Privacy Policy
This Privacy Policy explains what personal information MyWave collects about you when you visit our website, use our Innovation Hub, or otherwise interact with us. It is written to align with UK GDPR, EU GDPR, CCPA/CPRA, and other applicable privacy and data protection laws.
1. Introduction
MyWave.ai ("MyWave", "we", "our", "us") is committed to protecting personal information. This Privacy Policy explains what personal information we collect about you when you visit our website, use our Innovation Hub, or otherwise interact with us; how we use it, who we share it with, how long we keep it, and the rights you have over it. It is written to align with the UK and EU General Data Protection Regulations (UK GDPR and GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and other applicable privacy and data protection laws.
This policy sits alongside our AI Ethics Policy, which sets out the principles that govern how we design and deploy AI. Together, the two policies describe how MyWave behaves with both your personal information and your trust.
Customers, integrators, and procurement teams who need operational detail — our sub-processor list, our retention practices in full, security control mapping, and our Data Processing Addendum — can request our Privacy Supplement through their account contact at MyWave.
2. Who We Are and How Our Products Work
MyWave.ai is a software vendor providing the MyWave agentic AI platform. The platform has two parts, and the distinction matters for understanding how personal information is handled.
Innovation Hub (operated by MyWave)
The Innovation Hub is the design-time environment that customer and integrator staff use to design, configure, and review MyWave agents. MyWave hosts the Innovation Hub on Google Cloud Platform in the United Kingdom.
MyWave retains two categories of personal information about Innovation Hub users: an email address, used to authenticate the user and to send service communications; and the prompts the user enters into the conversational agent builder, which MyWave processes to generate agent designs. Builder prompts are treated as confidential to the user's organisation and are described in more detail in Section 4.
MyWave Runtime (operated by the customer)
The MyWave Runtime is the component that executes deployed agents. It is installed inside the customer's own cloud tenant and operated by the customer. MyWave does not host the Runtime, does not have standing access to it, and does not receive personal information processed inside it. Personal information processed by the Runtime is governed by the customer's own privacy policy.
Where we determine the purposes and means of processing your personal information, we act as the controller. Where we process personal information on a customer's behalf in connection with their use of the Innovation Hub, we act as a processor under that customer's instructions, governed by the Data Processing Addendum to the customer's contract with us.
3. Who This Policy Covers
This policy applies to:
visitors to our public website at mywave.ai;
Innovation Hub users — staff at customer, partner, and integrator organisations who hold an Innovation Hub account;
commercial contacts at customer, prospect, partner, and integrator organisations who interact with us;
job applicants and people who otherwise contact us.
4. Information We Collect and How We Use It
We collect personal information directly from you, from your employer (where you use our products on their behalf), and through automated means when you visit our website. The categories we collect and the purposes we use them for are:
Innovation Hub Users
The Innovation Hub holds two categories of personal information about each user:
Authentication data — an email address used to authenticate the user and to send service communications about the account (for example, password resets, security notices, and release information). Authentication relies on the customer's own identity provider where federated single sign-on is configured. We do not store names, profile photos, role descriptions, or other identifying attributes.
Conversational builder prompts — the prompts you enter into the MyWave conversational agent builder, together with the agent designs the builder produces. We hold these so that you can iterate on your agent design over time and so that we can investigate issues you report to us.
Application logs of actions taken in the Innovation Hub are operational records, not personal-data records, and are tied to the email-address identifier only for the purposes of audit and security. The lawful bases we rely on are performance of a contract (with your employer) and our legitimate interests in operating a secure, auditable platform.
Conversational Builder Prompts
When you use the MyWave conversational agent builder, the prompts you enter are processed by an inference provider (currently Microsoft Azure OpenAI Service) to generate an agent design. Builder prompts are then stored by MyWave so that you can iterate on the design and so that we can support you if you report a problem.
Our commitments about builder prompts are:
Confidential to your organisation. Conversational Agent Builder prompts are accessible only to your colleagues with the right permissions, and to a limited number of MyWave staff who need access for support, security, or abuse investigation. They are not visible to other customers.
Not used to train models. Conversational Agent Builder prompts are not used by MyWave or by our inference provider to train or fine-tune foundation models or any other model used by other customers. Microsoft Azure OpenAI Service operates under contractual terms that prohibit such use.
Aggregate use to improve the platform. The agent designs produced by the conversational agent builder — not the prompts themselves — may be leveraged in aggregate and de-identified form to help us understand how the builder is used and to improve the platform capabilities. This analysis is not tied to individual users or organisations and is not shared outside MyWave.
Website Visitors
When you visit our website, we collect limited device and usage data such as your IP address, browser type, the pages you visit, and the URL that referred you. If you submit a contact or demo-request form, we collect the information you provide (typically your name, business email, employer, and message). We use this information to operate and improve our website, to respond to your enquiries, and to detect abuse. The lawful bases we rely on are our legitimate interests and, where applicable, taking steps prior to entering a contract.
Customers, Prospects, Partners, and Integrators
If you work for an organisation that engages with MyWave commercially, we collect business contact information (name, work email, role, employer), records of our communications with you, and contract and billing data where relevant. We use this information to manage the relationship, deliver our services, send service communications, and meet our legal and contractual obligations. The lawful bases we rely on are performance of a contract and our legitimate interests.
Marketing Recipients
Where you have asked to hear from us, or where applicable law allows it, we send you relevant product information and event invitations. You can unsubscribe at any time using the link in any marketing email or by contacting us. The lawful basis we rely on is consent where required by local law, and our legitimate interests otherwise.
Job Applicants
When you apply for a role with us, we collect the information you provide in your application (CV, work history, references) and information from interviews and assessments. We use this information to evaluate your application and, if you are successful, to onboard you. The lawful basis we rely on is taking steps prior to entering a contract and our legitimate interests.
We do not knowingly collect special category personal information (such as health, biometric, or genetic data) or information from children under the age of 16.
5. Our AI-Specific Commitments
MyWave makes the following commitments in addition to the general protections in this policy:
No customer-data training. MyWave does not use the prompts you enter into the conversational agent builder, the personal information you provide to us, or any content processed by the MyWave Runtime to train foundation models or to fine-tune models used by other customers.
No MyWave-side Runtime processing. Agent prompts and responses produced at runtime are processed inside the customer's own cloud tenant. MyWave does not host, route, or retain that content.
Confidentiality of builder prompts. Prompts you enter into the conversational agent builder are confidential to your organisation and are not shared with other customers or used to improve outputs for them.
Decision traceability. Agent decisions are recorded inside the customer's tenant so that the customer can investigate and audit outcomes that affect individuals.
Human oversight. Where MyWave agents take action that affects individuals, supervisor controls and approval workflows are available to keep a human in the loop.
6. Sharing and Disclosure
We share personal information only where it is necessary for the purposes described in this policy. The categories of recipients are:
Service providers who process personal information on our behalf — for example, our cloud infrastructure provider (Google Cloud, in the United Kingdom, for the Innovation Hub), our inference provider (Microsoft Azure OpenAI Service), our identity provider, our customer relationship management platform, our email service, our website analytics provider, our customer support tooling, and our payment processor.
Professional advisors. Auditors, lawyers, accountants, and insurers, where engagement requires it.
Authorities and regulators where we are required to disclose information by law, regulation, or a binding order.
Corporate transactions. In connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality and data protection terms.
We do not sell personal information
We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We do not engage in profiling that produces legal or similarly significant effects on individuals without human review.
7. International Data Transfers
Innovation Hub data is hosted in the United Kingdom. Some of the service providers we use to run our business (for example, our customer relationship management platform and our customer support tooling) may process personal information in the United States or other countries outside the United Kingdom and the European Economic Area.
Where personal information is transferred from the United Kingdom or the European Economic Area to a country that has not received an adequacy decision, we rely on appropriate safeguards — typically the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Agreement), supplemented by technical and organisational measures where required. You can request a copy of the safeguards by contacting us.
8. How Long We Keep Your Information
We keep personal information for as long as we need it for the purposes described in this policy, and for as long as we are required to keep it by law or by our contracts with customers. In general:
We keep Innovation Hub authentication data (email address) for the duration of the user's account, and delete it within a reasonable period after the account is closed.
We keep customer and contractual records for the duration of the relationship plus the period required to meet our accounting, tax, and contractual obligations.
We keep sales and marketing data until you unsubscribe or object, or until you have been inactive for a reasonable period.
We keep job applicant data for a limited period after the application decision, unless we have your consent to keep your details on file for future opportunities.
We keep website analytics for a limited period from collection; aggregated reporting is retained indefinitely.
Where personal information is no longer required, we delete or anonymise it. Customers and integrators can request our detailed retention schedule via the Privacy Supplement.
9. How We Protect Your Information, and Other Matters
Security
We maintain technical and organisational measures designed to protect personal information against unauthorised access, alteration, disclosure, and destruction. These include access controls, multi-factor authentication, encryption in transit and at rest where appropriate, secure software development practices, and an information security programme aligned with ISO/IEC 27001 control frameworks. Because the Innovation Hub is hosted on Google Cloud Platform in the United Kingdom, the underlying infrastructure benefits from the security controls and independent certifications that GCP maintains.
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and — where the risk is high — affected individuals without undue delay, as required by applicable law.
Children's Privacy
Our products and services are intended for use by businesses and their authorised personnel. They are not directed to children, and we do not knowingly collect personal information from children under the age of 16. If you believe that a child has provided us with personal information, contact us using the details in Section 11 and we will take appropriate steps to delete it.
10. Your Rights
Depending on where you live and the laws that apply to you, you may have some or all of the following rights in relation to the personal information we hold about you:
Access — you can ask us for a copy of the personal information we hold about you.
Rectification — you can ask us to correct personal information that is inaccurate or incomplete.
Erasure — you can ask us to delete personal information where there is no good reason for us to continue processing it.
Restriction — you can ask us to suspend processing of your personal information in certain circumstances.
Portability — you can ask us to provide your personal information in a structured, machine-readable format, or to transmit it to another controller, where technically feasible.
Objection — you can object to processing based on legitimate interests, including direct marketing.
Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
Complaint — you can lodge a complaint with your local data protection authority. In the United Kingdom this is the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, contact us using the details in Section 11. We will respond within the time limits set by applicable law (one month under UK and EU GDPR; 45 days under CCPA/CPRA, extendable in limited circumstances). We do not charge a fee unless your request is manifestly unfounded or excessive.
Residents of California: in addition to the rights above, you have the right under the CCPA/CPRA to know the categories of personal information we collect, the categories of sources from which it is collected, the business or commercial purposes for collecting it, and the categories of third parties with which we share it; to limit the use of sensitive personal information; and to be free from retaliation for exercising your rights. MyWave does not sell or share personal information for cross-context behavioural advertising.
11. Cookies, Contacting Us, and Changes
Cookies and Similar Technologies
Our website uses cookies and similar technologies to operate the site, remember your preferences, measure performance, and understand how visitors use the site. Where required by law, we obtain your consent for non-essential cookies through a banner on the site. You can change your cookie preferences at any time through the cookie settings link in our website footer, or by adjusting your browser settings.
Contacting Us
If you have questions about this policy or want to exercise any of your rights, you can contact us at:
Email: info@mywave.ai
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the United Kingdom this is the Information Commissioner's Office (ico.org.uk).
Changes to This Policy
We review this policy at least annually and may update it to reflect changes in our practices, products, or applicable law. The effective date at the top of this policy indicates when it was last updated. Where changes are material, we will provide reasonable advance notice through our website or, where appropriate, by direct communication to customers.