Legal
Privacy Policy
1. Who we are
WaveTalk is operated by WaveTalk Ltd. (the "Operator", "we", "us", "our"), a company registered in the United Republic of Tanzania. WaveTalk is a standalone product; your WaveTalk account credentials and OTPs are not shared with any other product or operator.
For the purposes of the EU GDPR, where applicable, WaveTalk Ltd. is the data controller of your personal data processed through WaveTalk. Our Data Protection Officer can be reached at privacy@wavetalk.co.tz.
For the purposes of the Tanzania Personal Data Protection Act, our registered Data Controller details + Personal Data Protection Commission registration number are listed at the bottom of this policy.
2. What this policy covers
This policy explains:
- What personal data we collect from you and what we infer about you
- Why we collect it (the legal basis)
- How we use, share, and store it
- How long we keep it
- Your rights and how to exercise them
- How we handle children's data
- How we notify you of changes
It applies to WaveTalk's mobile apps (iOS + Android), any web surfaces (if and when those launch), and the back-end services that support them. It does not apply to third-party mini-apps you install — those have their own data practices, which we describe in Mini-apps.
3. Data we collect
3.1 Data you provide
| Category | Examples | Purpose |
|---|---|---|
| Account info | Phone number (verified by OTP), display name, optional profile photo, optional username | Account creation + identification |
| Authentication | Bcrypt-hashed password (we never see your plaintext password), refresh tokens (JWT-rotated, stored hashed at GA) | Sign-in + session management |
| Messages | Text, voice notes, images, video, files you send through WaveTalk | Delivery + history retention |
| Reactions / read receipts | Emoji reactions, read-status timestamps | Delivery state + UX features |
| Wallet + payments | Wallet balance, transaction history (debits/credits, amounts, recipient identifiers, optional notes), the M-Pesa / Airtel / etc. handle used | Payment processing + reconciliation |
| Mini-app installs | Which mini-apps you've installed + capability grants (e.g. you allowed app X to use payments.intent) | App management + audit |
| Mini-app data | Per-app key-value storage within the sandbox (storage.kv capability), capped per app | Mini-app functionality (we do not read these contents in normal operation) |
| Business profile | If you create a business account: business name, category, verification documents, team membership | Business-account features |
| Support correspondence | Anything you send to support@wavetalk.co.tz or via in-app feedback | Responding to you |
3.2 Data we collect automatically
| Category | Examples | Purpose |
|---|---|---|
| Device info | Operating system + version, device model, app version, language, screen size | App functionality + crash diagnostics |
| Network info | IP address, approximate region inferred from IP, network type (Wi-Fi / cellular) | Fraud prevention + service quality |
| App usage | Which screens you visit, which features you use, error / crash events | Product analytics + crash diagnostics |
| Capability-audit log | For each mini-app you run: which capabilities it requested, what we granted, when | Security + your visibility into mini-app behaviour |
| Push notification tokens | APNs token (iOS), FCM token (Android) when you enable notifications | Delivering push notifications |
3.3 Data we infer
| Category | How we infer it | Purpose |
|---|---|---|
| Fraud signals | Velocity counters (transactions per hour), pattern matching against known abuse, blocklist matches | Refusing or flagging high-risk transactions |
| Language preference | First-party: from OS locale + your in-app pick; refined: from your messaging language patterns (if you opt in to WaveTalk AI translation) | Defaulting the UI + tuning AI translation |
| Friend / contact graph | From who you message + transact with | Showing recent contacts + suggesting recipients in payment flows |
3.4 Data we DO NOT collect
- Plaintext passwords — we only ever see the salted hash; the plaintext is hashed on the device before transmission. [Implementation detail: this is bcrypt-via-Phoenix at the moment, not client-side; the salted hash is generated server-side from the plaintext we receive over TLS — a slight departure from the strictest "zero-knowledge password" model. Disclose accurately in counsel review.]
- Contents of third-party mini-apps' internal storage beyond your aggregate quota usage. Per-app `storage.kv` is encrypted on-device under the SQLCipher key in your Keychain / KeyStore.
- Your contact list from your device. We use only the contacts you explicitly add via phone number + the recipients you've already transacted with.
- Precise location. WaveTalk does not collect GPS coordinates from your device. We infer approximate region from IP only.
- Biometric data. If you enable biometric unlock, the comparison happens entirely on your device via the OS APIs; WaveTalk never sees your biometric template.
4. Why we collect it (legal basis)
Different categories rely on different legal bases. The summary, both for GDPR (Article 6) and for the Tanzania PDPA equivalents:
| Purpose | Legal basis (GDPR Art. 6) | Tanzania PDPA basis |
|---|---|---|
| Operating your account | Performance of contract (you signed up to use WaveTalk) | Contractual necessity |
| Delivering messages and processing payments you initiate | Performance of contract | Contractual necessity |
| Fraud prevention (especially payments) | Legitimate interest (preventing financial loss to us and other users) AND legal obligation (AML / sanctions screening) | Legal obligation + protection of vital interests |
| Improving the product (analytics, crash reports) | Legitimate interest, balanced via aggregation + minimum-retention | Legitimate interest |
| Marketing communications | Consent (opt-in only; opt out any time from Profile → Notifications) | Consent |
| Responding to law-enforcement requests | Legal obligation | Legal obligation |
| Sharing with PSPs (M-Pesa, Airtel, etc.) to settle a payment you initiated | Performance of contract | Contractual necessity |
| Sharing with AI providers (OpenAI / DeepSeek) for translation / smart-reply features | Consent (you have to opt into AI features) | Consent |
If you withdraw consent for an opt-in purpose, the corresponding processing stops; everything you've already produced under that consent remains lawful.
5. How we use your data
A more concrete breakdown of "what does WaveTalk actually do with this":
- Deliver messages. Messages are stored on our servers (PostgreSQL, schema `messaging`) so you can sync across devices, search history, and re-fetch on reinstall. Messages are not end-to-end encrypted in v2.0.0-rc.1 — see Security. At GA we will provide an opt-in E2E messaging mode; until then, treat message content as readable by us under court order.
- Process payments. We forward your charge intent to the relevant PSP (M-Pesa Daraja, Airtel, TigoPesa, Selcom, AzamPay, ClickPesa), with idempotency keys so a retry never double-charges. We never store your PSP password / PIN — that's collected by the PSP's own confirmation flow.
- Mini-apps. When you install a mini-app, we record which capabilities it requested + which you granted. Every grant decision is logged for your own visibility (see the My Apps tab → activity surface). We do not read the mini-app's internal `storage.kv` contents.
- Push notifications. When you enable them, we send push messages to your APNs (iOS) / FCM (Android) device token via Apple's / Google's relay. The notification body shows the message preview; if you don't want previews, disable them in OS notification settings.
- Analytics + crash diagnostics. We collect aggregate usage events + crash reports to fix bugs and prioritise features. Crash reports may include the contents of the failing screen — for chat, this is a known leak vector we mitigate by redacting message bodies before transmission. AI translation prompts are NOT logged with analytics.
- Fraud prevention. We run server-side fraud heuristics (velocity, blocklist, pattern) before every charge. Failed-fraud decisions are persisted so we have an audit trail; you can request a review (see Your rights).
- Improving WaveTalk. Aggregated analytics drive product decisions. Where we run experiments (e.g. an A/B test on a feature), we never disclose individuals.
6. Sharing your data
6.1 With service providers (processors)
We share specific data with the providers that make WaveTalk work. Each is bound by a Data Processing Agreement that limits use to delivering the service:
| Provider | What we share | Why |
|---|---|---|
| PSPs (M-Pesa Daraja, Airtel Money, TigoPesa, Selcom, AzamPay, ClickPesa) | The minimum to complete a transaction you initiated: amount, currency, your wallet identifier, the recipient identifier, optional note | Settlement + reconciliation |
| AI providers (OpenAI / DeepSeek — only if you've opted into AI features) | Message contents you submit for translation / smart-reply generation | Performing the AI feature you requested |
| Push providers (Apple APNs / Google FCM) | Your push token + the notification body | Delivering push notifications |
| Cloud infrastructure (hosting + storage providers) | All data in transit / at rest (encrypted) | Operating the back-end |
| Crash reporting / analytics | Aggregate event data + redacted crash dumps | Diagnostics |
We do not sell your data. We do not share it with advertisers. We do not use it to train AI models for third parties; if WaveTalk deploys its own models in the future, that will be a separate opt-in.
6.2 With law enforcement
We may disclose your data:
- In response to a valid legal demand (court order, warrant, subpoena) under Tanzanian law, or under a jurisdiction we operate in.
- To prevent imminent harm (e.g. credible threat to life).
- To investigate fraud or violations of these terms.
We resist overbroad requests. We publish a transparency report annually (starting at the year after first public release) summarising the number of requests received + complied with by category.
You will be notified when we receive a request about your account unless prohibited by law or a court (e.g. a gag order on a national-security letter).
6.3 With other WaveTalk users
By using WaveTalk you choose what other users see:
- Your display name + profile photo are visible to anyone you message + anyone who searches for you by phone number / username.
- Your phone number is visible to people you message (as the underlying identifier) unless you've configured a username.
- Messages are visible only to recipients + group members.
- Wallet balance is private. Only you see it.
- Transactions are visible to you and the counterparty (with the optional note).
- Mini-app installs are private unless the app developer's API requests it + you've granted that capability.
6.4 Business transitions
If WaveTalk is acquired, merged, or assets are sold, your data may transfer to the acquirer subject to this policy continuing to apply. You will be notified at least 30 days in advance with the option to delete your account before the transition.
7. Mini-apps
Third-party mini-apps you install have their own privacy practices. WaveTalk does not control what a mini-app does with the data you give it.
What WaveTalk enforces:
- The mini-app can only ask for capabilities declared in its manifest. Anything not declared at install time is unreachable — not just "asked-and-denied".
- `storage.kv` is per-app, isolated, on-device only. It does not leave your device unless the mini-app explicitly uses the `network.fetch` capability + you granted it + the target URL is in the manifest's `allowed_hosts`. Even then, mini-apps use an unauthenticated HTTP client — your WaveTalk bearer token is never sent to a mini-app's network calls.
- `payments.intent` is host-owned. The mini-app requests a charge; WaveTalk (not the mini-app) shows the confirmation sheet and runs the actual Rust payment flow. The mini-app sees the result code, never your PSP credentials or balance.
What WaveTalk records:
- Every capability request the mini-app makes, what we decided (allow / deny / fail), and a timestamp.
- This audit log is visible to you (Mini Apps → My Apps → that app → Activity), to the mini-app's developer (aggregated, anonymised), and to us (for abuse investigation).
Before installing a mini-app, you see the full list of capabilities it's requesting + the developer's stated reason. If a mini-app's capability list changes after install, you're prompted to re-grant.
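The enforcement and audit rules above, as an added illustration that is not WaveTalk's own code: a manifest-declared capability set, a user grant step that can only cover declared capabilities, a per-request check that logs every decision (allow / deny / fail) with a timestamp, an `allowed_hosts` check on `network.fetch`, and a header filter showing that the host's bearer token never rides along on a mini-app's network call. The class names (`Manifest`, `CapabilityGate`, `AuditRecord`), the audit-record fields and the sample weather mini-app are assumptions made for this example.

```python
# Added example (not WaveTalk's own code): a minimal capability gate and audit
# log modelled on the mini-app rules in this section. The class names, the
# audit-record fields and the sample manifest are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Headers a sandboxed mini-app is never allowed to attach: the host's own
# session credentials must not ride along on a mini-app's network call.
STRIPPED_HEADERS = {"authorization", "cookie"}


@dataclass
class Manifest:
    app_id: str
    capabilities: Set[str]                      # declared at install time
    allowed_hosts: Set[str] = field(default_factory=set)


@dataclass
class AuditRecord:
    app_id: str
    capability: str
    decision: str                               # "allow" | "deny" | "fail"
    at: str                                     # ISO-8601 UTC timestamp
    detail: str = ""


class CapabilityGate:
    def __init__(self, manifest: Manifest) -> None:
        self.manifest = manifest
        self.grants: Set[str] = set()
        self.audit: List[AuditRecord] = []

    def grant(self, capability: str) -> bool:
        """The user can only grant what the manifest declared."""
        if capability not in self.manifest.capabilities:
            return False
        self.grants.add(capability)
        return True

    def _record(self, capability: str, decision: str, detail: str = "") -> str:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditRecord(self.manifest.app_id, capability, decision, stamp, detail))
        return decision

    def check(self, capability: str, target_url: Optional[str] = None) -> str:
        """Decide one capability request and log it; returns the decision."""
        # Undeclared capability: not reachable at all, logged as a failure.
        if capability not in self.manifest.capabilities:
            return self._record(capability, "fail", "not declared in manifest")
        if capability not in self.grants:
            return self._record(capability, "deny", "declared but not granted")
        if capability == "network.fetch":
            host = urlparse(target_url or "").hostname
            if host is None or host not in self.manifest.allowed_hosts:
                return self._record(capability, "deny", f"host {host!r} not in allowed_hosts")
        return self._record(capability, "allow", target_url or "")


def sandbox_fetch_headers(requested: Dict[str, str]) -> Dict[str, str]:
    """Headers the unauthenticated client actually sends: credentials removed."""
    return {k: v for k, v in requested.items() if k.lower() not in STRIPPED_HEADERS}


def demo():
    # Constructed sample manifest: a weather mini-app that declared two capabilities.
    manifest = Manifest("com.example.weather", {"storage.kv", "network.fetch"}, {"api.example.com"})
    gate = CapabilityGate(manifest)
    gate.grant("network.fetch")                      # user granted fetch, not storage
    decisions = [
        gate.check("storage.kv"),                                   # declared, not granted
        gate.check("network.fetch", "https://api.example.com/v1"),  # granted + host allowed
        gate.check("network.fetch", "https://other.example.net/"),  # host not in allowed_hosts
        gate.check("payments.intent"),                              # never declared
    ]
    return decisions, gate.audit


if __name__ == "__main__":
    for rec in demo()[1]:
        print(rec.at, rec.app_id, rec.capability, rec.decision, rec.detail)
```

The distinction between "deny" (declared, but the user withheld the grant or the host is outside `allowed_hosts`) and "fail" (never declared, so the call cannot succeed no matter what the user does) mirrors the "unreachable, not just asked-and-denied" rule; keeping both in the same audit log is what lets a user see what an app tried, not only what it was refused.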
8. Where your data is stored + cross-border transfers
WaveTalk's primary infrastructure is in [Region TBD — typically Africa for proximity to users, or EU for stronger data-protection regime]. Some service providers are based outside Tanzania:
| Provider | Location |
|---|---|
| Cloud infrastructure | TBD on deployment |
| Apple APNs | United States |
| Google FCM | United States |
| OpenAI / DeepSeek (if AI features used) | United States / China respectively — disclosed to you at the AI opt-in screen |
| PSPs (M-Pesa Daraja etc.) | East Africa / per provider |
Where we transfer your data outside Tanzania, we rely on:
- For EU users: GDPR Standard Contractual Clauses with each non-EU recipient.
- For Tanzania users: the Personal Data Protection Act's permitted cross-border mechanisms (consent, performance of contract, or adequacy where granted).
You can request the specific safeguards in place for any transfer by emailing privacy@wavetalk.co.tz.
9. Your rights
Under Tanzania's Personal Data Protection Act
You have the right to:
- Access your personal data (a copy of what we hold).
- Correct inaccurate data.
- Delete your data (subject to legal-retention exceptions; see Retention).
- Restrict processing.
- Object to processing based on our legitimate interests.
- Withdraw consent at any time for any opt-in processing.
- Lodge a complaint with Tanzania's Personal Data Protection Commission if you believe we've violated your rights.
Under the EU GDPR (for EU users)
In addition to the rights above, you have:
- Data portability — receive your data in a structured, machine-readable format and transfer it to another controller.
- Object to automated decision-making that has legal or similarly significant effects on you. WaveTalk's fraud-detection system does run automated decisions on payments (it can block a transaction); you can request a human review of any block by emailing privacy@wavetalk.co.tz.
How to exercise
- Most rights: Profile → Account → Data — has self-service for access (download) + delete.
- Rights not self-service: privacy@wavetalk.co.tz. We acknowledge within 48 hours (business days) and respond substantively within 30 days. If we need more time we'll tell you why.
For deletion specifically:
- Soft delete is immediate: your account, profile, messages-as-you-sent-them, and chat history vanish from other users' devices on next sync.
- Hard delete from our backups takes up to the maximum backup retention window (currently 30 days), after which your data is unrecoverable.
10. Retention
We keep your data only as long as needed for the purpose collected.
| Category | Default retention | Why |
|---|---|---|
| Account data | While your account is active + 30 days after closure (the backup window) | Account recovery |
| Messages | Until you or the other party deletes the chat; auto-purge of soft-deleted messages 30 days after deletion | UX (you don't expect a deleted message to keep haunting backups indefinitely) |
| Wallet transactions | 7 years | Tanzania financial-recordkeeping requirements |
| Authentication logs (login attempts, refresh-token rotations) | 90 days | Security incident response |
| Capability audit logs (mini-app decisions) | 1 year rolling | Operator visibility into abuse + your visibility into mini-app behaviour |
| Push notification tokens | Until you disable notifications or uninstall | Delivery |
| Crash diagnostics | 90 days | Bug triage cycle |
| Analytics aggregates | Indefinitely (aggregated only, not personally identifying) | Product decisions |
| Support correspondence | 3 years | Reference + dispute resolution |
After the retention window expires, data is deleted (not anonymised — that's a known weasel; we mean a real DELETE). Where deletion isn't technically possible (e.g. immutable financial ledger entries), data is encrypted with keys we then destroy.
11. Security
See SECURITY.md for the full security posture, threat model, and how to report a vulnerability.
Headline guarantees:
- In transit: TLS for all client ↔ server traffic in production. Internal service-to-service is on an isolated network not exposed to the public.
- At rest: SQLCipher (AES-256) on every mobile device; the encryption key lives in the OS-provided secure store (Android KeyStore / iOS Keychain) and never leaves it. Postgres + MinIO are stored encrypted at the disk layer in production.
- Refresh tokens are rotated on every use with reuse detection — a stolen refresh token can be used at most once before family-wide revocation kicks in.
- Payments run idempotency on every charge so a network retry never produces a double-debit.
- Mini-apps are sandboxed in `quickjs-ng` with hard capability gates — see SECURITY.md §2 "Mini-app sandbox" for the full defence-in-depth list.
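The refresh-token guarantee above (rotate on every use, detect reuse, revoke the whole family), as an added example that is not WaveTalk's own code: each login starts a token family; exchanging a token marks it used and mints a successor in the same family; presenting an already-used token means two parties hold copies, so the family is revoked and neither copy keeps working. The store layout, the class names and the choice of SHA-256 for hashing tokens at rest are assumptions for this example.

```python
# Added example (not WaveTalk's own code): refresh-token rotation with reuse
# detection and family-wide revocation, the behaviour described in this section.
# The store layout, class names and SHA-256 hashing of tokens at rest are assumptions.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


def token_hash(token: str) -> str:
    """Tokens are high-entropy random strings, so a plain SHA-256 suffices at rest."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class TokenRow:
    family_id: str          # one family per login session
    used: bool = False      # set once the token has been exchanged


class RefreshTokenStore:
    def __init__(self) -> None:
        self.rows: Dict[str, TokenRow] = {}     # token hash -> row
        self.revoked_families: Set[str] = set()

    def issue(self, family_id: Optional[str] = None) -> str:
        """Mint a new refresh token; a new family unless rotating within one."""
        fid = family_id or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self.rows[token_hash(token)] = TokenRow(fid)
        return token

    def rotate(self, presented: str) -> Optional[str]:
        """Exchange a refresh token for a fresh one, or None if it is rejected."""
        row = self.rows.get(token_hash(presented))
        if row is None or row.family_id in self.revoked_families:
            return None
        if row.used:
            # A token is presented a second time: two parties hold copies.
            # Revoke the whole family so neither copy keeps working.
            self.revoked_families.add(row.family_id)
            return None
        row.used = True
        return self.issue(row.family_id)


def stolen_copy_scenario():
    """Legitimate client rotates first, then a stale copy is replayed."""
    store = RefreshTokenStore()
    t1 = store.issue()                 # login
    t2 = store.rotate(t1)              # normal refresh: t1 used, t2 live
    replay = store.rotate(t1)          # stale copy replayed: reuse detected
    after = store.rotate(t2)           # family revoked, so t2 is now dead too
    return t2 is not None, replay is None, after is None


def copy_used_first_scenario():
    """The copy is exchanged first; the real client's later attempt trips detection."""
    store = RefreshTokenStore()
    t1 = store.issue()
    t_copy = store.rotate(t1)          # copy exchanged first, looks legitimate
    legit = store.rotate(t1)           # real client presents t1: reuse, family revoked
    copy_after = store.rotate(t_copy)  # the copy's fresh token is dead as well
    return t_copy is not None, legit is None, copy_after is None


if __name__ == "__main__":
    print("copy replayed after rotation:", stolen_copy_scenario())
    print("copy exchanged first:", copy_used_first_scenario())
```

Both orderings matter in practice: whichever holder presents the old token second is the one that trips detection, and in either case the family revocation cuts off the token the other holder already obtained. A "reuse detected" event on a family is also the signal worth alerting on, since a well-behaved client never presents the same refresh token twice.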
If you discover a vulnerability, see SECURITY.md → Reporting a vulnerability.
12. Children's data
WaveTalk is not directed at children under 13 (US COPPA) or under the minimum age of contract / data-processing consent in your jurisdiction (typically 13-16 in the EU per Member State; 16 by default in Tanzania).
If you are below the minimum age:
- Don't create an account.
- If a parent / guardian has created one for you, they are responsible for your use and for the choices around your data.
If we discover an account belongs to a child below the minimum age, we suspend it and contact a verifiable parent / guardian. Without a verifiable response within 30 days, we delete the account + its data.
Parents / guardians: to request deletion of a child's data, email privacy@wavetalk.co.tz with verification of your relationship.
13. International users
WaveTalk is operated from Tanzania. If you access WaveTalk from outside Tanzania:
- Tanzania-headquartered services apply to you.
- For data transfers, see §8 Cross-border transfers.
- Local laws may grant you additional rights — we honour those rights where they apply.
14. Cookies and similar technologies
WaveTalk's mobile app does not use cookies. If/when a web surface launches, it will use only essential cookies (session + CSRF) — no advertising or third-party analytics cookies. We'll update this policy to describe specifics when that happens.
15. Changes to this policy
We'll update this policy as WaveTalk evolves. Material changes (changes that expand the data we collect, introduce new sharing, or shorten user rights) require:
- 30 days advance notice by in-app banner + a push notification (if you have those enabled) + a notice on the policy page.
- For changes triggered by new processing of existing data, an opt-in confirmation before the new processing begins.
Non-material changes (clarifications, typo fixes, new contact addresses) take effect on publication.
The Last updated date at the top reflects the most recent revision. Older versions are archived and available on request.
16. Contact
- Privacy questions, rights requests, complaints: privacy@wavetalk.co.tz
- Security disclosures: security@wavetalk.co.tz (see SECURITY.md)
- Postal: WaveTalk Ltd., [address TBD], Tanzania.
- Tanzania PDPA registration: number TBD on registration.
- EU Representative (for GDPR Art. 27): TBD on appointment if material EU presence emerges.
If you've contacted us and aren't satisfied with our response, you can lodge a complaint with:
- Tanzania's Personal Data Protection Commission (contact details on the Commission's website).
- Your local EU data-protection supervisory authority (a directory is on the European Data Protection Board's website).
Counsel-review checklist
When counsel reviews this draft, please specifically validate:
- [ ] Data-controller designation under Tanzania PDPA + GDPR is correct for WaveTalk Ltd.'s actual structure.
- [ ] Retention windows in §10 align with Tanzania financial-recordkeeping law + Bank of Tanzania regulations for the payments table specifically.
- [ ] Cross-border transfer mechanism descriptions in §8 match the actual contractual reality with each provider.
- [ ] §6.2 government-disclosure language matches Tanzania's current legal posture (e.g. national-security letters, gag orders, transparency-report obligations).
- [ ] §12 children's-data treatment matches the most-restrictive jurisdiction WaveTalk operates in.
- [ ] §3.4 "Data we DO NOT collect" claims are accurate against the v2.0.0-rc.1 code as audited.
- [ ] §11 password-hashing description — confirm whether the model is "server-side bcrypt of plaintext-over-TLS" (current) or "client-side hash" (aspirational). Today's wording should match today's code.
- [ ] AI provider opt-in framing in §6.1 is sufficient to constitute meaningful consent under PDPA + GDPR.
- [ ] The transparency-report commitment in §6.2 is achievable on the timeline stated.
- [ ] Any other jurisdiction WaveTalk launches into (Kenya, Uganda, Rwanda) gets its own appendix or a separate localised policy.