wavebird logo

Data Processing Agreement

Version 1.0 · Last updated: April 15, 2026

This Data Processing Agreement applies where the wrapper acts as controller and wavebird acts as processor for personal data that may arise in connection with the Wavebird API, dashboard, and related monetization services.

1. Parties and roles

The wrapper integrating Wavebird into its application is the controller for end-user data processed within its product. MC Squared UG (haftungsbeschränkt), operating wavebird.ai, acts as processor solely to the extent it processes controller-authorized delivery, billing, and anti-fraud data on the wrapper's behalf.

2. Subject matter

The subject matter of processing is contextual ad matching, delivery, proof generation, settlement support, and fraud prevention for GenAI application surfaces that use the Wavebird API or SDK.

3. Data categories processed

  • Context topic or topic category
  • Language or locale signal
  • Device type or client surface metadata
  • Country or region derived from network location
  • Consent and regulatory flags such as GDPR, TCF, or US privacy signals
  • Operational identifiers for slots, sessions, keys, and proof events

4. Data categories not processed by default

  • Raw prompts unless the wrapper explicitly opts into prompt-based matching
  • Names, email addresses, account usernames, or comparable personal identifiers
  • Persistent conversation history or user profiles for targeting

5. Processing purposes

  • Ad matching and creative delivery during the app's existing response window
  • Settlement, billing support, and proof-backed reconciliation
  • Fraud prevention, abuse detection, and service security

6. Sub-processors

Wavebird may use SSP partners to conduct programmatic auctions and ad delivery on a controller-authorized, signal-minimized basis.

Wavebird uses hosting infrastructure from Hetzner Online GmbH for core service operation. Additional sub-processors may be introduced where operationally necessary, provided they remain bound by data protection obligations appropriate to the processing.

7. Retention and deletion

Prompt text is not required for standard operation and is not intended for long-term storage. Where prompt-derived processing is enabled, the design target is ephemeral handling limited to safety and matching workflows.

Operational logs, proof records, and settlement artifacts are retained only for the periods needed for fraud controls, reconciliation, legal compliance, and payout support, in line with the retention and deletion schedule referenced in Wavebird operational documentation.

8. Technical and organizational measures

  • TLS for data in transit
  • Ingress filtering and prompt-reduction controls in the firewall path
  • Signed asset and beacon tokens, including HMAC-backed proof steps
  • Ephemeral vault handling for prompt-adjacent processing where such processing is enabled
  • Access control, audit logging, and environment-scoped operational credentials

9. Data subject rights and assistance

The wrapper remains the primary point of contact for data subjects. Where a data subject request affects processor-held data, wavebird will provide reasonable assistance so the wrapper can respond in accordance with applicable law.

10. Term and termination

This DPA begins when the wrapper accepts it and remains in force for as long as wavebird processes controller-authorized data under the main agreement. On termination, wavebird will delete or render inaccessible processor-held personal data except where retention is required by law or strictly necessary for unresolved settlement, fraud, or security matters.