Data Subject Access Request
Last updated: 2026-04-27
WAVE Online, LLC honors the privacy rights granted to individuals under GDPR (EU/UK), CCPA/CPRA (California), and the privacy laws of other jurisdictions. This page describes how to exercise those rights.
Your rights
- Right of access — receive a copy of personal data we hold about you
- Right to deletion (erasure) — request deletion subject to retention obligations
- Right to correction (rectification) — fix inaccurate data
- Right to portability — receive your data in a structured, machine-readable format
- Right to restrict processing — limit how we process your data
- Right to object — object to processing based on legitimate interests
- Right to opt out of automated decision-making — including profiling that produces legal or similarly significant effects
How to submit a request
Choose the option that matches your situation:
- If you have a WAVE account: sign in and visit Settings → Privacy. Self-service export and deletion are available there.
- If you do not have a WAVE account or cannot sign in: email privacy@wave.online with subject “DSAR Request” and tell us which right you wish to exercise.
Verification
To protect your privacy, we will verify your identity before fulfilling access, deletion, correction, or portability requests. For account holders, we verify via signed-in session or magic-link. For non-account-holders, we may request additional information necessary to match the request to identifiable data.
Response timelines
- GDPR / UK GDPR: within 30 days (extendable by 60 days for complex requests with notice)
- CCPA / CPRA: within 45 days (one 45-day extension permitted)
- Other state laws: typically 45–60 days; see specific jurisdiction
We will not charge a fee for the first request in any 12-month period. We may charge a reasonable fee for excessive or repetitive requests as permitted by applicable law.
Authorized agents
You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization and we may verify the request directly with you in accordance with applicable law.
Limits on the right to deletion
We may retain personal data after a deletion request where required by law, regulation, or legitimate interests, including:
- Tax records (7 years per IRS)
- Anti-money-laundering / KYC records (5 years per FinCEN)
- Auditable security and fraud-prevention logs
- Pending legal claims or holds
See our Privacy Policy for the full retention schedule.
Right to lodge a complaint
EU/UK residents may lodge a complaint with their local supervisory authority. California residents may contact the California Privacy Protection Agency. Residents of other states may contact their state Attorney General. We encourage contacting privacy@wave.online first so we can resolve your concern directly.
EU/UK representative
Our EU representative under GDPR Article 27 and UK representative under UK GDPR Article 27 are listed in our Privacy Policy.