Your Privacy Matters

Effective date: April 13, 2026

Last updated: April 13, 2026

Introduction

This Privacy Policy ("Policy") explains how Wednesday Waffles Inc. ("Wednesday Waffles," "we," "us," or "our"), the makers of the Wednesday Waffles mobile application (the "App") and the website at www.wednesdaywaffles.com (the "Website", and together with the App, the "Service"), collect, use, disclose, retain, and protect personal information about the people who use our Service.

Wednesday Waffles is a private video-sharing service designed to help small groups of friends and family stay close by exchanging short weekly video messages ("Waffles"). Because our Service handles personal content, we take privacy seriously and have built the Service with privacy-by-design principles.

This Policy applies to anyone who accesses the Service. By using the Service, you acknowledge that the collection, use, and sharing of your information will take place as described in this Policy. If you do not agree, please do not use the Service.

This Policy is designed to meet the substantive requirements of Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), the EU and UK General Data Protection Regulation ("GDPR" and "UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Children's Online Privacy Protection Act ("COPPA"), and other applicable data protection laws.

Data Controller & Contact

The data controller responsible for your personal information is:

Wednesday Waffles Inc.
3505–1328 W Pender St
Vancouver, BC V6E 4S9
Canada

Privacy contact / Privacy Officer: admin@wednesdaywaffles.com

Users in the EU, UK, or Switzerland may contact us at the email above for any matter related to this Policy or the processing of their personal data, including to exercise their rights under GDPR or UK GDPR.

Our Privacy Commitments

✓

We do not sell your personal information

We have never sold personal information, and we do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA.

✓

We do not use your content for third-party advertising

We do not serve third-party ads inside the App, and we do not use the content of your Waffles or messages to target advertising.

✓

We do not train AI models on your content

We do not use your Waffles, messages, or other user-generated content to train artificial intelligence or machine-learning models. We do use limited automated speech-to-text processing to generate captions for uploaded Waffles, but we do not send your content to third-party AI/LLM providers for training, advertising, or profiling.

✓

We minimize what we collect

We only collect information we need to operate the Service and keep it safe and reliable.

Information We Collect

We collect the following categories of personal information:

1. Account & Profile Information

Name or chosen display name
Email address
Phone number if you use our legacy phone-number / SMS sign-in flow for existing users
Profile photo (optional)
Date of birth or birthday information if you choose to provide it
Authentication identifiers from Sign in with Apple or Google Sign-In (such as a provider user ID and, where you permit it, the email address associated with that provider)
Account settings and preferences

2. User Content

Waffles (short videos, including the video file, audio, thumbnails, captions/transcripts generated for accessibility, and associated metadata such as duration and creation time)
Text messages, reactions, and replies you send inside groups
Links you share and any preview metadata generated from them
Group names and membership information for groups you create or join

3. Device & Technical Information

Device model, operating system and version, app version, language, and timezone
Device identifiers (such as an install ID or advertising-reset-safe identifier used for analytics and abuse prevention)
Push notification tokens issued by Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM)
Push-notification status and related app metadata, such as whether notifications are enabled on your device
IP address and approximate location derived from it
Crash diagnostics and error logs

4. Usage & Analytics Data

Pages, screens, and features you interact with
Session duration and frequency
Events such as account creation, group creation, Waffle sent, Waffle watched
Referral and attribution data (e.g., how you arrived at our Website)

6. Communications With Us

When you contact us for support, feedback, or other reasons, we collect your messages and any information you voluntarily provide (such as your email address).

What We Do Not Collect

We do not collect precise GPS location. Any location inference is coarse and IP-based.
We do not access your camera or microphone in the background — only while you are actively recording a Waffle.
We do not collect government-issued identifiers, biometric data, payment card data, or health information.

How We Use Your Information

We use personal information for the following purposes:

Provide the Service: create and manage your account, authenticate you, deliver your Waffles and messages to the groups you choose, and sync content across your devices.
Send notifications: deliver push notifications and transactional emails related to your account and activity, including weekly reminders and content alerts.
Support and communicate: respond to your requests, send important service announcements, and notify you of changes.
Safety, security, and fraud prevention: detect and prevent abuse, spam, account takeover, and violations of our Terms of Service and Child Safety Standards.
Improve the Service: understand how features are used, debug issues, and develop new features through aggregated analytics.
Legal compliance: comply with applicable laws, respond to lawful requests, and enforce our agreements.
Business operations: run internal recordkeeping, financial accounting, and due diligence in the context of corporate transactions.

Legal Bases for Processing (GDPR / UK GDPR)

If you are in the EU, UK, or Switzerland, we rely on the following legal bases under Article 6 GDPR:

Performance of a contract (Art. 6(1)(b)) — to create your account, deliver your Waffles and messages to your groups, and provide the core functionality of the Service.
Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse, understand product usage, and communicate with you about the Service. We balance these interests against your rights and only rely on them where the impact on you is limited.
Consent (Art. 6(1)(a)) — for optional features such as push notifications and access to your device camera, microphone, and photo library, and where required by law for optional website analytics and attribution cookies. You can withdraw consent at any time in your device or app settings or by changing your browser cookie preferences.
Legal obligations (Art. 6(1)(c)) — to respond to lawful requests from authorities and to comply with applicable laws.

Where we process any special categories of personal data (for example if your Waffle content happens to reveal such data), we rely on your explicit consent under Article 9(2)(a) GDPR, which is given by your voluntary decision to upload that content.

How We Share Information

We share personal information only in the limited circumstances described below.

With Other Users of the Service

When you send a Waffle or message to a group, your content and associated metadata (such as your name, profile picture, and the time of posting) are shared with the other members of that group. Groups are private by design.

With Service Providers (Subprocessors)

We share personal information with trusted third-party service providers that process data on our behalf to operate the Service. These providers are contractually bound to protect your data and use it only for the purposes we specify. See the Subprocessor List below.

For Legal Reasons

We may disclose personal information where we believe in good faith that disclosure is necessary to: (i) comply with applicable laws or valid legal process, (ii) protect the rights, property, or safety of Wednesday Waffles, our users, or the public, (iii) detect, prevent, or address fraud, security, or technical issues, or (iv) enforce our Terms of Service.

In Connection With Corporate Transactions

If Wednesday Waffles is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will notify users of any change in control or use of personal information, as well as any choices users may have regarding their information.

With Your Consent

We may share personal information for other purposes with your consent or at your direction.

We do not sell personal information and we do not share personal information with third parties for their own marketing or advertising purposes.

Subprocessors

The following third-party service providers process personal information on our behalf. We maintain written data-processing agreements with each of them and review their security and privacy practices before engagement.

Provider	Purpose	Data	Location
Google Cloud Platform / Firebase (Google LLC)	Authentication, database (Cloud Firestore), file storage (Cloud Storage for Firebase), serverless backend (Cloud Functions), push notifications (FCM), crash reporting (Crashlytics), product analytics (Firebase Analytics), remote configuration, app integrity (App Check), and infrastructure hosting.	Account identifiers, auth tokens, user content (Waffles, messages, media), device and usage data, crash diagnostics, push tokens.	United States and other Google Cloud regions
Apple Inc.	Sign in with Apple (authentication) and Apple Push Notification service (APNs).	Apple user identifier, optional email (which may be a private-relay address), push notification tokens and payloads.	United States
PostHog, Inc.	Product analytics and session event tracking to understand how the Service is used.	Pseudonymous user identifiers, event names, app version, device type, and interaction metadata. Not the contents of your Waffles or messages.	EU data residency in production; vendor headquartered in the United States
Customer.io (Peaberry Software Inc.)	Transactional, lifecycle, and optional marketing communications delivery (e.g., account notifications, activation reminders, and opt-in email communications).	Name, email address, phone number if present, user identifier, and lifecycle event attributes (e.g., account created, first Waffle sent).	United States
Shorebird (Shorebird, Inc.)	Over-the-air delivery of non-binary app updates.	App version, device platform, and install identifiers required to deliver updates.	United States
Google LLC (Google Analytics 4 — Website only)	Aggregate analytics for our marketing website at www.wednesdaywaffles.com. Not used inside the App.	Pseudonymous visitor identifiers, pages viewed, referrer, device and browser data.	United States

We will update this list when we add or change material subprocessors. You can request the current list and the date of last update at any time by contacting us at admin@wednesdaywaffles.com.

International Data Transfers

Wednesday Waffles is based in Canada. Personal information is processed in Canada, the United States, and other countries where our service providers operate data centers. These countries may have data-protection laws different from those of your country of residence.

Where personal information of users in the EU, UK, or Switzerland is transferred outside those regions, we rely on appropriate safeguards, including:

The European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum with our subprocessors.
Adequacy decisions where available (for example, transfers to Canada's commercial private sector are covered by an EU adequacy decision).
Supplementary organizational and technical measures, including encryption in transit and at rest.

Copies of the safeguards can be requested at admin@wednesdaywaffles.com.

Data Retention

We retain personal information only for as long as necessary to provide the Service and for the purposes described in this Policy, unless a longer retention period is required or permitted by law.

Account data: retained while your account is active. When you delete your account, we delete or anonymize your account data within 30 days, except where retention is required by law or is necessary for fraud prevention, security, or dispute resolution.
User content (Waffles, messages): retained while your account is active and associated with the groups you have shared them to. Copies shared into a group remain accessible to that group's members. Captions and transcripts generated for a Waffle are retained alongside that Waffle and deleted on the same schedule when the Waffle is deleted. When you delete content, it is removed from active systems within 30 days and from backups within 90 days.
Usage and analytics data: retained in identifiable form for up to 14 months, then aggregated or deleted.
Crash and diagnostic logs: retained for up to 90 days.
Support communications: retained for up to 3 years to help us respond to follow-up inquiries and for quality assurance.
Financial and tax records: retained for the period required by applicable law (typically 6–7 years).

You can request deletion of your data at any time by contacting us at admin@wednesdaywaffles.com or by using in-app account deletion, where available.

Security

We take the security of your personal information seriously and apply a defense-in-depth approach, including:

Encryption of data in transit using TLS 1.2+ between the App and our servers.
Encryption of data at rest using industry-standard algorithms provided by Google Cloud.
Role-based access control and least-privilege access to production systems.
Firestore and Cloud Storage security rules that restrict data access to the users authorized to see it.
Firebase App Check to mitigate abuse of our backend APIs by unauthorized clients.
Automated vulnerability scanning, dependency monitoring, and periodic security reviews.
Logging and monitoring for unusual activity.

No system is 100% secure. If we become aware of a security incident that affects your personal information, we will notify you and the relevant regulators without undue delay as required by applicable law.

Your Rights

Subject to applicable law, you have the following rights over your personal information:

Access: request a copy of the personal information we hold about you.
Rectification: correct inaccurate or incomplete information.
Erasure / "right to be forgotten": request deletion of your personal information.
Restriction: restrict processing in certain circumstances.
Objection: object to processing based on legitimate interests or for direct marketing.
Portability: receive your personal information in a structured, commonly used, machine-readable format.
Withdraw consent: withdraw any consent you previously gave, without affecting the lawfulness of processing carried out before withdrawal.
Complaint: lodge a complaint with your local data-protection authority. For EU users this is the supervisory authority in your country of residence; for UK users it is the Information Commissioner's Office (ICO); for Canadian users it is the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, contact us at admin@wednesdaywaffles.com. We will respond within the time required by applicable law (generally within 30 days, extendable where permitted). We may need to verify your identity before acting on your request. You will not be discriminated against for exercising your rights.

Notice to California Residents (CCPA / CPRA)

This section provides information required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

Categories of Personal Information Collected

In the last 12 months, we have collected the following categories of personal information (as defined in Cal. Civ. Code § 1798.140):

Identifiers (e.g., name, email, account ID, device identifiers, IP address)
Customer records (e.g., account and contact information)
Internet or other electronic network activity information (e.g., usage and interaction data)
Geolocation data (coarse, derived from IP)
Audio, electronic, visual, or similar information (your Waffles, associated audio, and captions or transcripts derived from that audio for accessibility)
Inferences drawn from the above to understand preferences and improve the Service

Sources, Purposes, and Disclosures

We collect these categories directly from you, automatically from your device, and from our service providers. We use them for the purposes described in "How We Use Your Information" above, and we disclose them for business purposes to the subprocessors listed above.

Sale / Sharing of Personal Information

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We have not done so in the preceding 12 months, and we do not knowingly sell or share the personal information of consumers under 16 years of age.

Sensitive Personal Information

We do not collect or use "sensitive personal information" for purposes that would trigger the right to limit its use under the CPRA.

Your California Rights

Right to know what personal information we have collected, used, disclosed, and sold or shared.
Right to delete personal information we have collected from you.
Right to correct inaccurate personal information.
Right to opt out of sale or sharing (not applicable — we do not sell or share).
Right to limit use of sensitive personal information (not applicable — we do not use sensitive PI for purposes that trigger this right).
Right to non-discrimination for exercising these rights.

To exercise these rights, contact us at admin@wednesdaywaffles.com. You may use an authorized agent to make a request on your behalf, subject to verification.

Shine the Light

California residents may request information about our disclosure of personal information to third parties for direct-marketing purposes. We do not make such disclosures.

Notice to Canadian Users (PIPEDA)

As a Canadian company, we comply with PIPEDA and applicable provincial privacy laws (including Quebec's Law 25). You have the right to access and correct your personal information and to withdraw consent (subject to legal and contractual restrictions). You may direct questions or complaints to our Privacy Officer at admin@wednesdaywaffles.com. If your concern is not resolved, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Children's Privacy

Wednesday Waffles is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. Users of the Service must be at least 13 years old (or older, where required by local law — for example, 14 in Quebec and parts of the EU, 16 in the EU by default under GDPR unless a lower age has been set by a member state).

If you are a parent or guardian and believe that your child under the applicable minimum age has provided us with personal information, please contact us at admin@wednesdaywaffles.com and we will promptly delete that information and terminate the associated account.

For more details on how we protect minors on our platform, please see our Child Safety Standards.

Automated Decision-Making & AI

We do not use your personal information or user content to make automated decisions that produce legal or similarly significant effects concerning you. We do use limited automated speech-to-text processing to generate captions for uploaded Waffles, and those captions may be stored with the related Waffle as part of the Service. We do not use that processing to profile you, target advertising, or make moderation decisions, and we do not use your content to train our own models or send it to third-party AI/LLM providers for training. If we introduce additional AI or machine-learning features in the future, we will update this Policy and, where required, obtain your consent before processing your content with those technologies.

Device Permissions

The App may request the following device permissions. You can grant or revoke each permission in your device settings at any time.

Camera: required to record Waffles. Only accessed while you are actively recording.
Microphone: required to capture audio for Waffles. Only accessed while you are actively recording.
Photo Library: required to save Waffles you capture and, optionally, to select existing media.
Notifications: used to send recording reminders and alerts when new content is available in your groups. Depending on your device settings, notifications may display sender names and message or comment previews on your lock screen or in notification trays.
Background refresh / foreground service: used to deliver push notifications and keep the App responsive. We do not access your camera or microphone in the background.

Denying a permission will not prevent you from using the Service, but some features may be unavailable (for example, you cannot record a Waffle without the camera and microphone permissions).

Cookies & Similar Technologies (Website)

Our marketing Website at www.wednesdaywaffles.com uses a limited number of cookies and similar technologies to understand aggregate traffic and to attribute visits to marketing campaigns. These include:

Strictly necessary cookies: required for the Website to function.
Attribution identifiers: short-lived first-party identifiers, including our ww_click_id cookie, used on certain campaign or invite routes to help us understand whether a visit came from a marketing link.
Analytics cookies (Google Analytics 4): help us understand how visitors find and use the Website.

The App itself does not use browser cookies. It uses on-device storage (e.g., app sandbox storage, secure token storage, and local databases) to keep you signed in and to cache content for performance.

If you visit the Website from the EU or UK, we request your opt-in consent before setting optional analytics or attribution cookies. If you decline, only strictly necessary cookies remain active. You can also manage cookies through your browser settings and can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on. When our Website detects the Global Privacy Control (GPC) signal, we disable optional website analytics and attribution tracking on that request.

Do Not Track

Because there is no consistent industry standard for how to respond to "Do Not Track" signals, we do not currently change our practices in response to DNT signals. We do honor the Global Privacy Control signal on our Website by disabling optional analytics and attribution tracking for requests where that signal is present.

Third-Party Links

The Service may contain links to third-party websites or services that are not operated by us. If you click a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you by updating the "Effective date" at the top of this Policy and, where required, by providing a more prominent notice (such as an in-app message or email). We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the updated terms.

Questions?

For questions about this Privacy Policy, to exercise your rights, or to contact our Privacy Officer:

admin@wednesdaywaffles.com

Wednesday Waffles Inc. · 3505–1328 W Pender St · Vancouver, BC V6E 4S9 · Canada

Provider

Purpose

Data

Location

Google Cloud Platform / Firebase (Google LLC)

Authentication, database (Cloud Firestore), file storage (Cloud Storage for Firebase), serverless backend (Cloud Functions), push notifications (FCM), crash reporting (Crashlytics), product analytics (Firebase Analytics), remote configuration, app integrity (App Check), and infrastructure hosting.

Account identifiers, auth tokens, user content (Waffles, messages, media), device and usage data, crash diagnostics, push tokens.

United States and other Google Cloud regions

Apple Inc.

Apple user identifier, optional email (which may be a private-relay address), push notification tokens and payloads.

United States

PostHog, Inc.

Product analytics and session event tracking to understand how the Service is used.

Pseudonymous user identifiers, event names, app version, device type, and interaction metadata. Not the contents of your Waffles or messages.

EU data residency in production; vendor headquartered in the United States

Customer.io (Peaberry Software Inc.)

Transactional, lifecycle, and optional marketing communications delivery (e.g., account notifications, activation reminders, and opt-in email communications).

Name, email address, phone number if present, user identifier, and lifecycle event attributes (e.g., account created, first Waffle sent).

United States

Shorebird (Shorebird, Inc.)

Over-the-air delivery of non-binary app updates.

App version, device platform, and install identifiers required to deliver updates.

United States

Google LLC (Google Analytics 4 — Website only)

Aggregate analytics for our marketing website at www.wednesdaywaffles.com. Not used inside the App.

Pseudonymous visitor identifiers, pages viewed, referrer, device and browser data.

United States

This section provides information required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

Categories of Personal Information Collected

In the last 12 months, we have collected the following categories of personal information (as defined in Cal. Civ. Code § 1798.140):

Identifiers (e.g., name, email, account ID, device identifiers, IP address)
Customer records (e.g., account and contact information)
Internet or other electronic network activity information (e.g., usage and interaction data)
Geolocation data (coarse, derived from IP)
Audio, electronic, visual, or similar information (your Waffles, associated audio, and captions or transcripts derived from that audio for accessibility)
Inferences drawn from the above to understand preferences and improve the Service

Sources, Purposes, and Disclosures

Sale / Sharing of Personal Information

Sensitive Personal Information

We do not collect or use "sensitive personal information" for purposes that would trigger the right to limit its use under the CPRA.

Your California Rights

Right to know what personal information we have collected, used, disclosed, and sold or shared.
Right to delete personal information we have collected from you.
Right to correct inaccurate personal information.
Right to opt out of sale or sharing (not applicable — we do not sell or share).
Right to limit use of sensitive personal information (not applicable — we do not use sensitive PI for purposes that trigger this right).
Right to non-discrimination for exercising these rights.

To exercise these rights, contact us at admin@wednesdaywaffles.com. You may use an authorized agent to make a request on your behalf, subject to verification.

Shine the Light

California residents may request information about our disclosure of personal information to third parties for direct-marketing purposes. We do not make such disclosures.