Privacy Policy

Last Updated: January 21, 2026

This Privacy Policy explains how Hey Wav, Inc. ("Hey Wav," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use our website, applications, and services (the "Service").

By using the Service, you consent to the practices described in this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

Account Information

  • Email address (required)
  • Password (stored securely using industry-standard hashing)
  • First and last name
  • Profile photo/avatar
  • Role or job title
  • Bio/description
  • Location
  • Website and social links
  • Timezone preference

Workspace Information

  • Workspace names and settings
  • Member invitations and roles
  • Workspace-level preferences

Content You Create

  • Projects, songs, and their metadata
  • Contacts and people records
  • Events, dates, and calendar items
  • Tasks and to-do items
  • Notes and descriptions
  • Custom fields and tags
  • Files and media uploads
  • Form responses and submissions

Communication Data

  • Comments on products
  • Support requests
  • Feedback submissions

1.2 Information Collected Automatically

Device and Browser Information

  • IP address
  • Browser type and version
  • Operating system
  • Device identifiers
  • Screen resolution

Usage Information

  • Pages visited and features used
  • Time spent on pages
  • Clicks and interactions
  • Referral sources
  • Search queries within the Service

Cookies and Tracking Technologies

  • Session cookies for authentication
  • Preference cookies for settings
  • Analytics cookies for usage tracking

See our Cookie Policy for more details.

1.3 Information from Third Parties

Authentication Providers

If you sign in via third-party providers (when available), we receive basic profile information they provide

Workspace Invitations

When invited to a workspace, we receive your email address from the inviting user

1.4 Information from Public Sources

For our product catalog feature (Radar), we collect publicly available information from brand and product websites:

  • Product names, descriptions, and specifications
  • Brand information and metadata
  • Pricing information (where publicly listed)
  • Product images and media (linked, not copied)

This information is used to maintain an accurate product database for discovery purposes. We do not collect personal information about individuals from public sources.

For brands: If you represent a brand and wish to request correction, removal, or claim your brand profile, please contact us at support@heywav.com.

2. How We Use Your Information

2.1 To Provide the Service

  • Create and manage your account
  • Authenticate your identity
  • Store and display your content
  • Enable collaboration in workspaces
  • Process and respond to your requests
  • Send transactional emails (password resets, invitations, notifications)

2.2 To Improve the Service

  • Analyze usage patterns and trends
  • Identify bugs and technical issues
  • Develop new features
  • Optimize performance

2.3 To Communicate With You

  • Respond to support inquiries
  • Send service-related announcements
  • Notify you of changes to our policies
  • Send marketing communications (only with your consent)

2.4 To Ensure Security

  • Detect and prevent fraud
  • Monitor for suspicious activity
  • Enforce our Terms of Service
  • Protect the rights and safety of users

2.5 To Comply With Law

  • Respond to legal requests
  • Comply with applicable regulations
  • Protect our legal rights

3. Marketing Communications

3.1 Opt-In Consent

During account registration, you may choose to opt in to receive marketing emails by checking the marketing consent checkbox. This is not pre-checked; you must actively consent.

3.2 Opting Out

You can unsubscribe from marketing emails at any time by:

  • Clicking the unsubscribe link in any marketing email
  • Updating your preferences in account settings
  • Contacting us at support@heywav.com

Opting out of marketing does not affect transactional emails necessary for the Service.

4. Information Sharing

4.1 With Your Consent

We share information when you direct us to, such as:

  • Publishing content to your public profile
  • Sharing workspaces with invited members
  • Publishing collections for public viewing
  • Posting comments on public products

4.2 Workspace Members

Within a workspace, members can see:

  • Shared projects, songs, contacts, events, and tasks
  • Activity within the workspace
  • Other members' names and roles

Workspace administrators have additional access to workspace settings and data.

4.3 Public Information

The following may be publicly visible:

  • Your public profile (name, photo, bio, links)
  • Comments you post on public products
  • Collections you choose to publish
  • Upvotes and activity on public products

4.4 Service Providers

We share information with third-party service providers who assist in operating the Service:

ProviderPurposeData Shared
SupabaseDatabase, authentication, file storageAll account and content data
StripePayment processing, subscriptionsEmail, name, payment method details, billing address
PostHogProduct analytics (US-hosted)With consent: user ID, email, name, workspace info, behavior events, page views, device info
ResendEmail deliveryEmail addresses, email content
CloudflareSecurity, CAPTCHA, DDOS protectionIP address, browser characteristics, request patterns for bot detection and firewall
VercelWebsite hosting, CDN, DDOS/firewall protectionIP address, device info, browser type, location (city/country from IP), request data
Anthropic (Claude)AI-powered content enrichmentProduct/brand information from public sources (admin use only, not user data)

These providers are contractually obligated to protect your data and use it only for the services they provide to us.

Note on AI services: We use Anthropic's Claude API for enriching product catalog data. Per Anthropic's commercial API terms, inputs and outputs are not used for model training.

4.5 Webhooks and Integrations

If you configure webhooks to send data to external URLs:

  • Form submission data is sent to your specified endpoints
  • You are responsible for the security and compliance of those destinations
  • We are not responsible for how third parties handle data you send them

4.6 Legal Requirements

We may disclose information if required by law or if we believe disclosure is necessary to:

  • Comply with legal process
  • Protect our rights or property
  • Protect the safety of users or the public
  • Detect and prevent fraud

4.7 Business Transfers

If Hey Wav is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any change in ownership or use of your personal information.

5. Data Retention

5.1 Active Accounts

We retain your data as long as your account is active and as needed to provide the Service.

5.2 Deleted Content

When you delete content:

  • Soft delete: Items are moved to Trash and marked with a deletion timestamp
  • Trash retention: Deleted items can be recovered from Trash
  • Permanent deletion: When you empty Trash, data is permanently removed from active systems
  • Backups: Data may persist in backups for up to 30 days after permanent deletion

5.3 Deleted Accounts

When you delete your account:

  • Personal data is deleted within 30 days
  • Workspace data may be retained if the workspace has other members
  • Some data may be retained for legal compliance (e.g., payment records)
  • Aggregated, anonymized data may be retained indefinitely

5.4 Analytics Data

Usage analytics are retained according to our analytics provider's policies:

  • PostHog: 90 days for detailed event data

6. Your Rights and Choices

6.1 Access Your Data

You can access your personal data through:

  • Your account settings and profile
  • Workspace data views
  • The "Download My Data" feature in account settings
  • API endpoints (for technical users)

6.2 Correct Your Data

You can update your personal information in:

  • Profile settings
  • Workspace settings
  • Individual record editing

6.3 Delete Your Data

You can delete:

  • Individual records (projects, contacts, etc.) via the app
  • Your entire account via account settings (includes 30-day grace period)

6.4 Export Your Data

You can export your data by:

  • Using the "Download My Data" feature in account settings
  • Contacting us for a data export request

6.5 Restrict Processing

You can request that we limit how we process your data in certain circumstances.

6.6 Object to Processing

You can object to processing based on legitimate interests.

6.7 Data Portability

You can request your data in a portable format (JSON).

6.8 Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time.

6.9 How to Exercise Your Rights

To exercise any of these rights, contact us at support@heywav.com. We will respond within 30 days.

7. Data Security

7.1 Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of data at rest
  • Secure password hashing
  • Access controls and authentication
  • Regular security assessments
  • Employee security training

7.2 Authentication Security

  • Passwords are hashed using industry-standard algorithms
  • CAPTCHA protection against automated attacks
  • Session tokens for authenticated access
  • Secure cookie handling

7.3 No Guarantee

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

8. International Data Transfers

8.1 Data Location

Your data is primarily processed in the United States. Our service providers also process data in the United States.

8.2 Transfer Mechanisms by Provider

ProviderLocationTransfer Mechanism
SupabaseUnited StatesStandard Contractual Clauses (SCCs)
StripeUnited StatesEU-US Data Privacy Framework, SCCs
PostHogUnited StatesStandard Contractual Clauses (SCCs)
ResendUnited StatesStandard Contractual Clauses (SCCs)
CloudflareGlobal (CDN)Standard Contractual Clauses (SCCs)
VercelGlobal (US primary)EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs)

8.3 Safeguards

For international transfers from the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs): EU-approved contract terms that bind recipients to data protection standards
  • EU-US Data Privacy Framework: For providers that have self-certified under this framework
  • Supplementary measures: Encryption in transit and at rest, access controls, and data processing agreements

9. Children's Privacy

The Service is not intended for children under 18. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

10.1 Right to Know

You can request information about:

  • Categories of personal information collected
  • Sources of personal information
  • Purposes for collection
  • Categories of third parties with whom we share data
  • Specific pieces of personal information we hold

10.2 Right to Delete

You can request deletion of your personal information, subject to certain exceptions.

10.3 Right to Opt-Out of Sale/Sharing

We do not sell personal information in the traditional sense. However, sharing data with analytics providers may constitute "sharing" under CPRA. You can opt out using our cookie preferences or by enabling Global Privacy Control (GPC) in your browser.

10.4 Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

10.5 How to Exercise Rights

  • Use the "Do Not Sell or Share My Personal Information" option in cookie preferences
  • Enable Global Privacy Control (GPC) in your browser
  • Contact us at support@heywav.com

11. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), UK, or Switzerland:

11.1 Legal Bases for Processing

We process your data based on the following legal bases under GDPR Article 6:

Processing ActivityLegal BasisDetails
Account creation and managementContract (Art. 6(1)(b))Necessary to provide the Service you requested
Storing your contentContract (Art. 6(1)(b))Core functionality you signed up for
Transactional emailsContract (Art. 6(1)(b))Necessary for service delivery
Analytics (with consent)Consent (Art. 6(1)(a))Only after explicit opt-in; you can withdraw anytime
User identification in analyticsConsent (Art. 6(1)(a))Separate, explicit consent required
Marketing communicationsConsent (Art. 6(1)(a))Opt-in during registration; you can unsubscribe anytime
Security and fraud preventionLegitimate interest (Art. 6(1)(f))Protecting users and the Service from abuse
Service improvementLegitimate interest (Art. 6(1)(f))Improving features based on aggregated usage
Payment processingContract (Art. 6(1)(b))Necessary to process your payments
Tax and financial recordsLegal obligation (Art. 6(1)(c))Required by applicable tax laws

11.2 Your Rights

In addition to the rights in Section 6, you have the right to:

  • Lodge a complaint with your local supervisory authority
  • Receive information about international transfers (see Section 8)
  • Object to processing based on legitimate interests
  • Request restriction of processing in certain circumstances

11.3 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or place of the alleged infringement if you believe our processing of your personal data violates the GDPR.

11.4 Data Protection Contact

For data protection inquiries, contact us at privacy@heywav.com.

12. Brazilian Privacy Rights (LGPD)

If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD):

12.1 Your Rights

  • Confirmation of the existence of data processing
  • Access to your data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion of unnecessary or excessive data
  • Portability of data to another service provider
  • Deletion of personal data processed with your consent
  • Information about public and private entities with which we share data
  • Information about the possibility of not providing consent and the consequences
  • Revocation of consent

12.2 Legal Bases

We process your data based on:

  • Performance of contract
  • Legitimate interests
  • Consent (where required)
  • Legal or regulatory obligation

12.3 How to Exercise Rights

Contact us at support@heywav.com. We will respond within 15 days as required by LGPD.

13. Canadian Privacy Rights (PIPEDA)

If you are in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

13.1 Your Rights

  • Access to your personal information
  • Correction of inaccurate information
  • Knowledge of how your information is used
  • Withdrawal of consent (subject to legal or contractual restrictions)

13.2 Consent

We obtain meaningful consent for the collection, use, and disclosure of your personal information. You may withdraw consent at any time, subject to legal or contractual restrictions.

13.3 How to Exercise Rights

Contact us at support@heywav.com. We will respond within 30 days.

14. South African Privacy Rights (POPIA)

If you are in South Africa, you have rights under the Protection of Personal Information Act (POPIA):

14.1 Your Rights

  • Access to your personal information
  • Correction or deletion of your personal information
  • Object to the processing of your personal information
  • Lodge a complaint with the Information Regulator

14.2 How to Exercise Rights

Contact us at support@heywav.com. We will respond within 30 days.

15. Australian Privacy Rights

If you are in Australia, you have rights under the Privacy Act 1988 and Australian Privacy Principles (APPs):

15.1 Your Rights

  • Access to your personal information
  • Correction of inaccurate information
  • Complaint to the Office of the Australian Information Commissioner (OAIC)
  • Request anonymity or use of a pseudonym where practicable

15.2 How to Exercise Rights

Contact us at support@heywav.com. We will respond within 30 days.

16. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to review their privacy policies.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

  • We will post the updated policy on this page
  • We will update the "Last Updated" date
  • For material changes, we may notify you via email or in-app notification

Continued use of the Service after changes constitutes acceptance.

18. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

  • Email: privacy@heywav.com
  • Support: support@heywav.com
  • Company: Hey Wav, Inc., a Delaware corporation

19. Data Processing Details

19.1 Categories of Personal Data

CategoryExamplesPurpose
IdentifiersEmail, name, user IDAccount management, authentication
Contact infoEmail addressCommunications, notifications
Profile dataPhoto, bio, linksDisplay on profile, personalization
ContentProjects, songs, contactsCore service functionality
Usage dataPage views, clicks, features usedAnalytics, improvement
Device dataBrowser, OS, IP addressSecurity, optimization
LocationTimezone, stated locationPersonalization, scheduling

19.2 Retention Periods

Data TypeRetention Period
Account dataUntil account deletion + 30 days
Content (active)Until deleted by user
Content (trash)Until permanently deleted + 30 day backup period
Usage analytics90 days
Security logs90 days
Payment records7 years (tax compliance)

This Privacy Policy was last updated on January 20, 2026.