Privacy Policy

KWAVE is operated by OpenEdu Inc. ("KWAVE", "we", "us"). We provide an agent-operations platform that lets a company run AI agents to automate work across the SaaS tools it already uses, including social platforms.

This policy explains what data we collect, how we store it, who we share it with, and how you can access or delete it. It applies to everyone who uses kwave.ai, agent.kwave.ai, or any other domain we operate.

2.1 Account data

When you sign up we store your email address, display name, and the authentication identifiers our identity provider returns. We also store the company workspaces you create and the role you hold in each.

2.2 Connected platform data

When you connect a social platform (YouTube, Facebook, Instagram, and other providers as we add them), the provider returns OAuth access and refresh tokens scoped to the page, channel, or account you select. We store:

• OAuth tokens — encrypted at rest with AES-256-GCM using a key held only by our infrastructure. Tokens are never written to logs.
• Account identifiers — page id, channel id, Instagram business id, and the human-readable name you selected during connect.
• Action audit log — every time an agent uses a token (e.g., publishes a post, fetches insights), we record the company id, provider, tool name, and timestamp. We do not persist the response payload.

We do not pull your full social graph, follower lists, or message inboxes unless a specific tool you invoke requires them. We do not read or store messages from people who are not you.

2.3 Operational data

We collect IP address, user agent, request timing, and error traces for security and debugging. These rotate out of our logs within 30 days.

We only use the data above to do what you asked us to do:

• Run the agents you configured against the platforms you connected.
• Refresh OAuth tokens before they expire so your automations keep working.
• Show you what your agents did (audit log, dashboards, billing usage).
• Notify you when something needs your attention (a token expired, a platform reported a policy issue, your subscription needs updating).
• Detect and stop abuse on a per-company basis (e.g., suspending tokens that show spam patterns).

We do not sell your data. We do not use connected-platform data to train AI models. We do not share your data with advertisers.

We use the following sub-processors to operate the platform. Each one only receives the data needed to perform its function.

Connected social platforms (Google / YouTube, Meta / Facebook / Instagram) are not sub-processors — they are upstream services you authorized us to call on your behalf, and your data with them is governed by their own privacy policies.

• OAuth tokens — kept until you disconnect the platform in Settings, delete your company workspace, delete your KWAVE account, or the upstream provider notifies us of a deletion request (see §7).
• Action audit log — 12 months, then deleted.
• Operational logs — 30 days, then deleted.
• Account data — kept until you delete your account, then deleted within 30 days. We may keep billing records longer where tax law requires it.

You can, at any time:

• Disconnect a platform — Settings → Connectors → Disconnect. Token is purged immediately.
• Delete a company workspace — Settings → Workspace → Delete. Cascades through all agent data, tokens, and audit logs for that workspace.
• Delete your account — Settings → Account → Delete. We process within 30 days.
• Request your data — email info@kwave.ai and we will send a JSON export within 30 days.
• File a complaint — if you are in the EEA / UK / Switzerland and we have not addressed a concern, you may contact your local data protection authority.

See our Data Deletion page for the dedicated request flow that platform reviewers (Meta, Google) require.

If you delete your Facebook account or remove the KWAVE app from your Facebook settings, Meta sends us a signed deletion request. On receipt we:

1. Verify the request signature using our app secret.
2. Delete the OAuth tokens and cached account identifiers tied to that user within 30 days.
3. Return a confirmation URL and tracking code to Meta so you can verify deletion progress.

We cannot remove posts that were already published to your Facebook page or Instagram account — those live in your account on Meta's servers and are removed only when you remove them in Meta.

KWAVE is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.

Our infrastructure is in the United States. If you access the service from outside the US, your data is transferred to the US. For users in the EEA / UK / Switzerland we rely on the European Commission's Standard Contractual Clauses (2021).

We encrypt OAuth tokens with AES-256-GCM, transport everything over TLS 1.2+, isolate each company's data with explicit company-id checks at every query boundary, and authenticate all internal service-to-service calls with HMAC. Access to production infrastructure is limited to a small number of named operators and logged.

No system is perfectly secure. If you discover a vulnerability, email info@kwave.ai.

When we make a material change we update the effective date at the top of this page. If the change affects how we use data you have already shared, we will email you before it takes effect.

For privacy questions, data requests, EU GDPR matters, security reports, or to invoke any right described above, email info@kwave.ai.

OpenEdu Inc., United States.