Compliance
Privacy policy
Last updated: April 28, 2026
This page describes how the waveflow.app marketing site handles your data. The WaveFlow music player itself (the desktop app) sends nothing to our servers — it lives entirely on your machine. This policy concerns the website only.
1. Data controller
The site WaveFlow (https://www.waveflow.app) is a personal, non-commercial project. The data controller within the meaning of art. 5 lit. j Swiss FADP and art. 4 §7 GDPR is reachable at the email below, which is the official channel for any data-related request.
Contact:privacy@waveflow.app
2. Data collected
2.1 Server logs (technical)
Our host Vercel automatically collects, for security and abuse prevention:
- IP address
- HTTP headers (User-Agent, Accept-Language, Referer)
- Request timestamp
- Approximate country (derived from IP)
These logs are retained by Vercel per their own policy (typically < 30 days).
2.2 Cookies
The site sets exactly one strictly functional cookie — no advertising, no tracking, no fingerprinting.
| Name | Purpose | Duration |
|---|---|---|
| waveflow-locale | Remembers your preferred language (FR / EN) for next visits | 1 year |
This cookie is exempt from consent under art. 5(3) ePrivacy / GDPR as it is strictly necessary for the functionality you requested (language switch).
2.3 Analytics
The site uses two Vercel services to measure traffic and performance. Neither sets any cookie nor uniquely identifies a visitor.
Vercel Web Analytics
Anonymized counts of page views, approximate country, and referrer. Visitors are identified by a temporary hash derived from IP + User-Agent + day, which rotates every 24 h — it's impossible to link two visits more than 24 h apart. No cookie. No data sold to third parties.
Vercel Analytics policy ↗Vercel Speed Insights
Sampled measurement of Core Web Vitals (LCP, CLS, INP, FCP) to detect performance regressions. No personal data, only aggregated timing metrics.
Vercel Speed Insights policy ↗2.4 Data NOT collected
- No advertising tracking
- No browser fingerprinting
- No behavioral profiling
- No resale to third parties
- No Meta Pixel, Google Analytics, TikTok Pixel or similar
- No cross-site tracking
3. Purposes and legal bases
| Processing | Purpose | Legal basis |
|---|---|---|
| Vercel server logs | Security, abuse prevention | Legitimate interest (art. 31 §2 FADP, art. 6.1.f GDPR) |
| Language cookie | Interface preference | Necessary for requested functionality (art. 31 §2 lit. a FADP) |
| Anonymized Vercel Analytics | Traffic measurement | Legitimate interest (art. 6.1.f GDPR) |
| Vercel Speed Insights | Detect performance regressions | Legitimate interest (art. 6.1.f GDPR) |
No automated decision producing legal effects is taken about you. No profiling.
4. Recipients and transfers
4.1 Hosting
The site is hosted by Vercel Inc. (San Francisco, USA). Edge servers serve pages from the region closest to you (Frankfurt, Paris, etc. in Europe). Log transfers to the United States are governed by the European Commission's Standard Contractual Clauses and the EU-US Data Privacy Framework (which Vercel joined in July 2023).
4.2 Fonts
Inter and Bricolage Grotesque are self-hosted on waveflow.app via the @nuxt/fonts module. No request is sent to fonts.googleapis.com or fonts.gstatic.com — Google does not see your visit.
4.3 External links
The site contains links to GitHub.com (project source). If you click, GitHub Inc. will receive your request per their own privacy policy. No GitHub script is loaded on waveflow.app — their logo is stored locally.
5. Retention period
| Data | Duration |
|---|---|
| Vercel server logs | Per Vercel policy (≤ 30 days) |
| Aggregated Vercel Analytics | 12 months maximum |
| Vercel Speed Insights | 12 months maximum |
| waveflow-locale cookie | 1 year (renewed each visit) |
6. Your rights (FADP / GDPR)
You have the following rights:
- Access: obtain a copy of data concerning you
- Rectification: correct an inaccuracy
- Erasure: request deletion
- Portability: receive your data in a structured format
- Objection: object to processing based on legitimate interest
- Restriction: request restriction of processing
Exercise your rights by email to privacy@waveflow.app (response within 30 days). If you disagree:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
- EU: data protection authority of your country of residence
Analytics opt-out
You can disable Vercel Analytics and Speed Insights at any time:
- By enabling Do Not Track or Global Privacy Control in your browser — Vercel honors both automatically
- By using a script blocker (uBlock Origin, Privacy Badger, Brave Shields)
- By using private / incognito mode (analytics drop nothing)
7. Security
Technical and organizational measures consistent with art. 8 FADP and art. 32 GDPR:
- Encryption in transit: HTTPS/TLS 1.3 everywhere, HSTS preload (max-age 1 year)
- Strict Content Security Policy with SHA-256 hashes per script
- Security headers: X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, restrictive Permissions-Policy (camera/mic/geolocation blocked)
- Cross-Origin: COOP same-origin, CORP same-origin
- Open-source code: auditable on GitHub
8. Minors
The site is accessible to all but is not specifically aimed at people under 16. No data is knowingly collected from minors.
9. Changes
This policy may be updated if processing practices change. The last-updated date is shown at the top of the page. Material changes will be announced via the site's GitHub repository.
10. Contact
For any question, access request or complaint: privacy@waveflow.app