Home
Help

Wave Privacy Policy

Effective Date: October 4, 2025

Last Updated: March 17, 2026

Version: 1.0.4

1. Introduction

This Privacy Policy describes how Wave, a brand operated by Psalm46 Monney ("we", "us", "our"), collects, uses, and shares your information when you use our web application accessible at https://app.wavepray.com (the "Service").

We are committed to protecting your privacy and handling your personal data transparently, in accordance with the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR) for our users in the European Union.

2. Information We Collect

2.1 Information you provide to us

When you use our Service, you directly provide us with the following information:

  • Account information: Name, email address, password (stored in an encrypted manner)
  • Profile information: Profile picture or avatar (optional, stored on our secure servers)
  • User content: Prayer requests, prayer cards, comments, spiritual thoughts that you post on the Service
  • Payment information: When you subscribe to a paid plan, your credit card information is collected and processed directly by our payment processor, Stripe Inc. We never store your banking information on our servers
  • Push notifications: Notification tokens if you enable push notifications on your device
  • Communications: Messages you send us via contact forms or by email

2.2 Information we collect automatically

When you use the Service, we automatically collect certain information:

  • Log information: IP address, browser type and version, operating system, time zone
  • Usage information: Pages visited, features used, time spent on the Service, navigation paths
  • Device information: Device model, unique device identifiers, screen resolution
  • Cookies and similar technologies: See section 5 for more details

2.3 Information collected from other sources

Google Authentication: If you choose to log in via Google OAuth, we receive your name, email address, and profile picture from Google. Apple Authentication: If you choose to log in via Apple Sign In, we receive your name and email address from Apple (you may choose to hide your real email). Payment Processor: Stripe provides us with information about your subscription status (active, canceled, etc.) but never your full banking information.

3. How We Use Your Information and Our Legal Bases

We use the collected information for the following purposes. In accordance with the GDPR, each processing activity is justified by a legal basis:

3.1 Provision and improvement of the Service

  • To create and manage your user account (Legal basis: Performance of a contract)
  • To allow you to create, share, and manage your prayer movements (Legal basis: Performance of a contract)
  • To facilitate collaboration among members of the same movement (Legal basis: Performance of a contract)
  • To personalize your experience (e.g., displaying your active movements) (Legal basis: Legitimate interest in providing an optimized service)
  • To improve and develop new features (Legal basis: Legitimate interest in improving the Service)
  • To analyze the use of the Service to optimize performance (Legal basis: Legitimate interest in ensuring the technical efficiency of the Service)

3.2 Subscription management

  • To process your payments and manage your subscription (Legal basis: Performance of a contract)
  • To send you payment confirmations, invoices, and receipts (Legal basis: Performance of a contract and/or Legal obligation – accounting/tax)
  • To notify you of renewals, payment failures, or subscription changes (Legal basis: Performance of a contract)
  • To manage free trial periods (Legal basis: Performance of a contract or Pre-contractual measures)

3.3 Communications

  • To send you important notifications regarding the Service (updates, changes to terms, security alerts) (Legal basis: Legitimate interest in ensuring user security and proper information)
  • To respond to your requests and questions via our customer support (Legal basis: Performance of a contract and/or Legitimate interest in proper support management)
  • To send you invitations to join prayer movements (Legal basis: Legitimate interest or Consent if the invitation is sent by Wave)
  • To notify you of new activities in your movements if you have enabled these notifications (Legal basis: Performance of a contract and/or Consent for push notifications)

3.4 Security and legal compliance

  • To detect, prevent, and resolve technical issues, fraud, and abuse (Legal basis: Legitimate interest in ensuring network and data security)
  • To enforce our Terms of Service (Legal basis: Legitimate interest in protecting our rights)
  • To comply with our legal and regulatory obligations (Legal basis: Legal obligation)
  • To protect the rights, property, and safety of Wave, our users, and the public (Legal basis: Legitimate interest)

3.5 Analytics and marketing (marketing page only)

  • On our marketing page (showcase site), we use Google Tag Manager and, depending on the active configuration, audience measurement tools (including Google Analytics 4) to understand how visitors interact with our site (Legal basis: Consent – collected via the cookie banner)
  • These analytics help us improve our communication and the presentation of the Service (Legal basis: Legitimate interest)

Important: Audience measurement tools are not loaded inside the application itself. They apply only to the public marketing page after consent.

4. How We Share Your Information

We never sell your personal data. We may share your information only in the following cases:

4.1 With service providers

We work with third-party service providers who process data on our behalf:

  • Stripe Inc. (United States): Secure credit card payment processing
  • Amazon Web Services (AWS) (Zurich, Switzerland): Secure storage of profile pictures and photos via S3, distributed globally via CloudFront
  • Vercel Inc. (United States/Europe): User interface hosting, with servers primarily in the Paris region (France)
  • Infomaniak (Switzerland): Hosting of our application server and database
  • Resend Inc. (United States): Sending transactional emails (confirmations, notifications)
  • RevenueCat Inc. (United States): Management of in-app purchases and subscriptions on mobile applications (iOS/Android)
  • Google Analytics (United States): Analytics for the marketing page only (not the application)

These providers only access the data strictly necessary to perform their services and are contractually obligated to protect your data.

4.2 Within your prayer movement

The content you post in a movement (prayer requests, cards, comments) is visible to all members of that movement. Movement administrators can see the list of members and their participation levels. Community founders have access to usage statistics for their communities.

4.3 For legal reasons

We may disclose your information if we are legally required to do so:

  • In response to a court order, subpoena, or other legal process
  • To enforce our Terms of Service or other agreements
  • To protect our rights, property, or safety, or those of our users
  • To prevent or investigate illegal, fraudulent, or dangerous activities

4.4 In the event of a change of control

If Wave is involved in a merger, acquisition, sale of assets, or bankruptcy proceeding, your personal information may be transferred to the successor entity. We will notify you by email and/or via a notice on the Service before any transfer.

4.5 With your consent

We may share your information for any other purpose with your explicit consent.

4.6 Aggregated and anonymized data

We may share aggregated and anonymized statistics that do not personally identify you (for example: "50% of users use the daily prayer feature").

5. Cookies and Tracking Technologies

5.1 What is a cookie?

A cookie is a small text file stored on your device when you visit a website. Cookies help us operate the Service and improve your experience.

5.2 Cookies we use

In the application (app.wavepray.com)

Strictly necessary cookies (cannot be disabled):

  • accessToken: Access token for your session authentication
  • refreshToken: Token to automatically renew your session
  • session: Identifier for your active session
  • deviceId: Unique device identifier for security, multi-session management, and detection of suspicious activity
  • NEXT_LOCALE: Your language preference
  • theme: Your theme preference (light/dark)
  • timezone: Your time zone for correct date and time display
  • sidebar_state: Open/closed state of the sidebar
  • onboarding_status: Progress in the onboarding flow

These cookies are essential for the operation of the Service and expire after 30 days of inactivity or when you log out.

On the marketing page

  • Analytical cookies (via Google Tag Manager, potentially including Google Analytics 4 depending on configuration):

These cookies help us understand how visitors use our marketing site. They collect anonymous information about the pages visited and browsing behavior.

Important: In accordance with the GDPR, these cookies are only placed on your device after your active consent (Opt-in) via our Consent Management Platform (CMP) banner. Refusing these cookies does not affect the use of the main Service.

5.3 Cookie management and consent

Consent banner:

When you visit our marketing page for the first time, a cookie consent banner allows you to:

  • Accept all cookies.
  • Reject all non-essential cookies.
  • Choose to accept or reject non-essential cookies.

Withdraw your consent:

You can withdraw your consent at any time by deleting the related cookies and local storage in your browser, then expressing your choice again on your next visit.

In your browser:

Most browsers automatically accept cookies, but you can modify your settings to decline them. Note that blocking essential cookies will prevent the Service from functioning properly.

Browser extensions:

You can install extensions like uBlock Origin or Privacy Badger to block third-party cookies.

6. Data Security

6.1 Security measures

We take the security of your data very seriously and implement appropriate technical and organizational measures:

Technical measures:

  • Password encryption using the Argon2 algorithm (modern security standard)
  • Application-level encryption of certain sensitive content (including prayer requests, cards, and descriptions)
  • HTTPS/TLS connections for all communications
  • Firewalls and intrusion detection systems
  • Regular automated database backups
  • Servers hosted in Switzerland with strict security standards

Organizational measures:

  • Data access restricted to individuals who strictly need it
  • Enhanced access control for administrative operations
  • Continuous system monitoring to detect threats
  • Security incident response procedures

6.2 Your responsibilities

You are responsible for:

  • Keeping your password confidential
  • Not sharing your account with others
  • Notifying us immediately in case of unauthorized use of your account

6.3 Security limitations

Despite our best efforts, no system is 100% secure. We cannot guarantee the absolute security of your information. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law.

7. Data Retention

7.1 Retention period

We retain your personal information for as long as necessary for:

  • Active account: As long as your account is active and you use the Service
  • Deleted account: Your personal data is anonymized immediately upon account deletion
  • Legal obligations: Longer if required by law (e.g., billing data retained for 10 years for Swiss tax compliance)
  • Litigation: Until the resolution of any dispute or claim

7.2 After account deletion

When you delete your account:

  • Your personal data (name, email, profile picture) is anonymized immediately
  • Your public content shared in movements (prayer requests, cards) remains visible but is anonymized ("[Deleted account]")
  • You may request the complete deletion of all your content by contacting us before deleting your account
  • Billing data is retained separately by our payment processor (Stripe) for legal compliance but disassociated from your profile

8. Your Data Protection Rights

In accordance with the Swiss FADP and the GDPR, you have the following rights regarding your personal data:

8.1 Right of access

You have the right to know what personal data we hold about you. You can request a copy of this data at any time.

8.2 Right to rectification

You can correct or update your personal information directly from your account settings. For any changes you cannot make yourself, please contact us.

8.3 Right to erasure

You can request the deletion of your account and personal data at any time. Note that:

  • Some data may be retained for legal compliance
  • Publicly shared content may be retained in an anonymized form
  • The anonymization of your personal data is effective immediately

8.4 Right to restriction of processing

You may request the restriction of processing of your data under certain circumstances (for example, while we verify the accuracy of your data or the legitimacy of our interests).

8.5 Right to data portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. As of today, data portability requests are handled through support at community@wavepray.com. A movement export is available in the application for certain plans, but it does not constitute a complete export of all account data.

8.6 Right to object

You can object to the processing of your data for direct marketing purposes at any time. For other processing, you can object on grounds relating to your particular situation.

8.7 Right to withdraw consent

Where we process your data based on your consent, you can withdraw it at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

8.8 Right to lodge a complaint

If you believe that we are not respecting your data protection rights, you can lodge a complaint with:

In Switzerland: Federal Data Protection and Information Commissioner (FDPIC) Feldeggweg 1 CH-3003 Bern Phone: +41 (0)58 462 43 95 Email: confidentialite@edoeb.admin.ch Website: https://www.edoeb.admin.ch

In the European Union: Your national data protection authority.

8.9 How to exercise your rights

To exercise any of these rights:

  • Log in to your account and access the settings
  • Send us an email at community@wavepray.com
  • We will respond to your request within 30 days

For security reasons, we may ask you to prove your identity before processing your request.

8.10 Automated decision-making and profiling

As of today, we do not use fully automated decision-making that produces legal effects or similarly significant effects on individuals. Some technical processing (for example, security or abuse prevention) may include automated rules, with human review where necessary.

9. Children's Privacy

9.1 Minimum age

Our Service is intended for individuals who are at least 16 years old. We do not knowingly collect personal information from children under 16 without the consent of a parent or legal guardian.

9.2 If you are a parent

If you believe that your child under 16 has provided us with personal information without your consent, please contact us immediately at community@wavepray.com. We will take steps to delete this information as soon as possible.

10. International Data Transfers

10.1 Data location

Your data is primarily stored and processed in Switzerland, which offers a level of data protection equivalent to that of the European Union.

10.2 Transfers outside Switzerland

Some of our service providers are located outside of Switzerland:

Stripe (United States):

  • Processes payments in accordance with PCI DSS Standards.
  • Data transfers are governed by the implementation of Standard Contractual Clauses (SCCs) of the European Union and, where applicable, Stripe's adherence to the EU-US Data Privacy Framework (DPF).
  • More information: https://stripe.com/privacy

Amazon Web Services (AWS) (Zurich, Switzerland):

  • Secure storage of profile pictures and photos via S3, distributed globally via CloudFront.
  • Note: Transfers outside Switzerland are governed by SCCs.

Vercel (United States/Europe):

  • User interface hosting, with servers primarily in the Paris region (France).
  • GDPR compliant with Standard Contractual Clauses (SCCs).

Resend Inc. (United States):

  • Sending of transactional emails only.
  • GDPR compliant with Standard Contractual Clauses (SCCs).

RevenueCat Inc. (United States):

  • Management of in-app purchases and subscriptions on iOS and Android.
  • GDPR compliant with Standard Contractual Clauses (SCCs).

Google Analytics (United States):

  • Used only on the marketing page.
  • Transfers to Google are governed by Standard Contractual Clauses (SCCs).

10.3 Applied safeguards

For all data transfers outside Switzerland/EEA, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Verification that providers offer an adequate level of protection (Transfer Risk Assessment).
  • Enhanced technical and organizational security measures.
  • Where available, the provider adheres to the EU-US Data Privacy Framework (DPF), recognized by the European Commission as offering an adequate level of protection.

11. Changes to this Privacy Policy

11.1 Updates

We may modify this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • Legislative or regulatory developments
  • The addition of new features to the Service

11.2 Notification of changes

In the event of a significant change:

  • We will send you an email at the address associated with your account
  • We will display a notice within the application
  • We will update the date at the top of this document

11.3 Acceptance of changes

By continuing to use the Service after the changes become effective, you agree to the revised Policy. If you do not agree to the changes, you must stop using the Service and delete your account. We recommend that you regularly review this page to stay informed about our data protection practices.

12. Contact Us

12.1 Privacy questions

For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, you can contact us:

By email: community@wavepray.com

By postal mail: Psalm46 Monney Nathanaël Monney Route de Châtel 338 1609 St-Martin Switzerland

12.2 Data Protection Officer and GDPR Representative

Data Protection Officer (DPO - Switzerland): Given the current size of our organization, we do not have a dedicated Data Protection Officer (DPO). All requests relating to data protection should be addressed to the email address community@wavepray.com and will be handled with the utmost care.

GDPR Representative (for European Union users): As of today, we have not appointed a representative established in the European Union within the meaning of Article 27 GDPR. Users based in the EU can contact us directly at community@wavepray.com for any question regarding the processing of their personal data.

12.3 Response times

We are committed to responding to your requests within 30 days of receipt. If your request is complex, we may extend this period by an additional 60 days, informing you of the reasons for the delay.