Privacy Policy

Last updated: April 2026

1. Data Controller

Wavee is operated by Vela Advisory (“we”, “us”). We are the data controller responsible for your personal data. For privacy-related inquiries, contact our data protection lead at privacy@wavee-ai.com

2. Data We Collect

We collect the following categories:

  • Account data: name, email address, phone number, password (hashed, never stored in plain text)
  • Profile data: photo, social links, preferences, co-rider connections
  • Booking data: dates, times, payment amounts, session history, co-rider guest lists, waiver signatures
  • Provider data: business name, boat details, availability, pricing, location, bank account details (held by Stripe)
  • Usage data:pages visited, features used, device type, browser (collected via Vercel Analytics — cookie-free, no personal identifiers)
  • Communication data: messages sent through the platform, support requests

3. Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing your bookings, payments, and account management. This is necessary to deliver the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): Platform security, fraud prevention, service improvement, and direct marketing about our services. We balance our interests against your rights and freedoms. You may object to processing based on legitimate interest at any time (see Section 8).
  • Consent (Art. 6(1)(a)): Promotional communications via email and WhatsApp. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Legal obligation (Art. 6(1)(c)): Retaining financial records for tax and accounting compliance, and responding to lawful data access requests.

4. How We Use Your Data

  • Process bookings, payments, refunds, and payouts
  • Send transactional notifications via email and WhatsApp (booking confirmations, reminders, cancellations, payment receipts)
  • Send promotional communications about new features, activities, special offers, and platform updates (with your consent)
  • Personalise your experience based on your booking history and preferences
  • Verify your identity during signup
  • Enable communication between riders and providers
  • Generate anonymised analytics and statistics about platform usage, booking trends, and activity popularity
  • Create marketing content using anonymised and aggregated data (e.g. “500+ sessions booked this month”)
  • Prevent fraud, enforce our terms of service, and maintain platform security
  • Comply with legal obligations and respond to lawful requests

5. Marketing Communications

With your consent, we may send you promotional messages about new features, watersport activities, seasonal offers, provider highlights, and platform updates via email and WhatsApp.

You can opt out of marketing communications at any time by:

  • Clicking the “unsubscribe” link in any marketing email
  • Replying STOP to any promotional WhatsApp message
  • Updating your notification preferences in your account settings
  • Contacting us at privacy@wavee-ai.com

Opting out of marketing does not affect transactional messages essential to the service (booking confirmations, reminders, payment receipts).

6. Data Storage, Security, and International Transfers

Your data is stored securely on Supabase (hosted in AWS regions) with row-level security policies enforcing access control at the database level. Passwords are hashed using industry-standard algorithms and never stored in plain text. Payment data is processed by Stripe — Wavee never sees or stores your card details.

Your data may be transferred to and processed in countries outside the UAE and the European Economic Area (EEA), including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Stripe and Supabase operate under Standard Contractual Clauses (SCCs) approved by the European Commission
  • Vercel processes only anonymised, cookie-free analytics data
  • All third-party processors are bound by data processing agreements that require GDPR-equivalent protections

7. Third-Party Services (Sub-processors)

We share data with the following third-party processors, each bound by data processing agreements:

  • Stripe— payment processing and provider payouts (PCI DSS compliant)
  • Supabase— database, authentication, and file storage
  • Meta (WhatsApp Business)— transactional and promotional messages
  • Resend— transactional and marketing email delivery
  • Twilio— SMS fallback for notifications
  • Vercel— hosting and privacy-friendly analytics (cookie-free)
  • Google Maps— location display on listings (no personal data shared)

We do not sell, rent, or trade your personal data to third parties. We do not share your data with advertising networks.

8. Your Rights (GDPR)

Under the General Data Protection Regulation and applicable UAE data protection laws, you have the following rights:

  • Access (Art. 15): Request a copy of the personal data we hold about you.
  • Rectification (Art. 16): Correct inaccurate or incomplete personal data.
  • Erasure (Art. 17): Request deletion of your personal data. You can delete your account from your profile settings, or contact us.
  • Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Object (Art. 21): Object to processing based on legitimate interest, including direct marketing. We will stop processing unless we demonstrate compelling legitimate grounds.
  • Withdraw consent (Art. 7): Withdraw consent for marketing communications at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@wavee-ai.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with a supervisory authority.

9. Data Retention

We retain your data for as long as your account is active and as necessary to provide the service. Specifically:

  • Account data: retained while your account is active, deleted within 30 days of account deletion
  • Booking records: retained in anonymised form for 7 years for legal, tax, and accounting compliance
  • Payment data: retained by Stripe per their retention policy; Wavee does not store payment card data
  • Waiver signatures: retained for 7 years for legal and insurance purposes
  • Marketing preferences: your opt-out choice is retained indefinitely to ensure we respect it

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, describing the nature of the breach and the measures we are taking.

11. Children’s Privacy

Wavee does not knowingly collect personal data from children under 18. Accounts may only be created by individuals aged 18 or older. If we discover that we have collected data from a child under 18, we will delete it promptly.

12. Cookies and Tracking

Wavee uses only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party cookie-based analytics. Vercel Analytics is cookie-free, does not collect personal identifiers, and is GDPR compliant by design.

13. Changes to This Policy

We may update this privacy policy from time to time. We will notify registered users of material changes via email at least 14 days before they take effect. The “last updated” date at the top reflects the most recent revision.

14. Contact

For privacy-related inquiries, data access requests, or to exercise your rights, contact us at privacy@wavee-ai.com

Vela Advisory, Dubai, United Arab Emirates