Privacy Policy

1. Who we are

Waves is an independent app. You can reach us via our contact form. For the purposes of applicable data protection law, we are the controller of any personal data processed in connection with this policy — which, as you'll read below, is very little.

2. What data Waves processes and where it lives

Waves is designed around a core principle: your data stays on your device. There is no Waves server, no cloud database, and no account in the traditional sense. Here is everything that exists:

• Your profile (display name, photo, bio, contact info, discovery preference) — stored only in your phone's local app storage.
• Waves you have sent — stored only on your phone.
• Waves you have received — stored only on your phone.
• Mutual matches (Vibes) — stored only on your phone.
• Bluetooth discovery token — a random identifier broadcast locally over Bluetooth/Wi-Fi Direct. It is not linked to your identity and rotates every 15 minutes.

3. How nearby discovery works

When you open Waves with discovery enabled, your device broadcasts a short anonymous signal using Bluetooth Low Energy and Wi-Fi peer-to-peer technology (Google Nearby Connections). This signal contains only your rotating anonymous token — not your name, photo, or any personal information.

When another Waves user is detected nearby, the two devices establish a direct encrypted connection to exchange profile data. This exchange happens entirely between the two devices; no data passes through any Waves-controlled infrastructure.

You can disable discovery at any time in Profile settings, which immediately stops broadcasting.

4. How waving works

When you wave at someone:

• A notification is sent to the other person's device via the existing peer-to-peer connection, containing only the fact that "someone nearby waved" — your identity is not included at this stage.
• If the other person waves back, both devices exchange full profiles directly over the peer-to-peer link. This includes the contact details each party chose to share.
• If the other person does not wave back, they never learn your identity. The wave record exists only on your own device.

5. Third-party services

Waves uses the following third-party SDKs on the device:

• Google Nearby Connections API — used for peer-to-peer device discovery and data transfer. Google's privacy policy applies to this SDK's use of Bluetooth and Wi-Fi hardware. We do not send any user-identifiable data to Google through this API.
• Coil (image loading library) — used to display profile photos stored locally on the device. No data is transmitted externally.

We do not integrate any analytics SDKs, advertising SDKs, or crash-reporting services that would transmit personal data off the device.

6. Permissions we request

• Bluetooth & Nearby Devices — required to discover and connect to nearby phones running Waves.
• Wi-Fi — required for Wi-Fi Direct peer-to-peer connections via Nearby Connections.
• Location (approximate, while using app) — required by Android to use Bluetooth scanning. We do not record or transmit your location. We use a one-time system cache lookup only when needed for platform requirements; no continuous GPS polling occurs.
• Notifications — to alert you when you receive a wave or a mutual match occurs.
• Photos / media — only if you choose to set a profile photo from your gallery.
• Foreground service — to keep Bluetooth discovery running while the app is in the foreground.

7. Contact form

If you use the in-app contact form or the contact form on this website, your message (name, email, topic, and message text) is submitted to Formspree, a third-party form service, which forwards it to our email address. Formspree's own privacy policy governs that submission. We use this data only to respond to your message and do not retain it beyond that purpose.

8. Children

Waves is not intended for use by anyone under the age of 18. We do not knowingly collect data from minors. Because all data is stored locally, we have no mechanism to verify or enforce age at a server level — we rely on platform (Google Play) age gates and parental controls.

9. Your rights

Under GDPR, UK GDPR, and similar frameworks, you have rights including access, rectification, erasure, restriction, and portability of your personal data. Because all data lives on your device, you exercise these rights directly:

• Access & portability — your data is on your phone; you have full access to it.
• Rectification — edit your profile at any time in the Profile tab.
• Erasure — uninstall the app. All data is permanently deleted with no server-side residue.
• Restriction / objection — disable discovery in Profile settings to stop broadcasting.

For any rights request relating to data submitted via the contact form, reach us via our contact form and we will respond within 30 days.

10. Data retention

On-device data persists until you uninstall the app or use the "Start fresh" option in Profile settings (which clears waves and vibes but retains your profile). Contact form submissions received by email are retained only as long as needed to resolve your query.

11. Security

Peer-to-peer profile exchanges occur over encrypted connections provided by the Google Nearby Connections API. Since there is no central server, there is no central point of attack. Your device's own security (lock screen, OS encryption) protects locally stored app data.

12. Changes to this policy

We will update this page if our practices change and note the revision date at the top. Significant changes will be communicated via an in-app notice. Continued use of the app after a change constitutes acceptance of the updated policy.

13. Contact

Questions about this policy or your data? Use our contact form. We read every message.