Privacy Policy
Last Updated: July 2, 2026
Last Updated: June 21, 2026
Data Controller
Brehm, Osipovs & Zimmermann Software GbR Birkenstr. 111 40233 Düsseldorf Germany Email: contact@wavealign.app
Note on Children
Our services are not intended for individuals under the age of 16, and we do not knowingly collect personal data from minors.
1. Introduction
Welcome to WaveAlign. We are committed to protecting your privacy and handling your personal data in a transparent and secure manner. This Privacy Policy describes how we collect, use, and share your personal data when you:
- Visit our website (the "Site")
- Use our desktop application (the "App")
Please read this policy carefully. By using our services, you agree to the collection and use of information in accordance with this policy.
2. Data We Collect
2.1 Website Data Collection
Anonymous Analytics (No Consent Required) We use anonymous analytics (PostHog) to understand basic website usage patterns without identifying individual users. This operates without cookies or persistent storage and collects:
- Page views and navigation: Which pages you visit and how you navigate our Site
- Traffic sources: UTM parameters and referrer information to understand how you found us (e.g., from search engines, social media, or advertising campaigns)
- Device and browser information: Browser type, operating system, screen resolution, and user agent string
- Approximate location: City and country derived from your IP address
- Session data: A temporary, anonymous session identifier that changes daily and cannot identify you across different days or sessions
- Aggregate conversion events: When a purchase completes, an anonymous record of the sale (amount, currency, and campaign source) with no email, no persistent identifier, and no stored IP, used solely to measure marketing effectiveness in aggregate
How it works: PostHog generates a privacy-preserving hash on our servers using your IP address, user agent, and a daily salt that is deleted after processing. This hash cannot be reversed to identify you and changes every day, meaning each day you visit appears as a new anonymous user. Legal Basis: Legitimate Interest in understanding website usage patterns and measuring marketing effectiveness.
Consent-Based Analytics (Requires Consent) If you accept analytics cookies through our cookie consent banner, we upgrade to persistent tracking which provides:
- Cross-session identification: Recognition of you across multiple visits to our Site
- User journey tracking: Understanding your behavior over time
- Advanced analytics: Feature flag assignments, A/B testing, and detailed interaction tracking
- Persistent identifiers: PostHog distinct IDs stored in cookies/local storage
This enhanced tracking collects the same data types as anonymous analytics, but with persistent identifiers that allow us to recognize you on return visits. Legal Basis: Consent (GDPR Article 6(1)(a))
Information You Provide:
- Email Address: When you contact us or sign up for communications
- Marketing Consent: Whether you have provided explicit consent to receive marketing communications
- Server Logs: Our hosting provider automatically collects standard server logs, which may include your IP address, browser type, page requests, and timestamps
2.2 Advertising and Marketing Technologies
We use advertising pixels and cookies from third-party platforms to measure the effectiveness of our marketing campaigns and deliver relevant advertising. These services may collect information about your visit to our website and your interactions with our ads.
Cookie Consent Requirement: Before any advertising technologies are activated, you will see a cookie consent banner asking for your explicit permission. You can choose to:
- Accept all cookies (analytics + advertising)
- Accept only essential cookies (advertising disabled)
- Customize your preferences
Advertising pixels will only be activated if you provide explicit consent through this banner.
Platforms we use:
- Google Ads (Conversion tracking and remarketing)
- Meta Pixel & Conversions API (Facebook/Instagram advertising)
- TikTok Pixel & Events API (TikTok advertising)
What they collect:
- Your IP address
- A hashed (pseudonymised) version of your email adress
- a hashed pseudonymous identifier and ad-platform cookie IDs
- Browser type and version
- Pages you visit on our website
- Whether you arrived from one of our advertisements
- Actions you take on our Site
- Device identifiers and advertising IDs
How we use this data:
- Measure conversion rates from our advertising campaigns
- Show you relevant ads on Google, Facebook, Instagram, and TikTok
- Create audiences of similar users who might be interested in WaveAlign
- Optimize our advertising spend
Your choices: You can opt out of personalized advertising:
- Meta (Facebook/Instagram)
- TikTok
- Your browser's "Do Not Track" settings
2.3 Desktop Application Data Collection
Application Metadata:
- App Version: Retrieved from application initialization
- App Lifecycle Events: When the app starts (
app_opened) and closes (app_closed)
User Interface Interactions:
- Button Clicks: Process button interactions (start/cancel actions), feedback button clicks, settings dialog openings
- Settings Changes: Target loudness adjustments with previous and new values
- Path Selections: Length (character count) of selected input paths, output paths, and backup paths (actual file paths are never collected)
- Dead Click Tracking: Clicks on disabled interface elements for user experience analysis, including element identifiers
Audio Processing Data (Per Track): For each processed audio file, we collect:
- File Extension: .mp3, .wav, .flac, .aiff, .aif — no other information about the processed file
- Loudness Measurements: Original and adjusted loudness values (LUFS), original and adjusted peak values (dB)
- Processing Status: Whether tracks were skipped due to clipping, caching, unsupported format, or processing errors
Technical Data Collected Automatically (via PostHog):
- System Information: Operating system and version, browser engine details, device type
- Network Data: approximate geographic location (city, country, timezone) derived from your IP address. We have configured PostHog to not retain IP addresses — the IP is used transiently at ingestion to derive the approximate location and is then discarded, so it is not stored with your events
- Display Information: Screen resolution and viewport/window dimensions
- Session Data: Pseudonymous session and device identifiers for analytics correlation
- Library Information: PostHog SDK version and configuration details
Privacy Safeguards in Desktop App:
- Only file extensions are collected, never full file paths or file names
- Only path lengths are collected, not actual directory structures
- Identifiers are pseudonymous (randomly generated, not personally identifiable)
- Geographic data is approximate (city-level, derived from IP address)
- Data collection is limited to supported audio formats only
- Analytics collection is optional and can be disabled at any time in the application settings
App analytics consent is managed independently from website cookie consent — the two are not linked. Accepting or rejecting cookies on our website has no effect on app analytics, and vice versa.
License Activation (Polar) — independent of analytics consent: To activate your license and enforce the per-device limit, the App transmits the following to Polar Software, Inc. (United States):
- License Key
- Device fingerprint: a pseudonymous SHA-256 hash derived from your device's hardware identifier. Where no hardware identifier is available, this value is left empty.
Purpose and legal basis: performance of the license contract (Art. 6(1)(b) GDPR). This processing occurs regardless of your analytics choice. For license enforcement Polar acts as our processor; for the purchase transaction Polar acts as Merchant of Record and as an independent controller (see Section 4). Transfers to the United States are based on the EU Standard Contractual Clauses (Art. 46 GDPR).
Update Check (Vercel): At launch, the App fetches a version manifest from Vercel Inc. (United States), which discloses your IP address to Vercel as a necessary consequence of the connection. No further data is transmitted, and no update is installed without your confirmation.
Purpose and legal basis: keeping the App functional and up to date (Art. 6(1)(b) GDPR). The transfer is covered by Vercel's certification under the EU-US Data Privacy Framework (Art. 45 GDPR) and, additionally, the Standard Contractual Clauses.
Data Stored Locally on Your Device (never uploaded to us):
- Settings (your preferences)
- License state (your license key and activation identifier, in obfuscated form)
- Processing cache — includes file paths and may contain your operating-system username; retained until you clear it in Settings
- Session log files — include file paths and error details; up to 100 files retained on a rolling basis, deletable in Settings
This data stays on your device and is not transmitted to us or any third party.
3. How We Use Your Data (Purpose and Legal Basis)
3.1 Website Data Usage
To Analyze Site Usage, Measure Marketing Effectiveness, and Improve the Site (Anonymous Analytics — No Consent Required):
- Purpose: Understand basic website traffic patterns, measure effectiveness of marketing campaigns (including UTM parameters from advertising sources), identify popular content, and optimize website performance. This also includes measuring completed-purchase conversions in aggregate, using no personal identifiers, so we can assess campaign return on investment even where analytics consent has not been given.
- Legal Basis: Legitimate Interest in understanding how our website is used and measuring the return on our marketing investments
- Data Processing: PostHog processes this data using anonymous, non-persistent identifiers that cannot track you across different days
To Enable Advanced Analytics and Cross-Session Tracking (Consent-Based):
- Purpose: Recognize returning visitors, analyze user journeys over time, perform A/B testing, and deliver personalized feature experiences
- Legal Basis: Your explicit Consent, obtained through the analytics consent banner
- Data Processing: PostHog stores persistent identifiers in cookies/local storage only when you have consented
To Send You Marketing Communications:
- Purpose: Inform you about WaveAlign updates and send marketing information
- Legal Basis: Your explicit Consent, obtained through the signup form
3.2 Desktop Application Data Usage
To Improve Application Performance and User Experience:
- Purpose: Understand how users interact with the application, identify usability issues, measure feature effectiveness, and optimize the user interface
- Legal Basis: Your explicit Consent (Art. 6(1)(a) GDPR), obtained through the in-application analytics consent prompt. Analytics is off by default and the App is fully functional without it
To Enhance Audio Processing Features:
- Purpose: Analyze processing patterns, identify common issues, improve audio processing algorithms, and ensure compatibility with various audio formats
- Legal Basis: Your explicit Consent, obtained through the in-application analytics consent prompt
To Provide Technical Support:
- Purpose: Diagnose technical problems, understand error patterns, and improve application stability
- Legal Basis: Your explicit Consent (Art. 6(1)(a) GDPR), obtained through the in-application analytics consent prompt
3.3 Shared Purposes (Website and Desktop App)
For Security and Troubleshooting:
- Purpose: Monitor for and prevent fraudulent or malicious activity, diagnose technical problems, and maintain security
- Legal Basis: Our Legitimate Interest in protecting our services and business operations
To Comply with Legal Obligations:
- Purpose: Comply with applicable laws, regulations, and legal processes
- Legal Basis: Compliance with a legal obligation
4. How We Share Your Data (Third Parties)
We share your personal data with third-party service providers who perform services on our behalf. These third parties are obligated to protect your data and use it only for the purposes we specify.
Brevo (Email Marketing Service): We share your email address and marketing consent status with Brevo to manage our email contact list and send you marketing communications (website only).
PostHog (Analytics): We share usage data, identifiers, and event information with PostHog to perform:
- Website analytics, A/B testing, and feature flag management (website data)
- Application usage analytics and user experience analysis (desktop app data, only if you have consented in the application settings)
- Geographic and technical data processing for both website and desktop analytics
- Anonymous Analytics (no consent required): Page views, traffic sources (including UTM parameters), device information, and approximate location are processed using privacy-preserving, non-persistent identifiers.
PostHog, Inc. acts as our processor under a data processing agreement (Art. 28 GDPR). All analytics data is hosted on PostHog Cloud EU (AWS data centre, Frankfurt, Germany), and we have disabled IP-address retention, so events are stripped of IP-derived personal data on ingestion.
Polar.sh (License Activation and Payment), Polar Software, Inc., United States: Polar serves two roles. (1) License activation/enforcement — the desktop App transmits your license key and pseudonymous device fingerprint to Polar to enforce the per-device limit; here Polar acts as our processor under a data processing agreement (Art. 28 GDPR). (2) Purchases — license purchases are processed by Polar as Merchant of Record and independent controller; we do not directly handle or store your payment information, and Polar (with its payment subprocessor Stripe) processes payment data under its own privacy policy. Transfers to the United States are based on the EU Standard Contractual Clauses (Art. 46 GDPR).
Vercel (Software Update Service), Vercel Inc., United States: When the desktop App checks for updates, it fetches a version manifest from Vercel's network, disclosing your IP address. The transfer to the United States is covered by Vercel's certification under the EU-US Data Privacy Framework (Art. 45 GDPR) and the Standard Contractual Clauses.
Advertising and Marketing Platforms: We share your website usage data, device information, and interaction data with the following advertising platforms to measure campaign effectiveness, perform conversion tracking, and deliver relevant advertising:
- Google Ads — for advertising campaigns, conversion tracking, and remarketing (Privacy Policy)
- Meta Platforms (Facebook/Instagram) — for advertising campaigns and the Meta Pixel for conversion tracking and remarketing including server-side conversion events (Conversions API / Events API) containing a hashed email address and technical identifiers, sent only with your advertising consent. (Privacy Policy)
- TikTok — for advertising campaigns and TikTok Pixel for conversion tracking and remarketing including server-side conversion events (Conversions API / Events API) containing a hashed email address and technical identifiers, sent only with your advertising consent. (Privacy Policy)
Hosting Provider: Your website data, including server logs, is processed and stored by our hosting provider as necessary to operate the Site.
We do not sell your personal data. We may also disclose your data if required by law or in response to valid requests by public authorities.
5. Cookies and Tracking Technologies
5.1 Website Cookies
Anonymous Analytics (No Cookie Consent Required) Our website uses PostHog anonymous analytics by default, which operates without cookies or persistent browser storage. This means:
- No data is stored on your device
- You cannot be tracked across different days or sessions
- Each visit appears as a new anonymous user
- Page views and UTM parameters (traffic sources) are collected to understand basic website usage and marketing effectiveness
Legal Basis: Legitimate interest in understanding website usage and measuring marketing campaign performance.
Cookie Consent Banner: When you first visit our website, you will see a cookie consent banner that allows you to:
- Accept all cookies (including advertising and analytics)
- Reject non-essential cookies (advertising and analytics disabled)
- Customize your cookie preferences
- Review and change your choices at any time
Our website uses cookies and similar tracking technologies from both first-party (PostHog) and third-party services (Google, Meta, TikTok) to:
- Analyze website usage (requires consent)
- Remember your preferences (essential, no consent required)
- Track advertising effectiveness (requires consent)
- Enable retargeting campaigns (requires consent)
You can control cookies through:
- Our cookie consent banner (recommended)
- Your browser settings (may limit functionality)
Cookie Duration:
- Essential cookies: Session end or a few days
- Analytics cookies: Up to 1–2 years unless consent is withdrawn
- Advertising cookies: Up to 1–2 years unless consent is withdrawn
Withdrawing Consent: You can withdraw your cookie consent at any time by clearing your browser cookies or using the "Manage Cookie Preferences" link at the bottom of this page.
5.2 Desktop Application Analytics
The desktop application uses PostHog for optional analytics. Analytics collection is disabled by default and requires your explicit consent through the in-application consent prompt on first launch. You can change your analytics preference at any time in the application settings.
This consent is entirely separate from the cookie consent banner on our website — accepting cookies on the website does not enable app analytics, and enabling app analytics does not affect your website cookie preferences.
When analytics are enabled:
- capture_pageview: Disabled (no automatic page view tracking)
- Data Collected: System information, usage events, and geographic data as described in Section 2.3
- Identifiers: Pseudonymous session and device identifiers for analytics correlation
When analytics are disabled, no usage data is transmitted from the application.
6. Data Retention
Email Address and Marketing Consent: Retained while you remain subscribed to our mailing list or until you withdraw consent, unless a longer retention period is required by law.
Website and Desktop Application Analytics Data: Retained by PostHog for up to seven (7) years in line with our PostHog plan. Because IP addresses are not retained (see Section 4), the stored analytics data does not identify you. You can request deletion of your application analytics data at any time by contacting us, subject to the limitation noted in Section 9.2.
Audio Processing Data: Aggregated and anonymized processing statistics may be retained to improve our algorithms. Individual track data is not linked to personal identifiers.
Payment Records: Transaction records are retained by Polar.sh in accordance with their privacy policy and applicable legal retention requirements.
7. Data Security
We have implemented appropriate technical and organizational security measures designed to protect your personal data from accidental loss and unauthorized access, use, alteration, and disclosure. However, no method of transmission over the Internet or electronic storage is 100% secure.
Desktop Application Security: Analytics data from the desktop application is transmitted using secure protocols and encrypted in transit.
In the event of a personal data breach, we will notify affected individuals and regulators as required by applicable law.
8. Your Data Protection Rights
For Users in the European Economic Area (EEA), UK, and Switzerland: Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
- Right to Be Informed — Know what data we collect and how we use it
- Right to Access — Request a copy of the personal data we hold about you
- Right to Rectification — Ask us to correct inaccurate data
- Right to Erasure — Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing — Ask us to limit how we use your data
- Right to Data Portability — Receive your data in a portable format
- Right to Object — Object to processing based on legitimate interest or direct marketing
- Right to Withdraw Consent — Withdraw consent for marketing or analytics at any time without affecting the lawfulness of prior processing
- Right to Lodge a Complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with a data protection authority. Our competent supervisory authority is:
- Germany (our authority): Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
- Other EU countries: you may also complain to the authority in your country of residence — find your local authority
Automated decision-making: We do not carry out any automated decision-making producing legal or similarly significant effects within the meaning of Art. 22 GDPR.
9. How to Exercise Your Rights
To exercise your rights or withdraw consent, contact us at contact@wavealign.app.
9.1 Website Consent Management
Withdraw Marketing Consent: Click the "unsubscribe" link in any marketing email or contact us directly.
Withdraw Website Analytics Consent:
- Click "Manage Cookie Preferences" at the bottom of this page to re-open the consent banner
- OR: Clear your browser cookies and refresh the page
- OR: Contact us at contact@wavealign.app and we will manually remove your consent
Withdraw Advertising Consent:
- Use the same methods as analytics consent above
- Additionally, you can opt out directly through advertising platforms:
9.2 Desktop Application Consent Management
You can enable or disable analytics collection at any time through the application settings. When you disable analytics, data collection stops immediately and no further usage data is transmitted.
To request access to, correction of, or deletion of any personal data already collected through the application, contact us at contact@wavealign.app.
Please note: the application analytics data is pseudonymous and contains no identifier we can link back to you (Art. 11 GDPR). We may therefore be unable to locate your specific records in response to an access or erasure request, although we will assist where you can provide information that enables identification.
10. International Data Transfers
Some of our service providers are located outside the EU/EEA (primarily in the United States). Where that is the case, we ensure an appropriate safeguard under Chapter V GDPR for each transfer:
- PostHog (analytics): hosted on PostHog Cloud EU (Frankfurt, Germany) — analytics data is not transferred to a third country.
- Polar (license activation and payment), United States: EU Standard Contractual Clauses (Art. 46 GDPR).
- Vercel (update service), United States: EU-US Data Privacy Framework certification (Art. 45 GDPR) and Standard Contractual Clauses.
- Google, Meta, and TikTok (website advertising including via server-side Conversions API / Events API, only with your consent), United States: EU-US Data Privacy Framework and/or Standard Contractual Clauses, as provided by each platform.
You may request a copy of the relevant Standard Contractual Clauses by contacting us at contact@wavealign.app.
11. Changes to This Policy
We may update this Privacy Policy periodically. Changes will be published on this page with a revised "Last Updated" date. For significant changes, we will also notify desktop application users through the application itself. We encourage you to review this page regularly.
12. Contact Us
If you have questions about this policy or want to exercise your data rights, contact us:
Brehm, Osipovs & Zimmermann Software GbR Birkenstr. 111 40233 Düsseldorf Germany
Email: contact@wavealign.app
If you want to change your cookie preferences or see the consent banner again, you can do so here: