Privacy Policy
Last updated: 27 June 2026
1. Who We Are
Wava is a SaaS platform operated by Filova LTD, a company registered in England and Wales (Companies House No: 17263134), with registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom. For privacy enquiries: privacy@filova.io.
Controller / Processor distinction: Wava acts as a data controller in respect of Tenants (businesses using the platform), and as a data processor on behalf of Tenants in respect of their end-users' personal data. Tenants are the data controllers for their end-users' data.
2. EU Representative
We are evaluating the appointment of an EU representative under GDPR Article 27. In the interim, EU data subjects may contact us directly at privacy@filova.io.
3. Data We Collect
| Category | Examples |
|---|---|
| Account data | Name, email address, company name |
| Communication data | WhatsApp phone number, message content |
| Technical data | Hashed IP address, session token |
| Billing data | Company name, tax ID, billing address |
4. Legal Basis for Processing
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the WhatsApp AI service | Art. 6(1)(b) — contract performance |
| Security, fraud prevention, abuse detection | Art. 6(1)(f) — legitimate interest |
| Marketing communications | Art. 6(1)(a) — consent (freely given) |
| Billing and tax record-keeping | Art. 6(1)(c) — legal obligation |
5. Automated Decision-Making (GDPR Art. 22)
Wava uses AI (Anthropic Claude) to generate WhatsApp responses and to qualify leads on behalf of Tenants. These outputs may constitute automated decisions affecting end-users. You have the right to request human review of any AI-generated decision that significantly affects you. To exercise this right, contact privacy@filova.io.
6. Sub-processors
We share personal data with a limited set of sub-processors to operate the Service. The full list, including data categories processed and locations, is available on our Sub-processors page. We do not sell or share personal data for advertising purposes.
7. International Data Transfers
Some of our sub-processors are located outside the EEA/UK. We use the following mechanisms to safeguard transfers:
- EU to US (Meta, Anthropic): Standard Contractual Clauses (SCCs, 2021 EU SCC Decision) and/or EU-US Data Privacy Framework (DPF) certification where applicable.
- UK to US (Meta, Anthropic): UK Addendum to the EU SCCs (approved by ICO, March 2022) and/or the UK-US Data Bridge (effective 12 October 2023).
- Database (Supabase): Hosted in the EU (eu-central-1, Frankfurt, Germany) — no transfer outside the EEA for core data storage.
8. Retention Periods
| Data category | Retention | Basis |
|---|---|---|
| Message content | 90 days | Data minimisation |
| Account / profile | Active + 90 days | Contract performance |
| Billing records | 7 years | UK tax law (HMRC) |
| IP address / access logs | 2 years | Legitimate interest |
| Phone / email | While account active | Contract performance |
9. Your Rights
EU / EEA — GDPR
Under GDPR Articles 15–21 you have the right to: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and to object to processing. You may also withdraw consent at any time without affecting prior lawful processing. To submit a request, contact privacy@filova.io. You may also lodge a complaint with the supervisory authority in your EU member state.
UK — UK GDPR
You have the same rights as under EU GDPR. Filova LTD is subject to UK GDPR and the Data Protection Act 2018. You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
US — CCPA / CPRA
California residents and residents of states with equivalent privacy laws have the right to access, delete, and correct their personal information, and to opt out of sale or sharing. We do not sell or share personal data. We honour the Global Privacy Control (GPC) signal. CCPA requests are responded to within 45 days (extendable by a further 45 days where reasonably necessary, with notice).
11. Contact
Filova LTD
Companies House No: 17263134
71-75 Shelton Street, Covent Garden
London WC2H 9JQ, United Kingdom
(Registered in England and Wales)
Privacy requests: privacy@filova.io
We aim to respond to all requests within 30 days (or 45 days for CCPA requests). Requests must include sufficient identity verification — a government-issued ID number (passport or equivalent) may be required.
12. Changes to This Policy
We will post any changes to this page and update the "last updated" date. For material changes (e.g. new data categories, new sub-processors), we will notify Tenant account holders by email.