Privacy Policy

This Privacy Policy describes how Wavecat (“Company,” “we,” “us,” or “our”) handles information when you use our services (the “Services”), including when you:

• visit our website at wavecat.ai (the “Site”), or any other site of ours that links to this Privacy Policy; or
• download, install, or use the wavecat desktop application (the “App”) — a local personal agent that runs on your own computer.

The short version. wavecat is built to be private by design. The core of the product — reading your screen, building context, and powering chat and the agent — runs entirely on your own device. We do not receive, transmit, or store the contents of your screen, the text it reads, your files, your activity, the context wavecat builds, or your conversations with the agent. That information never leaves your computer.

The only information we collect is:

1. Website analytics through Google Analytics when you visit wavecat.ai; and
2. Anonymous product-usage analytics through Aptabase from the desktop App — limited to session length, number of sessions, your operating system, and the App version.

We do not use any other analytics or tracking. We do not sell your personal information, and we do not use it for advertising.

Questions or concerns? If you do not agree with this policy, please do not use the Services. If you have questions, contact us at sdkyuan@mit.edu.

Summary of key points

This summary highlights the main points. You can find more detail in the section referenced after each point, or in the table of contents.

• What information do we process? When you visit or use the Services, we process a limited amount of information depending on how you interact with us — primarily standard website analytics and anonymous App-usage analytics. We do not process the contents of your screen, files, activity, or conversations. Learn more in What information do we collect?
• Do we process sensitive personal information? No. We do not process sensitive personal information.
• Do we collect information from third parties? No. We do not collect information about you from third parties.
• How do we process your information? To operate, maintain, secure, and improve the Services, to respond to you, and to comply with law. Learn more in How do we process your information?
• When do we share information? Only with our analytics providers (Google and Aptabase), where required by law, or in connection with a business transfer. We never sell your data. Learn more in When and with whom do we share?
• How do we keep your information safe? We use reasonable organizational and technical safeguards, but no system is perfectly secure. Learn more in How do we keep your information safe?
• What are your rights? Depending on where you live, you may have rights over your personal information. Learn more in What are your privacy rights?

Table of contents

1. What information do we collect?
2. How do we process your information?
3. What legal bases do we rely on?
4. When and with whom do we share your personal information?
5. Do we use cookies and other tracking technologies?
6. How do AI and on-device processing work?
7. Is your information transferred internationally?
8. How long do we keep your information?
9. How do we keep your information safe?
10. Do we collect information from minors?
11. What are your privacy rights?
12. Controls for Do-Not-Track features
13. Do United States residents have specific privacy rights?
14. Do we make updates to this notice?
15. How can you contact us about this notice?
16. How can you review, update, or delete your data?

1. What information do we collect?

Information you provide to us

In short: We collect only the personal information you choose to give us — for example, if you email us.

We collect personal information that you voluntarily provide when you contact us, request support, send feedback, or otherwise communicate with us. This is typically your email address and the contents of your message. We do not require you to create an account to use the Services, and the App does not require a cloud account.

Sensitive information. We do not process sensitive personal information.

Information collected automatically

In short: When you visit the Site, standard analytics information is collected automatically. The App collects only anonymous usage metrics.

Website analytics (Google Analytics). When you visit wavecat.ai, we use Google Analytics to understand how the Site is used. This may include your IP address, browser and device type, operating system, referring URLs, pages and links viewed, approximate (city-level) location inferred from your IP address, and dates/times of access. This information helps us maintain the security of the Site and understand how it is used.

App usage analytics (Aptabase). The desktop App uses Aptabase, a privacy-friendly analytics tool, to collect a small set of anonymous usage metrics, limited to:

• session length (how long the App is open),
• number of sessions / how often the App is used,
• your operating system, and
• the App version.

Aptabase is designed not to use cookies or persistent device identifiers and not to track individuals across sessions. These metrics are anonymous and aggregate; they are not tied to your identity and do not include any of your personal content.

What we do not collect. We do not collect, transmit, or store the contents of your screen, your files or documents, your activity or the context the App builds, or your conversations with the agent. All of that is processed locally on your device and never sent to us. See How do AI and on-device processing work?

2. How do we process your information?

In short: We process your information to operate, maintain, secure, and improve the Services, to communicate with you, and to comply with law.

We process the limited information described above to:

• Provide, operate, and maintain the Site and the App.
• Respond to your inquiries and provide support when you contact us.
• Understand usage trends so we can improve the Services. We use anonymous and aggregate analytics to understand how features are used — never the contents of your local activity.
• Maintain security, prevent and detect fraud or abuse, and keep the Services working reliably.
• Comply with legal obligations and protect our legal rights.

We will not process your information for any materially different purpose without informing you and, where required, obtaining your consent.

3. What legal bases do we rely on to process your information?

In short: We only process your personal information when we have a valid legal reason to do so.

If you are in the EU or UK, the General Data Protection Regulation (GDPR) and UK GDPR require us to explain our legal bases. We may rely on:

• Consent — where you have given us permission to process your information for a specific purpose (which you can withdraw at any time).
• Legitimate interests — to operate and secure the Services and to understand, through anonymous analytics, how they are used so we can improve them, where those interests are not overridden by your rights.
• Legal obligations — where processing is necessary to comply with law or to exercise or defend legal claims.
• Vital interests — where processing is necessary to protect someone’s life or safety.

If you are in Canada, we process your information with your express or implied consent, except where we are permitted or required by law to process it without consent.

4. When and with whom do we share your personal information?

In short: We share information only with our analytics providers, where required by law, or in connection with a business transfer. We do not sell your personal information.

We may share information in the following limited situations:

• Analytics providers. We share website-analytics data with Google Analytics and anonymous App-usage metrics with Aptabase, solely so they can provide their analytics services to us.
• Legal and safety. We may disclose information where required to comply with applicable law, regulation, legal process, or a governmental request, or to protect the rights, property, or safety of any person.
• Business transfers. We may share or transfer information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business.

We do not sell your personal information, and we do not share it for targeted advertising. Because the App’s core processing happens locally, there is no screen content, activity, or conversation data for us to share in the first place.

5. Do we use cookies and other tracking technologies?

In short: The Site uses cookies for analytics. The App does not use advertising trackers.

On the Site, we and our analytics provider (Google Analytics) use cookies and similar technologies to keep the Site secure and to understand how it is used. We do not use cookies for advertising or to build cross-site advertising profiles.

Most browsers accept cookies by default. You can usually set your browser to remove or reject cookies; if you do, some features of the Site may not function properly.

Google Analytics. We use Google Analytics to understand use of the Site. You can opt out of Google Analytics across websites by installing the Google Analytics Opt-out Browser Add-on. For more information, see the Google Privacy & Terms page.

The App uses Aptabase only for the anonymous usage metrics described in Section 1; it does not use advertising or cross-site tracking technologies.

6. How do AI and on-device processing work?

In short: wavecat is an AI agent that runs on your device. The AI reads your screen and builds context locally; that information is processed entirely on your computer and is never sent to us or to any third party.

wavecat offers products and features powered by artificial intelligence, machine learning, and autonomous (“agentic”) software (collectively, “AI Features”). These include models that watch on-screen content, turn your activity into context, and power chat and the agent.

• Local by design. All AI Features run locally on your computer using on-device models. The contents of your screen, the text extracted from it, your files, your activity, the context wavecat builds, and your conversations with the agent are processed on your device and are never transmitted to us, stored on our servers, or shared with any third party. There is no cloud inference in the default experience — wavecat keeps working with your network turned off.
• No training on your data. We do not use the contents of your screen, your files, your activity, or your conversations to train, fine-tune, or improve any model. That data stays on your device; we never see it.
• Optional self-hosted model. Advanced users can optionally route heavier interactive work to a model server that you provide and control. If you enable this, the data sent for that work goes to infrastructure you operate — not to us — and the rest of the local pipeline continues to run on-device.
• Your responsibility. Because wavecat can act as an agent and make suggestions or take actions based on what is on your screen, its output may be inaccurate or incomplete. You are responsible for reviewing the agent’s output and any actions before relying on them. See our Terms of Use.

7. Is your information transferred internationally?

In short: The limited information we collect may be processed in the United States and other countries.

We are based in the United States. The analytics providers we use (Google and Aptabase) may process the limited information described in this policy on servers located in the United States and other countries. If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, your information may be transferred to countries that may not have the same data protection laws as your own. Where required, we rely on appropriate safeguards (such as the European Commission’s Standard Contractual Clauses) for such transfers.

Remember: the App’s core data — your screen, activity, and conversations — is not transferred anywhere, because it never leaves your device.

8. How long do we keep your information?

In short: We keep information only as long as necessary for the purposes in this policy.

We retain the limited information we collect only for as long as needed for the purposes described here, unless a longer period is required or permitted by law. Website and App analytics are retained according to our analytics providers’ default retention settings; correspondence (such as support emails) is kept for as long as needed to address your request and our records. When we no longer have a legitimate need to process your information, we will delete or anonymize it.

9. How do we keep your information safe?

In short: We use reasonable organizational and technical safeguards.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the limited information we process. However, no electronic transmission or storage technology can be guaranteed to be 100% secure, so we cannot promise that unauthorized third parties will never defeat our safeguards. The strongest protection for your most sensitive data is structural: because the App processes your screen, activity, and conversations locally, that data is never exposed to us or to the internet in the first place.

10. Do we collect information from minors?

In short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly collect, solicit, or market to children under 18 years of age (or the equivalent minimum age in your jurisdiction). By using the Services, you represent that you are at least 18, or that you are the parent or guardian of a minor and consent to that minor’s use of the Services. If we learn that we have collected personal information from a child under 18, we will take reasonable measures to delete it promptly. If you believe we may have collected such information, please contact us at sdkyuan@mit.edu.

11. What are your privacy rights?

In short: Depending on where you live, you may have rights to access, correct, delete, or restrict the use of your personal information.

In some regions (such as the EEA, UK, Switzerland, and Canada), you have rights under applicable data protection laws. These may include the right to (i) request access to and obtain a copy of your personal information, (ii) request rectification or erasure, (iii) restrict the processing of your personal information, (iv) where applicable, data portability, and (v) not be subject to solely automated decision-making that produces legal or similarly significant effects. You may also have the right to object to processing in certain circumstances.

To make a request, contact us using the details in How can you contact us? We will consider and act upon any request in accordance with applicable data protection laws.

If you are in the EEA or UK and believe we are unlawfully processing your personal information, you may complain to your local data protection authority. If you are in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

Withdrawing your consent

If we are relying on your consent to process your personal information, you may withdraw it at any time by contacting us. Withdrawal will not affect the lawfulness of processing before the withdrawal, nor processing based on lawful grounds other than consent.

12. Controls for Do-Not-Track features

Most browsers and some operating systems include a Do-Not-Track (“DNT”) feature. No uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals. If a standard is adopted that we must follow, we will update this policy.

13. Do United States residents have specific privacy rights?

In short: If you are a resident of certain US states, you may have specific rights to access, correct, delete, or obtain a copy of your personal information, and to opt out of certain processing.

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia (among other states), you may have the rights described below, subject to limits under applicable law.

Categories of personal information we collect

The table below shows the categories of personal information (as defined under applicable US state law) that we may collect, mostly through website analytics:

Category	Examples	Collected
A. Identifiers	Online identifier, Internet Protocol (IP) address, and (if you email us) your name and email address	YES — IP/online identifiers via website analytics; name/email only if you contact us
B. Personal information (California Customer Records statute)	Name, contact, education, employment, financial information	NO
C. Protected classification characteristics	Gender, age, race, national origin, marital status	NO
D. Commercial information	Transaction and purchase history, payment information	NO
E. Biometric information	Fingerprints and voiceprints	NO
F. Internet or other similar network activity	Browsing and usage activity on our Site	YES — via website analytics
G. Geolocation data	Approximate, city-level location inferred from IP address	YES — approximate only
H. Audio, electronic, sensory, or similar information	Images, audio, video, or call recordings	NO
I. Professional or employment-related information	Job title, work history	NO
J. Education information	Student records	NO
K. Inferences drawn from collected personal information	Profiles about preferences and characteristics	NO
L. Sensitive personal information	—	NO

We do not collect the contents of your screen, your files, your activity, or your conversations — that information stays on your device.

How we use and share personal information

We use and share personal information as described in How do we process your information? and When and with whom do we share? We do not sell personal information, and we do not “share” it for targeted advertising, as those terms are defined under US state privacy laws. In the preceding twelve (12) months, we have disclosed website-analytics data to Google and anonymous App-usage metrics to Aptabase for the business purpose of operating and improving the Services.

Your rights

Depending on your state of residence, you may have the right to:

• Know whether we are processing your personal data and access it;
• Correct inaccuracies in your personal data;
• Request deletion of your personal data;
• Obtain a copy of the personal data you previously shared with us;
• Non-discrimination for exercising your rights; and
• Opt out of the processing of your personal data for targeted advertising, the sale of personal data, or certain profiling. (We do not engage in these activities.)

How to exercise your rights

To exercise these rights, email us at sdkyuan@mit.edu or use the contact details at the bottom of this policy. We will verify your request using the information we have, and may ask for additional information to confirm your identity. You may use an authorized agent to submit a request, subject to verification. If we decline your request, you may appeal by emailing us at the same address; if your appeal is denied, you may contact your state attorney general.

14. Do we make updates to this notice?

In short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated “Last updated” date at the top. If we make material changes, we may notify you by prominently posting a notice or by directly sending you a notification. We encourage you to review this policy periodically.

15. How can you contact us about this notice?

If you have questions or comments about this notice, you may email us at sdkyuan@mit.edu or contact us by post at:

Samuel Yuan 500 Memorial Dr Cambridge, MA, USA

16. How can you review, update, or delete the data we collect from you?

Depending on the applicable laws of your country or US state, you may have the right to request access to the personal information we collect, details about how we process it, correction of inaccuracies, or deletion of your personal information. You may also have the right to withdraw your consent to our processing. To make such a request, email us at sdkyuan@mit.edu.