Privacy Policy

For the website, sales, support, account administration, and billing relationship, the controller is Latent Labs OÜ, the company operating WaverSec.

If you have privacy questions or want to exercise a right under this notice, contact us at info@latent-labs.io. Existing customers can also reach support@waversec.com for operational help.

This policy applies to the public website, the WaverSec Protect admin product, the API and related endpoints, the Outlook add-in, the documentation site, and our support, onboarding, and billing workflows.

It does not replace a separate data processing agreement or customer contract. If a signed customer agreement says something more specific about customer data, that agreement controls to the extent of any conflict.

WaverSec is the controller for data we use to run our business and customer relationship, including website analytics, contact requests, account creation, support, subscription management, and product administration.

When WaverSec Protect processes customer email content or related message data on behalf of a customer organization, that customer organization is typically the controller or business, and WaverSec acts as a processor or service provider.

If you use WaverSec Protect through your employer or another organization, you should usually direct privacy requests about message data to that organization first. They decide how the product is configured and whether warnings or blocking rules are enabled.

WaverSec Protect may receive message data when a customer uses the product to scan an email or attachment. That processing happens to deliver the requested protection result.

As designed today, WaverSec Protect does not retain email bodies, recipient lists, or attachment files in its application databases as part of normal service operation. Core service records are centered on account, configuration, usage, and billing data instead.

That does not mean no personal data is processed at all. Some personal data still exists in account records, customer-configured lists, sender identifiers used for seat tracking, support messages, and similar operational records.

We process personal data to provide and secure WaverSec Protect, manage customer accounts and subscriptions, answer support requests, improve the service, and comply with legal obligations.

Where GDPR applies, we generally rely on one or more of the following legal bases depending on context.

The public website may use optional PostHog analytics. On the landing site, page views, scroll depth, and CTA interactions are presented through a consent banner where required so visitors can accept or decline them.

The product apps also use technologies needed for authentication, UI state, and product operation, including Clerk session cookies and local or session storage for interface preferences. Optional PostHog product analytics and masked session replay in the admin dashboard and Outlook add-in are disabled by default and can be enabled or disabled by an organization administrator through the admin dashboard's Optional product analytics setting. The Outlook add-in follows that organization setting.

If product analytics is enabled, PostHog stores analytics preference and persistence data in browser storage for that surface. Analytics events are configured not to include email body text, recipient lists, or attachment content.

We disclose personal data only when needed to run the service or comply with law. Depending on the workflow, data may be handled by service providers that support our product operations.

Some of our providers may process personal data in the United States or other countries outside the EEA, UK, or Switzerland. When those transfers are covered by GDPR or similar rules, we use the transfer mechanism that fits the specific provider and destination.

Depending on the situation, that may include an adequacy decision, the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or another recognized safeguard.

We keep personal data only for as long as we need it for the purpose described in this notice, unless a longer retention period is required by law or justified by a documented security or dispute-handling need.

Retention depends on the dataset. We use the following criteria today.

We use technical and organizational measures designed to reduce risk and limit unnecessary data exposure. No system can guarantee perfect security, but we apply layered controls that reflect the current product architecture.

WaverSec Protect automatically analyzes message data to generate detections, warnings, and, where the customer chooses, blocking decisions before an email is sent. The exact behavior depends on the policies, DLP rules, scanners, and optional AI features configured by the customer organization.

For many deployments, the service is used to warn users and let them fix issues before sending. Some organizations may configure stricter enforcement. If you are an end user and believe a customer-configured decision should be reviewed, contact your organization’s administrator first.

If GDPR or a similar regime applies, you may have the right to request access, correction, deletion, restriction, portability, or objection, and to withdraw consent where we rely on consent.

You may also have the right to lodge a complaint with your local supervisory authority. We may need to verify your identity or your authority to act before we complete a request.

If you live in a U.S. state with an applicable privacy law, you may have rights that include access, deletion, correction, portability, and appeal, and in some states the right to opt out of certain sales, targeted advertising, or profiling uses.

WaverSec does not sell personal data. We do not share personal data for cross-context behavioral advertising. If you submit a privacy request and disagree with our response, you can appeal by emailing info@latent-labs.io with the subject line “Privacy Appeal”.

Some browsers offer a Do Not Track setting. Because there is not a uniform industry standard for interpreting that signal, WaverSec does not currently change the public website’s behavior in response to browser Do Not Track signals.

We do not use the public website for cross-context behavioral advertising, and we do not knowingly allow third parties to collect personal data through the public website for their own cross-site advertising purposes.

WaverSec Protect is designed for business use and is not directed to children. We do not knowingly collect personal data from children for consumer use of the service.

If you believe a child has provided personal data to us in a way that should not have happened, contact us so we can investigate and take appropriate action.

We may update this notice as the product, providers, or legal requirements evolve. When we do, we will update the effective date at the top of the page and, where appropriate, provide additional notice.

Send privacy requests to info@latent-labs.io. If you are writing about a customer-managed deployment, include the organization name, the environment involved if you know it, and the nature of your request so we can route it correctly.

For support matters related to an active deployment, you can also use support@waversec.com. We may ask for information needed to verify identity, authority, or account ownership before acting on a request.