Privacy Policy for Wav Social

Last Updated: May 2026

1. Information We Collect

Account and authentication

When you register or sign in, we collect:

  • Email address and password (handled via Supabase Auth)

  • Supabase user ID and email verification status

  • Password reset and email confirmation activity

  • Login security data: IP address, user agent, login success/failure, and risk scores used for abuse prevention (stored in auth_login_attempts)

  • CAPTCHA verification tokens (Cloudflare Turnstile) when required during signup or login

During onboarding, we collect:

  • First name and last name

  • Date of birth (18+ required)

  • Preferred language

  • Profile photo (camera or photo library)

  • Selected interest tags

Pending onboarding data (email, account fields, tag selections, and a copy of your profile photo) may be stored locally on your device until email verification completes.

Profile and preferences

We store profile and preference data in our database, including:

  • Email, first name, last name, and display name fields

  • Date of birth

  • Profile photo URL

  • Selected tags and user-created tags

  • Preferred language

  • Approximate location as latitude and longitude

  • Search distance preference (default 100 km; premium users may set 10–500 km or worldwide)

  • Whether to auto-sync location from device GPS (use_device_location)

  • Premium status: subscription type, start/expiry dates, source, and last purchase token

  • Account timestamps (created, updated, last login)

Location

We collect location to power discovery and nearby matching:

  • Precise GPS coordinates when you choose “Use current location” or when device location sync is enabled

  • Coordinates from a city you manually select via search

  • City names derived from coordinates via OpenStreetMap Nominatim (reverse geocoding sends lat/lon and language preference to Nominatim; city search sends your search query). Reverse geocoding requests sent to OpenStreetMap Nominatim contain only numerical coordinates and language parameters; no account identifiers, names, or profile details are ever exposed to this service.

Precise GPS coordinates are collected solely to establish nearby matching vectors and are overwritten dynamically upon your next location sync. We do not maintain or store historical location logs, trip paths, or tracking timelines. You can opt out of automatic background device location sync at any time via your device operating system permissions or the in-app preference settings.

Non-premium users sync device location by default. Premium users may disable automatic GPS sync and set a fixed location instead.

Photos and user-generated content

  • Profile photos: uploaded to Supabase Storage (images bucket)

  • Posts: text content you publish to the timeline, optional tags, optional attached photo, and wave activity from other users; stored in our database and visible to other users according to app discovery rules; posts older than 24 hours are removed by scheduled cleanup

  • Post photos: when you attach an image to a post, it is uploaded to Supabase Storage (post_images bucket)

  • Comments: text content on posts (soft-deleted via deleted_at when removed)

  • Reports: reported user ID, reason, and optional context when you report another user

Messages

Direct messages between connected users are securely encrypted in transit and at rest to prevent unauthorized access. This is not end-to-end encryption: message content is encrypted on your device before storage, but our backend infrastructure retains the cryptographic capability needed to process and deliver messages. We process:

  • Sender and receiver user IDs

  • Encrypted message content and encrypted sender-side content

  • Message timestamps and read status (read_at)

  • Message metadata for analytics: message length, message type, and whether a message is the first in a conversation

  • Push notification previews (first ~50 characters of message text) sent to recipients via Firebase Cloud Messaging

Cryptographic data associated with messaging includes public keys, encrypted private keys, hashed key values, and key version metadata stored in user_keys and private_keys.

Social activity and usage analytics

To operate, optimize, and improve our services, we process interaction, connection, and application performance data using both secure internal infrastructure and trusted third-party SDKs.

Internal Feature Analytics (Stored in our Supabase Database)

We collect and store social behavior metrics directly within our Supabase infrastructure (user_interactions, connection_events, connection_metrics, connection_ratings, user_blocks). This data is used solely to maintain app functionality and compute nearby matching vectors, including:

  • Waves sent/received, connections, blocks (with optional reason), and connection ratings (with optional comment)

  • Profile views and profile expansions (duration, similarity score, common tags, source screen)

  • Connection events (waves, mutual waves, first messages, connection established)

  • Connection metrics (message counts, conversation duration, average response time)

  • Post views and wave activity on posts

Third-Party Telemetry and Performance Analytics (Google Firebase)

To ensure real-time application stability and analyze user engagement trends, we utilize Google Firebase SDKs within the mobile application. These services process data dynamically:

  • Firebase Crashlytics: In the event of an application crash or non-fatal error, the app transmits technical debugging data to Google Firebase. This includes crash stack traces, point-in-time device metadata (device model, operating system version, orientation), and a localized Crashlytics installation UUID. This data contains no Personally Identifiable Information (PII) and is used exclusively to deploy stability hotfixes.

  • Firebase Analytics: We collect anonymized app session events, such as session duration, screens visited, and core application interactions (e.g., triggering a registration, entering onboarding, or sending a wave). This data is aggregated to help us evaluate feature engagement and performance across varying hardware profiles.

We do not utilize any other third-party behavioral tracking or advertising SDKs (such as Mixpanel, Sentry, or Google Mobile Ads).

Notifications and device data

When you grant notification permission, we collect and store:

  • Firebase Cloud Messaging (FCM) device token

  • Device platform (ios or android)

  • Token update timestamps in user_devices

Notification payloads may include sender user ID, sender first name, message type, and post ID for deep linking.

Purchases

If you buy premium through the App Store or Google Play, we process:

  • Product ID and platform

  • Purchase token / receipt data (sent to our backend for verification with Apple or Google)

  • Premium activation metadata stored on your user profile

Payment processing is handled by Apple or Google; we do not collect or store payment card numbers.

Local device storage and caching

The app may store data on your device, including:

  • Preferred language and translation cache (SharedPreferences)

  • Pending onboarding bundle before email verification (SharedPreferences and app documents directory)

  • Scheduled notification state

  • Cached profile, discover, timeline, and network images

2. Device Permissions

To provide core application features, our mobile app requests access to specific device systems. You can revoke these permissions at any time through your operating system settings.

Android (AndroidManifest.xml)

  • Internet — required for network access, authentication, and sync

  • Notifications: POST_NOTIFICATIONS, WAKE_LOCK, VIBRATE, RECEIVE_BOOT_COMPLETED for push and scheduled notifications

  • Location: ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION for nearby discovery and location updates

iOS (Info.plist)

  • Location when in use — “Wav needs your location to show nearby people and personalize discover.”

  • Location always and when in use — “Wav uses your location to improve nearby discovery and notifications.”

  • Camera — “Wav needs camera access so you can take profile and post photos.”

  • Photo library — “Wav needs photo library access so you can choose images for your profile and posts.”

  • Background modes: fetch and remote-notification for background notification delivery

Not requested

The app does not declare microphone, contacts, calendar, Bluetooth, or health/fitness permissions in its platform manifests.

3. Third-Party Data Services

We do not sell your personal data. We rely on trusted third-party service providers to host, secure, and operate core aspects of our application infrastructure. These external providers process data strictly in accordance with their respective privacy frameworks:

Supabase

  • Purpose: Authentication, core relational database infrastructure, secure cloud file storage, real-time sync subscriptions, and backend Edge Functions.

  • Data Processed: Account credentials, user profile records, social network interactions, encrypted messaging metadata, app-performance data, purchase logs, and mobile device-token records.

Google Firebase (FCM, Crashlytics, and Analytics)

  • Purpose: Secure push notification delivery, real-time application crash reporting, error monitoring, and aggregated user engagement analytics.

  • Data Processed: Firebase Cloud Messaging (FCM) device tokens, notification titles/bodies, deep-linking payload metadata, point-in-time debugging crash stack traces, hardware/OS specifications, unique installation UUIDs, and aggregated, anonymous app-session event logs.

Apple App Store & Google Play Console

  • Purpose: Management of premium in-app subscriptions and digital receipt verification.

  • Data Processed: Cryptographic purchase tokens, digital receipt strings, transactional product IDs, and device platform identification.

Cloudflare Turnstile

  • Purpose: Automated CAPTCHA verification and bot/abuse protection during account registration and sign-in.

  • Data Processed: User-challenge interactions, unique cryptographic verification tokens, and user IP addresses.

OpenStreetMap Nominatim

  • Purpose: Dynamic geographic city searching and reverse geocoding to calculate nearby user discovery parameters.

  • Data Processed: Geographic coordinates (latitude/longitude), localized search text queries, user language preferences, and browser User-Agent strings.

Google Translate (via translator package)

  • Purpose: Translating custom tag labels to bridge language preferences between users.

  • Data Processed: Isolated raw tag text strings sent for machine translation. The resulting translations are cached purely on-device.

On-Device Software Libraries

The application also utilizes several technical libraries that execute code locally on your physical hardware. These libraries do not transmit data to external third-party servers and are not considered data processors:

  • Flutter Local Notifications, Geolocator, Image Picker, Cached Network Image, SharedPreferences, Path Provider, App Links, Share Plus, URL Launcher, and Encrypt/Crypto (local message encryption).

Services Not Utilized

To protect your privacy, we maintain a minimal tracking footprint. Third-party advertising networks or independent behavioral trackers—such as Sentry, Mixpanel, Stripe, Google Mobile Ads, or tracking/retargeting SDKs—are completely absent from our application dependencies.

4. Account Deletion and Data Retention

We retain your personal information while your account remains active and as needed to provide the service.

In-app account deletion

You may permanently delete your account directly within the application via Settings → Delete Account. Deletion invokes our delete-account Supabase Edge Function, clears local app caches, and signs you out.

Upon triggering account deletion, all personal data, user profile records, private keys, direct messages, and user-generated content (including posts, comments, and uploaded photos in our storage buckets) are permanently deleted from our active production databases. Associated files in storage buckets are automatically purged. Residual data strictly contained in automated database backup files will be overwritten in accordance with our standard backup retention cycle (not to exceed 30 days).

Other deletion and retention practices

  • Posts: you may delete your own posts; associated comments may cascade delete. Posts and comments older than 24 hours are removed by a scheduled daily_cleanup job; post image files in storage are removed with that cleanup.

  • Comments: deleted comments are soft-deleted (deleted_at) rather than immediately purged.

  • Chat: the app includes logic to delete messages and connection records between two users in specific flows.

  • FCM tokens: invalid or unregistered device tokens are removed when Firebase reports delivery failures.

  • Onboarding: pending local onboarding data is cleared after successful email verification or failed signup.

Under applicable privacy laws (including GDPR), you may have the right to request erasure of your data. For questions or requests not covered by in-app deletion, contact us using the details below.

5. Children’s Privacy

Our services are strictly intended for individuals aged 18 and older. We do not knowingly collect or solicit personal information from anyone under the age of 18. If we discover that a minor has bypassed our onboarding age-gate and created an account, we will immediately terminate the account and permanently delete all associated data from our servers.

6. Contact Us

If you have questions regarding this policy, contact us at: hello@wav.social