Your Privacy Matters
Effective date: July 12, 2026
Last updated: July 12, 2026
This Privacy Policy ("Policy") explains how Wednesday Waffles Inc. ("Wednesday Waffles," "we," "us," or "our"), the makers of the Wednesday Waffles mobile application (the "App") and the website at www.wednesdaywaffles.com(the "Website", and together with the App, the "Service"), collect, use, disclose, retain, and protect personal information about the people who use our Service.
Wednesday Waffles is a private video-sharing service designed to help small groups of friends and family stay close by exchanging short weekly video messages ("Waffles"). Because our Service handles personal content, we take privacy seriously and have built the Service with privacy-by-design principles.
This Policy applies to anyone who accesses the Service. By using the Service, you acknowledge that the collection, use, and sharing of your information will take place as described in this Policy. If you do not agree, please do not use the Service.
This Policy is designed to meet the substantive requirements of Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), the EU and UK General Data Protection Regulation ("GDPR" and "UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Children's Online Privacy Protection Act ("COPPA"), and other applicable data protection laws.
The data controller responsible for your personal information is:
Wednesday Waffles Inc.
3505–1328 W Pender St
Vancouver, BC V6E 4S9
Canada
Privacy contact / Privacy Officer: admin@wednesdaywaffles.com
Users in the EU, UK, or Switzerland may contact us at the email above for any matter related to this Policy or the processing of their personal data, including to exercise their rights under GDPR or UK GDPR.
We do not sell your personal information
We have never sold personal information, and we do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA.
We do not use your content for third-party advertising
We do not serve third-party ads inside the App, and we do not use the content of your Waffles or messages to target advertising.
We do not train AI models on your content
We never use your Waffles or messages to train public or foundation models. If you turn on AI Features, a provider listed below may process only the Waffle information needed to create the feature. We require providers to use it only for us, never for advertising or training their public models.
We minimize what we collect
We only collect information we need to operate the Service and keep it safe and reliable.
We collect the following categories of personal information:
1. Account & Profile Information
- Name or chosen display name
- Email address
- Phone number if you use our legacy phone-number / SMS sign-in flow for existing users
- Profile photo (optional)
- Date of birth or birthday information if you choose to provide it
- Authentication identifiers from Sign in with Apple or Google Sign-In (such as a provider user ID and, where you permit it, the email address associated with that provider)
- Account settings and preferences
2. User Content
- Waffles (short videos, including the video file, audio, thumbnails, captions or structured transcripts generated for accessibility and reliable processing, and associated metadata such as duration and creation time)
- Text messages, reactions, and replies you send inside groups
- Links you share and any preview metadata generated from them
- Group names and membership information for groups you create or join
3. Device & Technical Information
- Device model, operating system and version, app version, language, and timezone
- Device identifiers (such as an install ID or advertising-reset-safe identifier used for analytics and abuse prevention)
- Push notification tokens issued by Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM)
- Push-notification status and related app metadata, such as whether notifications are enabled on your device
- IP address and approximate location derived from it
- Crash diagnostics and error logs
4. Usage & Analytics Data
- Pages, screens, and features you interact with
- Session duration and frequency
- Events such as account creation, group creation, Waffle sent, Waffle watched
- Referral and attribution data (e.g., how you arrived at our Website)
5. Optional AI Feature Data
If you turn on AI Features, we may use eligible captions or transcript segments, audio cues, comments and replies, Waffle timing and language, and only the other information needed for the feature. The App shows whether the choice covers past Waffles, future Waffles, or both before you enable it. Creating a technical audio track or transcript for accessibility and reliable playback does not by itself turn on third-party AI processing.
AI Features can create private weekly Timeline titles; per-Waffle chapters, summaries, and comment context; reminders and talking-point suggestions before you record; short teaser text for notifications or emails; and structured topics, people mentioned, commitments, celebrations, and descriptions of observable tone. These are generated interpretations, not quotes, and may be inaccurate.
If you separately turn on Help improve Wednesday Waffles, we may use automated, aggregated themes from these results to understand what people find useful and what to build next. That choice never permits advertising, public quotations, foundation-model training, or routine human review of raw Waffle content. Any human review of real content for quality testing requires separate permission and limited access.
6. Communications With Us
When you contact us for support, feedback, or other reasons, we collect your messages and any information you voluntarily provide (such as your email address).
What We Do Not Collect
- We do not collect precise GPS location. Any location inference is coarse and IP-based.
- We do not access your camera or microphone in the background — only while you are actively recording a Waffle.
- We do not collect government-issued identifiers, biometric data, payment card data, or health information.
We use personal information for the following purposes:
- Provide the Service: create and manage your account, authenticate you, deliver your Waffles and messages to the groups you choose, and sync content across your devices.
- Send notifications: deliver push notifications and transactional emails related to your account and activity, including weekly reminders, content alerts, and—when you have enabled the relevant choices—short AI-generated teasers.
- Support and communicate: respond to your requests, send important service announcements, and notify you of changes.
- Safety, security, and fraud prevention: detect and prevent abuse, spam, account takeover, and violations of our Terms of Service and Child Safety Standards.
- Improve the Service: understand how features are used, debug issues, and develop new features through aggregated analytics.
- Provide optional AI Features: when you enable them, use eligible Waffle captions, transcripts, audio cues, comments, and replies to create the private Timeline, summaries, prep suggestions, and notification or email teasers described above.
- Product discovery: only when the separate Help improve Wednesday Waffles choice is enabled, use automated, aggregated themes to decide which features may be useful. We do not use this permission for advertising, public quotation, or model training.
- Legal compliance: comply with applicable laws, respond to lawful requests, and enforce our agreements.
- Business operations: run internal recordkeeping, financial accounting, and due diligence in the context of corporate transactions.
If you are in the EU, UK, or Switzerland, we rely on the following legal bases under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)) — to create your account, deliver your Waffles and messages to your groups, and provide the core functionality of the Service.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse, understand product usage, and communicate with you about the Service. We balance these interests against your rights and only rely on them where the impact on you is limited.
- Consent (Art. 6(1)(a)) — for optional features such as push notifications and access to your device camera, microphone, and photo library, and where required by law for optional website analytics and attribution cookies. You can withdraw consent at any time in your device or app settings or by changing your browser cookie preferences.
- AI Feature permission and consent (Art. 6(1)(a), and Art. 9(2)(a) where applicable) — before we send eligible Waffle information to a third-party model provider or derive conversational or emotional tone. The independent Help improve Wednesday Waffles choice applies to product discovery. You can stop future AI processing or change the product-discovery choice under Manage AI Features.
- Legal obligations (Art. 6(1)(c)) — to respond to lawful requests from authorities and to comply with applicable laws.
Uploading a Waffle does not by itself authorize optional third-party AI analysis. Where AI processing may involve special-category information explicitly revealed in a Waffle, we rely on the express AI choice shown in the App where applicable and apply data-minimization and regional safeguards.
We share personal information only in the limited circumstances described below.
With Other Users of the Service
When you send a Waffle or message to a group, your content and associated metadata (such as your name, profile picture, and the time of posting) are shared with the other members of that group. Groups are private by design.
With Service Providers (Subprocessors)
We share personal information with trusted third-party service providers that process data on our behalf to operate the Service. These providers are contractually bound to protect your data and use it only for the purposes we specify. See the Subprocessor List below.
For Legal Reasons
We may disclose personal information where we believe in good faith that disclosure is necessary to: (i) comply with applicable laws or valid legal process, (ii) protect the rights, property, or safety of Wednesday Waffles, our users, or the public, (iii) detect, prevent, or address fraud, security, or technical issues, or (iv) enforce our Terms of Service.
In Connection With Corporate Transactions
If Wednesday Waffles is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will notify users of any change in control or use of personal information, as well as any choices users may have regarding their information.
With Your Consent
We may share personal information for other purposes with your consent or at your direction.
We do not sell personal information and we do not share personal information with third parties for their own marketing or advertising purposes.
The following third-party service providers process personal information on our behalf. We maintain written data-processing agreements with each of them and review their security and privacy practices before engagement.
| Provider | Purpose | Data | Location |
|---|---|---|---|
| Google Cloud Platform / Firebase (Google LLC) | Authentication, database (Cloud Firestore), file storage (Cloud Storage for Firebase), serverless backend (Cloud Functions), push notifications (FCM), crash reporting (Crashlytics), product analytics (Firebase Analytics), remote configuration, app integrity (App Check), infrastructure hosting, and optional AI Features through Vertex AI / Gemini. | Account identifiers, auth tokens, user content (Waffles, messages, media), device and usage data, crash diagnostics, and push tokens. Eligible transcript, audio, comment, and structured output data is used with Vertex AI / Gemini only when the relevant AI Feature is enabled. | United States and other Google Cloud regions |
| Apple Inc. | Sign in with Apple (authentication) and Apple Push Notification service (APNs). | Apple user identifier, optional email (which may be a private-relay address), push notification tokens and payloads. | United States |
| PostHog, Inc. | Product analytics and session event tracking to understand how the Service is used. | Pseudonymous user identifiers, event names, app version, device type, and interaction metadata. Not the contents of your Waffles or messages. | EU data residency in production; vendor headquartered in the United States |
| Customer.io (Peaberry Software Inc.) | Transactional, lifecycle, and optional marketing communications delivery (e.g., account notifications, activation reminders, and opt-in email communications). | Name, email address, phone number if present, user identifier, and lifecycle event attributes (e.g., account created, first Waffle sent). | United States |
| Shorebird (Shorebird, Inc.) | Over-the-air delivery of non-binary app updates. | App version, device platform, and install identifiers required to deliver updates. | United States |
| OpenAI, L.L.C. | Optional AI Features, including Waffle digests, Timeline recaps, summaries, prep suggestions, and notification or email teasers when enabled. | Eligible caption or transcript segments, comments and replies, and, where useful, audio; a pseudonymous safety identifier; and generated output. No account name, phone number, email address, group name, or advertising identifier is intentionally sent. | European regional processing where configured and available; otherwise the United States and locations described by OpenAI |
| Anthropic, PBC | Optional model provider for the same AI Feature purposes. The provider used for a task may change without an App update, but only providers listed in this table and covered by the disclosure version you accepted may receive data. | Eligible caption or transcript segments, comments and replies; a pseudonymous safety identifier; and generated output. Audio is sent only if the selected provider supports it and the feature and regional policy permit it. | United States and locations described by Anthropic |
| Google LLC (Google Analytics 4 — Website only) | Aggregate analytics for our marketing website at www.wednesdaywaffles.com. Not used inside the App. | Pseudonymous visitor identifiers, pages viewed, referrer, device and browser data. | United States |
We will update this list when we add or change material subprocessors. You can request the current list and the date of last update at any time by contacting us at admin@wednesdaywaffles.com.
Wednesday Waffles is based in Canada. Personal information is processed in Canada, the United States, and other countries where our service providers operate data centers. These countries may have data-protection laws different from those of your country of residence.
Where personal information of users in the EU, UK, or Switzerland is transferred outside those regions, we rely on appropriate safeguards, including:
- The European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum with our subprocessors.
- Adequacy decisions where available (for example, transfers to Canada's commercial private sector are covered by an EU adequacy decision).
- Supplementary organizational and technical measures, including encryption in transit and at rest.
Copies of the safeguards can be requested at admin@wednesdaywaffles.com.
We retain personal information only for as long as necessary to provide the Service and for the purposes described in this Policy, unless a longer retention period is required or permitted by law.
- Account data: retained while your account is active. When you delete your account, we delete or anonymize your account data within 30 days, except where retention is required by law or is necessary for fraud prevention, security, or dispute resolution.
- User content (Waffles, messages): retained while your account is active and associated with the groups where you shared it. A technical audio track and captions or structured transcript may be kept with a Waffle for accessibility and reliable processing. They follow the same access controls and deletion schedule as the Waffle. When you delete content, it is removed from active systems within 30 days and from backups within 90 days.
- AI-derived information: Waffle digests, prep suggestions, Timeline recaps, and teaser text may be kept while the source Waffle and account remain active. If you stop future AI processing, we prevent new provider calls and hide AI results, but may keep existing results where lawful so we do not repeatedly send the same content to a provider. Deleting a source Waffle or your account deletes related active AI results on the same active-system and backup schedule. You may also ask our Privacy Officer to delete retained generated analysis.
- AI provider request data: we configure providers for no model training and use zero-data-retention or modified abuse-monitoring controls where contractually available. If those controls are unavailable for an approved task, provider request content may be retained for abuse monitoring for up to 30 days. We do not use provider background or batch modes where they conflict with our configured retention controls.
- Usage and analytics data: retained in identifiable form for up to 14 months, then aggregated or deleted.
- Crash and diagnostic logs: retained for up to 90 days.
- Support communications: retained for up to 3 years to help us respond to follow-up inquiries and for quality assurance.
- Financial and tax records: retained for the period required by applicable law (typically 6–7 years).
You can request deletion of your data at any time by contacting us at admin@wednesdaywaffles.com or by using in-app account deletion, where available.
We take the security of your personal information seriously and apply a defense-in-depth approach, including:
- Encryption of data in transit using TLS 1.2+ between the App and our servers.
- Encryption of data at rest using industry-standard algorithms provided by Google Cloud.
- Role-based access control and least-privilege access to production systems.
- Firestore and Cloud Storage security rules that restrict data access to the users authorized to see it.
- Firebase App Check to mitigate abuse of our backend APIs by unauthorized clients.
- Automated vulnerability scanning, dependency monitoring, and periodic security reviews.
- Logging and monitoring for unusual activity.
No system is 100% secure. If we become aware of a security incident that affects your personal information, we will notify you and the relevant regulators without undue delay as required by applicable law.
Subject to applicable law, you have the following rights over your personal information:
- Access: request a copy of the personal information we hold about you.
- Rectification: correct inaccurate or incomplete information.
- Erasure / "right to be forgotten": request deletion of your personal information.
- Restriction: restrict processing in certain circumstances.
- Objection: object to processing based on legitimate interests or for direct marketing.
- Portability: receive your personal information in a structured, commonly used, machine-readable format.
- Withdraw consent: withdraw any consent you previously gave, without affecting the lawfulness of processing carried out before withdrawal.
- Manage AI processing: stop future AI processing and change Help improve Wednesday Waffles under Manage AI Features. For verified deletion of retained generated analysis, contact our Privacy Officer.
- Complaint: lodge a complaint with your local data-protection authority. For EU users this is the supervisory authority in your country of residence; for UK users it is the Information Commissioner's Office (ICO); for Canadian users it is the Office of the Privacy Commissioner of Canada.
To exercise any of these rights, contact us at admin@wednesdaywaffles.com. We will respond within the time required by applicable law (generally within 30 days, extendable where permitted). We may need to verify your identity before acting on your request. You will not be discriminated against for exercising your rights.
This section provides information required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
Categories of Personal Information Collected
In the last 12 months, we have collected the following categories of personal information (as defined in Cal. Civ. Code § 1798.140):
- Identifiers (e.g., name, email, account ID, device identifiers, IP address)
- Customer records (e.g., account and contact information)
- Internet or other electronic network activity information (e.g., usage and interaction data)
- Geolocation data (coarse, derived from IP)
- Audio, electronic, visual, or similar information (your Waffles, associated audio, and captions or transcripts derived from that audio for accessibility)
- Inferences drawn from the above to understand preferences and improve the Service
Sources, Purposes, and Disclosures
We collect these categories directly from you, automatically from your device, and from our service providers. We use them for the purposes described in "How We Use Your Information" above, and we disclose them for business purposes to the subprocessors listed above.
Sale / Sharing of Personal Information
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We have not done so in the preceding 12 months, and we do not knowingly sell or share the personal information of consumers under 16 years of age.
Sensitive Personal Information
We do not collect or use "sensitive personal information" for purposes that would trigger the right to limit its use under the CPRA.
Your California Rights
- Right to know what personal information we have collected, used, disclosed, and sold or shared.
- Right to delete personal information we have collected from you.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing (not applicable — we do not sell or share).
- Right to limit use of sensitive personal information (not applicable — we do not use sensitive PI for purposes that trigger this right).
- Right to non-discrimination for exercising these rights.
To exercise these rights, contact us at admin@wednesdaywaffles.com. You may use an authorized agent to make a request on your behalf, subject to verification.
Shine the Light
California residents may request information about our disclosure of personal information to third parties for direct-marketing purposes. We do not make such disclosures.
As a Canadian company, we comply with PIPEDA and applicable provincial privacy laws (including Quebec's Law 25). You have the right to access and correct your personal information and to withdraw consent (subject to legal and contractual restrictions). You may direct questions or complaints to our Privacy Officer at admin@wednesdaywaffles.com. If your concern is not resolved, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.
Wednesday Waffles is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. Users of the Service must be at least 13 years old (or older, where required by local law — for example, 14 in Quebec and parts of the EU, 16 in the EU by default under GDPR unless a lower age has been set by a member state).
If you are a parent or guardian and believe that your child under the applicable minimum age has provided us with personal information, please contact us at admin@wednesdaywaffles.com and we will promptly delete that information and terminate the associated account.
For more details on how we protect minors on our platform, please see our Child Safety Standards.
AI Features are unavailable when we cannot determine the user's age or region. Below the applicable digital-consent age, we require verified parental authorization and appropriate provider retention controls before any AI provider processing. Help improve Wednesday Waffles defaults off for all minors, and audio-derived emotion or tone inference is disabled for minors at launch.
We do not use your personal information or User Content to make automated decisions that produce legal or similarly significant effects concerning you. If you turn on AI Features, our systems may use eligible captions, transcripts, audio cues, comments, and replies to create recaps, chapter or comment summaries, prep suggestions, notification or email teasers, topics, commitments, and descriptions of observable tone. These outputs can be inaccurate and are not your verbatim words, a diagnosis, or a decision about you.
A per-Waffle result is never visible more broadly than its source Waffle. A weekly Timeline title is private to the Waffle author. Prep suggestions are private to their recipient, and AI never records, posts, or replies for you—you choose what to say and share. We prohibit identity resolution, protected-characteristic inference, mental-health diagnosis, advertising profiles, and provider model training from this processing.
The App asks for explicit permission before the first third-party AI transfer and records the provider disclosure you saw. Google Vertex AI / Gemini, OpenAI, Anthropic, or another model provider may be used only after it is added to the Subprocessor list and covered by that disclosure. You can decline without losing the non-AI Timeline, stop future processing in Manage AI Features, and contact our Privacy Officer to request verified deletion of retained analysis.
The App may request the following device permissions. You can grant or revoke each permission in your device settings at any time.
- Camera: required to record Waffles. Only accessed while you are actively recording.
- Microphone: required to capture audio for Waffles. Only accessed while you are actively recording.
- Photo Library: required to save Waffles you capture and, optionally, to select existing media.
- Notifications: used to send recording reminders and alerts when new content is available in your groups. If the relevant AI and notification choices are enabled, an alert or email may include a short AI-generated teaser. Depending on your device settings, sender names, message or comment previews, and teaser text may appear on your lock screen or in notification trays.
- Background refresh / foreground service: used to deliver push notifications and keep the App responsive. We do not access your camera or microphone in the background.
Denying a permission will not prevent you from using the Service, but some features may be unavailable (for example, you cannot record a Waffle without the camera and microphone permissions).
Our marketing Website at www.wednesdaywaffles.com uses a limited number of cookies and similar technologies to understand aggregate traffic and to attribute visits to marketing campaigns. These include:
- Strictly necessary cookies: required for the Website to function.
- Attribution identifiers: short-lived first-party identifiers, including our
ww_click_idcookie, used on certain campaign or invite routes to help us understand whether a visit came from a marketing link. - Analytics cookies (Google Analytics 4): help us understand how visitors find and use the Website.
The App itself does not use browser cookies. It uses on-device storage (e.g., app sandbox storage, secure token storage, and local databases) to keep you signed in and to cache content for performance.
If you visit the Website from the EU or UK, we request your opt-in consent before setting optional analytics or attribution cookies. If you decline, only strictly necessary cookies remain active. You can also manage cookies through your browser settings and can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on. When our Website detects the Global Privacy Control (GPC) signal, we disable optional website analytics and attribution tracking on that request.
Because there is no consistent industry standard for how to respond to "Do Not Track" signals, we do not currently change our practices in response to DNT signals. We do honor the Global Privacy Control signal on our Website by disabling optional analytics and attribution tracking for requests where that signal is present.
The Service may contain links to third-party websites or services that are not operated by us. If you click a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you by updating the "Effective date" at the top of this Policy and, where required, by providing a more prominent notice (such as an in-app message or email). We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the updated terms.
For questions about this Privacy Policy, to exercise your rights, or to contact our Privacy Officer:
admin@wednesdaywaffles.comWednesday Waffles Inc. · 3505–1328 W Pender St · Vancouver, BC V6E 4S9 · Canada
