Last updated: 26 May 2026
This Privacy Policy explains how Wavertech Ltd. ("Wavertech", "we", "us") handles personal data when you use WAVER+, the online account, billing, licensing, and optional service management system for WAVER Gateway devices.
Where Wavertech processes personal data on the Customer's behalf (for example, AI Service inputs and outputs or PMS integration data), the controller-to-processor terms in our Data Processing Addendum apply (Terms and Conditions, Section 23).
Wavertech Ltd., Vasil Mechkuevski 22, 2700 Blagoevgrad, Bulgaria. EU VAT: BG204530090.
For privacy questions and to exercise your data protection rights, contact our Privacy Contact at [email protected].
As Wavertech Ltd. is established in Bulgaria, our lead supervisory authority for matters under the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") is the Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни) - https://www.cpdp.bg. You also have the right to lodge a complaint with the supervisory authority of the EU member state in which you reside or work.
The data WAVER+ collects falls into the categories described below.
Information you provide when creating and maintaining a WAVER+ account, such as full name, business email, company name, country, password (stored as a hash), and two-factor authentication settings.
Information about your subscriptions and licenses, including plan name, billing interval, start and end dates, subscription status, invoice references, and amounts charged. Payment card details are handled directly by our payment processor (Stripe). WAVER+ stores references such as customer and invoice IDs, not full card numbers.
Billing address, VAT identification number, and other invoice-relevant information are stored in our payment processor and may be cached locally in WAVER+ for display purposes.
Information about WAVER Gateway devices that you link to your account, such as device name, device ID, model and firmware identifiers, cloud URL, pairing status, sync status, cloud access status, last sync time, and license assignment state.
Records related to the operation of WAVER+, such as IP address, request metadata, authentication events, rate-limit counters, error logs, and security events. These logs are used for security, troubleshooting, abuse prevention, and reliability.
Messages you send to our support channels, along with any information you choose to include in those messages.
If you enable an AI Service License, the prompts you send and the generated outputs are transmitted to the AI provider for processing. WAVER+ retains limited metadata (request timestamp, model, token counts) for metering, abuse prevention, and quality monitoring. Provider-side retention of prompts and outputs is governed by the AI provider's terms.
If you enable a PMS Integration, configuration values, connection metadata, and the limited data fields necessary to operate the integration may be processed. The Customer remains responsible for configuring and authorizing the integration.
WAVER+ is designed so that guest WiFi traffic and End-User communications processed by a WAVER Gateway device normally remain on the device and are not transmitted to WAVER+. Traffic may be transmitted to WAVER+ or to a third-party provider only when a specific Optional Service or integration expressly requires it, and only after the Customer enables that service.
For Customer account, billing, and operational data, Wavertech Ltd. acts as the data controller.
For data relating to End Users of a guest network operated by a WAVER Gateway device, the Customer (the operator of the device) is the data controller. Where an Optional Service processes such data on the Customer's behalf, Wavertech Ltd. acts as a data processor and processes that data on the Customer's instructions, as documented in the Data Processing Addendum (Terms and Conditions, Section 23).
Where the GDPR or similar law applies, we process personal data on the following legal bases, depending on the activity:
We do not sell personal data. We share data with the following named subprocessors and recipients to operate WAVER+. Our authority to engage these subprocessors is granted by the Customer in the Data Processing Addendum (Terms and Conditions, Section 23). New or replacement subprocessors will be announced with reasonable advance notice.
| Subprocessor | Role | Location |
|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing, subscription billing, customer portal, invoicing, VAT calculation | Ireland (EU) |
| Amazon Web Services EMEA SARL | Hosting and storage of WAVER+ application data | EU region (Frankfurt) |
| Cloudflare, Inc. | Edge CDN, DDoS protection, TLS termination, and Turnstile bot/CAPTCHA challenge on login and signup | Global, EU edge POPs; corporate seat in the United States |
| OpenAI Ireland Limited | AI text processing for the Customer's AI Service prompts. Engaged only when the Customer enables an AI Service License using an OpenAI-supported model. | Ireland; provider may process in the United States under Standard Contractual Clauses |
| Anthropic, PBC | AI text processing for the Customer's AI Service prompts. Engaged only when the Customer enables an AI Service License using an Anthropic-supported model. | United States, under Standard Contractual Clauses |
Transactional email (account verification, password reset, billing notifications) is sent from Wavertech's own mail server using our own infrastructure; no third-party email provider is engaged for outbound email.
In addition to the subprocessors above, we may disclose data to authorities, regulators, or other parties where required by law.
The primary storage location for WAVER+ application data is in the European Union (Frankfurt region). Two categories of processing involve potential transfers outside the EEA:
Where personal data is transferred to a country that is not subject to an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent measures recognized under applicable law.
We keep account and operational data for as long as your WAVER+ account is active. After the account is closed, some categories of data are retained for the periods required by law and by our payment processor, including billing records, tax records, and security records.
Logs and operational records are retained only for as long as needed for the purposes described in this Policy, after which they are deleted or anonymized.
We apply appropriate technical and organizational measures to protect personal data, including encrypted transport, authenticated and authorized access, application-level rate limiting, logging of security-relevant events, and periodic review of provider configurations. No system is completely secure; we work to reduce risk and to respond to security events when they occur.
Depending on your country, you may have rights under data protection law, including:
Most actions can be performed from your WAVER+ account settings. For other requests, contact [email protected]. We may need to verify your identity before acting on a request.
WAVER+ uses cookies and similar technologies only to the extent necessary for the service to function. We do not use advertising cookies, behavioral tracking cookies, or third-party analytics cookies.
On the login and signup pages we embed Cloudflare Turnstile, which may set its own challenge tokens or cookies to verify that the visitor is not an automated bot. These are managed by Cloudflare; consult Cloudflare's documentation for the current list and behavior.
When you proceed to checkout or open the Stripe Customer Portal, you are temporarily on a Stripe-hosted page. Stripe may set its own cookies for fraud prevention and session continuity while you are on that page. These are governed by Stripe's own privacy and cookie notices.
You can clear or block cookies in your browser settings. Blocking the strictly necessary cookies listed above will break sign-in and the dashboard. We do not provide an in-app cookie consent banner because we do not use any cookies that require GDPR consent (no advertising, no behavioral tracking, no third-party analytics).
WAVER+ is intended for business customers and is not directed at children. We do not knowingly collect personal data from children. If you believe a minor has provided data to WAVER+, contact [email protected] so we can investigate and take appropriate action.
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page shows when the latest version took effect. Material changes will be communicated by email or in-app notice before they take effect.
Wavertech Ltd., Vasil Mechkuevski 22, 2700 Blagoevgrad, Bulgaria. EU VAT: BG204530090.
For privacy questions, data subject requests, or to contact our Privacy Contact, email [email protected].
For general or sales enquiries, email [email protected]. For technical support, email [email protected].