Data Protection & Security

Last update:
May 1, 2025

WAVEE – DATA PROTECTION & SECURITY POLICY

Effective Date: 1 March 2025

This Data Protection & Security Policy explains how Wave Ai Ltd (“Wavee”, “we”, “us”, “our”) protects personal data and maintains the security of its platforms, including:

  • The Wavee Resident App
  • The Wavee Concierge & Building Portal
  • The Wavee Business Portal
  • The Wavee Pets App
  • Related websites and systems
    (together, the “Platform”)

This Policy must be read together with our:

  • Privacy Policy
  • Data Retention Policy
  • Terms of Service
  • Business Portal Terms
  • End User Licence Agreement (EULA)

We comply with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Applicable international privacy laws where required

1. Our Data Protection Commitment

Wavee is committed to:

  • Lawful, fair, and transparent data processing
  • Purpose limitation and data minimisation
  • Accuracy and integrity of personal data
  • Secure storage and controlled access
  • Accountability across all operations

We only process personal data under a valid lawful basis and never sell personal data.

2. Data Protection Roles & Responsibilities

Wavee as Data Controller

Wavee acts as an independent data controller for:

  • Resident user accounts
  • Concierge and building staff accounts
  • Business Portal accounts
  • Wavee Pets accounts
  • Messaging, forums, and internal communications
  • Platform security monitoring
  • System analytics and audit logs

Wavee as Data Processor

Wavee acts as a data processor where we process resident information strictly on the documented instructions of building operators using the concierge platform.

Building Operators & Concierge Teams

Buildings are solely responsible for:

  • Resident approvals and removals
  • Staff onboarding and offboarding
  • Internal access policies
  • Accuracy of resident and staff records
  • Lawful handling of resident personal data within their organisation

Wavee is not responsible for internal data mishandling by building operators.

Businesses Using the Business Portal

Businesses act as independent data controllers for:

  • Customer order data
  • Booking records
  • Payment confirmations
  • Marketing communications outside the Platform
  • Refund and dispute records

Wavee is not responsible for a business’s GDPR compliance or misuse of resident data.

3. Technical & Organisational Security Measures

Wavee applies proportionate technical and organisational security measures, including:

  • Encrypted data transmission (TLS/HTTPS)
  • Encrypted data storage at rest
  • Role-based access controls
  • Segregated data environments for residents, buildings, businesses, and pets
  • Secure cloud hosting within the UK and EU
  • Firewall protection and intrusion detection systems
  • Continuous vulnerability monitoring
  • Regular penetration testing and security audits
  • Secure backup systems with controlled retention

4. Account & Access Security

Password & Authentication Controls

  • Strong passwords are required across all portals
  • Passwords should be changed at regular intervals
  • Two-Factor Authentication (2FA) is supported where available
  • Credential sharing is strictly prohibited

Building & Business Portal Access

Buildings and businesses are fully responsible for:

  • Managing staff access
  • Revoking access immediately when staff leave
  • Preventing unauthorised credential sharing
  • Ensuring temporary staff do not retain long-term access

Wavee is not liable for data loss or breaches caused by internal access failures.

5. Data Segmentation & Least-Privilege Access

Wavee enforces strict least-privilege access policies, ensuring:

  • Residents only see their own building data
  • Concierge staff only access assigned building records
  • Businesses only access their own customer data
  • Pet community data is segregated from building data
  • System admins are restricted by role and require additional authorisation

6. Transaction & Payment Security

Where payments, bookings, click & collect, and service orders are enabled:

  • Payments are handled by certified third-party payment providers
  • Wavee does not store raw card numbers
  • Fraud detection controls are applied
  • Transaction logs are encrypted and monitored

All merchant fulfilment, refunds, and chargebacks remain the legal responsibility of the business.

7. Data Breach Management & Incident Response

Wavee maintains a documented Incident Response Plan.

In the event of a confirmed personal data breach:

  • Immediate containment and investigation takes place
  • Risk is assessed without delay
  • The ICO is notified where legally required (within 72 hours)
  • Affected users are notified where a high risk to rights and freedoms exists
  • Remedial security measures are deployed

8. Data Retention & Secure Deletion

All personal data is retained strictly in accordance with our Data Retention Policy, including:

  • Secure deletion
  • Anonymisation for analytics
  • Time-limited backups (up to 90 days)
  • Permanent erasure when retention expires

9. International Data Transfers

Where personal data is processed outside the UK:

  • Approved safeguards are applied, including Standard Contractual Clauses (SCCs)
  • Equivalent security and privacy protections are required
  • Risk assessments are conducted prior to transfer

10. Employee & Contractor Compliance

All Wavee employees and contractors:

  • Are bound by confidentiality obligations
  • Receive data protection training
  • Are subject to access controls
  • Operate under strict security governance

11. User Responsibilities

All users must:

  • Keep credentials secure
  • Use only authorised access
  • Avoid sharing login details
  • Report suspected security incidents immediately

12. Limitations of Security Guarantees

While Wavee applies industry-appropriate security safeguards, no digital system can be guaranteed 100% secure. Security depends also on:

  • User behaviour
  • Building internal access controls
  • Business security practices
  • Third-party technology providers

Wavee is not responsible for breaches caused outside its direct technical control.

13. Your Rights Under Data Protection Law

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure
  • Restrict processing
  • Object to processing
  • Request data portability

Requests should be submitted to:

privacy@wavee.ai

14. Data Protection Officer (DPO)

Wavee has appointed a Data Protection Officer to oversee compliance and governance.

DPO Contact:
dpo@wavee.ai

15. Changes to This Policy

We may update this Policy to reflect:

  • Changes in law
  • Security enhancements
  • Platform developments

The “Last Updated” date will always reflect the current version.

16. Contact

For data protection and security enquiries:

privacy@wavee.ai
dpo@wavee.ai