Privacy Policy

Hi 👋
I'm Waveful, the creator-friendly social network where everyone can become a creator 🌊

Before diving in a more formal explanation of our privacy policy, let me briefly tell you my mission 🚀
My goal is to be a social network where everyone can share their passions and feel welcomed in a comfortable and positive environment; where creators can thrive and where users can enjoy original content, find new meaningful connections and have fun. I hope I'm doing well in this, but you be the judge!

I collect data using the latest industry security standards, and the collected data is used with the only goal of delivering the best experience a social network can offer 📡
Waveful does not sell your data and will never do. In fact, to be sustainable, Waveful has some paid elements in the platform (purchasable likes and premium subscriptions). I know some users don't like to pay for a service, but the core functionalities of Waveful are free and will always remain free, and you can still enjoy the Waveful experience without spending a single cent!

Now I'll leave you to a more formal explanation of our data collection practices, and thanks for being here!

And if you need any help on understanding any part of this privacy policy, send us a message at support@waveful.app, will be happy to help you ✨

Introduction

Controller: Waveful S.r.l., with headquarters in Italy, 20121 Milan (MI), Via Daniele Manin 3, VAT Identification Number IT12343330960, e-mail privacy@waveful.app.

Pursuant to and for the purposes of art. 13 of Regulation (EU) no. 2016/679 of the European Parliament and of the Council of 27 April 2016 concerning the protection of individuals with regard to the Processing of Personal Data, as well as the free circulation of such Data (the "Regulation" or the "GDPR") and legislative decree 30 June 2003, n. 196 "Code regarding the protection of personal data" ("Code") (Code and Regulations also jointly defined as "Regulations") we inform the interested parties ("Data Subjects") that their Personal Data will be processed in compliance with the Regulations and what is specified below.

0) Definitions

• Authorized
  the natural persons authorized to carry out Processing operations under the direct authority of the Controller or the Processor, pursuant to art. 29 of the Regulation and art.2-quaterdecies of the Code.
• Communication
  ‍the giving knowledge of Personal Data to one or more specific subjects other than the Data Subject, the Controller's representative in the State, the Processor and the Authorized, in any form, including by making them available or consulting.
• Contents
  ‍means any music, sound element, photograph, image, video, message, or other material, uploaded and/or published by the user on the platform (by way of example, posts, comments, messages sent and/or received through the messaging service, etc.).
• Controller
  ‍means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law. For the purposes of this Privacy Policy, the terms "Controller" and "Waveful" are equivalent.
• Data Subject
  ‍the natural person to whom the Personal Data refers.
• Designated
  ‍the natural person who is assigned specific tasks and functions related to the Processing of Personal Data and who operates under the authority of the Controller or the Processor, pursuant to art. 2-quaterdecies of the Code.
• Personal Data or Data
  ‍any information relating to a natural person, identified or identifiable, even indirectly, by reference to any other information, with particular reference to an identifier such as the name, an identification number, location data, an identifier online or to one or more characteristic elements of its physical, physiological, genetic, psychic, economic, cultural or social identity.
• Privacy Policy
  ‍this document.
• Processing
  ‍means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Processor
  ‍the natural or legal person, public authority, service or other body that processes Personal Data on behalf of the Controller.
• Security Measures
  ‍the set of technical (including IT), organizational and physical measures adopted by the Controller to guarantee a level of security adequate to the risk of the Processing, pursuant to art. 32 of the Regulation.
• Supervisory Authority
  ‍the supervisory authority referred to in art. 51 of the Regulation.

1) Context of the Processing

This Privacy Policy is provided by the Controller in relation to the following context:
Processing of Personal Data relating to the use of the Waveful application and the Waveful website by users.

2) Processing operations

The Data collected, the purposes for which they are processed, the legal bases and Data retention period are reported below in analytical form.

Operation: Allow registration to Waveful services.

• Purpose of this operation: Allow registration to Waveful services.
• Data processed in this operation: Email, Username, Telephone number, Account name, Date of birth, Country of residence, IP address.
• Legal base of this operation: The Processing of such Data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6 b) GDPR].
• Data retention period: Data will be stored no later than 30 days from the deactivation of the account.

Operation: Management of the user's personal profile on the platform and Contents upload.

• Purpose of this operation: Management of the user's personal profile on the platform and Contents upload.
• Data processed in this operation: Profile picture, Contents, Bio, Links to external websites, Username, Account name, User ID, IP address.
• Legal base of this operation: The Processing of such Data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6 b) GDPR].
• Data retention period: Data will be stored until cancellation by the user, which can be performed at any time and, in any case, no later than 30 days from the deactivation of the account.

Operation: Interactions with other users (through messaging services and through the ability to "react" to other users' contents, for example, with likes, Superlikes and comments), exporting Contents from other users.

• Purpose of this operation: Interactions with other users (through messaging services and through the ability to "react" to other users' contents, for example, with likes, Superlikes and comments), exporting Contents from other users.
• Data processed in this operation: Username, Data of various kinds contained in the message, Contents, Account name, User ID, IP address.
• Legal base of this operation: The Processing of such Data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6 b) GDPR].
• Data retention period: Data will be stored until cancellation by the user, which can be performed at any time and, in any case, no later than 30 days from the deactivation of the account.

Operation: Request to find friends and contacts that are already on Waveful through Contacts uploading. Allow to be findable by friends and contacts.

• Purpose of this operation: Request to find friends and contacts that are already on Waveful through Contacts uploading. Allow to be findable by friends and contacts.
• Data processed in this operation: Device's Address Book (only names, phone numbers and emails), Email, Telephone number, User ID, IP address.
• Legal base of this operation: The Processing of such Data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6 b) GDPR].
• Data retention period: Data will be stored until cancellation by the user, which can be performed at any time and, in any case, no later than 30 days from the deactivation of the account.

Operation: Create a unique link to allow the user to receive benefits and/or rewards upon registration of invited friends.

• Purpose of this operation: Create a unique link to allow the user to receive benefits and/or rewards upon registration of invited friends.
• Data processed in this operation: Unique link, User ID, IP address.
• Legal base of this operation: The Processing of such Data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6 b) GDPR].
• Data retention period: Data will be stored no later than 30 days from the deactivation of the account.

Operation: Purchase of premium/paid services through device stores (e.g., Google Play Store, Apple App Store).

• Purpose of this operation: Purchase of premium/paid services through device stores (e.g., Google Play Store, Apple App Store).
• Data processed in this operation: Username, Account name, User ID, IP address, Purchase object, Country of purchase.
• Legal base of this operation: The Processing of such Data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6 b) GDPR].
• Data retention period: 10 years starting from each single purchase (expiry of the limitation period applicable to the conservation of accounting records).

Operation: Payments relating to the compensation accrued by a Creator user.

• Purpose of this operation: Payments relating to the compensation accrued by a Creator user.
• Data processed in this operation: Name, Surname, E-mail, Fiscal Code/tax code, VAT number, Telephone number, Residence/domicile address, Payment instrument, User ID, IP address.
• Legal base of this operation: The Processing of such Data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6 b) GDPR].
• Data retention period: 10 years (expiry of the limitation period applicable to the conservation of accounting records).

Operation: Receipt and storage of tax documents required by current legislation.

• Purpose of this operation: Receipt and storage of tax documents required by current legislation.
• Data processed in this operation: Name, Surname, E-mail, Fiscal code/tax code, VAT number, certified e-mail or SDI code, Residence/domicile address, User ID, IP address.
• Legal base of this operation: The processing of such Data is necessary for compliance with a legal obligation to which the Controller is subject [art. 6 c) GDPR].
• Data retention period: 10 years (expiry of the limitation period applicable to the conservation of accounting records).

Operation: Sending of non-commercial communications to the user (notices on activities carried out on the platform).

• Purpose of this operation: Sending of non-commercial communications to the user (notices on activities carried out on the platform).
• Data processed in this operation: E-mail, Username, Account name, User ID, IP address.
• Legal base of this operation: The Processing of such Data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6 b) GDPR].
• Data retention period: 30 days from the sending of the single notice.

Operation: Sale of physical products through the Controller’s website and subsequent shipment to the user.

• Purpose of this operation: Sale of physical products through the Controller’s website and subsequent shipment to the user.
• Data processed in this operation: Name, Surname, E-mail, Shipping address, Payment instrument.
• Legal base of this operation: The Processing of such Data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6 b) GDPR].
• Data retention period: 10 years starting from each single purchase (expiry of the limitation period applicable to the conservation of accounting records).

Operation: Issuing an invoice or equivalent tax documentation relating to the purchase of products on Controller’s website.

• Purpose of this operation: Issuing an invoice or equivalent tax documentation relating to the purchase of products on Controller’s website.
• Data processed in this operation: Name, Surname, E-mail, Fiscal code/tax code, VAT number, certified e-mail or SDI code, Residence/domicile address.
• Legal base of this operation: The processing of such Data is necessary for compliance with a legal obligation to which the Controller is subject [art. 6 c) GDPR].
• Data retention period: 10 years (expiry of the limitation period applicable to the conservation of accounting records).

Operation: Managing user support requests.

• Purpose of this operation: Managing user support requests.
• Data processed in this operation: E-mail, Username, Account name, User ID, IP address, content of the message containing the request for assistance.
• Legal base of this operation: The Processing of such Data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6 b) GDPR].
• Data retention period: Data will be stored no later than 30 days from the deactivation of the account.

Operation: Provisioning the services offered by the application.

• Purpose of this operation: Provisioning the services offered by the application.
• Data processed in this operation: IP address, Navigation Data, User ID.
• Legal base of this operation: The Processing of such Data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6 b) GDPR].
• Data retention period: Navigation Data are deleted within 30 days from the time of collection, without prejudice to any need for the investigation of crimes by the judicial authority.

3) Processing methods and categories of recipients.

• Unless otherwise expressly provided for in this Privacy Policy, the Data Subject is informed that the Processing of his/her Personal Data is carried out using manual systems and/or IT, telematic or automated systems, in compliance with the principles of relevance, lawfulness, fairness and purposes provided for by the Regulation.
• Pursuant to the Regulation, the Controller processes the Personal Data of the Data Subject by adopting the appropriate Security Measures aimed at minimizing the risks of unauthorized access, diffusion, loss and destruction of the aforementioned Data.
• The Data Subject is also informed that the Processing of Personal Data for the accomplishment of the aforementioned purposes may be carried out by the Controller directly or with the collaboration of other subjects, as Processors, Designated or Authorized (e.g. employees and/or collaborators of the Controller).
• In particular, the Data may be disclosed to the following categories of recipients (independent Controllers): other platform users (for example when sending messages or interacting with them), Italian revenue agency (fiscal agency).
• The Data Subject is informed that Personal Data may be disclosed to the following categories of external Processors: cloud service providers, content delivery network (CDN) providers, payment services, accountant, e-mail services.
• The list of Processors can be consulted at any time, by request to be sent to the e-mail address indicated at the beginning of this Privacy Policy.

4) Data Transfer

• The Data Subject is informed that the Personal Data processed by the Controller may be transferred to other countries within the European Union.
• The Data Subject is informed that the Personal Data processed by the Controller may be transferred to other countries outside the European Union, for which there is an adequacy decision by the EU Commission or for which additional security measures are applied to the outcome of an assessment by the Controller regarding the impact of the transfer on the rights and freedoms of the Data Subject.

5) Rights of the Data Subject

The Data Subject may exercise at any time, by means of a notice to be sent to the addresses indicated at the beginning of this Privacy Policy, the rights provided for by the Regulation pursuant to articles 15-22. In particular:

• The Data Subject has the right to ask the Controller for access to Personal Data, pursuant to and within the limits of art. 15 of the Regulation.
• The Data Subject has the right to ask the Controller to rectificate inaccurate Personal Data, pursuant to and within the limits set out in art. 16 of the Regulation.
• The Data Subject has the right to ask the Controller to erase the Personal Data, pursuant to and within the limits of art. 17 of the Regulation.
• The Data Subject has the right to ask the Controller to restrict the Processing of Personal Data, pursuant to and within the limits of art. 18 of the Regulation.
• The Data Subject has the right to ask the Controller to transmit his/her Personal Data in a structured, commonly used and machine-readable format, pursuant to and within the limits of art. 20 of the Regulation.
• The Data Subject has the right to object to the Processing by the Controller, pursuant to and within the limits of art. 21 of the Regulation.
• The Data Subject has the right to withdraw consent with reference to those Processing operations that are based on this legal basis. Pursuant to art. 7, paragraph 3 and art. 13, paragraph 2 lett. c) of the Regulation, the Data Subject is informed that, in any case, the withdrawal of consent does not affect the lawfulness of the Processing based on consent before the withdrawal itself.

6) Changes to this Privacy Policy

The Controller reserves the right to make changes to this Privacy Policy at any time. The Controller will post the up-to-date Privacy Policy on the Website.

This Privacy Policy was published on December 23, 2022.