Privacy policy
Effective Date: January 29, 2026
Notice Version: 2026.01.29
Data Controller / Responsible Party Contact Information:
Waves Labs Corp.
8401 MAYLAND DR #6338
RICHMOND, VA, 23294, USA
support@waveswomen.com
For privacy-related inquiries, including requests to exercise your rights under applicable data protection laws, please contact us at the email address above.
Our privacy notice governs our privacy practices when you are using our websites, waveslabs.ai & waveswomen.com, and our mobile apps, called “Waves Women”.
This notice applies to all users of our services regardless of location. It explains what personal data is collected, how it is protected, how it is shared, and what rights users have regarding their information. Where applicable laws grant additional or different rights, those are described in the “Your Regional Privacy Rights” section below.
Definitions
NON-PERSONAL DATA (NPD): Information that is not personally identifiable.
PERSONAL DATA (PD): Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person can be identified directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
SENSITIVE PERSONAL DATA (SPD): Includes social security numbers, financial account credentials, exact geolocation, ethnic/racial origin, religious beliefs, union membership, mail/email contents, genetic data, biometric data for identification, health information (including menstrual and hormonal data), and sexual orientation or activity.
DATA CONTROLLER / RESPONSIBLE PARTY: The entity that determines the purposes and means of processing personal data. Under Brazil’s LGPD this is the “controlador”; under Mexico’s LFPDPPP this is the “responsable.”
DATA PROCESSOR / OPERATOR: An entity that processes personal data on behalf of, and under the instructions of, the data controller. Under Brazil’s LGPD this is the “operador.”
CONSENT: A free, specific, informed, and unambiguous indication of an individual’s agreement to the processing of their personal data. Where applicable law requires express or written consent (e.g., for sensitive data), we obtain consent in the form required.
Topics Covered in Our Privacy Notice
YOUR RIGHTS
INFORMATION WE COLLECT AND HOW WE COLLECT IT
HOW YOUR PD IS USED AND SHARED
RETAINING AND DESTROYING YOUR PD
PROTECTING THE PRIVACY RIGHTS OF THIRD PARTIES
DO NOT TRACK SETTINGS
LINKS TO OTHER WEBSITES
PROTECTING CHILDREN’S PRIVACY
OUR EMAIL POLICY
OUR SECURITY POLICY
USE OF YOUR CREDIT CARD
IN-APP PURCHASES
YOUR REGIONAL PRIVACY RIGHTS
AUTOMATED DECISION-MAKING
INTERNATIONAL DATA TRANSFERS
GOVERNING LAW
CHANGES TO OUR PRIVACY NOTICE
YOUR RIGHTS
Users may submit privacy-related requests by contacting support@waveswomen.com or using the Data Control Request Form. We respond within 30 days of receiving your request.
The company verifies requests via email or app login confirmation before fulfilling them.
Rights Include:
1. Right to equal service and non-discrimination for exercising privacy rights.
2. Right to know if personal data is sold, shared for cross-context behavioral advertising, or disclosed.
3. Right to request non-sale or non-sharing of personal data.
4. Right to request disclosure of personal information categories collected, sources, business purposes, and specific data pieces.
5. Right to be informed about collected personal data and processing methods.
6. Right to confirm processing and access personal data.
7. Right to correct inaccurate or incomplete personal data.
8. Right to request removal or deletion (subject to legal overrides).
9. Right to restrict processing.
10. Right to request personal data portability (within 30 days when technically feasible).
11. Right to object to processing for direct marketing, targeted advertising, and profiling.
12. Right not to be subject to automated decision-making with legal effects.
13. Right to limit collection to adequate, relevant, and reasonably necessary data.
14. Right to designate an authorized agent with valid power of attorney and government ID.
15. Right to anonymization, blocking, or deletion of unnecessary or excessive data.
16. Right to information about public and private entities with which your data has been shared.
17. Right to be informed about the consequences of denying consent.
18. Right to revoke consent at any time, without affecting the lawfulness of processing carried out prior to revocation.
Account Deletion
You can delete your account directly from the Waves Women app:
1. Open the app and go to Settings
2. Scroll to the Account section
3. Tap Delete account
4. Confirm the deletion when prompted
Account deletion is permanent and cannot be reversed. Once confirmed, your account and all associated personal data — including your profile, health entries, and app data — will be permanently deleted within 7 business days.
You may also request account deletion by contacting us at support@waveswomen.com.
Global Privacy Control
If at any point our practices involve “selling” or “sharing” personal data as defined by CPRA, we will honor browser-based opt-out preference signals (e.g., Global Privacy Control).
INFORMATION WE COLLECT AND HOW WE COLLECT IT
Categories of Personal Data Collected
Identifiers (name, email, device identifiers);
Commercial information (purchases, subscriptions);
Internet/Network activity (log data, app interactions, analytics);
Approximate geolocation (from IP);
Inferences (personalized content);
Sensitive personal information (health-related logged data such as cycle stage, hormonal symptoms, wellness inputs).
Sources
Data comes from users (in-app entries and settings), devices, integrated platforms users authorize (health/wellness apps, wearables), and service providers acting under contract.
Purposes
To provide, secure, debug, and improve services; personalize experience; provide support; comply with law; and perform internal analytics.
Sensitive Data Consent
Where required by law—including under U.S. state privacy laws (e.g., Virginia, Colorado), Brazil’s LGPD (Art. 11), Mexico’s LFPDPPP, Canada’s PIPEDA and Quebec’s Law 25, Australia’s Privacy Act 1988, Hong Kong’s PDPO, Singapore’s PDPA, Colombia’s Law 1581 (Art. 5), Argentina’s Ley 25.326 (Art. 7), and Peru’s Law 29733 (Art. 2.5)—we do not process Sensitive Personal Information, including health entries and precise geolocation, without your prior opt-in or express consent as required by applicable law. Users may withdraw consent at any time by emailing support@waveswomen.com.
Legal Basis for Collection
We process personal data on one or more of the following legal bases, depending on applicable law and the nature of the data:
Consent: The primary basis for processing sensitive personal data across all jurisdictions. We obtain express or specific consent where required by law (e.g., for health-related data).
Contract performance: When processing is necessary to provide products or services you have requested or to fulfill our contractual obligations.
Legal obligation: When processing is necessary to comply with applicable laws and regulations.
Legitimate interests: Where permitted by applicable law and not overridden by your rights, we may process data for purposes such as service improvement, security, and fraud prevention. We do not rely on legitimate interests for sensitive personal data.
Protection of life or physical safety: When processing is necessary to protect the vital interests of you or another person.
Jurisdiction-specific notes:
Brazil (LGPD Arts. 7 & 11): Processing of health data requires specific and prominent consent. Other legal bases under LGPD Art. 7, such as legal obligation and contract performance, apply where relevant.
Mexico (LFPDPPP): Consent is the default legal basis. Express written consent is required for sensitive personal data including health information.
Canada (PIPEDA / Quebec Law 25): Processing requires knowledge and consent of the individual. Express consent is required for sensitive information. Quebec’s Law 25 requires express consent for sensitive data and profiling activities.
Australia (Privacy Act 1988): Collection and use of sensitive information (including health data) requires consent. The Australian Privacy Principles (APPs) govern how personal information is handled, disclosed, and stored.
New Zealand (Privacy Act 2020): Collection must be for a lawful purpose and directly related to the agency’s function. The Information Privacy Principles (IPPs) govern handling of personal information.
Hong Kong (PDPO): Processing is notification-based. Personal data must be collected for a lawful purpose directly related to the data user’s function. Data subjects must be informed of the purpose at or before the time of collection via a Personal Information Collection Statement (PICS). Consent is required only for using data for a new purpose or for direct marketing.
Singapore (PDPA): Consent is required before collecting, using, or disclosing personal data. Express consent is required for sensitive data including health information. Alternative legal bases include deemed consent by contractual necessity, legitimate interests (with documented assessment), and business improvement purposes.
Colombia (Law 1581/2012): Prior, express, informed consent is required. Health data is classified as sensitive — processing is prohibited by default except with explicit consent. Data subjects must be informed that providing sensitive data is voluntary and that refusal has no adverse consequences.
Argentina (Ley 25.326): Free, express, informed consent is required. Health data is sensitive under Article 7 with a general prohibition on sensitive data processing — the healthcare exception (Article 8) does not apply to wellness apps. Consent must be specifically tied to declared purposes.
Peru (Law 29733): Prior, informed, express, and unequivocal consent is required. Health data requires written consent (signed via handwritten, digital, electronic, or equivalent authentication mechanism). Consent must identify specific purposes, recipients, and cross-border transfers.
United States: For state privacy laws using opt-out frameworks, processing is permitted as described in this notice with opt-out choices provided.
Automatic Information
We automatically receive information from your web browser or mobile device. This information may include the IP address of your computer or of the proxy server you use to access the Internet, your Internet service provider’s name, your web browser type, the type of mobile device, your computer operating system, and data about your browsing activity when using our services.
Third-Party Platforms and Health Devices
Users may link accounts to Fitbit, Garmin, Google Health Connect, or Apple Health. We will receive the information that you have authorized each time you synchronize with that platform. This information may include exercise minutes, calories expended, steps taken in a day, body weight, and other metrics you choose to share.
Google Health Connect data adheres to Google’s Permissions policy. Apple Health data complies with Apple developer terms and won’t be used for marketing or advertising.
User-Provided Information
Users may provide settings, preferences, language, lifestage, cycle information, health conditions, foods eaten, dietary preferences, and goals through drop-downs, text fields, toggle buttons, chatbot interactions, and support interactions.
Cookies
A cookie is a small piece of data or a text file that is downloaded to your computer or mobile device when you access certain websites.
Cookie Types:
Strictly Necessary Cookies – Required for website functioning, content display, login, session validation, and service responses.
Performance Cookies – Collect usage information (pages visited, traffic sources, interests, content management).
Functional Cookies – Enable preference and choice remembering (language, usernames).
Media Cookies – Improve performance and provide special features; placed by the company or service providers.
Advertising or Targeting Cookies – Develop browsing interest profiles; serve related advertisements on other websites.
Session Cookies – Link user actions during browser sessions; remember shopping cart items and page changes; expire after session ends.
Persistent Cookies – Stored between sessions; remember preferences and actions across websites; may target advertising.
Cookie Uses:
Identifying visited website areas;
Personalizing website content;
Website analytics;
Product/service remarketing;
Remembering preferences, settings, and login details;
Targeted advertising serving relevant ads;
Enabling social content sharing.
Most web browsers can be set to disable the use of cookies. However, if you disable cookies, you may not be able to access features on our services correctly or at all.
The company does not use cookies for targeted advertising or cross-context behavioral advertising profiling. We do not use cookies to “sell” or “share” your personal data for cross-context behavioral advertising. If practices change, the notice will be updated with opt-out links.
Web Beacons
We may use a technology called web beacons to collect general information about your use of our services and your use of special promotions or newsletters.
User Registration and Product Purchase
Height, weight, activity level, sex, date of birth, and optional user-provided information may be collected. Providing health-related information is optional and controlled by you.
Survey and Testimonial Submissions
By submitting your testimonial, you are granting us the right to use, reproduce, and publicly display your comments, along with your name and any images or videos you provide, across our various marketing and promotional channels. Your personal contact information will remain confidential and will not be shared publicly.
Physical Location Collection
When you use our services, we may collect and process information about your actual physical location. We use several technologies, such as IP tracking, to determine your location.
The company does not collect precise geolocation unless a feature explicitly requires it. Geofencing around healthcare facilities is not used to collect consumer health data or target individuals.
Google API
Users are subject to Google Privacy Policy and Terms of Service. When collecting and processing user data, including Personal Data (PD) from Google APIs, we will follow Google API Services User Data Policy. Employees, contractors, and agents must comply with this policy.
Chat and Contact Forms
Email address, name, location, and voluntarily provided information may be collected. You should limit the information you give to us to what is necessary to answer your questions.
Google Analytics
Google Analytics collects information from users such as age, gender, interests, demographics, how often they visit our services, what pages they visit, in-app actions, and what other websites they have used before coming to our services.
Opt-out is available at: Google Analytics Opt-out Browser Add-on Download Page
Other Analytics Services
Our services use analytics services from several companies other than Google to collect information about the use of our services. Analytics collects information such as how often users visit our services, what pages they visit, when they do so, and their IP addresses.
We also use companies like Firebase Analytics, RudderStack, Statsig, and OneSignal for analytics and product optimization services.
If You Don’t Provide Personal Data
If you do not provide us with enough personal data, we may be unable to provide you with our services.
HOW YOUR PERSONAL DATA (PD) IS USED AND SHARED
Primary Uses
We use the information we receive from you to:
1. Respond to sales and support requests;
2. Contact you regarding agreements or terms;
3. Provide requested products and services;
4. Personalize and customize content;
5. Make service improvements;
6. Contact you with product and service updates;
7. Resolve problems and disputes;
8. Contact you with potentially interesting products and services;
9. Share PD with affiliates (parent company, subsidiaries, joint venture partners), which are required to honor this Privacy Notice.
Sensitive Personal Information Use
We use Sensitive Personal Information only as reasonably necessary to provide the services you request, to ensure security/integrity, for short-term transient processing, to prevent fraud, and to comply with law; we do not use Sensitive Personal Information to infer characteristics about you beyond providing the services.
Communications and Emails
When we communicate with you about our services, we will use the email address you provided when you registered as a user or customer.
Promotional emails may be sent unless opt-out has occurred. Users can unsubscribe using email links or change preferences by contacting customer support.
Sharing Information When Using Third-Party Login
We may share your Personal Data (PD) with third parties such as google.com, apple.com, and others. If you sign into our services through a third-party service or website, your information, such as name, email address, language preference, and profile picture, might be automatically imported to our services.
Social media profile information is stored and used for better experience provision and social feature integration. This sharing of information helps us provide you with a better experience when using our services and provides us with information such as visitor traffic.
Text Messaging, SMS, Push Notifications, and Telephone Calls
If you provide a mobile or landline telephone number to us, you are giving your express consent and authorizing us or a third party to contact you by using any of these communication methods.
Consent is not required but withholding it may prevent service provision. Push notifications may be stopped via app settings or contact. Text messages, SMS, and calls may be stopped by contacting the company. Standard rates apply. Users may opt out via in-app settings, data control request, or email.
Sharing with Third Parties
We do not sell or rent your Personal Data (PD) or Sensitive Personal Data (SPD), which includes health information, to third parties for marketing purposes. We also do not “share” your personal data for cross-context behavioral advertising.
Service Providers receiving PD include payment processors, web analytics companies, data management services, LLM providers, help desk providers, accountants, law firms, auditors, shopping carts, and email service providers. Trusted providers include Google Analytics, Stripe, and Firebase. Each receives only necessary data with contractual prohibition on other purposes.
LLM providers may receive de-identified or limited user inputs solely for the purpose of supporting chatbot or helpdesk interactions. They are contractually required not to use this data for model training or profiling.
Service Providers are prohibited from selling or disclosing PD and must maintain commercially reasonable confidentiality standards. Where service providers process personal data outside your country of residence, we apply appropriate contractual and organizational safeguards as described in the “International Data Transfers” section below.
You have the right to request information about the public and private entities with which your personal data has been shared. To exercise this right, contact us at support@waveswomen.com.
We reserve the right to share or sell aggregated, anonymous or deidentified information with third parties for marketing, advertising, research or other purposes. If we disclose deidentified information, we commit to maintain and use it in deidentified form and not attempt to reidentify it, except as permitted by law.
Legally Required Releases
We may disclose your Personal Data (PD) if such disclosure is (a) required by subpoena, law, or other legal processes; (b) necessary to assist law enforcement officials or government enforcement agencies; (c) necessary to protect us from legal action or claims from third parties, including you and/or other users; or (d) necessary to protect the legal rights, personal and/or real property, or the personal safety of our company, users, employees, and business partners.
Disclosures to Successors
If our business is sold or merges in whole or in part with another business that would become responsible for providing the services to you, we retain the right to transfer your Personal Data (PD) to the new business. The new business would retain the right to use your personal data according to the terms of this privacy notice.
In bankruptcy, PD may be transferred if assets are sold. Successors must be bound to materially similar privacy protections or users must receive notice and choices required by law. Where required by applicable law (including Brazil’s LGPD and Mexico’s LFPDPPP), we will notify you prior to any such transfer and provide you with the opportunity to request deletion of your personal data before the transfer takes effect.
Community Discussion Boards and Blogs
Our services may offer the ability for users to communicate through online community discussion boards, blogs, or other mechanisms. If you choose to post on these discussion mechanisms, you should use care when exposing any Personal Data (PD), as such information is not protected by our privacy notice, nor are we liable if you disclose your PD through such postings.
Posted PD may be available worldwide online. The company cannot prevent misuse by others.
RETAINING AND DESTROYING YOUR PERSONAL DATA (PD)
PD is retained as long as necessary to provide services and fulfill privacy notice purposes, subject to legal retention requirements. Account PD is kept until service provision is no longer needed or deletion is requested.
Retention Criteria:
1. Length of continuing relationship and service provision.
2. Legal retention obligations (transaction records).
3. Legal position advisability (statutes of limitations, litigation, regulatory investigations).
Examples:
Health entries are retained while accounts are active, then permanently deleted within 7 business days of account deletion. Billing records are retained up to 7 years for financial regulation compliance.
Jurisdiction-Specific Retention Rules:
Mexico (LFPDPPP): When personal data is no longer necessary for the purposes for which it was collected, we first block the data (preventing further processing while retaining it for potential legal obligations), then delete it after the applicable retention period expires.
Brazil (LGPD Art. 16): Personal data will be deleted after the processing purpose has been achieved, except where retention is required for: (i) compliance with a legal or regulatory obligation; (ii) research by a research body, with anonymization where possible; (iii) transfer to a third party in compliance with data protection requirements; or (iv) the controller’s exclusive use, provided the data is anonymized.
De-Identified or Aggregated Data:
When personal data is no longer necessary to provide the Services, we may de-identify or aggregate it and use or share the resulting information to generate insights (e.g., usage statistics). If we disclose de-identified data, we take reasonable measures to prevent reidentification, contractually require recipients to do the same, and do not attempt to reidentify the data except as permitted by law to test de-identification.
PROTECTING THE PRIVACY RIGHTS OF THIRD PARTIES
If you make any postings on our services that contain information about third parties, you agree that you have permission to include that information.
The company is not legally liable for user actions but will remove postings violating privacy rights upon notification.
DO NOT TRACK SETTINGS
While “Do Not Track” (DNT) signals are not standardized, if applicable we will honor browser-based opt-out preference signals related to “sale” or “sharing” of personal data (e.g. Global Privacy Control) as described above.
LINKS TO OTHER WEBSITES
Our services may contain links to other websites. These websites are not under our control and are not subject to our privacy notice. We have no responsibility for these websites, and we provide links to these websites solely for your convenience.
Users acknowledge that website use is at their own risk.
PROTECTING CHILDREN'S PRIVACY
Our services are not designed for use by anyone under the age of 18. We do not knowingly collect Personal Data (PD) from children under the age of 18. This restriction applies in all jurisdictions in which we operate, including but not limited to the United States, Canada, Mexico, Brazil (where LGPD Art. 14 provides specific protections for children’s and adolescents’ data), Australia, New Zealand, Hong Kong, Singapore, Colombia, Argentina, and Peru.
Parents/guardians believing children under 18 are using the service should contact the company. Proof of identification may be required before information removal. Discovered child data is deleted within a reasonable period.
You acknowledge that we do not verify the age of our users nor have any liability to do so.
OUR EMAIL POLICY
You can always opt out of receiving email correspondence from us or our affiliates.
Email addresses are not sold, rented, or traded to unaffiliated third parties without permission, except in company sale, transfer, or bankruptcy as described in “Disclosures to Successors.”
OUR SECURITY POLICY
We have built our services using industry-standard security measures and authentication tools to protect the security of your Personal Data (PD). We and the third parties who provide services to us also maintain technical and physical safeguards to protect your PD.
Because of the nature of the Internet, we cannot guarantee that loss or misuse will be prevented or that data transmission will be secure. Users should protect passwords and not share them.
We implement role-based access controls, encryption in transit, and vendor due diligence appropriate to the sensitivity of your personal data, including health-related information.
Breach Notification
Data breaches affecting personal data trigger notifications as required by applicable law. Our breach notification obligations include, but are not limited to:
United States: Notifications are made in accordance with applicable state breach notification laws. Health information breaches under the FTC’s Health Breach Notification Rule (HBNR) trigger notifications to affected individuals, the FTC, and media where required, within HBNR timelines and with required content.
Brazil (LGPD): Security incidents involving personal data that may create risk or relevant harm to data subjects are reported to the Autoridade Nacional de Proteção de Dados (ANPD) and affected individuals within the timeframe established by the ANPD. We maintain records of security incidents for a minimum of 5 years.
Canada (PIPEDA / Quebec Law 25): Breaches of security safeguards creating a real risk of significant harm are reported to the Office of the Privacy Commissioner of Canada (OPC) and, for Quebec residents, to the Commission d’accès à l’information (CAI). Affected individuals are notified. We maintain records of all breaches for a minimum of 24 months.
Mexico (LFPDPPP): Security breaches affecting personal data are notified to affected individuals immediately, describing the nature of the incident, the data involved, and recommended protective actions.
Australia (Privacy Act 1988): Eligible data breaches likely to result in serious harm are reported to the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable under the Notifiable Data Breaches (NDB) scheme.
New Zealand (Privacy Act 2020): Privacy breaches that cause or are likely to cause serious harm are reported to the Office of the Privacy Commissioner and affected individuals as soon as practicable.
Hong Kong (PDPO): There is currently no mandatory data breach notification requirement under the PDPO. However, we follow the Privacy Commissioner for Personal Data’s (PCPD) recommended best practices and will notify affected individuals and the PCPD of significant breaches as appropriate.
Singapore (PDPA): Notifiable data breaches—those resulting in or likely to result in significant harm to affected individuals, or affecting 500 or more individuals—are reported to the Personal Data Protection Commission (PDPC) within 3 calendar days of assessment. Affected individuals are notified as soon as practicable.
Colombia (Law 1581): Security incidents are reported to the Superintendencia de Industria y Comercio (SIC) within 15 business days. Notification to affected individuals is strongly recommended.
Peru (Law 29733): Notifiable security incidents — those exposing sensitive data (including health data) or large volumes of personal data — are reported to the Autoridad Nacional de Protección de Datos Personales (ANPDP) and affected individuals within 48 hours.
USE OF YOUR CREDIT CARD
Credit or debit cards may be required to purchase products and services. We use third-party billing services, over which we have no control. We use commercially reasonable efforts to ensure that your credit card number is kept strictly confidential by using only third-party billing services that use industry-standard encryption technology to protect your credit card number from unauthorized use.
However, you understand and agree that we are in no way responsible for any misuse of your credit card number.
IN-APP PURCHASES
“Waves Women” does not directly collect or store your payment information. Payments are processed either by way of the Apple Store or Google Play or by our service provider(s) when you make purchases directly within the app.
Payment processors act as independent controllers of payment information under their own privacy terms.
YOUR REGIONAL PRIVACY RIGHTS
Privacy requests (access, correction, deletion, portability, and other applicable rights) may be submitted to support@waveswomen.com. We respond within 30 days of receiving your request, unless a shorter period is required by applicable law. Targeted advertising based on health entries does not occur.
United States
If our practices involve “selling” or “sharing” personal data as defined by applicable state law, a “Do Not Sell or Share My Personal Information” link will be provided and Global Privacy Control signals will be honored.
Consumer Health Data (Washington & Nevada) Notice:
We collect consumer health data (e.g., menstrual, hormonal, and related wellness entries) only with your affirmative consent, and we obtain separate consent to share it with processors for security, debugging, fraud prevention, support, or analytics calibration. We do not sell consumer health data and do not use geofencing around health-care facilities. WA/NV residents may exercise access, deletion, and appeal rights by contacting our support team (support@waveswomen.com). Internal consent records (timestamp, scope, notice version) are maintained.
Residents of states with comprehensive privacy laws (including California, Virginia, Colorado, Connecticut, and others) may exercise rights as described in the “Your Rights” section above and the “Appeals of Denied Requests” section below.
Canada
Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, Quebec’s Act respecting the protection of personal information in the private sector (Law 25), you have the following rights:
– Right to access your personal data
– Right to request correction of inaccurate personal data
– Right to withdraw consent for processing, subject to legal or contractual restrictions
– Right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) or, for Quebec residents, the Commission d’accès à l’information (CAI)
– Right to data portability (Quebec, Law 25)
– Right to be informed about the use of automated decision-making technology (Quebec, Law 25)
Express consent is required for the collection, use, or disclosure of sensitive personal information, including health data. We respond to access and correction requests within 30 days.
Mexico
Under Mexico’s Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), you have ARCO rights:
Access: Right to know what personal data we hold about you and how it is processed.
Rectification: Right to request correction of inaccurate or incomplete personal data.
Cancellation: Right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected. Data will first be blocked and then deleted after applicable retention periods expire.
Opposition: Right to object to the processing of your personal data for specific purposes.
We respond to ARCO requests within 20 business days of receiving a complete request, with implementation within 15 business days of our response. Express written consent is required for the processing of sensitive personal data, including health information.
Brazil
Under Brazil’s Lei Geral de Proteção de Dados (LGPD), Article 18, you have the following rights:
– Right to confirmation of the existence of processing and access to your data
– Right to correction of incomplete, inaccurate, or outdated data
– Right to anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data
– Right to data portability to another service provider
– Right to deletion of personal data processed on the basis of consent
– Right to information about public and private entities with which your data has been shared
– Right to be informed about the consequences of denying consent
– Right to revoke consent at any time
Specific and prominent consent is required for the processing of health data under LGPD Art. 11. You have the right to petition the Autoridade Nacional de Proteção de Dados (ANPD) regarding our processing of your personal data.
Australia
Under Australia’s Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the following rights:
– Right to access your personal information (APP 12)
– Right to request correction of inaccurate, out-of-date, incomplete, or misleading personal information (APP 13)
– Right to complain about handling of your personal information to us or to the Office of the Australian Information Commissioner (OAIC)
– Right to opt out of direct marketing communications
– Right to request that we not disclose your personal information to overseas recipients without APP-compliant safeguards
Health information is classified as sensitive information under the Privacy Act. We collect and use health information only with your consent and for the purposes for which it was collected. We respond to access and correction requests within 30 days.
New Zealand
Under New Zealand’s Privacy Act 2020 and the Information Privacy Principles (IPPs), you have the following rights:
– Right to access your personal information (IPP 6)
– Right to request correction of personal information (IPP 7)
– Right to complain to the Office of the Privacy Commissioner
– Right to know what personal information we hold about you and the purposes for which it is used
Health information is treated as sensitive. We collect and use it only for lawful purposes directly related to the services we provide, and only where necessary. We respond to access and correction requests within 20 working days.
Hong Kong
Under Hong Kong’s Personal Data (Privacy) Ordinance (PDPO), Cap. 486, you have the following rights:
– Right to access your personal data (Data Protection Principle 6)
– Right to request correction of inaccurate personal data (Data Protection Principle 6)
– Right to request erasure of personal data no longer required for the purpose of collection (Section 26)
– Right to be informed of the purposes of data collection and classes of persons to whom data may be transferred
– Right to withdraw consent for use of your data for a new purpose
Personal data is collected for purposes directly related to our services and is not used for any unrelated purpose without your express and voluntary consent. We do not use your personal data for direct marketing without your opt-in consent. You may lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD).
Singapore
Under Singapore’s Personal Data Protection Act 2012 (PDPA), you have the following rights:
– Right to access your personal data
– Right to request correction of inaccurate or incomplete personal data
– Right to withdraw consent for the collection, use, or disclosure of your personal data, subject to legal or contractual restrictions and reasonable notice
– Right to be informed of the purposes for which your personal data is collected, used, and disclosed
– Right to lodge a complaint with the Personal Data Protection Commission (PDPC)
Health-related data is treated with a higher standard of protection. We collect and use health information only with your consent and for the purposes for which it was collected. We respond to access and correction requests within 30 days.
Data Protection Officer (Singapore PDPA): For inquiries related to the handling of your personal data under the PDPA, please contact our Data Protection Officer at support@waveswomen.com.
Colombia
Under Colombia’s Law 1581 of 2012 (Ley Estatutaria de Protección de Datos Personales) and the constitutional habeas data right enshrined in Article 15 of the Colombian Constitution, you have the following rights:
– Right to access (conocer) your personal data held by us
– Right to update (actualizar) your personal data
– Right to rectification (rectificar) of inaccurate or incomplete personal data
– Right to deletion or suppression (suprimir) of your personal data when it is no longer necessary for the purposes for which it was collected, or when you revoke consent
– Right to revoke consent for the processing of your personal data
– Right to file complaints with the Superintendencia de Industria y Comercio (SIC)
We respond to access requests within 10 business days (extendable by 5 business days). Rectification and deletion requests are processed within 15 business days.
Health data is classified as sensitive under Colombian law. Express consent is required for its processing, and providing sensitive data is always voluntary — refusal to provide it will not result in adverse consequences for you.
Supervisory authority: Superintendencia de Industria y Comercio (SIC).
Argentina
Under Argentina’s Personal Data Protection Act (Ley 25.326 — Ley de Protección de los Datos Personales) and the constitutional habeas data right, you have the following rights:
– Right to information about the existence and purpose of data processing (Art. 13)
– Right to access your personal data (Art. 14)
– Right to rectification of inaccurate or incomplete personal data (Art. 16)
– Right to deletion or suppression of your personal data (Art. 16)
– Right to confidentiality of your personal data (Art. 10)
– Right to habeas data judicial remedy to verify, access, correct, or delete your data (Arts. 33–34)
We respond to access, rectification, and deletion requests within 10 business days.
Health data is classified as sensitive under Article 7 of Ley 25.326, with a general prohibition on sensitive data processing. The healthcare exception under Article 8 does not apply to wellness applications. We process health data only with your free, express, and informed consent, specifically tied to declared purposes.
Supervisory authority: Agencia de Acceso a la Información Pública (AAIP).
Peru
Under Peru’s Personal Data Protection Law (Ley 29733 — Ley de Protección de Datos Personales) and its updated regulations (D.S. 016-2024-JUS), you have the following ARCO rights:
– Right to access (acceso) your personal data
– Right to rectification (rectificación) of inaccurate or incomplete personal data
– Right to cancellation/deletion (cancelación) of your personal data
– Right to opposition (oposición) to the processing of your personal data
– Right to data portability (effective September 2025 under D.S. 016-2024-JUS)
We respond to access requests within 20 business days. Rectification, deletion, and opposition requests are processed within 10 business days.
Health data requires written consent, which may be provided via handwritten, digital, electronic, or equivalent authentication mechanism. Consent must identify the specific purposes for processing, recipients of the data, and any cross-border transfers.
Data Protection Officer: For inquiries related to the handling of your personal data under Peruvian law, please contact us at support@waveswomen.com.
Supervisory authority: Autoridad Nacional de Protección de Datos Personales (ANPDP).
LIMITING USE OF SENSITIVE PERSONAL INFORMATION
Collected SPD is used solely for the delivery of services you have requested and for the purposes described in this notice. SPD is not used for additional purposes such as marketing, profiling, or characteristic inference. If this changes, users will be notified and any applicable right to limit or object will be honored.
HIPAA Notice: We are not a HIPAA “covered entity” or “business associate.” Information you provide to us is not “protected health information (PHI)” under HIPAA; it is governed by this privacy notice and applicable state privacy laws.
APPEALS OF DENIED REQUESTS
Denied request appeals may be submitted by replying to the decision email or emailing support@waveswomen.com with “Privacy Request Appeal” in the subject.
We will inform you in writing of any action taken or not taken in response to the appeal and the reasons. If you are not satisfied with our response, you may contact the applicable supervisory authority:
United States: Your state attorney general (applicable in Virginia, Colorado, Connecticut, and other states with appeal rights).
Canada: The Office of the Privacy Commissioner of Canada (OPC), or for Quebec residents, the Commission d’accès à l’information (CAI).
Mexico: The Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI).
Brazil: The Autoridade Nacional de Proteção de Dados (ANPD).
Australia: The Office of the Australian Information Commissioner (OAIC).
New Zealand: The Office of the Privacy Commissioner.
Hong Kong: The Office of the Privacy Commissioner for Personal Data (PCPD).
Singapore: The Personal Data Protection Commission (PDPC).
Colombia: The Superintendencia de Industria y Comercio (SIC).
Argentina: The Agencia de Acceso a la Información Pública (AAIP).
Peru: The Autoridad Nacional de Protección de Datos Personales (ANPDP).
AUTOMATED DECISION-MAKING
We may use automated processing to personalize your experience, including content recommendations and wellness insights based on data you provide. We do not make automated decisions that produce legal effects or similarly significant effects on you without human review.
Where applicable law provides rights related to automated decision-making—including Brazil’s LGPD (Art. 20), Mexico’s LFPDPPP (2025 amendments), and Quebec’s Law 25—you have the right to:
– Request information about the criteria and procedures used in automated decisions
– Request human review of decisions made solely through automated processing
– Contest automated decisions that affect your interests
To exercise these rights, contact us at support@waveswomen.com.
INTERNATIONAL DATA TRANSFERS
Our primary operations and data storage are located in the United States. Personal data that we collect from you may be stored, processed, and transferred to the United States or other countries in which we or our service providers operate. These countries may have data protection laws that differ from those of your country of residence.
When we transfer personal data internationally, we apply appropriate safeguards to protect your data, including:
Canada (PIPEDA / Quebec Law 25): We use contractual measures to ensure that personal data transferred outside Canada receives a comparable level of protection. For Quebec residents, we conduct privacy impact assessments for international transfers as required by Law 25.
Mexico (LFPDPPP): International transfers of personal data are made with your consent, except where permitted by law without consent (e.g., transfers necessary for contract performance or legally required transfers).
Brazil (LGPD): We transfer personal data internationally using appropriate safeguards, which may include standard contractual clauses in accordance with ANPD Resolution No. 19/2024, or with your informed and specific consent. We note that the United States has not received an adequacy determination from the ANPD.
Australia (Privacy Act 1988, APP 8): Before disclosing personal information to overseas recipients, we take reasonable steps to ensure they comply with the Australian Privacy Principles, or we obtain your informed consent to the transfer.
New Zealand (Privacy Act 2020, IPP 12): We disclose personal information to overseas recipients only where we believe the recipient is subject to comparable privacy protections or with your authorization.
Hong Kong (PDPO): There are currently no statutory restrictions on cross-border data transfers under the PDPO. We apply appropriate contractual and security safeguards consistent with the PCPD’s Recommended Model Contractual Clauses for cross-border data transfers.
Singapore (PDPA, Section 26): Before transferring personal data outside Singapore, we ensure the overseas recipient provides a standard of protection comparable to the PDPA, through contractual arrangements, binding corporate rules, or other recognized mechanisms.
Colombia (Law 1581): The United States has been designated as providing an adequate level of data protection by the SIC (External Circular 005 of 2017). Personal data transfers to the US are permitted under this adequacy determination. We also maintain contractual safeguards with our service providers.
Argentina (Ley 25.326): Under the US-Argentina Agreement on Reciprocal Trade and Investment (November 2025), the United States has been recognized as an adequate jurisdiction for data transfers. We also maintain contractual safeguards with our service providers including standard contractual clauses.
Peru (Law 29733, Section 26): Peru has not issued a formal adequacy determination for the United States. We transfer personal data internationally with your informed and specific consent, supported by contractual clauses (including standard contractual clauses) with our service providers to ensure comparable protection.
In all cases, we require our service providers and partners to protect your personal data in accordance with this notice and applicable law. We use contractual protections, data processing agreements, and organizational security measures to safeguard transferred data.
GOVERNING LAW
This privacy notice is governed by and interpreted in accordance with the laws applicable to your jurisdiction. Where any provision of this notice conflicts with mandatory provisions of applicable local data protection law, the local law prevails.
Nothing in this notice is intended to limit or restrict any rights you may have under applicable data protection legislation.
CHANGES TO OUR PRIVACY NOTICE
We reserve the right to change this privacy notice at any time. If our company decides to change this privacy notice, we will post those changes on our services so that our users and customers are always aware of what information we collect, use, and disclose.
If at any time we decide to disclose or use your Personal Data (PD) in a manner different from that specified at the time it was collected, we will provide advance notice by email sent to the email address on file in your account or notify you with an in-app notice.
Otherwise, we will use and disclose our users’ and customers’ personal data in agreement with the privacy notice in effect when the information was collected. In all cases, your continued use of our services and products after any change to this privacy notice will constitute your acceptance of the change.
If you have questions about our privacy notice, please contact us through the information at the top of this privacy notice.
If material changes affect personal data use, a prominent in-app notice is provided. Where required by applicable law (including Brazil’s LGPD and Mexico’s LFPDPPP), we will obtain renewed consent for material changes to the processing of your personal data.
Copyright © – This document or any portion of it may not be copied or duplicated in any way without a license.
Contact us
support@waveswomen.com
We accept privacy inquiries in English, Spanish, and Portuguese.