Privacy Policy & Data Disclosure
Effective Date: March 10, 2026
1. Introduction and Who We Are
Welcome to WavCash (the “Platform”, “we”, “us”, or “our”). The Platform is operated by Sama Studios LLC, a New Mexico limited liability company.
We provide tools for music creators, songwriters, producers, and collaborators to create, sign, and manage music royalty split sheet agreements and related documents.
Data Controller: Sama Studios LLC is the data controller for all personal information processed through the Platform.
Contact:
- Email: privacy@wav.cash
- Data rights requests: privacy@wav.cash
- Web form: wav.cash/data-request
EU/EEA Establishment: Sama Studios LLC is established in the EU by virtue of operating from Portugal. No separate EU representative is required under Article 27 GDPR. Privacy inquiries may be directed to privacy@wav.cash.
UK Representative (UK GDPR): Sama Studios LLC does not currently have a designated UK representative. If you are a UK resident with a privacy inquiry or complaint, please contact privacy@wav.cash. We are in the process of appointing a formal UK representative as required under UK GDPR Article 27 and will update this Policy when that appointment is made.
Data Protection Officer: Sama Studios LLC has not appointed a formal DPO as we do not currently meet the mandatory appointment thresholds under Article 37 GDPR. Privacy inquiries may be directed to privacy@wav.cash.
2. Scope of This Policy
This Privacy Policy applies to:
- All users who access or use the Platform, including free and paid accounts
- Visitors to our website at https://wav.cash
- All personal information submitted in connection with creating, viewing, signing, or managing agreements on the Platform
- Third parties whose personal information is submitted by a Platform user (for example, a co-writer added to a split sheet by another user)
If you are a third party whose information has been submitted to the Platform by another user, please contact us at privacy@wav.cash to exercise your data rights.
This Policy does not apply to third-party websites or services linked from the Platform.
3. What Personal Information We Collect
We collect the following categories of personal information.
3.1 Information You Provide Directly
Identity Information:
- Full legal name
- Stage name or artist alias
Contact Information:
- Email address
- Mailing address
- Phone number (if provided)
Professional and Music Industry Information:
- Performing Rights Organization (PRO) affiliation (e.g., ASCAP, BMI, SESAC, SOCAN, PRS)
- IPI/CAE number (PRO-issued identifier)
- Publishing company name
- Role on musical works (e.g., songwriter, producer)
- ISRC and ISWC codes associated with works
Agreement Content:
- Ownership percentages and royalty splits entered into agreements
- Digital signatures (name, timestamp, and IP address at time of signing)
- Agreement dates and identifiers
Account Information:
- Username and password (stored in hashed and encrypted form)
- Account preferences and settings
3.2 Information Collected Automatically
When you use the Platform, we automatically collect:
- IP address
- Browser type and version
- Operating system
- Device identifiers
- Pages visited and features used
- Time and date of access
- Referring URL
- Session duration
We use Google Analytics for usage analytics. Google Analytics may set cookies on your device. You can opt out of Google Analytics across all websites using the Google Analytics Opt-out Browser Add-on. See Section 8 for further detail on cookies and how to manage them.
3.3 Information From Third Parties
We may receive personal information about you from:
- Other Platform users who add you as a collaborator or co-signatory on an agreement
- PROs or music industry databases, if you choose to connect such services
3.4 Special Categories of Data
We do not intentionally collect data revealing racial or ethnic origin, political opinions, religious beliefs, health or medical data, biometric identification data, sexual orientation, or government-issued identification numbers such as Social Security Numbers or Tax IDs.
If you believe sensitive data has been inadvertently submitted to the Platform, contact us at privacy@wav.cash and we will delete it promptly.
4. Why We Collect Your Data and Our Legal Basis
For each purpose we process your data, we rely on one of the following legal bases under GDPR.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Creating and managing your account | Name, email, password | Contract (to provide the service) |
| Generating and storing split sheet agreements | All agreement content, party information | Contract |
| Sending agreements to co-signatories | Name and email of parties | Contract and Legitimate Interests |
| Verifying identity for digital signatures | Name, IP, timestamp | Contract and Legal Obligation |
| Sending transactional emails (receipts, alerts) | Email address | Contract |
| Customer support | Any information you share with us | Contract and Legitimate Interest |
| Platform security and fraud prevention | IP address, usage logs | Legitimate Interests |
| Analytics and platform improvement | Anonymized and aggregated usage data | Legitimate Interests |
| Compliance with legal obligations | As required | Legal Obligation |
| Marketing communications | Email address | Consent (opt-in only; withdrawal available at any time) |
We do not sell your personal information. We do not share your personal information with third parties for their independent marketing purposes.
5. How Long We Retain Your Data
We retain personal information only for as long as necessary for the purpose for which it was collected, subject to applicable legal retention requirements.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account information | Duration of account plus 3 years after closure | Service delivery and legal dispute window |
| Signed agreements | 7 years from date of signing | Legal enforceability and copyright dispute evidence |
| Digital signature logs | 7 years | Legal enforceability under ESIGN Act and eIDAS |
| Usage logs and IP addresses | 90 days | Security and fraud prevention |
| Marketing preferences | Until withdrawn plus 30 days | Consent withdrawal processing |
| Support correspondence | 2 years from resolution | Quality assurance and dispute resolution |
When retention periods expire, data is deleted or anonymized in a way that prevents reconstruction. You may request early deletion subject to the exceptions described in Section 7.
6. How We Share Your Data
We share your personal information only in the following circumstances.
6.1 With Co-Signatories on Your Agreements
When you create a split sheet agreement and add other parties, those parties will receive an invitation containing your name and contact information to facilitate the agreement process. This sharing is necessary to perform the contract.
6.2 With Service Providers (Data Processors)
We work with vetted third-party service providers who process data on our behalf under written Data Processing Agreements. Our current service providers include:
| Service Category | Provider | Purpose | Data Shared |
|---|---|---|---|
| Cloud hosting and infrastructure | Vercel, Supabase | Platform hosting and storage | All Platform data |
| Email delivery | Resend | Sending system and agreement emails | Email address, name |
| Document signing | Avalanche C-Chain | Cryptographic signature anchoring | Agreement hash only (no personal data written onchain) |
| Analytics | Google Analytics | Platform usage analytics | Anonymized usage data |
Our service providers are contractually prohibited from using your data for their own purposes.
6.3 Legal Compliance and Protection
We may disclose personal information if we believe in good faith that such disclosure is necessary to:
- Comply with applicable law, regulation, or legal process, including valid court orders or subpoenas
- Enforce our Terms of Service
- Protect the rights, property, or safety of Sama Studios LLC, our users, or the public
- Detect, prevent, or respond to fraud, security incidents, or technical issues
6.4 Business Transfers
If we are involved in a merger, acquisition, asset sale, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you by email and/or prominent notice on the Platform before your personal information becomes subject to a materially different privacy policy.
6.5 With Your Explicit Consent
We will share your information with any other party only with your explicit prior consent.
7. Your Privacy Rights
Depending on where you are located, you may have the following rights regarding your personal information. We honor these rights regardless of jurisdiction and treat them as universal to the extent technically feasible.
Right to Know and Access: You may request a copy of the personal information we hold about you, including what categories we hold, how we use it, and who we share it with.
Right to Correction and Rectification: You may request that we correct inaccurate or incomplete personal information.
Right to Erasure and Deletion: You may request that we delete your personal information. We will fulfill this request unless retention is required by law. Note that signed split sheet agreements may be subject to contractual and legal retention obligations. We may retain the agreement record itself while anonymizing or deleting your contact details from our active systems upon request.
Right to Portability: You may request your personal information in a structured, machine-readable format (JSON or CSV) for transfer to another platform or service.
Right to Restrict Processing: You may request that we temporarily limit processing of your data while you contest its accuracy or our legal basis.
Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes. Marketing objections will be honored immediately and without penalty.
Right to Opt Out of Sale or Sharing (California Residents): We do not sell or share your personal information as defined under the CCPA/CPRA. If our practices change, we will update this Policy and provide an opt-out mechanism before doing so.
Right to Non-Discrimination: Exercising any of your privacy rights will not result in denial of service, reduced quality of service, or any other penalty.
How to Submit a Request
Submit any rights request through:
- Email: privacy@wav.cash
- Web form: wav.cash/data-request
We will respond within 30 days (extendable to 60 days for complex requests, with notice). We may need to verify your identity before processing certain requests. We will not charge a fee for reasonable requests.
For EU and UK residents: You also have the right to lodge a complaint with your local supervisory authority at any time. In Portugal and the EU: CNPD. In the UK: ICO. You may also contact the national DPA in the EU member state where you reside or work.
8. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies.
| Type | Purpose | Can Be Disabled? |
|---|---|---|
| Strictly necessary | Session management, authentication, security | No; required for platform function |
| Functional | Saved preferences, UI settings | Yes |
| Analytics | Understanding how the platform is used (Google Analytics) | Yes |
You can manage cookie preferences using the cookie consent banner that appears when you first visit the Platform. To reset your preferences, clear your browser's local storage for wav.cash.
For EU and UK users: We will not set non-essential cookies without your prior consent. You may withdraw consent at any time by clearing your browser's local storage for wav.cash, which will cause the consent banner to reappear on your next visit.
Global Privacy Control (GPC): We honor browser-level Global Privacy Control signals as an opt-out of data sharing, as required by CCPA/CPRA and applicable US state laws.
Google Analytics: We use Google Analytics to understand how users interact with the Platform. Google Analytics collects data such as pages visited, session duration, and general geographic location. This data is aggregated and anonymized. You can opt out at any time using the Google Analytics Opt-out Browser Add-on. For more information on how Google uses this data, see Google's Privacy Policy.
9. International Data Transfers
Your personal information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.
When transferring personal information outside the EU/EEA or UK, we implement the following safeguards:
Standard Contractual Clauses (SCCs): We use the EU Commission-approved SCCs for transfers to countries without an EU adequacy decision. These clauses contractually bind recipients to EU-equivalent data protection standards.
UK International Data Transfer Agreements (IDTAs): Used for applicable transfers from the UK.
Adequacy decisions: Where the destination country has been granted an adequacy decision by the European Commission (currently including the UK, Switzerland, Canada for the commercial sector, Japan, and others), we rely on that decision.
By using the Platform, you acknowledge that your information may be transferred internationally as described above.
10. Security
We implement technical and organizational measures appropriate to the risk level of the data we process, including:
- AES-256 encryption for all data at rest
- TLS 1.2 or higher encryption for all data in transit
- Hashed and salted storage of passwords (bcrypt or equivalent)
- Role-based access controls limiting staff access to personal data on a need-to-know basis
- Multi-factor authentication (MFA) for all internal systems access
- Regular security assessments and penetration testing
- Formal incident response plan with 72-hour breach notification capability
Despite these measures, no system is completely secure. You are responsible for maintaining the security of your account credentials. If you suspect unauthorized access to your account, contact us immediately at privacy@wav.cash.
Data Breach Notification: In the event of a breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, as required by applicable law.
11. Children's Privacy
The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@wav.cash and we will delete it promptly.
If we become aware that we have collected personal information from a person under 18 without verified parental consent, we will take immediate steps to delete that information.
12. Third-Party Links and Services
The Platform may contain links to third-party websites or services, for example PRO registration portals. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through the Platform.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Material changes (changes that materially affect your rights or how we use your data) will be communicated via:
- Email to your registered address at least 30 days before taking effect
- A prominent notice on the Platform
Minor changes (corrections or clarifications) will be reflected with an updated “Last Updated” date at the top of this Policy.
Your continued use of the Platform after the effective date of any update constitutes acceptance of the revised Policy. If you do not agree with a material change, you may delete your account prior to the effective date.
14. Jurisdiction-Specific Disclosures
14.1 California Residents (CCPA / CPRA)
In addition to the rights described in Section 7, California residents have the following rights.
Categories of personal information we collect: See Section 3. This includes identifiers (name, email, IP address), commercial information (agreement history), and professional information (PRO affiliation, music credits).
Sources of information: Directly from you, automatically through your use of the Platform, and from other Platform users who add you as a collaborator.
Business or commercial purposes: See Section 4.
We do not sell or share your personal information as defined under the CCPA/CPRA, including for cross-context behavioral advertising.
Retention: See Section 5.
Shine the Light (Cal. Civ. Code section 1798.83): We do not disclose personal information to third parties for their direct marketing purposes.
To exercise California rights, contact privacy@wav.cash or submit a request at wav.cash/data-request.
14.2 EU / EEA Residents (GDPR)
Supervisory authority: You have the right to lodge a complaint with the supervisory authority in the EU member state where you reside, work, or where an alleged infringement occurred. Our lead supervisory authority as a Portugal-based operator is the CNPD (Comissao Nacional de Protecao de Dados): https://www.cnpd.pt
Legal bases: See Section 4 for the specific legal basis for each processing activity.
Automated decision-making: We do not make solely automated decisions that produce legal or similarly significant effects on individuals.
Right to withdraw consent: Where we process your data based on consent (for example, marketing emails), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
14.3 UK Residents (UK GDPR)
Your rights under UK GDPR are substantively identical to those of EU residents described above. The relevant supervisory authority is the UK Information Commissioner's Office (ICO): https://ico.org.uk
14.4 Canadian Residents (PIPEDA / Quebec Law 25)
We collect, use, and disclose personal information about Canadian residents with their knowledge and consent, in accordance with PIPEDA's Ten Principles. Our designated privacy contact can be reached at privacy@wav.cash. Quebec residents have additional rights under Law 25, including the right to de-indexation and the right to be informed about any automated profiling.
15. Contact and Complaints
For any privacy-related inquiries, rights requests, or complaints:
Sama Studios LLC
Attn: Privacy Team
privacy@wav.cash
We aim to respond to all privacy inquiries within 10 business days.
If you are not satisfied with our response, you have the right to escalate your complaint to the relevant supervisory authority for your jurisdiction. See Section 7 and Section 14 for supervisory authority contacts.