TL;DR — The short version
- ✦ We have no servers and no database. Your profile never leaves your device unless you wave at someone.
- ✦ When two phones connect, profiles are exchanged directly between them — no cloud relay.
- ✦ Your contact info (Instagram, phone, etc.) is only transmitted at the moment of a mutual wave, and only to that one person.
- ✦ Your Waves ID is generated once on your device and never sent to any server.
- ✦ Uninstalling the app deletes everything. No "delete account" request needed.
- ✦ We don't run ads. We don't sell data. We make no money from your personal information.
1. Who we are
Waves is an independent app. You can reach us via our contact form. For the purposes of applicable data protection law, we are the controller of any personal data processed in connection with this policy — which, as you'll read below, is very little.
2. What data Waves processes and where it lives
Waves is designed around a core principle: your data stays on your device. There is no Waves server, no cloud database, and no account in the traditional sense. Here is everything that exists:
- Your profile (display name, photo, bio, contact info, discovery preference) — stored only in your phone's local app storage. Contact info is limited to Instagram, Twitter/X, and email.
- Your date of birth — entered once on first setup to verify you are 18 or older. Stored only on your device; never transmitted anywhere.
- Waves you have sent — stored only on your phone.
- Waves you have received — stored only on your phone.
- Mutual matches (Vibes) — stored only on your phone, including the approximate location where the match occurred (used only to display a map pin to you).
- Block list — tokens of users you have blocked, stored locally so they cannot rediscover you.
- Waves ID — a random identifier generated once when you first set up the app, stored only on your device, and broadcast locally over Bluetooth/Wi-Fi Direct. It is not linked to your real identity and never sent to any server.
Because we have no servers, we are structurally incapable of accessing, storing, or disclosing your profile data. There is nothing to subpoena, nothing to hack, and nothing to breach.
3. How nearby discovery works
When you open Waves with discovery enabled, your device broadcasts a short anonymous signal using Bluetooth Low Energy and Wi-Fi peer-to-peer technology (Google Nearby Connections). This signal contains only your Waves ID — not your name, photo, or any personal information.
When another Waves user is detected nearby, the two devices establish a direct encrypted connection to exchange profile data. This exchange happens entirely between the two devices; no data passes through any Waves-controlled infrastructure.
You can disable discovery at any time in Profile settings, which immediately stops broadcasting.
4. How waving works
When you wave at someone:
- A wave message is sent to the other person's device via the existing peer-to-peer connection. This message contains your display name and wave identifier so the recipient knows who waved at them. Their device shows a notification such as "[Your name] sent you a wave."
- Your full profile (photo, bio, contact info) is not transmitted at this stage. Contact details are withheld until a wave is mutual.
- If the other person waves back, both devices exchange full profiles directly over the peer-to-peer link, including the contact details each party chose to share. This exchange happens only between the two devices involved.
- If the other person does not wave back, your contact details are never shared with them. The wave record exists on both devices (yours as a sent wave, theirs as a received wave), but you will not receive any "seen" confirmation — unreciprocated waves simply expire from your sent history.
- Irrevocability of transmitted data. Because there is no server, data transmitted during a mutual wave (your display name at the wave stage, or your full profile at the match stage) exists on the recipient's device and cannot be remotely deleted or recalled by us or by you after the fact.
5. Third-party services and on-device processing
Waves uses the following third-party SDKs on the device:
- Google Nearby Connections API — used for peer-to-peer device discovery and data transfer. Google's privacy policy applies to this SDK's use of Bluetooth and Wi-Fi hardware. We do not send any user-identifiable data to Google through this API.
- Google ML Kit (Face Detection & Image Labeling) — used entirely on-device when you upload a profile photo from your gallery. It checks that the photo contains exactly one face and does not contain inappropriate content (nudity or similar). The photo is analysed locally; no image data or biometric information is sent to Google or to us. The analysis result (pass/fail) is used solely to allow or reject the photo. No biometric template is stored.
- Coil (image loading library) — used to display profile photos stored locally on the device. No data is transmitted externally.
We do not integrate any analytics SDKs, advertising SDKs, or crash-reporting services that would transmit personal data off the device.
The face detection processing described above constitutes automated processing of biometric data under GDPR Article 9. The legal basis is your explicit consent, given when you choose to upload a profile photo. You may decline to set a photo at any time; the app functions without one.
5a. Block feature and account restriction
When you block another user, a short anonymous signal is sent to their device over the existing peer-to-peer connection. This signal contains no personal information — only an indication that a block has occurred. The receiving device increments a local counter of unique blockers stored in on-device preferences. If three distinct users block the same account, that account is permanently restricted on that device. No central record of blocks is maintained by us.
6. Permissions we request
- Bluetooth & Nearby Devices — required to discover and connect to nearby phones running Waves.
- Wi-Fi — required for Wi-Fi Direct peer-to-peer connections via Nearby Connections.
- Location (approximate, while using app) — required by Android to use Bluetooth scanning. We do not record or transmit your location. We use a one-time system cache lookup only when needed for platform requirements; no continuous GPS polling occurs.
- Notifications — to alert you when you receive a wave or a mutual match occurs.
- Photos / media — only if you choose to set a profile photo from your gallery.
- Foreground service — to keep Bluetooth discovery running while the app is in the foreground.
7. Contact form
If you use the in-app contact form or the contact form on this website, your message (name, email, topic, and message text) is submitted to Formspree, a third-party form service, which forwards it to our email address. Formspree's own privacy policy governs that submission. We use this data only to respond to your message and do not retain it beyond that purpose.
8. Children and age verification
Waves does not contain adult content. The 18+ minimum age requirement exists solely to protect children from unsolicited contact with adults — not because the app is intended for adult content or restricted activities.
On first setup, users must enter their date of birth; anyone under 18 is blocked from creating a profile. This date of birth is stored only on the device and is never transmitted to us or any third party. We additionally rely on platform-level controls (Google Play family policies and parental controls) to reinforce this protection.
If you believe a minor is using Waves, please contact us immediately via our contact form. Because all data is stored locally on devices, we have no server-side mechanism to remove a specific account; we encourage parents to use device-level parental controls and to uninstall the app from a minor's device.
9. Your rights
Under GDPR, UK GDPR, and similar frameworks, you have rights including access, rectification, erasure, restriction, and portability of your personal data. Because all data lives on your device, you exercise these rights directly:
- Access & portability — your data is on your phone; you have full access to it.
- Rectification — edit your profile at any time in the Profile tab.
- Erasure — uninstall the app. All data is permanently deleted with no server-side residue.
- Restriction / objection — disable discovery in Profile settings to stop broadcasting.
For any rights request relating to data submitted via the contact form, reach us via our contact form and we will respond within 30 days.
10. Data retention
On-device data persists until you uninstall the app or use the "Start fresh" option in Profile settings (which clears waves and vibes but retains your profile). Contact form submissions received by email are retained only as long as needed to resolve your query.
11. Security
Peer-to-peer profile exchanges occur over encrypted connections provided by the Google Nearby Connections API. Since there is no central server, there is no central point of attack. Your device's own security (lock screen, OS encryption) protects locally stored app data.
12. Changes to this policy
We will update this page if our practices change and note the revision date at the top. Significant changes will be communicated via an in-app notice. Continued use of the app after a change constitutes acceptance of the updated policy.
13. Contact
Questions about this policy or your data? Use our contact form. We read every message.