WAVE PRIVACY POLICY - V2.0 - Oct 18th, 2022
Introduction
The company Wave offers coaching services (the “Services”) as described in its general terms and conditions of use and sale (“GTCS”) accessible on its Site and Platform through the following URL: https://www.wave.ai/terms.
During the provision of its Services, Wave collects and processes personal data from its users and clients (“You”) through the Platform or by any other means.
Data protection is highly important to Wave.
Wave undertakes to comply with data protection legal provisions applicable under both European and French law, notably:
- The French law no 78-17 of 6 January 1978 relating to data processing, data files, and individual liberties (“French Data Protection Act”);
- The Regulation no 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”);
(hereinafter collectively referred to as the “Data Protection Laws”);
The purpose of this Privacy Policy is to help You understand how Wave uses your personal data and follows the best practices to protect them in compliance with the Data Protection Laws. In case of doubt or for any question regarding the use of your personal data, we are only one email away at dpo@wave.ai.
By accessing and/or using our Site, Platform and/or Wave Services, you agree to the use of your personal data by Wave as described in this Privacy Policy. If you do not agree with this Privacy Policy or any of its updates, you should not use our Site, Platform and/or Wave Services.
Hypertext links may lead to third parties’ websites which have their own privacy policies and cookie policies. Third parties’ privacy policies shall be read by You. Wave accepts no responsibility as to the way personal data are collected and processed by these third parties.
1 • Who is the Data Controller?
The data controller is Wave, a simplified joint-stock company under French law, having its registered office located 65 rue de la Croix, 92000, Nanterre, France, registered with the trade and companies register of Nanterre under number 881 114 037.
Should you have any question about your personal data, You may contact us at the following address: dpo@wave.ai.
2 • Who are the Data Subjects?
Wave may collect and process personal data from the following data subjects:
- “Prospect”, means any individual who is potentially interested in Wave Services;
- “Visitor”, means any individual who visits our Site;
- “Client”, means any individual who received a registration confirmation to the Wave Services by e-mail or by signing a separate agreement with Wave (as the case may be).
- “User” or “You”, means any of the data subjects mentioned hereinabove.
3 • What types of personal data are collected by Wave?
We consider that, as far as possible, Wave should coach You without knowing everything about You. We try to collect and process only the minimum amount of information we need from You to provide the Wave Services. That’s how Wave is designed.
Most of the time, we collect personal data directly from You.
As a Prospect or Visitor of our Site, we may collect the following personal data from You:
- Identification information: name, first name, e-mail address, request for information and/or documentation;
- Identification about your use of our Site: when you visit our Site, we may track, collect and aggregate information indicating among other things, which pages of our Site you visited, the order in which you visited them, when you visited them and which hyperlinks you clicked (if any). In connection with our collecting of such information, we may also log the IP address, operating system and browser software used by You during your interaction with our Site. We may also collect information by using cookies when You visit our Site.
As a Client of Wave, there are three (3) types of information that You will give us access to, and only part of this information is personal data within the meaning of the Data Protection Laws:
- Identification and billing information:
- personal data needed for registration and payment of the Wave Services
- your name, first name, address, e-mail address, company name, payment info, IP address, operating system, browser software used by You during your interaction with our Site and/or Platform, your login data (to access your personal user account) to the Platform, information collected through cookies when You visit our Site and/or Platform
- Public contextual information about your company: funding stage, industry, number of employees, reputation, etc. We collect this public information from the web, from third parties or from You if You voluntarily share it with us. In the latter case, please note that You must refrain from providing Wave with information about your company which is not publicly official or which is (or should be) confidential. Before providing Wave with information about your company, please ensure that You are allowed to do so.
- Contextual information about You or your company for your coaching: your position within the company, number of employees under your management (if any) and/or within your service/department/business unit, areas of development, objectives, professional context, how You feel, etc. You share this information voluntarily during the coaching process via your e-mails, entries in the journal, form answers, or any documents that You want to share with us.
We do our best to pseudonymize as much information as possible during the provision of the Services, to keep it confidential and secure.
The contextual information about You or your company for your coaching, as defined hereinabove, is referred to as your “Coaching Story”.
The public contextual information about your company, as defined hereinabove, is referred to as your “Company Public Data”.
Your Coaching Story refers to the data we collect to analyze your profile and your needs and provide You with our Wave Services.
The term “Data” refers to your “Identification and billing information”, your “Company Public Data” and your “Coaching Story”.
4 • Our key principles and ethical commitment
We process all your personal data in accordance with the terms of this Policy and in compliance with the Data Protection Laws.
In particular, Wave is committed to ensuring that personal data we collect is:
- processed in a fair, lawful, and transparent manner,
- used in accordance with the purposes for which it was collected,
- stored in such a way as to ensure its security and confidentiality,
- updated as regularly as possible.
Besides, at the time of data collection, we separate your Coaching Story from your identification and billing information and your Company Public Data so that nobody in our coaching supervision team will be able to identify You directly from your Coaching Story (e.g. they will not be able to see your name or the name of your company). Thus, while the team does not know your name nor the exact name of your company, it knows what You are aiming at achieving (e.g., “I want to empower my direct reports”).
Our coaching team only has access to pseudonymized data, and standard fields such as your name will automatically appear obfuscated. You can voluntarily disclose additional information based on your context (e.g., investor name, names of your colleagues, or partners), through free-form content. We are currently strengthening our pseudonymization layer to limit the amount of personal information displayed from that free-form content while maintaining the context for the coaching team (e.g., replace “John Smith” with “VC 1”, “Colleague C” or “Partner”).
Unless required by public authorities or by law, we do not use or disclose your identification and billing information for any other purposes than those provided hereunder (What are the purposes and legal basis of collecting and processing personal data?) like the performance of the contractual relationships between You and us.
We only collect and use the Data strictly necessary to provide You with our Wave Services.
At the core of any coaching practice, there is your Data.
Confidentiality and security are, and will always be, at the heart of Wave’s coaching practice and engineering development. We keep on working on it, challenging it, reinforcing it.
We launched a special committee. It is made of both employees and external professional coaches. They review and challenge our practice, as well as our Privacy Policy.
5 • What are the purposes and legal basis of collecting and processing Your personal data?
When we collect and process your personal data, we do it on the basis of one of the following legal grounds: (i) the performance of the contract between us, (ii) your consent to such processing, including for the use of cookies, the use of your personal data for statistical purposes, or to inform you about our Services, (iii) our legitimate interests as data controller except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject involved (for administrative purposes for example), (iv) our compliance with any legal or regulatory obligation or (v) the defense of our rights and interests.
We may use your personal data in some or all of the following ways and for some or all of the following purposes:
- To provide you with the Wave Services;
- To provide you with information you request;
- To learn more about who is interested in our Services;
- To understand how users of our Site, or Platform are using it, and which pages and features of the websites are most popular;
- To help us improve the navigational experience on our web pages;
- To track and prevent fraudulent activities and other inappropriate activities and monitor content integrity, manage security, and verify or authenticate information provided by You;
- To identify you as a Wave account holder;
- To communicate with you in the context of the provision of the Services;
- To bill you for your use of our Services;
- To gain a better understanding of how our clients evaluate, use and interact with our Services, and how we can continue to improve our offerings and the overall performance of our Services.
No Personal Data is collected without your knowledge, nor is it processed for purposes of which You have not been informed.
6 • Who do we share your personal data with?
As part of our processing activities, we may communicate your personal data to the following categories of recipients:
- Our internal services (commercial, marketing, administrative, technical, legal service, as the case may be) who need to have access to your personal data, on a strict need-to-know basis. Please note that all Wave employees are bound by confidentiality agreements.
- Our service providers and partners assisting us in meeting the purposes identified herein:
- Amazon AWS: to store your files.
When You share information with Wave, the Data is stored on Amazon AWS with the servers located in France. Most of your Data is stored on a database, encrypted in-transit, within Amazon AWS.
Information shared: coaching content, name, nickname, company name, company information.
You can read more about their privacy policy:
[https://aws.amazon.com/compliance/data-privacy-faq/]
- Amplitude: to determine how our website/Platform and our features are used by You.
Amplitude is an analytics platform that lets us follow feature usage, discover new anonymized trends, detect bugs and ensure that our software is behaving as expected. It allows us to understand how visitors browse the website and adjust how our information is displayed. It does not access nor collect information from your confidential coaching content.
Information shared: app browsing behavior, IP address.
Important note: Amplitude’s data centers are located in the United States.
You can read more about their privacy policy:
[https://amplitude.com/amplitude-security-and-privacy]
- Auth0: to perform identity verification.
Auth0 is an identity authentication provider that maintains the highest security standards and is trusted by enterprise customers worldwide. It allows us to better manage our users’ login experience and protect their credentials. We share your full names, email addresses, and a hash of your password so You can log in to Wave securely.
Information shared: name, email address, and password hash
You can read more about their privacy policy:
[https://auth0.com/privacy]
- Front: to regroup all our email inboxes in one place
Front is a software company with its servers located in the EU (Ireland) that develops a shared email inbox and calendar product. Its collaboration software allows companies to communicate with customers. It allows us to have one touch point for several inboxes, and manage our email communication with You.
Information shared: name and email address
You can read more about their privacy policy:
[https://front.com/legal/privacy-policy]
- Google Cloud Platform (GCP): to analyze trends, deliver coaching and support marketing operations
Google GCP is a cloud storage and computing solution with its servers located in France whenever possible, otherwise in the European Union in the europe-west1 region. We use it for data analytics, to understand progression patterns and profiling using both aggregated views and granular pseudonymised data. It is also used to generate specific coaching content. Finally, it is also used to segment clients for sales activity, marketing campaigns, or booking a live session to do product research. Role-based permissions are set up to segregate personally-identifiable information from coaching content. In the GCP suite, data are stored in BigQuery and visualized via Looker and Data Studio.
Information shared: pseudonymized coaching content, client satisfaction rating, client mental and physical ratings and details clients are spontaneously sharing as part of their coaching. We also share client name, email, company, role (accessible to specific user-roles) and in some cases we also manually fill in gender, city of residence, age group, marital status for statistical and research purposes
You can read more about their privacy policy:
[https://cloud.google.com/terms/cloud-privacy-notice]
- Google Workspace (Gmail mainly): to manage email interactions as part of the coaching program
Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google with its servers located in EU. In particular, we use Gmail to communicate with clients and notify them about new coaching content in the Wave application. Emails sometimes contain coaching content as well as the name of the clients. The access to the mailbox is restricted to the Engineering team and the account management team for debugging purposes. Otherwise, emails go through a pseudonymization layer before being accessed by other employees.
Information shared: name, email, company name, coaching content
You can read more about their privacy policy:
[https://cloud.google.com/terms/cloud-privacy-notice]
- Hotjar: to better understand our users’ needs and to optimize our service and experience
Hotjar is a technology service that helps us better understand our prospects’ experience (e.g. how much time they spend on which pages, which links they choose to click…) and this enables us to build and maintain our service with user feedback. Hotjar is contractually forbidden to sell any of the data collected on our behalf.
Information shared: IP address (processed during the session and stored in a de-identified form)
You can read more about their privacy policy:
[https://www.hotjar.com/legal/policies/privacy/]
- iPaidThat: to manage our accounting and generate invoices
iPaidThat is a French fintech startup developing a Software as a Service (SaaS) that allows the automation of pre-accounting.
Information shared: name, email, company name, and billing information
You can read more about their privacy policy:
[https://ipaidthat.io/en/privacy/]
- Notion: to document user research feedback
Notion is our knowledge base provider. When a member of the Wave team conducts a user interview, the content of the interview and personal information you voluntarily disclose can be captured in Notion.
Information shared: name, email address, company name, role.
Important note: Notion’s data centers are located in the United States.
Important note: members of the coaching practice team will never have access to your name, your email address or your company name. Only pseudonymized content will be shared.
You can read more about their privacy policy:
[https://www.notion.so/help/security-and-privacy]
- Segment: to distribute data to our analytics stack.
Segment is a data pipeline service used to send data to other third-party services (mentioned in that list) in a standardized way that ensures data does not get lost. We do not access or collect information from your confidential content.
Information shared: operators’ activities, client browsing activity
You can read more about their privacy policy:
[https://segment.com/legal/privacy/]
- Sendinblue: to manage our marketing email campaigns
Sendinblue is a SaaS solution for relationship marketing. The company offers a cloud-based marketing communication software suite with email marketing, transactional email, marketing automation, etc.
Information shared: name, email address
You can read more about their privacy policy:
[https://www.sendinblue.com/legal/privacypolicy/]
- Stripe: to process subscription payments.
Stripe is our payment service provider. Stripe uses your billing details to be able to process your payments, and your email address to send payment receipts and contact You if your payment method stops working. Wave can never access your credit card information.
Information shared: name, email address, and billing information.
Important note: Stripe data centers can be located in any country where they do business.
You can read more about their privacy policy:
[https://stripe.com/en-ie/privacy]
- Typeform: to create forms and gather results.
Typeform is a software as a service (SaaS) company that specializes in online form building and surveys. Given your nickname, company, role, and objectives, it will dynamically generate a personalized form for You to sync with us using both numerical and free-form fields. Only Wave can access your answers to the forms.
Information shared: coaching content, nickname, role, company name.
Important note: Typeform’s data centers are located in the United States.
You can read more about their privacy policy at:
https://help.typeform.com/hc/en-us/articles/360029581691-What-happens-to-my-data
- Competent courts, public authorities and law enforcement forces (in particular, where we must respond to legal or regulatory requests). In this case, we undertake, as far as possible, to notify You (unless we are not authorized to do so in view of any legal, regulatory or judicial obligations which may be incumbent on us).
7 • How do we keep your personal data secure?
Your Data (including your personal data) is kept in a secure environment.
Your Data is encrypted in transit (i.e. while it goes from one server to another during its processing). Encryption is a process that scrambles the Data. To unscramble the Data and be able to understand it, one needs a specific key that only very select processes have. Encryption ensures that if the data is stolen, it cannot be understood unless the thief has the proper key.
To ensure the security of your Data, we also use the following measures: we have set up firewalls and strict network security, regular backups of our encrypted databases, regular software updates to apply security patches.
Most of all, data security is down to our own training. All employees are trained on the importance of data confidentiality, and on the efforts we make for our processes to be robust and compliant with Data Protection Laws.
We guarantee the existence of adequate levels of protection in accordance with the applicable Data Protection Laws.
However, a risk remains when the Internet is used to transfer personal data or other information. In the event of a security breach or loss, we will notify the French data protection supervising authority, the “Commission nationale de l'informatique et des libertés” (the “CNIL”), and/or the Person Concerned, as the case may be, of any violations of personal data.
You can contact us with any questions or requests regarding these measures.
8 • How long does Wave keep your personal data?
We keep your personal data for as long as necessary to provide You with our coaching services.
You can get access to your journal and the content You shared with us during the Wave Services at any time and within one (1) calendar year following the end of your last coaching wave. To download the content You shared with us or the content from your personal user account, please send a request to our DPO at dpo@wave.ai.
Then, once the coaching program is over, we will keep your personal data:
(i) for commercial purposes (in case you would like to initiate a new “coaching wave”):
- for a maximum period of one (1) year after the last coaching program has ended;
- in a pseudonymized format:
- in our active database: Your personal data is easily accessible in our immediate working environment to people in charge of their processing;
(ii) for legal purposes (contractual liability in case of litigation and in accordance with legal and regulatory obligations applicable to Wave) and administrative purposes (e.g., for invoicing data, in accordance with the French Code of Commerce):
- for a period of ten (10) years;
- subject to intermediate archiving;
(iii) for statistics and machine learning purposes:
- Indefinitely;
- in an anonymized format: the anonymization process is irreversible – Wave can no longer identify You;
- Wave keeps your anonymized Data permanently to improve its Services.
Information relative to a Prospect will be kept for three (3) years after the date of the last communication with the Prospect, as per the CNIL’s recommendation.
Navigation data will be kept for a maximum period of thirteen (13) months.
9 • What are your rights?
Wave would like to make sure you are fully aware of all your data protection rights.
As per the Data Protection Laws, You have the following rights:
- Right to Access – you have the right to request confirmation from Wave of whether we process personal data relating to you, and if so, to request a copy of that personal data;
- Right to Rectification – you have the right to request that we rectify or update any personal data that is inaccurate, incomplete or outdated;
- Right to Erasure – you have the right to request that we erase your personal data in certain circumstances, such as where we collected personal data on the basis of your consent and you withdraw your consent. In some cases, however, it is not possible to erase personal data, for example, when we are legally obliged to store data, or when the removal of the data would hinder your ongoing training. We will therefore assess whether we can meet the request on a case by case basis.
- Right to Restriction of Processing – you have the right to request that we restrict the use of your personal data in certain circumstances, such as while we consider another request that you have submitted, for example a request that we update your personal data;
- Right to Object to Processing – you have the right to object to the processing of your personal data by giving us reasons pertaining to your specific situation. However, in some cases, if you object to the processing of your personal data by us, we might not be able to provide you with Wave Services. We will therefore assess whether we can meet the request on a case by case basis.
- Right to Withdraw Consent - where you have given us consent to process your personal data, you have the right to withdraw your consent;
- Right to Data Portability – you have the right to request that we provide a copy of your personal data to you in a structured, commonly used and machine readable format in certain circumstances.
In any case, we may ask you to identify yourself first (e.g. by providing us with a copy of your ID card or passport) before we process your request. Upon receipt of your request, Wave will reply within thirty (30) calendar days.
Should you wish to lodge a complaint or if you feel that Wave has not addressed your concern in a satisfactory manner, you may contact the French Data Protection Authority (CNIL) via the following URL: https://www.cnil.fr/fr/adresser-une-plainte.
10 • How can you contact us?
To exercise your rights as set out above or for any request regarding the use of Your personal data by Wave, please contact our DPO by (i) email at dpo@wave.ai or (ii) writing to us at the relevant address set out in “Who is the Data Controller?”