this table.

6.2 Push Notifications

If you opt in to push notifications via our mobile apps, we collect and use a device-specific push token (provided by Apple Push Notification service ("APNs") for iOS or Firebase Cloud Messaging ("FCM") for Android) solely to deliver:

  • Service-related notifications (e.g., transcription complete, study reminder set by you);
  • Account-related notifications (e.g., security alerts);
  • With your additional consent, occasional product-update notifications.

You can disable push notifications at any time through your device's notification settings. Disabling push notifications does not affect other parts of the Services.

7. International Data Transfers

Thetawave is based in the United States, and our servers and several of our service providers are located in the U.S. and other countries. When you use the Services, your personal information will be transferred to, stored, and processed in the United States and potentially other countries, which may have data-protection laws different from those of your country of residence.

We rely on the following safeguards to protect international transfers:

  • EEA / UK / Switzerland: Standard Contractual Clauses ("SCCs") approved by the European Commission (and the UK Addendum / Swiss equivalents) with our sub-processors, supplemented by encryption in transit and at rest, access controls, and (where applicable) transfer-impact assessments. We are not currently certified under the EU-US Data Privacy Framework ("DPF"); we rely on SCCs as the primary transfer mechanism.
  • Japan: Where required by APPI for cross-border transfer, we obtain your consent or rely on equivalent safeguards (including SCC-equivalent contractual provisions with the recipient).
  • South Korea: Where required by PIPA for transfer of personal information overseas, we provide the disclosures required under Article 28-8 PIPA and obtain your consent where applicable.
  • Hong Kong, Taiwan, Canada: We ensure that recipients are bound by contractual obligations consistent with PDPO, the PDPA, and PIPEDA respectively.

By using the Services, you understand that your information will be transferred internationally as described above.

8. Data Retention

We retain personal information for as long as is necessary to provide the Services and for the purposes described in this Policy, unless a longer retention period is required by law.

Data Category | Retention
Account information | While your account is active; deleted within 30 days after account deletion (excluding backups)
User Content | While your account is active; deleted within 30 days after you delete the content or your account
Backups | Retained for up to 90 days after deletion, then permanently deleted
Payment and billing records | Retained for 7 years to comply with tax, accounting, and audit obligations
Customer support communications | Up to 3 years after resolution
Diagnostic / log data | Up to 12 months
De-identified or aggregated data | May be retained indefinitely (cannot be linked back to you)

You may request earlier deletion at any time as described in Section 13, subject to limited exceptions (e.g., where retention is required by law).

9. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information, including:

  • Encryption in transit (TLS) and at rest;
  • Access controls and least-privilege principles for our personnel;
  • Secure software-development practices and code review;
  • Vendor security review for sub-processors;
  • Logging and monitoring; and
  • Incident-response procedures.

No security measure is perfect, and we cannot guarantee absolute security.

Breach notification. If we become aware of a personal-data breach affecting your information, we will notify you and the appropriate supervisory authorities as required by applicable law, including:

  • GDPR / UK GDPR / FADP: notification to the supervisory authority within 72 hours of becoming aware (where feasible), and to affected individuals without undue delay where there is a high risk to their rights and freedoms;
  • Japan APPI (Article 26): notification to the Personal Information Protection Commission (PPC) and to affected individuals promptly, in the manner and on the schedule required by APPI;
  • South Korea PIPA (Article 34): notification to affected individuals without delay, and — for breaches involving 1,000 or more individuals or sensitive information — notification to the PIPC within 24 hours;
  • U.S. state laws: notification within the timelines and according to the procedures required by each applicable state breach-notification statute;
  • Other jurisdictions: as required by applicable law.

10. Children's Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 in the United States or under the minimum age of digital consent in their country of residence (e.g., 14 in Spain, 15 in France, 16 in Germany).

If you are between 13 and 17 (or the age of majority in your jurisdiction), you may use the Services only with the involvement and consent of a parent or legal guardian.

For details on how parents can provide verifiable parental consent under COPPA and equivalent laws (and how to revoke it), see Terms of Service Section 2.2.

If we learn that we have collected personal information from a child below the applicable age without verified parental consent, we will delete it as soon as possible. Parents who believe a child has provided personal information without consent can contact us at contact@thetawave.ai.

For schools and educators using the Services with students: you are responsible for obtaining any consents required by COPPA, FERPA, GDPR, APPI, PIPA, and equivalent laws, and for serving as the appropriate authority under those laws.

11. Your Privacy Rights — Global Overview

Depending on where you live, you may have rights including:

  • Access: the right to know what personal information we hold about you and to receive a copy;
  • Correction: the right to correct inaccurate or incomplete information;
  • Deletion ("right to be forgotten"): the right to request deletion of your information;
  • Portability: the right to receive certain information in a portable format;
  • Restriction / objection: the right to restrict or object to certain processing;
  • Withdraw consent: the right to withdraw any consent you have given;
  • Opt out of "sale" / "sharing" / targeted advertising: the right to opt out, where applicable;
  • Lodge a complaint with a supervisory authority.

We honor these rights regardless of where you live, to the extent reasonably possible. See Section 12 for region-specific details and Section 13 for how to exercise your rights.

12. Region-Specific Rights and Notices

12.1 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR / FADP)

If you are in the EEA, UK, or Switzerland, you have the rights described in Section 11 under the General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP), respectively. You also have the right to:

The legal bases for our processing are listed in Section 3.

EU Representative (Article 27 GDPR). Based on our assessment of the nature, scope, context, and purposes of our processing — and because our processing of EEA personal data is not "on a large scale" with respect to special categories of data under Article 9 GDPR or criminal-conviction data under Article 10 GDPR — we have not appointed an EU representative under Article 27 GDPR. EEA users may contact contact@thetawave.ai directly with any GDPR-related inquiry; we will respond consistent with applicable law. We will reassess this determination as our user base and processing activities evolve.

12.2 California (CCPA / CPRA)

If you are a California resident, you have the rights described under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA").

Categories of Personal Information We Collect

In the past 12 months, we have collected the following categories of personal information (as defined in Cal. Civ. Code § 1798.140):

Category | Examples | Collected? | Sold? | Shared (cross-context behavioral advertising)?
A. Identifiers | Name, email, IP address, device IDs, account name | Yes | No | No
B. Customer Records | Billing address, payment information | Yes | No | No
C. Protected classifications | Age (where provided), country | Limited | No | No
D. Commercial information | Subscription history, transaction records | Yes | No | No
E. Biometric information | (Voice features within audio User Content, if uploaded) | If you upload | No | No
F. Internet activity | Usage data, interactions with the Services | Yes | No | No
G. Geolocation | Approximate location from IP | Yes | No | No
H. Sensory data | Audio, image, video within User Content (if you upload) | If you upload | No | No
I. Professional/employment | Not collected | No
J. Education information | Academic content within User Content (notes, study materials) | Yes | No | No
K. Inferences | Preferences and study patterns derived from usage | Yes | No | No
L. Sensitive PI | Account credentials; precise content of communications within the Services | Yes | No | No

Your Rights as a California Resident

  • Right to know what personal information we have collected and how we use and share it;
  • Right to request deletion, subject to legal exceptions;
  • Right to correct inaccurate personal information;
  • Right to opt out of "sale" or "sharing" — we do not "sell" or "share" your personal information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA, but we honor opt-out signals (including the Global Privacy Control / GPC) where technically feasible;
  • Right to limit use of sensitive personal information to that which is necessary to perform the Services;
  • Right to non-discrimination for exercising your rights.

"Shine the Light" (Cal. Civ. Code § 1798.83)

California residents may request information about disclosure of personal information to third parties for direct-marketing purposes. We do not engage in such disclosure.

12.3 Other U.S. States

If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), Iowa (ICDPA), Tennessee (TIPA), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire (NHPA), Maryland (MODPA), Minnesota (MCDPA), Indiana (INCDPA), Nebraska (NDPA), Rhode Island (RIDPA), or Kentucky (KCDPA), you have rights similar to those described above, including (depending on your state) the rights to access, correct, delete, port, and opt out of targeted advertising, "sale," and certain types of profiling. Where required, you have the right to appeal our denial of a request — see Section 13.

You may also have the right to designate an authorized agent to make a request on your behalf. We will require verification before honoring authorized-agent requests.

12.4 Japan (個人情報保護法 / APPI)

If you are in Japan, we process your personal information in accordance with the Act on the Protection of Personal Information (APPI).

  • Purpose of use is described in Section 2. We will not use your personal information for purposes beyond those without your consent, except as permitted by APPI.
  • Cross-border transfer: As described in Section 7, your information will be transferred to the United States and other countries. By using the Services, you consent to this transfer in accordance with Article 28 APPI. We make available, upon request, information about the data-protection systems of the recipient countries and the safeguards we have put in place.
  • Your rights: You have the right to request disclosure, correction, addition, deletion, suspension of use, suspension of provision to third parties, and to receive a copy of your personal information held by us.
  • Personal Information Handling Business Operator: Thetawave AI, Inc. is the business operator handling your personal information. Contact: contact@thetawave.ai.
  • Breach notification: As required by APPI Article 26, we will notify the Personal Information Protection Commission (PPC) and affected individuals of qualifying breaches.
  • Complaints: If we cannot resolve your concern, you may consult Japan's Personal Information Protection Commission (PPC).

12.5 South Korea (개인정보 보호법 / PIPA)

If you are in South Korea, we process your personal information in accordance with the Personal Information Protection Act (PIPA) and related laws.

  • Purpose of collection and use: as described in Section 2.
  • Items collected: as described in Section 1.
  • Retention period: as described in Section 8.
  • Cross-border transfer (PIPA Art. 28-8): Your personal information may be transferred to the United States and other countries to the AI providers, transcription providers, hosting providers, and other sub-processors listed in Section 4. We obtain your consent for such transfer where required and provide the disclosures required under PIPA.
  • Your rights: access, correction, deletion, suspension of processing, and withdrawal of consent. Under PIPA Article 35, we will respond to access and correction requests within 10 days (extendable by an additional 10 days where reasonably necessary).
  • Privacy Officer / 개인정보 보호책임자: Contact contact@thetawave.ai.
  • Breach notification (PIPA Art. 34): We will notify affected individuals without delay, and — for breaches involving 1,000 or more individuals or sensitive information — notify the PIPC within 24 hours.
  • Complaints: You may file a complaint with the Personal Information Protection Commission (PIPC, 개인정보보호위원회) or the Korea Internet & Security Agency (KISA), including the Privacy Complaint Center (privacy.go.kr / 118).

12.6 Hong Kong (個人資料(私隱)條例 / PDPO)

If you are in Hong Kong, we process your personal data in accordance with the Personal Data (Privacy) Ordinance (PDPO) and the Six Data Protection Principles. You have the right to request access to and correction of your personal data. Requests may be made to contact@thetawave.ai. Complaints may be made to the Office of the Privacy Commissioner for Personal Data (PCPD).

12.7 Taiwan (個人資料保護法 / PDPA)

If you are in Taiwan, we process your personal information in accordance with the Personal Data Protection Act (PDPA). You have the right to inquire about, request a copy of, supplement or correct, request that we cease collection/processing/use of, and request deletion of your personal information. Requests may be made to contact@thetawave.ai. Where required, we obtain your consent before international transfer of your personal information.

12.8 Canada (PIPEDA)

If you are in Canada, we process your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws (e.g., Quebec's Law 25). You have rights to access, correct, and withdraw consent. Complaints may be filed with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca/.

12.9 Other Jurisdictions

We respect data-protection laws applicable to your residence even if not specifically listed above. If you reside in a jurisdiction with applicable laws (e.g., Brazil's LGPD, Australia's Privacy Act, India's DPDP Act, the UAE PDPL, or others), please contact contact@thetawave.ai with any rights requests; we will respond consistent with applicable law.

13. How to Exercise Your Rights

To exercise any right described above:

  • Email us at contact@thetawave.ai with the subject line "Privacy Request"; or
  • Use any in-app privacy control we provide.

To protect your information, we may need to verify your identity (typically by confirming control of the email address associated with your account). If you are using an authorized agent, we may require proof of authorization.

We will respond to verifiable requests within the time period required by applicable law, including:

Law | Response Window
GDPR / UK GDPR | One month, extendable by up to two additional months for complex or numerous requests
CCPA / CPRA | 45 days, extendable by an additional 45 days when reasonably necessary
Other U.S. state privacy laws | As required by each statute (typically 45 or 60 days)
Korea PIPA | 10 days, extendable by an additional 10 days
Japan APPI | Without undue delay; we aim to respond within 30 days
Other jurisdictions | As required by applicable law

We will not discriminate against you for exercising your rights.

If we decline a request, we will explain why, and — where applicable — you have a right to appeal our decision. To appeal, reply to our response email within 60 days. If your appeal is denied, you may complain to your data-protection supervisory authority or attorney general.

14. Do-Not-Track Signals

Most browsers offer a "Do Not Track" (DNT) signal. Because there is no industry-standard interpretation of DNT signals, the Services do not currently respond to DNT signals. We do, however, honor opt-out signals required by law (e.g., the Global Privacy Control / GPC where applicable).

15. Mobile App Privacy Disclosures (App Store / Google Play)

In addition to this Policy, we make privacy disclosures through the platform mechanisms required by Apple and Google:

  • Apple App Store privacy nutrition labels and the iOS Privacy Manifest (PrivacyInfo.xcprivacy) describe the categories of data the iOS application collects and how it uses them, in the format required by Apple.
  • Google Play Data Safety form describes the categories of data the Android application collects, shares, and the security practices we follow, in the format required by Google.

The disclosures in those forms are intended to be consistent with this Policy. In the event of an unintended discrepancy between platform disclosures and this Policy, this Policy controls, and we will work to update the platform disclosures to align.

16. Third-Party Links and Services

The Services may contain links to third-party websites or integrations (e.g., identity providers, payment processors, AI providers). This Policy does not apply to those third parties. We encourage you to review their privacy policies before providing them with your information.

17. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent version. If we make material changes, we will notify you by email or through a prominent notice on the Services at least 14 days before the changes take effect (or sooner where required by applicable law). Material changes that affect a sub-processor are also subject to the notice requirements in Section 4.1. Your continued use of the Services after the effective date constitutes acceptance.

18. Contact Us

For privacy questions, requests, or complaints:

Thetawave AI, Inc.
Attn: Privacy
Email: contact@thetawave.ai
Website: https://thetawave.ai


Thetawave AI is committed to protecting your privacy and being transparent about how we handle your data. If anything in this Policy is unclear, please reach out — we're happy to help.
