Privacy Notice
Last updated 11 July 2026. Operated by Waxverse.
This notice explains what personal data Waxverse (the operator of this Service, Wales) collects, why we collect it, who we share it with, and the rights you have. Waxverse is the data controller for the personal data described below. Contact us at hello@waxverse.com.
1. What we collect and why
- Account data (email, display name, password hash, sign in provider). Used to create and secure your account. Legal basis: performance of a contract.
- Studio content(recipes, batches, material lots, testing calibrations, pricing, brand kits, compliance dossiers you generate). Stored so you can return to it and export it. Legal basis: performance of a contract.
- Purchase and subscription data (order ID, tier, currency, amount, subscription status, renewal date). Used to grant access to what you paid for and to handle refunds. Legal basis: performance of a contract and our legal obligations.
- Codex lead capture(email address and optional newsletter opt in) when you download the Maker's Codex PDF. Used to email the PDF to you and, only if you tick the box, to send occasional updates. Legal basis: consent for the newsletter, legitimate interests for the delivery email.
- Contact formsubmissions (name, email, message). Used to reply to you. Legal basis: legitimate interests in responding to your enquiry.
- Technical data(IP address, region derived from IP for currency and supplier preferences, browser, device, referrer, and page views). Used to run the site, prevent abuse, and understand aggregate usage. Legal basis: legitimate interests.
2. Who we share it with
We use the following processors to run the Service. Each is bound by a data processing agreement and only handles data on our instructions:
- Supabase (database, authentication, storage) - EU region.
- Cloudflare (CDN, edge hosting, DDoS protection).
- Paddle.com Market Limited (Merchant of Record for every sale). Paddle collects the payment data (card details, billing address, tax status) directly. See Paddle's Privacy Policy.
- IONOS (inbound email hosting for hello@waxverse.com).
- Resend and notify.waxverse.com (transactional email delivery for Codex PDFs, contact replies, subscription notifications).
- Lovable (application hosting platform and AI Gateway used by some Studio tools).
- Plausible Analytics (cookieless, IP anonymising aggregate analytics). No personal data leaves the browser.
We do not sell personal data. We do not use behavioural advertising cookies. We will disclose data if required by law or to protect rights, safety, or property.
3. International transfers
Some processors are located outside the UK or EEA. Where that happens we rely on adequacy decisions or on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses to keep your data protected.
4. How long we keep it
- Account and Studio content (recipes, batches, materials, burn tests, labels, profile): deleted immediately when you delete your account.
- Purchase and subscription records: kept for 7 years to meet UK HMRC and equivalent tax obligations. After you delete your account these are anonymised. Email address, name, and user id are removed, and a one-way hash of the user id replaces them so we can reconcile transactions without holding personal data.
- Active subscriptions are cancelled with our payment provider before your account is deleted, so you cannot be billed after deletion.
- Deletion audit log (anonymised): kept for 7 years so we can prove billing was stopped for a given account. Contains a one-way hash of your email and the cancellation timestamps only.
- Codex lead capture: until you unsubscribe, then removed within 30 days.
- Contact form: 24 months, then deleted.
- Technical logs: 90 days.
5. Your rights
Under UK GDPR and EU GDPR you have the right to access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent at any time. You can exercise these by emailing hello@waxverse.com. We respond within one month. You also have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk, or with your local EU supervisory authority.
6. Security
We apply appropriate technical and organisational measures including encryption in transit, encrypted database at rest, row level security on user data, principle of least privilege for internal access, and periodic security scans of the codebase.
7. Cookies
The site uses a small number of first party items in your browser for essential functionality (session, region preference, cookie consent). See our Cookie Policy for the full list.
8. Changes to this notice
We update this notice as the Service evolves. Material changes will be announced by email or in the app before they take effect.

