Privacy Policy
wavegrey.com
Last updated: 11 juillet 2026. This policy describes how WaveGrey ("we"), operated by OrizonLab [full legal name, company form, registration number and registered address to be completed], collects, uses and protects the personal data of wavegrey.com users, in accordance with the General Data Protection Regulation (GDPR — EU 2016/679).
1. Data controller
The data controller is OrizonLab [registered office address to be completed]. For any question about your personal data, contact us at: [GDPR contact email to be defined — e.g. privacy@wavegrey.com].
2. Data we collect
- Account — email address and password (hashed, never stored in plain text).
- Google sign-in (if used) — email, name, profile picture and Google account identifier provided by Google; we never receive or store your Google password or any other Google account data.
- Audio files — the uploaded file and the processed output, stored temporarily on our servers and automatically deleted 24 hours after delivery.
- Audio metadata — BPM, key, LUFS, clipping rate, bandwidth and other technical measurements extracted from the file, kept with your processing history (never the audio content itself).
- Billing — handled entirely by Stripe; we never receive or store your card details.
- Essential cookies — httponly, secure session cookies required for authentication, cannot be disabled.
- Analytics cookies — Google Analytics (GA4), set only after your explicit consent via the cookie banner.
3. Purposes and legal bases
- Providing the service and performing the contract (track processing, account management).
- Billing and accounting/tax obligations (legal obligation).
- Security, fraud and abuse prevention (legitimate interest).
- Audience measurement and product improvement (consent, analytics cookies).
4. Data recipients
Your data may be shared with the following processors, strictly limited to what the service requires:
- Stripe (payments) — PCI-DSS compliant.
- Anthropic (AI analysis) — receives only extracted audio metadata (BPM, LUFS, bandwidth, etc.), never the audio file.
- Google (OAuth authentication, if you choose this sign-in method).
- Our hosting provider (server infrastructure).
We do not sell or rent your personal data to third parties. Some processors (Anthropic, Google) are established outside the European Union; these transfers are governed by the European Commission's Standard Contractual Clauses or an equivalent adequacy mechanism.
5. Retention period
- Audio files (uploaded and processed): automatically deleted 24 hours after delivery.
- Account and processing history: kept while the account is active, then deleted on request or after an extended period of inactivity.
- Billing data: kept for the legally required accounting retention period.
6. Your rights
Under the GDPR, you have the right to access, rectify, erase, restrict, object to processing, and port your data. You may also withdraw your consent to analytics cookies at any time. To exercise these rights, contact us at the address in Section 1; we respond within one month at the latest. You may also lodge a complaint with your national data protection authority.
7. Security
Hashed passwords (bcrypt), httponly and secure authentication cookies, encrypted connections (HTTPS/TLS), automatic deletion of audio files after 24 hours. Despite these measures, no system is 100% infallible; we recommend using a strong, unique password.
8. Minors
The service is not intended for individuals who have not reached the legal digital consent age applicable in their country of residence.
9. Changes
This policy may be updated; the last-modified date is shown at the top of this page. We encourage you to review it periodically.
