Privacy Policy
Last updated: July 15, 2026. This page is maintained by Marcus Mason, the operator of WaveWrench Pro, to explain how the application handles personal data. It is not a legal opinion or a certification.
1. Who we are (Data Controller)
WaveWrench Pro is operated by Marcus Mason ("we", "us", the "seller"). For the personal data described below, Marcus Mason acts as the data controller. You can reach us for any privacy request at the contact address in Section 10.
2. Data we collect
- Account data: email address, and — if you sign in with Google — your name, profile picture, and Google account ID.
- Diagnostic content: waveform images, engine-sound clips, vehicle context (year/make/model/VIN) you enter, and the AI analysis returned to you.
- Billing data: when you purchase the Pro subscription or a DIY scan pack, our payment processor (Stripe) collects your name, billing address, email, and payment method details. We receive only limited transaction metadata (customer id, subscription id, amount, status) — never your full card number.
- Operational data: basic logs (timestamps, error traces) needed to run and secure the service.
3. Legal basis for processing (GDPR / UK GDPR)
- Performance of a contract (Art. 6(1)(b)) — creating your account, running the diagnoses you request, and fulfilling your subscription or credit-pack purchase.
- Legal obligation (Art. 6(1)(c)) — retaining invoices and tax records where required.
- Legitimate interests (Art. 6(1)(f)) — securing the service, preventing abuse, and product improvement, balanced against your rights.
- Consent (Art. 6(1)(a)) — where you actively opt in (e.g. Google Sign-In authorization).
4. Google Sign-In and OAuth scopes
We use Google Sign-In through OAuth 2.0 with only the following limited scopes:
openid— to authenticate you..../auth/userinfo.email— your primary email..../auth/userinfo.profile— name and picture.
We do not access Gmail, Drive, Calendar, or Contacts, do not use Google user data for advertising, and do not sell it. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use.
5. How we use your data
- To authenticate you and keep you signed in.
- To run the AI diagnosis you request and show you the result.
- To let you save, reload, and delete past analysis sessions.
- To process payments, issue receipts, and manage subscriptions.
- To operate, monitor, secure, and improve the service.
6. Sharing with service providers
We share the minimum data required with the following processors:
- Stripe, Inc. — payment processing, subscription billing, fraud prevention, and tax collection for Pro subscriptions and DIY scan packs. Stripe receives your name, email, billing address, and payment method details directly; see the Stripe Privacy Policy.
- Google (Gemini via the Lovable AI Gateway) — receives the waveform / audio and vehicle context solely to generate your diagnosis.
- Supabase (hosting, database, authentication, storage) — stores your account and saved analyses.
- Lovable / Cloudflare — application hosting and edge delivery.
We do not sell your personal data or share it with third parties for their own advertising or marketing.
7. Security measures
- All traffic is served over HTTPS/TLS.
- Account data is stored in a managed Postgres database protected by row-level security so each user can only read their own records.
- Passwords are never stored by us — authentication is delegated to Supabase Auth / Google OAuth.
- Payment card data is handled entirely by Stripe (PCI-DSS Level 1 certified); it never touches our servers.
- Secrets and API keys are stored in an encrypted secret store.
- Access to production systems is limited to the operator (Marcus Mason).
No online service can be guaranteed 100% secure. If you become aware of a vulnerability, please contact us (Section 10).
8. Retention and deletion
- Saved analyses remain in your account until you delete them from the Profile page or delete your account.
- Account records are kept for as long as your account is active; deletion requests are honored within 30 days.
- Billing / tax records are retained by us and by Stripe for up to 7 years to meet legal obligations, even after account deletion.
- Operational logs are retained for up to 90 days.
9. Your rights
Depending on where you live (EEA/UK GDPR, California CCPA, and similar regimes), you have the right to:
- Access a copy of the personal data we hold about you.
- Rectify inaccurate data.
- Erase your account and associated saved analyses ("right to be forgotten"), subject to legal retention obligations for billing records.
- Export your data in a portable format.
- Restrict or object to certain processing.
- Withdraw consent for processing based on consent.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email the address in Section 10. You may also revoke WaveWrench Pro's access to your Google account any time from your Google Account permissions page.
10. Contact
Marcus Mason — WaveWrench Pro. For privacy requests, data access/export/ deletion, or security reports, contact the operator via the support email listed on your Stripe receipt or on the pricing page.