FAQ — data and privacy
Last updated: May 19, 2026
Common questions about how Wevion handles your data. For deep details on AI-specific privacy: see ai-110 Wavo privacy.
Where is my data stored?
In Wevion's deployment region. Typically:
EU customers: EU region (e.g. eu-west-1, eu-central-1)
US customers: US region
Verify your specific deployment region with your admin OR contact support.
For compliance (GDPR, data residency): data residency applies at the deployment level. Cross-border data flow occurs only for explicit third-party integrations (Meta APIs, etc.) that the customer authorizes.
Is Wevion GDPR-compliant?
Yes. Wevion respects GDPR principles:
Lawful processing: data processed for the purposes you authorized (ad management, analytics)
User rights: access, correction, deletion via support
Data minimization: only data needed for the service
Transparency: this FAQ + privacy policy
Breach notification: per GDPR timeline if applicable
For a Data Processing Agreement (DPA): contact sales / legal.
Who can see my data inside Wevion?
Strict team isolation:
Your team's data: visible only to authorized users in your team (per RBAC)
super_admin / owner roles: broader visibility within the team
Other teams: cannot see your data
Per-role visibility:
| Role | What |
|---|---|
| super_admin | All team data |
| owner | All team data |
| admin | Most team data |
| manager | Team data within scope |
| mediabuyer | Own + assigned data |
| finance | Billing-related data |
| viewer | Read-only |
Are AI conversations (Wavo) private?
Yes — strictly team-isolated.
What model providers see:
Your message
Last 20 messages of context
System prompt + tool definitions
Tool results
Providers handle this data per their enterprise terms (Anthropic, OpenAI, Google, DeepSeek, Moonshot). Most enterprise tiers do not train on customer data; review your specific agreement.
See ai-110 Wavo privacy.
Does Wevion sell my data?
No. Wevion does not sell customer data.
Does Wevion share data with third parties?
Only with integrations YOU explicitly authorize:
Ad platforms (Meta, Google, TikTok, etc.) — to manage your ads
Stripe — for payment processing
Email provider — to send notifications
AI model providers — for Wavo + Creative AI (per their terms)
Telegram / Slack — when you connect them
Tracker / commerce integrations — when you connect them
Each integration uses authorized scopes only.
What's the data retention policy?
Varies by data type:
| Data | Retention |
|---|---|
| Account data | While subscription active + grace period |
| Audit log | Plan-tier specific (typically 1-2 years) |
| Chat history | Until deleted by user OR workspace policy |
| Ad insights / analytics | Plan-tier specific (typically 1-3 years rolling) |
| Files (Creative Hub) | Until deleted; uses Drive Service Account quota |
| Logs (system) | Operational retention (typically 30-90 days) |
For specific retention questions: contact admin OR support.
Right to be forgotten (GDPR Article 17)?
Yes:
User-initiated: user can request account deletion. Removes user-owned data (preferences, AI memory, sessions, personal info).
Audit log: retained per legal / compliance requirements (often required by law to retain even after deletion).
Workspace deletion: the workspace owner can request full workspace deletion (data loss is permanent).
Contact support for GDPR requests.
What about subprocessors?
Wevion uses subprocessors for:
Cloud infrastructure (AWS / GCP)
Email delivery (SES / Mailgun)
AI providers (Anthropic, OpenAI, Google, DeepSeek, Moonshot)
Payment processing (Stripe)
Customer support tooling (Pylon)
Full list available in privacy policy / DPA.
How are passwords + tokens stored?
Passwords: hashed with bcrypt (industry standard; one-way)
OAuth tokens: encrypted at rest in DB
Session JWTs: signed with EdDSA, short-lived (~5 min)
API keys: hashed; full value shown once at creation
Backup codes (2FA): hashed; one-time use
Wevion staff cannot read your password or token values directly.
What about secrets in chat (Wavo)?
sanitizeToolOutput() in chat-security.ts strips known secret patterns (Meta tokens, JWTs, AWS keys, Stripe keys, Google keys, DB strings) from tool output before they reach the model OR your screen.
Defense-in-depth: don't paste secrets into chat in the first place.
See ai-110.
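
An added example, not Wevion's code, of the kind of pattern-based redaction described in this answer. The function names, the rule list and the sample data are assumptions for illustration; the patterns follow publicly documented token shapes.

```typescript
// Added example, not Wevion's sanitizeToolOutput(). RULES is an assumed list
// built from publicly documented token shapes.
const RULES: Array<[string, RegExp]> = [
  ["JWT", /\beyJ[\w-]{5,}\.eyJ[\w-]{5,}\.[\w-]{5,}/g], // base64url JSON header.payload.signature
  ["AWS_KEY", /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g], // access key ID
  ["STRIPE_KEY", /\b(?:sk|rk)_(?:live|test)_[0-9A-Za-z]{16,}/g], // secret or restricted key
  ["GOOGLE_KEY", /\bAIza[\w-]{35}/g], // API key
  ["META_TOKEN", /\bEAA[0-9A-Za-z]{30,}/g], // access token prefix
];
// Connection strings: keep scheme, user and host for debugging, drop the password.
const DB_URL = /\b((?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s:@\/]*):[^\s@\/]+@/g;

function redactSecrets(text: string): { clean: string; hits: string[] } {
  const hits: string[] = [];
  let clean = text.replace(DB_URL, (_match: string, prefix: string) => {
    hits.push("DB_PASSWORD");
    return prefix + ":[REDACTED:DB_PASSWORD]@";
  });
  for (const [label, pattern] of RULES) {
    clean = clean.replace(pattern, () => {
      hits.push(label);
      return "[REDACTED:" + label + "]";
    });
  }
  return { clean, hits };
}

// Tool results are usually nested JSON, so redact every string leaf (keys are left as-is).
function redactDeep(value: unknown, hits: string[]): unknown {
  if (typeof value === "string") {
    const result = redactSecrets(value);
    hits.push(...result.hits);
    return result.clean;
  }
  if (Array.isArray(value)) return value.map((item) => redactDeep(item, hits));
  if (value === null || typeof value !== "object") return value;
  const out: Record<string, unknown> = Object.create(null); // no prototype to clobber via "__proto__"
  for (const key of Object.keys(value)) {
    out[key] = redactDeep((value as Record<string, unknown>)[key], hits);
  }
  return out;
}

// Constructed sample tool result; every secret-shaped value is fake.
const SAMPLE = {
  note: "deploy used AKIAIOSFODNN7EXAMPLE and sk_test_CONSTRUCTEDexample0000",
  rows: ["postgres://app:hunter2@db.internal:5432/ads", "spend=120.50"],
  auth: { bearer: "eyJhbGciOiJFZERTQSJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl" },
};
```

Pattern lists only catch secret formats they already know, so the returned hit labels are worth logging to see what users and tools actually leak.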
Are notifications privacy-safe?
Notifications respect team isolation:
You see notifications for your team's data only
Owner fan-out: owners see team members' notifications (by design)
Email content sanitized for secrets (similar to Wavo)
External channels (Telegram, Slack) carry the notification text — review what you connect.
What if there's a security breach?
Wevion's incident response includes:
Notification to affected customers per GDPR timeline (72 hours where applicable)
Detail of what was exposed
Recommended user actions (password change, token rotation, etc.)
Investigation report
If you suspect a breach, report it to the security channel (typically security@wevion.ai; verify with admin).
Cookies + tracking?
Wevion uses cookies for:
Session management (essential)
Workspace state (essential)
Analytics on Wevion product usage (consent-based)
See the cookie consent banner on first visit and the privacy policy.
Can I get a SOC 2 / ISO report?
For enterprise customers: contact sales for security documentation. Reports may include SOC 2 Type II, ISO 27001, penetration test summaries (depending on Wevion's current certifications).
Related
Wavo privacy + data usage — AI-specific privacy
Team data privacy — 2FA + team security
Notification categories — notification scope