This is a real public chat on wavebird's ad layer. Sponsor delivery is first-party today while market connectivity expands. Developers: explore the SDK or contact wavebird.

Privacy

Privacy Policy (GDPR)

Effective: 2026-02-15

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) for this website and the wavebird service is:

MC Squared UG (haftungsbeschränkt)

Ruppertstraße 24

80337 Munich

Email: info@wavebird.ai

We have not appointed a data protection officer. Please direct privacy requests to the contact details above.

2. Purpose of the service

wavebird is a publicly usable chat platform that forwards requests to the OpenAI API (proxy concept). You can choose a model (currently OpenAI) and send prompts without an account.

While the answer is processed, a clearly labeled sponsor area (banner/video) may be displayed. Sponsor delivery is currently first-party only; there are currently no external sponsors or advertising partners. Sponsors do not get access to your prompts or answers and have no influence on the output.

In this public chat, chat history is generally not stored server-side as a chat log. The history stays in your browser (e.g., in memory and depending on your settings/consent optionally in localStorage).

3. Which data are processed?

We process only the data necessary for operation, security, and provision of the features.

Typically this includes:

  • Chat content/prompts: your inputs and, if applicable, limited context are transmitted to OpenAI to generate an answer.
  • Uploads/files: if you upload a file, it is transmitted to our server to extract text (e.g., PDF/DOCX). The file is not stored as a product feature. Extracted text may be transmitted to OpenAI if you include it in your prompt.
  • Technical metadata: e.g., time, requested URL, user agent, derived security and rate-limit signals.
  • IP address: processed purely for technical security/abuse prevention (rate limiting, bot protection) and not for profiling; we do not use it as a persistent product feature.
  • Session/security data: e.g., an anonymous session ID (cookie), bot verification (ALTCHA), and rate-limit/abuse signals (e.g., counters in Redis).
  • Local browser data: e.g., consent status, UI state, and optional (opt-in) chat persistence, statistics/experiments, and telemetry.

Which data are sent (especially upstream requests to providers) can be viewed transparently at /settings#your-data.

Legal bases: Art. 6(1)(b) GDPR (service provision) and Art. 6(1)(f) GDPR (security, abuse prevention, stable operation). Where consent is required for specific local storage: Art. 6(1)(a) GDPR.

4. Cookies, local storage & consent

We use technically necessary cookies and (in some cases) local storage for core functionality and security. Optional features are disabled by default (privacy-by-default) and are enabled only after your consent.

Where applicable under German law, the legal basis for setting/reading non-essential cookies or local storage is § 25(1) TDDDG (consent). Technically necessary storage is based on § 25(2) no. 2 TDDDG.

Categories (settings: /settings#privacy):

  • Necessary: sessionId (httpOnly cookie, usually up to 7 days) for session stability, rate limiting, and secure operation.
  • Necessary: bv_token (httpOnly cookie, short-lived and scope-specific) for ALTCHA bot verification.
  • Necessary: device_id (httpOnly cookie, up to 365 days) as a pseudonymous security and abuse-prevention signal.
  • Necessary: session/security cookies (httpOnly) for stability, rate limiting, bot protection.
  • Functional (opt-in): chat persistence in your browser (e.g., threads/model selection in localStorage).
  • Statistics & experiments (opt-in): pseudonymous browser IDs (e.g., client_id), session IDs (e.g., ux_eval_session_id), local runtime config (ux_eval_admin_config_v1) and experiment cookies (wb_ads_arm / wb_ads_exp) for A/B tests.
  • Telemetry (opt-in, may also be disabled by the operator): latency metrics without prompt content (local flag wepayyourprompt_latency_telemetry).

Withdrawal/deletion: You can change or reset your consent at any time in settings. On withdrawal, related local keys/cookies are deleted.

For details and technical keys, see /settings#your-data.

5. Recipients / processors

Depending on features used, recipients/processors may include:

  • Hetzner Online GmbH (servers located in Germany, incl. Nuremberg region) (hosting/server operations).
  • Hetzner Object Storage (Germany, Nuremberg region) (object storage, e.g., for technical artifacts).
  • OpenAI (AI provider) to generate responses and images.
  • ALTCHA (self-hosted) for bot/abuse protection.
  • Self-hosted Redis (Germany) for rate limiting, concurrency, and abuse prevention.
  • No third-party analytics or marketing tools.

For OpenAI, transfers to third countries (e.g., USA) may be possible. Where required, we rely on appropriate safeguards (e.g., EU Standard Contractual Clauses) and select providers carefully.

OpenAI Data Controls (short note): According to OpenAI, API data are not used to train models by default. OpenAI may retain prompts/outputs for abuse monitoring for up to 30 days. Depending on contract/configuration, options such as Zero Data Retention (ZDR) or Modified Abuse Monitoring may be available.

6. TLS/SSL encryption

This website uses TLS/SSL encryption so that data you transmit to us is protected during transport. You can recognize an encrypted connection by `https://` in your browser address bar.

7. Retention / deletion

We store personal data only as long as necessary for the purposes of processing.

For this public chat in particular:

  • Chat histories are not stored server-side as a chat log.
  • Technical server logs (e.g., web server logs) are usually retained for 7 days and then deleted, unless longer retention is necessary to investigate security incidents or abuse.
  • UX eval / telemetry (opt-in) are usually retained for 7 days and then deleted.
  • Pseudonymized technical proof/ledger events (e.g., for evidence/billing) may be retained long-term.
  • Local browser data remain until you delete them (e.g., via /settings or browser functions).

8. Your rights

You have the following rights under GDPR:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR), especially to processing under Art. 6(1)(f) GDPR
  • Complaint to a supervisory authority (Art. 77 GDPR)

To exercise your rights, please contact us via the contact details above or by email at info@wavebird.ai.

9. Contact / complaints

For privacy inquiries, contact us at info@wavebird.ai. You also have the right to lodge a complaint with a supervisory authority.