Privacy Policy

Wave Atlas is an AI-powered podcast intelligence platform operated by its founders. If you have any questions about this policy or your data, contact us at [email protected].

• Account data: email address, display name, and hashed password.
• Podcast library: the RSS feeds and podcasts you choose to follow.
• Usage records: which AI features you use (transcription, summaries, digests, chat) and when, for billing and abuse prevention. We do not store the content of your AI chat messages beyond what is shown in the UI.
• API keys (BYOK): if you choose to connect your own OpenAI, Anthropic, or ElevenLabs API key, it is encrypted at rest using AES-256 and only decrypted transiently when you trigger an AI action. We do not read or log the key value.
• Billing: subscription and payment records are managed by Stripe. We store only a Stripe customer ID — no raw card data ever touches our servers.
• Log data: standard server logs including IP address, browser type, and request timestamps, retained for up to 90 days for security purposes.

We process your data on the following legal bases under GDPR Art. 6:

• Contract performance (Art. 6(1)(b)): to provide the service you signed up for — account management, AI feature delivery, and billing.
• Legitimate interest (Art. 6(1)(f)): security, fraud prevention, abuse detection, and product analytics that help us improve the service.
• Compliance (Art. 6(1)(c)): where we are required to retain records by law (e.g. financial records).

Wave Atlas fetches podcasts from publicly available RSS feeds at URLs you provide. Audio files are transcribed using AI (OpenAI Whisper or compatible). Transcripts, summaries, and digests are generated for your personal use only — they are not published or sold to third parties. AI-generated content is cached internally and may be shared anonymously across users who follow the same podcast (keyed by the podcast's RSS GUID, not your identity).

When you trigger AI features using our platform keys, your podcast audio and/or transcripts are sent to the following providers under their respective privacy policies:

• OpenAI (transcription, summaries, chat, text-to-speech) — openai.com/policies/privacy-policy
• ElevenLabs (premium text-to-speech) — elevenlabs.io/privacy
• Anthropic (optional summarization / chat) — anthropic.com/privacy

If you use BYOK, your API key is transmitted directly to the respective provider on your behalf. You are responsible for compliance with that provider's terms of service.

We use one strictly necessary cookie: a refresh_token HttpOnly cookie set at login. It is required for authentication and cannot be opted out of while using the service. It contains no tracking or advertising data. It expires after 30 days or when you sign out.

We do not use advertising cookies, analytics cookies, or third-party tracking pixels.

• Account data: retained until you delete your account.
• AI usage records: retained for 12 months, then deleted.
• Audio digest files: retained for 6 months after generation in shared storage.
• Server logs: retained for up to 90 days.
• Shared AI cache (transcripts, summaries): retained indefinitely as de-identified data keyed by RSS GUID. Deleting your account does not remove shared cache entries, as they contain no personal data.

If you are in the EU/EEA, you have the right to:

• Access — request a copy of your personal data by emailing us at the address below.
• Rectification — correct inaccurate data (you can update your name and email in Profile Settings).
• Erasure — delete your account and all associated personal data at any time from Profile Settings.
• Portability — request a machine-readable copy of your data by emailing us.
• Restriction / Objection — contact us at the email below.
• Lodge a complaint — with your local supervisory authority (e.g. ICO in the UK, CNIL in France).

California residents may request access to, correction of, or deletion of their personal information by emailing [email protected]. We do not sell personal information.

Wave Atlas is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has created an account, contact us and we will delete it.

We may update this policy when we change how we process data. The “Last updated” date at the top will reflect any changes. Significant changes will be communicated via email.

For any privacy-related questions or requests: [email protected]