Data Protection & Security
WAVEE – DATA PROTECTION & SECURITY POLICY
Effective Date: 1 March 2025
This Data Protection & Security Policy explains how Wave Ai Ltd (“Wavee”, “we”, “us”, “our”) protects personal data and maintains the security of its platforms, including:
The Wavee Resident App
The Wavee Concierge & Building Portal
The Wavee Business Portal
The Wavee Pets App
Related websites and systems
(together, the “Platform”)
This Policy must be read together with our:
Privacy Policy
Data Retention Policy
Terms of Service
Business Portal Terms
End User Licence Agreement (EULA)
We comply with:
UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Privacy and Electronic Communications Regulations (PECR)
Australian Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs), where applicable
Applicable international privacy laws where required
1. Our Data Protection Commitment
Wavee is committed to:
Lawful, fair, and transparent data processing
Purpose limitation and data minimisation
Accuracy and integrity of personal data
Secure storage and controlled access
Accountability across all operations
We only process personal data under a valid lawful basis and never sell personal data.
2. Data Protection Roles & Responsibilities
Wavee as Data Controller
Wavee acts as an independent data controller for:
Resident user accounts
Concierge and building staff accounts
Business Portal accounts
Wavee Pets accounts
Messaging, forums, and internal communications
Platform security monitoring
System analytics and audit logs
Wavee as Data Processor
Wavee acts as a data processor where we process resident information strictly on the documented instructions of building operators using the concierge platform.
Building Operators & Concierge Teams
Buildings are solely responsible for:
Resident approvals and removals
Staff onboarding and offboarding
Internal access policies
Accuracy of resident and staff records
Lawful handling of resident personal data within their organisation
Wavee is not responsible for internal data mishandling by building operators.
Businesses Using the Business Portal
Businesses act as independent data controllers for:
Customer order data
Booking records
Payment confirmations
Marketing communications outside the Platform
Refund and dispute records
Wavee is not responsible for a business’s GDPR compliance or misuse of resident data. Businesses remain responsible for compliance with applicable privacy laws, including Australian privacy law where relevant.
3. Technical & Organisational Security Measures
Wavee applies proportionate technical and organisational security measures, including:
Encrypted data transmission (TLS/HTTPS)
Encrypted data storage at rest
Role-based access controls
Segregated data environments for residents, buildings, businesses, and pets
Secure cloud hosting within the UK and EU
Firewall protection and intrusion detection systems
Continuous vulnerability monitoring
Regular penetration testing and security audits
Secure backup systems with controlled retention
4. Account & Access Security
Password & Authentication Controls
Strong passwords are required across all portals
Passwords should be changed at regular intervals
Two-Factor Authentication (2FA) is supported where available
Credential sharing is strictly prohibited
Building & Business Portal Access
Buildings and businesses are fully responsible for:
Managing staff access
Revoking access immediately when staff leave
Preventing unauthorised credential sharing
Ensuring temporary staff do not retain long-term access
Wavee is not liable for data loss or breaches caused by internal access failures.
5. Data Segmentation & Least-Privilege Access
Wavee enforces strict least-privilege access policies, ensuring:
Residents only see their own building data
Concierge staff only access assigned building records
Businesses only access their own customer data
Pet community data is segregated from building data
System admins are restricted by role and require additional authorisation
6. Transaction & Payment Security
Where payments, bookings, click & collect, and service orders are enabled:
Payments are handled by certified third-party payment providers
Wavee does not store raw card numbers
Fraud detection controls are applied
Transaction logs are encrypted and monitored
All merchant fulfilment, refunds, and chargebacks remain the legal responsibility of the business.
7. Data Breach Management & Incident Response
Wavee maintains a documented Incident Response Plan.
In the event of a confirmed personal data breach:
Immediate containment and investigation take place
Risk is assessed without delay
The ICO is notified where legally required (within 72 hours)
Affected users are notified where a high risk to rights and freedoms exists
Remedial security measures are deployed
Where required by applicable law, notifications may also be made to relevant regulators or affected individuals in other jurisdictions, including Australia.
8. Data Retention & Secure Deletion
All personal data is retained strictly in accordance with our Data Retention Policy, including:
Secure deletion
Anonymisation for analytics
Time-limited backups (up to 90 days)
Permanent erasure when retention expires
9. International Data Transfers
Where personal data is processed outside the UK:
Approved safeguards are applied, including Standard Contractual Clauses (SCCs)
Equivalent security and privacy protections are required
Risk assessments are conducted prior to transfer
Where users are located in Australia, personal information may be transferred overseas, including to the United Kingdom and European Union, and reasonable steps are taken to ensure overseas recipients handle personal information in accordance with applicable privacy obligations.
10. Employee & Contractor Compliance
All Wavee employees and contractors:
Are bound by confidentiality obligations
Receive data protection training
Are subject to access controls
Operate under strict security governance
11. User Responsibilities
All users must:
Keep credentials secure
Use only authorised access
Avoid sharing login details
Report suspected security incidents immediately
12. Limitations of Security Guarantees
While Wavee applies industry-appropriate security safeguards, no digital system can be guaranteed 100% secure. Security also depends on:
User behaviour
Building internal access controls
Business security practices
Third-party technology providers
Wavee is not responsible for breaches caused outside its direct technical control.
13. Your Rights Under Data Protection Law
You have the right to:
Access your personal data
Rectify inaccurate data
Request erasure
Restrict processing
Object to processing
Request data portability
Users located in Australia may also exercise applicable rights under the Australian Privacy Act 1988 (Cth).
Requests should be submitted to:
14. Data Protection Officer (DPO)
Wavee has appointed a Data Protection Officer to oversee compliance and governance.
DPO Contact:
15. Changes to This Policy
We may update this Policy to reflect:
Changes in law
Security enhancements
Platform developments
The “Last Updated” date will always reflect the current version.
16. Contact
For data protection and security enquiries: