Wavlo

Privacy Policy

Version 1.0 · Effective April 8, 2026

Publisher: UPAURA SERVICES - FZCO (trading as Wavlo)
Registered Office: IFZA Business Park, Dubai Silicon Oasis, Dubai, UAE
Registration: No. 66550
Trade License: No. 68597
Privacy Contact: help@wavlo.io

1. Introduction

UPAURA SERVICES - FZCO, a free zone company registered in Dubai Silicon Oasis (United Arab Emirates) under registration number 66550 and trading as “Wavlo” (hereinafter “Wavlo”, “we”, “our”, or “us”), is committed to protecting the privacy and personal data of all individuals who interact with our services, our website, and our platform.

This Privacy Policy (hereinafter the “Policy”) describes how we collect, use, store, share, and protect personal data in the context of operating the Wavlo Platform (hereinafter the “Platform”), a software-as-a-service solution enabling professional tourism operators to create, manage, and publish multilingual audio experiences.

This Policy applies to: (i) visitors of our website; (ii) authorized users of the Platform acting on behalf of a client organization; (iii) representatives of prospective and existing clients; and (iv) any other individual whose personal data we may process in the course of our business.

We process personal data in accordance with applicable data protection laws, including in particular the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”), the UK GDPR, the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”), and any other applicable privacy legislation depending on the jurisdiction of the data subject.

By accessing the Platform, creating an account, or otherwise providing us with personal data, you acknowledge that you have read and understood this Policy.

2. Definitions

For the purposes of this Policy:

  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on Personal Data, whether automated or not, including collection, storage, use, disclosure, or deletion.
  • “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data. For the Processing described in this Policy, Wavlo acts as Data Controller.
  • “Data Processor” means a third party that processes Personal Data on behalf of the Data Controller.
  • “Data Subject” means the identified or identifiable natural person whose Personal Data is processed.
  • “Client” means the legal entity that subscribes to the Platform and on whose behalf Authorized Users access the Services.
  • “Authorized User” means a natural person designated by the Client to access and use the Platform on the Client’s behalf, under a strictly nominative account.

3. Data Controller

The Data Controller responsible for the Processing of Personal Data described in this Policy is:

UPAURA SERVICES - FZCO
IFZA Business Park, Dubai Silicon Oasis, Dubai, United Arab Emirates
Registration number: 66550
Email: help@wavlo.io

For any question related to this Policy or to the exercise of your data protection rights, you may contact us at any time at the email address above.

4. Categories of Personal Data We Collect

We only collect Personal Data that is necessary, relevant, and proportionate to the purposes described in this Policy. The categories of data we process are:

4.1. Identification and Contact Data

  • First name, last name, professional title, and function within the Client organization.
  • Professional email address and, where provided, professional phone number.
  • Name and legal details of the Client organization, including registration number, address, and VAT identification where applicable.

4.2. Account and Authentication Data

  • Username, hashed password, and authentication credentials.
  • Account creation date, last login date, and session information.
  • IP addresses, device fingerprints, and browser information used to detect unauthorized access and enforce the strictly nominative nature of accounts, as described in our Terms and Conditions.

4.3. Platform Usage Data

  • Actions performed on the Platform (creation of experiences, scripts submitted, audio production requests, credit consumption, feature usage).
  • Technical logs, timestamps, and error reports generated by the Platform.
  • Analytics data aggregated for the purpose of improving the Platform.

4.4. Content Data Submitted by Clients

The Platform allows Clients to submit written scripts and related content intended for the production of audio files through our integrated production pipeline. Where such content contains Personal Data (for example, the name of a historical figure, a tour guide’s name, or any reference to an identifiable individual), we process it solely as Data Processor on behalf of the Client, who remains the Data Controller of such content.

4.5. Billing and Transaction Data

  • Billing information, purchase orders, and invoices.
  • Transaction history related to the payment of License Fees and Credit purchases.
  • Payment-related information is collected and processed directly by our payment service provider (Stripe); Wavlo does not store full payment card numbers.

4.6. Communications

  • Content of emails and support messages exchanged with our team.
  • Feedback, survey responses, and testimonials voluntarily provided by Clients.

5. Purposes and Legal Bases of Processing

We process Personal Data only for specified, explicit, and legitimate purposes, each supported by an appropriate legal basis under applicable data protection law.

| Purpose | Legal Basis |
|---|---|
| Providing the Platform and Services to Clients | Performance of a contract (Art. 6(1)(b) GDPR) |
| Managing accounts, authentication, and access control | Performance of a contract (Art. 6(1)(b) GDPR) |
| Producing and delivering audio content through our integrated production pipeline | Performance of a contract (Art. 6(1)(b) GDPR) |
| Billing, invoicing, and payment processing | Performance of a contract and legal obligation (Art. 6(1)(b) and (c) GDPR) |
| Providing customer support and responding to inquiries | Performance of a contract and legitimate interest (Art. 6(1)(b) and (f) GDPR) |
| Detecting and preventing unauthorized access, fraud, and abuse | Legitimate interest (Art. 6(1)(f) GDPR) |
| Improving, securing, and developing the Platform | Legitimate interest (Art. 6(1)(f) GDPR) |
| Complying with legal, regulatory, and tax obligations | Legal obligation (Art. 6(1)(c) GDPR) |
| Sending service communications (incident reports, changes) | Legitimate interest (Art. 6(1)(f) GDPR) |
| Sending commercial communications to prospects | Consent or legitimate interest (Art. 6(1)(a) or (f) GDPR) |

6. Sharing and Disclosure of Personal Data

Wavlo does not sell, rent, or trade Personal Data. We only share Personal Data with a limited number of trusted recipients, and only to the extent strictly necessary to provide the Services and comply with applicable law.

6.1. Service Providers and Sub-Processors

We rely on carefully selected service providers (“Sub-Processors”) to operate the Platform. Each Sub-Processor is contractually bound to process Personal Data solely on our instructions, to maintain appropriate security measures, and to comply with applicable data protection laws. Our main categories of Sub-Processors include:

  • Cloud hosting and infrastructure providers (including global cloud providers such as Amazon Web Services and/or Google Cloud Platform), for the hosting of the Platform, databases, and backups.
  • Payment service provider (Stripe, Inc. and its affiliates), for the secure processing of payments, invoicing, and subscription management.
  • Technology providers supporting the Platform’s integrated production pipeline (operated exclusively by Wavlo and never directly accessible to Clients).
  • Professional advisors such as legal counsel, accountants, and auditors, where required for the management of our business.

An up-to-date list of Sub-Processors can be obtained upon written request at help@wavlo.io.

6.2. Legal and Regulatory Disclosures

We may disclose Personal Data where required by law, regulation, court order, or valid legal process, including in response to lawful requests from public authorities. In such cases, we limit the disclosure to what is strictly necessary and, where legally permitted, notify the concerned data subject.

6.3. Corporate Transactions

In the event of a merger, acquisition, restructuring, or sale of assets, Personal Data may be transferred to the successor entity, subject to the continued protection provided by this Policy and applicable law. We will notify affected data subjects of any such transfer where required.

7. International Data Transfers

Because we rely on global cloud infrastructure and Sub-Processors, Personal Data may be transferred to and processed in countries outside the European Economic Area (“EEA”), the United Kingdom, or the United Arab Emirates, including countries that may not provide an equivalent level of data protection.

Where such transfers occur, we implement appropriate safeguards in accordance with applicable law, including:

  • Standard Contractual Clauses (“SCCs”) approved by the European Commission for transfers from the EEA.
  • Equivalent mechanisms recognized under UK GDPR and UAE PDPL, including adequacy decisions and binding contractual commitments where relevant.
  • Additional technical measures such as encryption in transit and at rest, access controls, and data minimization.

A copy of the applicable safeguards can be obtained upon written request at help@wavlo.io.

8. Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, and to enforce our agreements.

  • Account and platform usage data: retained for the duration of the Client’s subscription and up to sixty (60) days after termination to allow for data export, after which it is permanently deleted.
  • Billing and transaction data: retained for the period required by applicable tax, accounting, and commercial laws, which is typically up to ten (10) years.
  • Communications and support data: retained for up to three (3) years after the last contact, except where a longer retention period is required by law.
  • Technical logs and security logs: retained for up to twelve (12) months.

Upon expiration of the applicable retention period, Personal Data is either permanently deleted or anonymized in such a way that it can no longer be associated with an identifiable individual.

9. Security Measures

We implement appropriate technical and organizational security measures designed to protect Personal Data against unauthorized access, alteration, disclosure, loss, or destruction. These measures include, but are not limited to:

  • Encryption of data in transit (TLS/SSL) and at rest on our infrastructure.
  • Role-based access controls, principle of least privilege, and strictly nominative user accounts.
  • Monitoring of login activity, IP addresses, and device fingerprints to detect unauthorized access.
  • Regular security reviews, vulnerability assessments, and patching procedures.
  • Secure software development practices and segregation of environments (development, staging, production).
  • Backup and disaster recovery procedures to ensure the availability of the Platform.

Despite our best efforts, no system is perfectly secure. In the event of a Personal Data breach likely to result in a risk to the rights and freedoms of data subjects, we will notify the competent supervisory authority and, where required, affected data subjects without undue delay and in accordance with applicable law.

10. Your Rights

Subject to applicable data protection law, you have the following rights regarding your Personal Data:

  • Right of access — to obtain confirmation of whether we process your Personal Data and to receive a copy.
  • Right to rectification — to request correction of inaccurate or incomplete Personal Data.
  • Right to erasure (“right to be forgotten”) — to request deletion of your Personal Data, subject to applicable legal obligations.
  • Right to restriction of processing — to request that we temporarily limit the Processing of your Personal Data.
  • Right to data portability — to receive your Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to object — to object, on grounds relating to your particular situation, to the Processing of your Personal Data based on our legitimate interests, and to object at any time to Processing for direct marketing purposes.
  • Right to withdraw consent — where Processing is based on consent, to withdraw your consent at any time without affecting the lawfulness of prior Processing.
  • Right not to be subject to automated decision-making — including profiling, where such decisions produce legal or similarly significant effects on you.
  • Right to lodge a complaint — with a competent data protection supervisory authority if you believe your rights have been infringed.

To exercise any of these rights, please contact us at help@wavlo.io. We will respond to your request within one (1) month of receipt, subject to extension where the request is complex or where we receive multiple requests. We may request additional information to verify your identity before processing your request.

11. Cookies and Similar Technologies

The Platform and our website use cookies and similar technologies to operate properly, remember user preferences, authenticate sessions, measure audience, and improve the user experience.

We use the following categories of cookies:

  • Strictly necessary cookies — required for the Platform to function (for example, session cookies, authentication cookies). These cookies cannot be disabled.
  • Functional cookies — used to remember user preferences and enhance the user experience.
  • Analytics cookies — used to measure audience and understand how the Platform is used, in aggregated and anonymized form where possible.

Where required by law, we obtain your consent before placing non-essential cookies through a cookie banner displayed on first visit. You may withdraw or modify your consent at any time through the cookie settings available on our website.

12. Children’s Privacy

The Platform is intended exclusively for professional and adult use. It is not designed for, marketed to, or intended for children under the age of eighteen (18). We do not knowingly collect Personal Data from minors. If we become aware that we have inadvertently collected Personal Data from a minor, we will take immediate steps to delete such data.

Clients of the Platform are prohibited from using the Services to generate, target, distribute, or market audio content directed at children under the age of eighteen (18), as set forth in our Terms and Conditions.

13. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, in applicable law, or in the Platform itself. The updated Policy will be published on our website with a revised “Effective Date”. Where the changes are material, we will notify Clients through the Platform or by email. Continued use of the Platform after the Effective Date of any update constitutes acceptance of the revised Policy.

14. Contact Us

If you have any question, request, or complaint regarding this Privacy Policy or the way we process your Personal Data, you may contact us at:

UPAURA SERVICES - FZCO
IFZA Business Park, Dubai Silicon Oasis, Dubai, United Arab Emirates
Email: help@wavlo.io

We are committed to responding to all reasonable requests in a timely and transparent manner.