Privacy Policy

Version 1.2 · Last updated: May 12, 2026

Scope of this notice

This Privacy Policy explains how MC Squared UG (haftungsbeschränkt) processes personal data in connection with the public website at wavebird.ai, the wavebird dashboard, signup and login, OAuth linking, API-key management, DPA signing, support, contact and booking flows, the wavebird API, SDK and Script Tag, proof, fraud-prevention, settlement, payout and reporting workflows, and wavebird-operated demos such as chat.wavebird.ai unless a separate privacy notice is shown there.

For end-user data processed inside a customer's wrapper application, the customer usually acts as controller and MC Squared UG acts as processor under the Data Processing Agreement. MC Squared UG acts as controller for its own account administration, authentication, security, abuse prevention, billing, settlement, legal compliance, support and business-communication processing.

Controller

MC Squared UG (haftungsbeschränkt), Ruppertstrasse 24, 80337 München, Germany, email: info@wavebird.ai.

We have not appointed a data protection officer. Privacy inquiries can be sent to info@wavebird.ai. This assessment is reviewed as production traffic, monitoring scale and ad-delivery integrations expand.

Public website and contact data

When you visit wavebird.ai, we process data that is technically necessary to deliver the site, secure it and prevent misuse. This can include IP address, date and time, request URL, user agent, browser and device information, technical error events, rate-limit events and abuse-prevention events.

If you contact us or book a technical conversation, we process the information you provide, such as email address, optional name, message, inquiry context, product or company name, integration surface, preferred runtime path, traffic estimate, timeline, selected appointment, time zone, booking transaction ID, calendar event ID and Teams join URL.

For high-cost or abuse-prone public flows, we may use self-hosted ALTCHA bot verification and rate-limit signals. The legal bases are Art. 6(1)(b) GDPR for requested conversations and pre-contractual steps, Art. 6(1)(f) GDPR for secure operation, verification, abuse prevention and technical error analysis, Section 25(2) TDDDG for technically necessary storage, and Art. 6(1)(c) GDPR where statutory duties apply.

Account, dashboard and legal acceptance data

When you create or use a wavebird account, we process account and dashboard data such as email address, name if provided, password-login metadata, OAuth provider ID, OAuth profile fields such as name/avatar where provided by the provider, workspace and project settings, API-key metadata, notification preferences, DPA signer name, role and email, DPA receipt metadata, Terms acceptance metadata, Privacy Policy version metadata and business-use confirmation metadata.

Signup is limited to business, professional or entrepreneurial use. We record the required legal acceptance metadata so we can evidence that the Terms, Privacy Policy and B2B-only confirmation were accepted before account creation or OAuth signup.

The legal bases are Art. 6(1)(b) GDPR for account and service performance, Art. 6(1)(f) GDPR for security, abuse prevention, product administration and evidence of acceptance, and Art. 6(1)(c) GDPR where statutory retention or compliance duties apply.

API, SDK, Script Tag and ad-delivery data

When the wavebird API, SDK or Script Tag communicates with wavebird systems, we process operational data such as account, workspace, project and key identifiers, public client identifiers, slot, session and request identifiers, consent and regulatory flags, topic category, language or locale, device or surface metadata, country or broad region, IP address and user agent where technically processed, proof events, request logs, impression facts and billability or settlement records.

For customer end-user data, processing usually occurs as processor under the customer's instructions. For wavebird-controlled security, fraud, settlement, legal-compliance and service-administration processing, MC Squared UG relies on Art. 6(1)(f) GDPR and/or Art. 6(1)(c) GDPR as applicable.

No production SSP subprocessors are currently used for live customer traffic. Production partner traffic is not enabled until partner roles, data categories and transfer mechanisms are documented.

Prompt-based processing and demo/model surfaces

Raw prompts are not required for standard ad delivery. If a customer explicitly enables prompt-based matching, prompt text is processed only for firewall-bound classification and safety or matching workflows and is not sent to SSPs, DSPs or advertisers. The standard delivery signal is a reduced topic or category signal plus operational context.

OpenAI and Google Gemini are treated as model-provider surfaces only for chat, demo or model-runner functionality where they are actually enabled. Those surfaces must show an applicable notice before prompt submission. They are not part of the standard wavebird ad-delivery path unless a separate integration states otherwise.

Cookies, local storage and similar technologies

We use technically necessary cookies and local storage to operate the website and dashboard, keep sessions secure, prevent abuse, perform rate limiting and remember settings you asked us to remember. We do not use analytics, heatmaps, marketing pixels, retargeting, A/B testing or personalized-content tools on wavebird.ai unless this policy and the consent model are updated first.

The public website notice records acknowledgement of necessary storage only. It does not enable analytics, marketing, tracking or personalized content.

  • wavebird_storage_notice_ack or legacy wavebird_consent: localStorage on wavebird.ai; remembers that the necessary-storage notice was acknowledged; kept until deleted by the user or until the notice version changes.
  • wb_theme: cookie and localStorage on wavebird.ai and dashboard.wavebird.ai; remembers the selected light/dark theme and may be shared in production through a .wavebird.ai preference cookie; kept until changed or deleted by the user.
  • wavebird_dashboard_session: HttpOnly cookie on dashboard.wavebird.ai; authenticates the dashboard session; up to 7 days by default and deleted on logout.
  • wavebird_logged_in: non-sensitive cookie on wavebird.ai and dashboard.wavebird.ai where configured; remembers that a dashboard session likely exists so public navigation can show a dashboard link; contains no account ID, email address or token and is deleted on logout.
  • wavebird_oauth_state_*: temporary HttpOnly cookie on dashboard.wavebird.ai; protects OAuth login/linking against CSRF; approximately 10 minutes.
  • wavebird_public_start_draft: HttpOnly cookie on dashboard.wavebird.ai; connects pre-signup onboarding to a server-side draft; short-lived onboarding helper.
  • sessionId, device_id and bv_token where active on public demo surfaces such as chat.wavebird.ai: technically necessary session, device and ALTCHA bot-verification cookies; short-lived and used for abuse prevention, rate limiting and high-cost request protection.
  • Dashboard and sandbox localStorage keys: remember UI preferences such as collapsed sidebars, selected project, panel state, tours and draft configuration on the user's device.

SDK and Script Tag storage on customer domains

If a customer enables the built-in wavebird SDK consent widget, the SDK may store wavebird_consent_v1 in the end user's browser on the customer's domain to remember the local semantic-targeting choice. The customer, as controller for its wrapper application, is responsible for disclosing this storage in its own privacy and cookie notice and for obtaining any legally required consent or relying on an applicable strict-necessity exemption. wavebird does not use this storage for cross-site tracking.

Recipients, subprocessors and transfers

We use infrastructure, email, collaboration and authentication providers to provide the service. The current operational list is published at https://wavebird.ai/subprocessors.

Self-hosted ALTCHA verification runs inside wavebird-operated infrastructure and does not send challenge verification data to an external CAPTCHA provider. If this changes, the privacy notice, subprocessors and consent/storage model must be updated before activation.

Where subprocessors process personal data outside the EU/EEA, we use an applicable adequacy decision, Standard Contractual Clauses or another transfer mechanism under GDPR Chapter V as applicable. For US providers, we verify whether the provider is certified under the EU-US Data Privacy Framework; where this is not sufficient or not available, we use EU Standard Contractual Clauses and additional safeguards where required.

Retention and deletion

We retain personal data only for as long as necessary for the purposes described in this policy. The current controlled-pilot retention model is 7/30/395 days unless a statutory duty, fraud investigation, dispute, security incident, settlement record or legal hold requires longer retention.

Public website and dashboard session/security identifiers are targeted for short retention. Client identifiers covered by the CSI retention cleanup path are targeted for 7 days.

API request logs containing IP address or user agent are targeted for anonymization or removal of those personal fields after 30 days.

Request-level CSL request and impression records are targeted for deletion after 395 days where no documented fraud, dispute, settlement or legal hold applies. Aggregate non-personal daily metrics may be kept longer.

Account data is retained while the account is active and then deleted, disabled or anonymized following account deletion except where continued retention is required for settlement, fraud, legal claims, security or statutory duties.

Settlement, invoice, payout, tax and accounting records may be retained for the statutory commercial and tax retention periods applicable to the record type, usually 6, 8 or 10 years under German commercial and tax law. Records retained for statutory purposes are not used for new ad targeting or profiling.

Backups and object-storage lifecycle deletion are operator-controlled and must be configured to match the retention schedule before production scale.

Your rights

You may contact us at info@wavebird.ai to exercise your GDPR rights. We respond without undue delay and generally within one month unless an extension is permitted by law.

Depending on the circumstances, you have rights of access, rectification, erasure, restriction of processing, data portability and objection. Where processing is based on consent, you may withdraw consent at any time with effect for the future. Where processing is based on legitimate interests, you may object on grounds relating to your particular situation.

You also have the right to lodge a complaint with a supervisory authority, in particular the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany, or another competent authority.

Provision of data and automated decision-making

Providing account, authentication, API, security and operational data is necessary to create an account, use the dashboard, issue keys, operate the API, SDK and Script Tag, sign the DPA, receive support, and perform settlement where applicable. If required data is not provided, the relevant service or feature may not be available.

wavebird does not use automated decision-making within the meaning of Article 22 GDPR for website or dashboard account decisions. Ad matching, no-fill handling, abuse checks and settlement calculations may use automated operational rules, but they are not intended to produce legal effects or similarly significant effects for end users. If a specific integration enables processing with such effects, it must be separately disclosed.

Contact

For privacy questions, write to info@wavebird.ai.