This policy describes our current practices in good faith and is undergoing review by counsel; we will post any updates here.

Privacy Policy

Last updated: June 10, 2026

Wavemist is operated by Wavemist, Inc., a Delaware corporation (131 Continental Dr Suite 305, Newark, Delaware 19713). This policy explains what we collect, why, who we share it with to run the service, how long we keep it, and the choices you have. We've written it in plain language.

We do not sell your personal data — not to advertisers, data brokers, or anyone else. We don't share it for cross-context behavioral advertising.

Data you give us

When you create an account and use Wavemist, you provide an email address, authentication credentials, and the content you enter or upload — shows, budgets, line items, actuals, vendors, documents, and similar production data. We store this to provide the service to you.

Analytics & visitor data we collect automatically

We run our own privacy-conscious analytics (no third-party ad trackers). When you visit, we record a page event that includes:

  • the page path you viewed and the referring site's hostname;
  • your raw IP address, and coarse location derived from it (country, region, city, and approximate latitude/longitude) provided by our hosting edge network;
  • your device, browser, and operating system (parsed from your browser's user-agent string);
  • a session identifier that is a one-way hash rotated daily (so we can count visits without a persistent cross-day tracker); and
  • your user ID, if you are signed in.

This data is admin-only — it is not publicly readable and is used to understand usage, measure performance, and protect the service.

Analytics is consent-gated. We ask for your choice in a banner and only send the analytics page event if you accept. Declining does not affect sign-in or any essential functionality.

With your consent, we also use PostHog (a US-hosted product analytics service) to understand which pages are visited and which features are used. What PostHog receives is deliberately limited: page paths (with any query parameters removed), the referring site, and clicks with all on-screen text and element attributes masked — the content you type or upload is never captured. We do not identify you to PostHog by name or email. If you decline, PostHog never loads at all.

Session replay on public marketing pages only. With your consent, we may replay anonymized visits to our public marketing pages (such as the homepage, pricing, and FAQ) to see how visitors read and scroll our own copy. Anything typed into a form is masked. Pages inside the app — anywhere your production data appears — are never recorded.

Visitor intelligence (network/company lookup)

To understand which organizations and networks visit us, we match the IP address we already stored against an offline IP-to-network dataset held inside our own database. This estimates the visitor's internet provider or company. No IP address is ever sent to a third party for this — the lookup happens entirely within our own systems, with no external API call.

AI processing of content you submit

Some features use AI. When you use them, the text or documents you submit are sent to our AI subprocessors to generate answers, briefs, or other output:

  • Anthropic (Claude) — generates answers and briefs from your input;
  • Voyage AI — creates embeddings (numeric representations) used for search and retrieval.

Per these providers' terms, content sent through their APIs is not used to train their models. AI output can be wrong — see our Terms of Service for the disclaimer on relying on AI-generated numbers.

Subprocessors & where data is stored

We rely on these providers to operate Wavemist:

  • Supabase — hosted Postgres database and authentication (primary data store, US region us-west-1);
  • Vercel — application hosting and edge network (also the source of coarse geolocation);
  • Anthropic — AI answer/brief generation;
  • Voyage AI — AI embeddings;
  • Resend — dispatch and notification emails (Supabase sends authentication emails);
  • PostHog — consent-gated product analytics (masked, as described above; US-hosted);
  • Sentry — error reporting when something breaks; reports are scrubbed of IP addresses, emails, cookies, and auth headers before they are sent.

Our primary database is hosted in the United States (us-west-1).

Cookies & local storage

We use a strictly necessary, httpOnly session cookie to keep you signed in — this is essential and cannot be turned off while you use the app. We store your analytics consent choice in your browser's local storage (key wavemist_consent). We do not use third-party advertising cookies.

Local cache on your device (plaintext)

To work offline, Wavemist caches data in your browser's origin-private file system (OPFS). This local cache is currently stored in plaintext. At-rest encryption of the local cache with a device-derived key is planned but not yet enabled. Until it ships, anyone with access to your device and browser profile could read the cached data. Use a device you trust and lock it.

How long we keep data

We keep account and production data for as long as your account is active, and for a reasonable period afterward to meet legal, security, and backup obligations. Analytics page events are retained only as long as needed for product and security analysis. You can request deletion at any time (see below).

Your rights

You may request access to, correction of, or deletion of your personal data. To exercise any of these rights, email us at admin@wavemist.io and we'll respond.

Contact

Questions about this policy or our data practices: admin@wavemist.io, or +1 (415) 236-3857.
