Privacy Policy

Last updated: July 16, 2026

This policy explains what data Waverunner collects for always-on performance advertising measured on your site: why we collect it, and what your rights are. It covers three audiences separately: visitors to this website, Waverunner account holders, and visitors to advertisers’ websites where the Waverunner tracking tag is installed.

1. Who we are

Waverunner is an advertising platform operated by Adwave. For data you give us when you create an account, Adwave is the data controller. For data collected by the tracking tag on an advertiser’s website, the advertiser is the controller and Waverunner processes that data on their behalf.

Questions about this policy: support@waverunner.adwave.com.

2. Visitors to this website

We measure our public pages with our own product: the same first-party tracking tag we provide to advertisers runs on the marketing site, sign-in, and the post-sign-in start handoff on waverunner.adwave.com (not inside the signed-in product app). It records visits, pages viewed, and which of our own ads brought you here, using first-party cookies set on this domain (the cookies listed in the tracking section below). We load no third-party analytics products.

If your browser sends the Global Privacy Control signal, nothing about your visit is shared with ad platforms: no Google or Meta tags load for you, and you are excluded from every synced audience. When we advertise Waverunner itself, visitors who have not opted out may also receive Google and Meta measurement tags so those platforms can measure our ads.

If you arrive through a partner referral link (/a/{code}), we set a first-party cookie _wr_aff for up to 90 days to attribute signups to that partner. It is HttpOnly and used only for commission accounting, not ad targeting.

Emails and IP addresses from this website are stored only as salted one-way hashes, exactly as described for advertiser sites below. Signing in additionally sets strictly necessary, httpOnly session cookies.

3. Public URL analysis (Campaign Intelligence Brief)

On marketing pages you can submit a public website URL to generate a Campaign Intelligence Brief without creating an account. When you do, we may scrape publicly available homepage content for that URL via our subprocessors (including Firecrawl), derive a short planning summary, and cache the scraped text and brief for a short period (typically up to 24 hours) so repeat requests for the same site do not re-scrape. We rate-limit these requests.

No account is required. We do not use this analysis to build advertising profiles of site visitors, and we do not sell the scraped content.

4. Account holders

When you create and use a Waverunner account, we store:

  • Your email address: used for passwordless sign-in codes and transactional notifications (campaign status, billing events, the weekly digest).
  • Organization data: your businesses, personas, generated creatives, campaigns, and wallet ledger.
  • Billing records: wallet transactions and their Stripe references. Payments are processed by Stripe; your card number never touches Waverunner’s servers. If you enable auto-refill, Stripe stores the payment method and we store only its reference.
  • Content from your website: pages we read to build your business profile and generate ads.

We do not sell your data, and we do not use your businesses’ data to advertise anyone else’s products.

5. Tracking on advertiser websites

Advertisers can install the Waverunner tag on their own websites to measure their campaigns. On those sites, the tag records page views, sessions, UTM parameters, ad-click IDs, and conversions (with value, currency, and order ID when the advertiser provides them). All cookies are first-party, set on the advertiser’s own domain:

  • _wr_vid: visitor ID, 365 days.
  • _wr_sid: session ID, 30 minutes (sliding).
  • _wr_cid: ad-click ID, 30 days.
  • _wr_utm: first-touch UTM parameters, for the session.

Raw personal identifiers are never stored. When an advertiser identifies a visitor (for example, an email on a purchase), the email and the visitor’s IP address are hashed with a salt before storage. The advertiser is responsible for their own site’s privacy disclosures and any consent requirements that apply to them.

6. Conversion forwarding to ad platforms

To optimize delivery, attributed conversions are forwarded to Meta (Conversions API) and Google (offline conversion uploads). These platforms require a SHA-256 hash of the customer email for matching; only the hash is sent, per each platform’s specification. Forwarding exists solely to improve the advertiser’s own campaign performance.

7. Audience building (opt-in)

Advertisers can opt in to audience features. Nothing in this section happens unless the advertiser turns audience sync on and attests that their own website's privacy policy discloses it. When enabled:

  • Campaign reach audiences.When an ad we serve is displayed, the ad platforms' own measurement pixels (Google, Meta) may fire alongside ours to support Preparing and Live on those platforms. Each platform processes those signals under its own privacy policy.
  • Audience lists.SHA-256 hashes of customer emails (never raw addresses) are sent to Google Customer Match and Meta custom audiences, per each platform's specification. When someone leaves an audience, or the advertiser turns sync off, removals are propagated.
  • TV household matching. Visitor IP addresses are required by TV ad systems for household matching. They are held AES-256-GCM encrypted in a transient queue, deleted immediately after upload, and hard-purged within 24 hours regardless. Raw IP addresses are never stored anywhere else, never logged, and never included in data exports.
  • Optional platform tags. The advertiser can additionally allow the Waverunner tag to load Google (gtag) and Meta (fbevents) tags on their own website to improve audience match quality. This is off by default and gated on the same attestation.

8. Subprocessors

Waverunner runs on a small set of infrastructure and service providers:

  • Stripe: payment processing
  • Fly.io: application hosting
  • Neon: Postgres database hosting
  • Cloudflare: DNS, CDN, and DDoS protection
  • S3-compatible object storage: generated ad assets
  • AI model providers: ad copy, imagery, and video generation
  • Firecrawl: website content extraction
  • Meta, Google, and our DSP partner: ad delivery, conversion matching, and (opt-in) audience building
  • Google Analytics 4: server-side advertising measurement for opted-in advertisers
  • Sentry: error monitoring

9. Data retention

Account and organization data is retained while your account is active. Wallet ledger entries are retained as financial records. Tracking events are retained to power attribution and reporting for the advertiser that collected them. When an account is deleted, associated data is removed except where retention is legally required (for example, transaction records).

10. Your rights

  • Export: the API includes a full-organization export endpoint (GET /api/v1/export) that returns your businesses, campaigns, ledger, and tracking data as one JSON document.
  • Deletion and correction: email support@waverunner.adwave.com and we will act on your request.

If you are a visitor to an advertiser’s website, direct requests about that site’s data to the advertiser (the controller); we assist them in fulfilling such requests.

11. Changes to this policy

We will update this page when the policy changes and revise the “Last updated” date above. Material changes affecting account holders are announced by email.