Privacy Policy

2.1 Information You Provide Directly

• Account Information: Name, email address, password, company name, job title, phone number, and profile information when you register.
• CRM Data: Contact records, organization details, notes, tags, deal information, communication history, and any other data you input about your business relationships.
• User Content: Email drafts, templates, workflow configurations, custom prompts, AI instructions, and preferences you create within the Service.
• Communications: Information you provide when contacting our support team, responding to surveys, or participating in promotions.
• Payment Information: Billing details, payment card information (processed by our payment processor—we do not store complete card numbers), and transaction history.

2.2 Information from Connected Services

When you connect third-party accounts, we access and store data from those services to provide our AI-powered features. This includes:

• Email Data (Gmail, Outlook): Email messages, threads, subject lines, sender and recipient information, timestamps, attachments metadata, labels/folders, and read status. We sync emails to enable our AI to understand your communication history, draft contextual responses, and take actions on your behalf.
• Calendar Data: Events, attendees, meeting details, scheduling information, and availability. Used to help our AI schedule meetings and understand your availability.
• Contact Data: Contact information from your connected address books to enrich CRM records and identify relationships.
• Authentication Tokens: OAuth tokens to maintain secure access to your connected services.
• Social Media Publishing Data (LinkedIn): When you connect your LinkedIn account, we access your basic profile information (name, email address, profile picture, and LinkedIn person identifier) via OpenID Connect. We use your LinkedIn account to publish posts, images, and documents (carousels) that you have explicitly reviewed and approved. We do not access your LinkedIn connections, messages, feed, analytics, or any other users' profile data.

2.3 Information Collected Automatically

• Usage Data: Features used, actions taken, pages visited, search queries, AI interactions, workflow executions, and how you interact with the Service.
• Device Information: Browser type and version, operating system, device type, screen resolution, and unique device identifiers.
• Log Data: IP addresses, access times, referring URLs, and error logs.
• Cookies and Similar Technologies: We use cookies, local storage, and similar technologies to maintain sessions, remember preferences, and improve user experience. See our Cookie Policy for details.

2.4 Information Derived Through AI Processing

Our AI systems analyze the information described above to generate derived data that helps you manage relationships more effectively:

• Relationship Insights: AI-generated summaries of your relationship history, communication patterns, sentiment analysis, and engagement levels with contacts.
• Behavioral Patterns: Understanding of your communication style, preferences, typical responses, and working patterns to personalize AI assistance.
• Suggested Actions: Recommended follow-ups, draft responses, optimal send times, and workflow suggestions based on your data.
• Embeddings and Vectors: Mathematical representations of your content used for semantic search and similarity matching.

3.1 Core Service Delivery

• Provide, operate, and maintain the CRM platform and all its features
• Sync and display your emails, calendar events, and contacts within the Service
• Enable our AI assistant to understand your relationships and communication history
• Process transactions and manage your subscription
• Authenticate your identity and maintain account security

3.2 AI-Powered Features

• Draft and send communications: Generate email drafts, replies, and follow-ups based on your communication history and style
• Take actions on your behalf: Execute approved workflows, schedule meetings, send emails, and perform other automated actions you configure
• Learn your preferences: Analyze your past actions, communication patterns, and feedback to improve AI suggestions and personalization
• Generate insights: Create relationship summaries, identify opportunities, and surface relevant information from your data
• Semantic search: Enable intelligent search across your emails and CRM data using AI-powered understanding of meaning and context
• Data extraction: Automatically extract contact information, company details, and other structured data from emails and documents

3.3 Service Improvement

• Analyze usage patterns to improve features and user experience
• Develop new features and functionality based on user needs
• Train and improve our AI models to provide better assistance (see Section 4 for details)
• Conduct research and analytics to understand how the Service is used
• Test new features and optimizations

3.4 Communications and Support

• Send transactional communications (receipts, confirmations, security alerts)
• Provide customer support and respond to inquiries
• Send product updates, feature announcements, and educational content (with opt-out)
• Notify you of changes to our policies or Service

3.5 Security and Compliance

• Detect, prevent, and address fraud, abuse, and security threats
• Monitor for violations of our Terms of Service
• Comply with legal obligations and respond to lawful requests
• Enforce our agreements and protect our rights

4.1 How Our AI Works

Our AI assistant processes your data to understand your business relationships, communication patterns, and preferences. This enables the AI to:

• Understand context from your email history to draft relevant responses
• Learn your communication style and tone to match it in suggestions
• Identify patterns in your successful interactions to recommend best practices
• Recognize relationships between contacts, companies, and deals
• Anticipate your needs based on your past behavior and current context
• Execute workflows and automated actions you configure

4.2 Third-Party AI Providers

To deliver AI capabilities, we use third-party AI service providers including:

• OpenAI — For language understanding, generation, and embeddings
• Anthropic — For advanced reasoning and analysis
• Google AI — For language models and processing

When your data is processed by these providers:

• Data is transmitted securely using encryption in transit
• Providers process data solely to return results to us for your benefit
• We have contractual agreements (Data Processing Agreements) with each provider that prohibit them from using your data to train their general models or for any purpose other than providing the service to us
• Providers are required to delete your data after processing (typically within 30 days, per their retention policies)

4.3 AI Learning and Personalization

To provide personalized assistance, our AI learns from your data:

• Per-User Learning: The AI builds an understanding of your specific communication patterns, preferences, and relationships. This learning is specific to your account and used solely to improve your experience.
• Embeddings and Vectors: We create mathematical representations of your content to enable semantic search and similarity matching within your own data.
• Aggregate Insights: We may analyze anonymized, aggregated usage patterns across users to improve our Service features. Individual user data is never used to train models that would be applied to other users without anonymization. Important: Data obtained from Google API Services (including Gmail, Google Calendar, and Google People API) is never used to develop, train, or improve generalized or non-personalized AI or machine learning models. Google user data is used exclusively for per-user personalized features as described in Section 5.

4.4 Human Review

We limit human access to your data. Our employees or contractors will only access your data:

• When you provide explicit consent (e.g., when requesting support assistance)
• To investigate security incidents, abuse, or violations of our terms
• When required to comply with legal obligations
• To review aggregated or anonymized data for service improvement

We do not allow employees to read your emails or personal content for general product development or quality assurance without your specific consent.

4.5 Automated Actions and Human-in-the-Loop

Our AI can take actions on your behalf. We provide controls to ensure you remain in control:

• Approval Workflows: You can configure which actions require your approval before execution
• Action Queue: Review and approve/reject AI-proposed actions before they are executed
• Scheduling: Set rules for when automated actions can be executed
• Audit Trail: View a complete history of all actions taken on your behalf

5.1 Google User Data We Access

When you connect your Google account, we request access to:

• Gmail API (gmail.modify scope — restricted): Read, compose, send, and manage email messages and drafts. This is a restricted scope under Google's API Services User Data Policy, and we adhere to the additional requirements for restricted scope access described below.
• Google Calendar API: Read and manage calendar events, view calendar lists, check availability, and read calendar settings
• Google People API (contacts.readonly, contacts.other.readonly scopes): Read contact information from your Google Contacts and Other Contacts
• Basic Profile: Your name, email address, and profile picture

5.2 How We Use Google User Data

Waves is a customer relationship management (CRM) application that enhances the email experience for productivity purposes. Our use of Gmail restricted scopes falls within Google's approved use case for "Applications that enhance the email experience for productivity purposes (such as applications for customer relationship management, delayed sending of email or mail merge, or providing generative AI summaries)."

Google user data is used exclusively to provide and improve user-facing features within our Service:

• Display your emails within the Waves interface for CRM context
• Enable our AI to draft email responses based on conversation history
• Send emails on your behalf through the Gmail API when you approve them
• Sync calendar events to help schedule meetings and understand availability
• Import contacts to enrich your CRM records
• Generate relationship insights based on your communication history

5.4 Google Data Storage and Security

• Google user data is stored in encrypted databases using AES-256 encryption at rest
• All data transmission uses TLS 1.2 or higher encryption
• Access to Google user data is restricted to authorized personnel and systems
• We maintain audit logs of access to Google user data
• OAuth tokens are stored securely and refreshed as needed; you can revoke access at any time
• In the event of a known or suspected unauthorized access to systems, networks, accounts, or other locations where Google user data is stored, we will promptly notify Google at security@google.com in addition to notifying affected users as required by applicable law
• We acknowledge that access to restricted Google API scopes (such as gmail.modify) may require completion of a Cloud Application Security Assessment (CASA) or equivalent security evaluation by a Google-designated third party. We commit to participating in and completing any such assessment required by Google as a condition of continued API access

5.5 Revoking Google Access

You can disconnect your Google account from Waves at any time through your account settings. You can also revoke our access directly from your Google Account permissions page. Upon revocation, we will stop accessing new data and delete synced Google data within 30 days, unless retention is required by law.

6.1 Microsoft User Data We Access

When you connect your Microsoft 365 or Outlook account, we request access to:

• Microsoft Graph Mail API: Read, compose, send, and manage email messages
• Microsoft Graph Calendar API: Read and manage calendar events
• Microsoft Graph Contacts API: Read contact information
• User Profile: Your name, email address, and profile information

6.2 How We Use Microsoft User Data

Microsoft user data is used for the same purposes as Google user data, as described in Section 5.2. We apply the same restrictions and protections: no advertising, no data sales, limited human access, and secure storage. You can revoke access through your Microsoft account permissions at any time.

7.1 LinkedIn Data We Access

When you connect your LinkedIn account, we request access to the following data:

• OpenID Connect Profile (one-time at connection): Your name, email address, profile picture, and LinkedIn person identifier (URN) via the standard OpenID Connect userinfo endpoint. This is collected once when you authorize the connection and may be refreshed when you actively use the LinkedIn publishing features in the application.
• OAuth Tokens: Access token and refresh token to maintain your authorized connection. These are used solely to authenticate API requests on your behalf.
• Publishing Permissions: The w_member_social scope allows our Service to publish posts to your LinkedIn account when you explicitly approve them.

7.2 How We Use LinkedIn Data

LinkedIn user data is used exclusively for the following purposes:

• Display your LinkedIn profile name and picture within the Waves application to confirm your connected account identity
• Publish posts (text, images, and document/carousel content) to your LinkedIn account when you explicitly approve them
• Upload images and PDF documents to LinkedIn's media servers as part of the post publishing process
• Refresh your OAuth token to maintain your authorized connection when you actively use the application

7.3 When LinkedIn Data Is Collected

To comply with LinkedIn's requirement that profile data may only be refreshed when a Member is actually using the Application, we collect LinkedIn data at the following specific times:

• At Connection Time: Your LinkedIn profile information (name, email, picture, person URN) is fetched once when you first authorize the LinkedIn connection.
• During Active Use Only: If we need to refresh your profile data (e.g., after token refresh), this occurs only when you are actively using the LinkedIn publishing features within the application. We do not pull your profile data on an automated schedule or in the background when you are not using the application.
• At Publish Time: When you approve a post for publication, we make API calls to LinkedIn to publish the content. Media files (images, PDFs) are uploaded to LinkedIn's servers at this time.

7.4 LinkedIn Data Storage and Security

We store LinkedIn data in a manner that enables identification, segregation, and selective deletion per user:

• OAuth Tokens: Access token, refresh token, expiration timestamp, and granted scopes are stored in our encrypted database, linked to your user account
• Profile Metadata: LinkedIn person URN, display name, and profile picture URL are stored to identify your connected account within the application
• Published Post References: LinkedIn post URN and post URL are stored to maintain a record of content you published through our Service

Security measures for LinkedIn data:

• All LinkedIn data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2+
• OAuth tokens are stored in dedicated, access-controlled database tables
• Access to LinkedIn data is restricted to authorized systems and personnel
• We maintain audit logs of API access and token usage
• In the event of a security incident that could reasonably be expected to affect LinkedIn data, LinkedIn Members, or LinkedIn Services, we will notify LinkedIn within 24 hours of discovery as required by the LinkedIn API Terms of Use

7.5 Withdrawing Consent and Disconnecting LinkedIn

You can disconnect your LinkedIn account from Waves at any time through the Connections page in your account settings. Disconnecting immediately:

• Revokes our ability to publish posts to your LinkedIn account
• Deletes your LinkedIn OAuth tokens (access token and refresh token) from our database
• Deletes your LinkedIn profile metadata from our database

You can also revoke our access directly from your LinkedIn Permitted Services settings. Disconnecting does not delete AI-generated content (post drafts, iterations) that you created using our Service, as this content was generated by our AI systems and is not LinkedIn API data. You may delete this content separately through the application.

7.6 Requesting Deletion of LinkedIn Data

You may request deletion of all LinkedIn data we have collected on your behalf at any time by:

• Using the Disconnect feature described in Section 7.5 above, which automatically deletes OAuth tokens and profile metadata
• Contacting us at team@ussoftwarecompany.com to request comprehensive deletion
• Deleting your Waves account, which triggers deletion of all associated data including LinkedIn data

Upon receiving a deletion request, we will immediately delete all Content collected through LinkedIn APIs on your behalf, including your Member Token (person URN) and OAuth Access Tokens. Published post references (post URN, URL) stored in our scheduling records will also be deleted upon request. If we are required by law to retain certain data, we will inform you of the specific legal basis and retain only the minimum data required.

7.7 LinkedIn Content Restrictions

In accordance with the LinkedIn API Terms of Use, we commit to the following additional restrictions:

• We do not use LinkedIn Content to train AI models that would be applied to other users without anonymization
• We do not use LinkedIn Content for credit, insurance, employment, housing decisions, or any similar eligibility determinations
• We do not use LinkedIn Content to facilitate surveillance, bias, or discriminatory practices
• We do not combine LinkedIn API data with data obtained from scraping, crawling, or any other non-official access method
• We do not attempt to re-identify any de-identified or anonymized LinkedIn data
• We comply with the LinkedIn API Terms of Use and developer documentation in all aspects of our integration

8.1 Service Providers

We share data with vendors who help us operate the Service, including:

• Cloud infrastructure providers (hosting, storage, databases)
• AI service providers (as described in Section 4.2)
• Payment processors
• Analytics providers
• Customer support tools
• Email delivery services

All service providers are bound by contractual obligations to protect your data and use it only for the purposes we specify.

8.2 Within Your Workspace

If you use Waves as part of a team or organization, other authorized members of your workspace may have access to shared CRM data, workflows, and communications based on the permissions configured by your workspace administrator.

8.3 Legal Requirements

We may disclose your information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to: (a) comply with the law; (b) protect our rights, property, or safety; (c) protect the rights, property, or safety of others; or (d) detect, prevent, or address fraud, security, or technical issues.

8.4 Business Transfers

If Waves is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

For data obtained from Google API Services: Any transfer of Google user data as part of a merger, acquisition, or sale of assets requires your explicit prior consent. We will contact you to obtain your affirmative consent before any Google user data is transferred. If you do not consent, your Google user data will be deleted prior to the transaction. Any successor entity or acquiring party must also agree to comply with the Google API Services User Data Policy, including the Limited Use requirements.

8.5 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

10.1 Retention Periods

• Account Data: Retained while your account is active and for up to 90 days after deletion to allow for account recovery
• CRM Data: Retained while your account is active; deleted upon account deletion
• Synced Email/Calendar Data: Retained while the integration is active; deleted within 30 days of disconnection or account deletion
• Usage Logs: Retained for up to 24 months for analytics and security purposes
• Backup Data: Retained in backups for up to 90 days after deletion from primary systems
• LinkedIn Data (OAuth Tokens, Profile): Deleted immediately upon disconnection of your LinkedIn account or upon your request. Published post references are retained as part of your scheduling history while your account is active; deleted upon account deletion or upon request.

10.2 Deletion Process

You can request deletion of your data at any time by:

• Using the account deletion feature in your settings
• Contacting us at team@ussoftwarecompany.com

Upon receiving a deletion request, we will delete or anonymize your data within 30 days, except where we are required to retain it for legal, regulatory, or legitimate business purposes (such as maintaining records of transactions or resolving disputes).