Wavo and your data — what it sees

Last updated: May 19, 2026

Wavo sees your team's data only — strictly scoped by team_id via resolveToolDataScope() in apps/backend/src/services/chat/chat-tool-handlers.ts. Per-tool RBAC enforces role hierarchy. Strategic context cached 5 min (STRATEGIC_CONTEXT_CACHE_TTL_MS=300000). Wavo never fabricates metrics — always cites the tool that produced the number. Output sanitization strips secrets before display.

Who is this for

Anyone wondering "can Wavo see my private data?" or "why doesn't Wavo know about my other workspace?"

What Wavo sees

Your team's data

  • Campaigns, ad sets, ads (across all platforms you connected: Meta, Google, TikTok, Taboola, Snapchat)

  • Performance metrics (spend, impressions, clicks, ROAS, CPA, etc.)

  • Audiences + demographics

  • Rules + automation history

  • Creative Hub files (subject to your RBAC visibility)

  • Tracker data (if integrated)

  • Project memory facts (per-project, max 20)

  • Conversation history (last 20 messages)

Static platform knowledge

  • Wevion feature overview (embedded in system prompt)

  • Common workflows (campaign launch, rule setup, etc.)

  • Not company-internal data — generic platform docs

Your preferences

user_ai_preferences (per user):

  • instructions (custom user-level instructions)

  • preferred_language (default auto — matches input)

  • preferred_model

  • tone, response_format

  • metrics[] (your priority KPI list)

  • currency

  • memory_enabled / memory_opted_out_at

What Wavo does NOT see

Other teams' data

Hard team isolation. Cannot cross workspace boundaries.

Other users' personal data

Wavo sees:

  • Your name + role

  • Your preferences

Wavo does not see:

  • Other users' chat histories

  • Other users' preferences

  • Other users' personal info

Exception: when you share a session (ai-106), the recipient can read it.

Sensitive system data

  • Encryption keys / secrets

  • DB connection strings

  • Internal admin actions

These are explicitly redacted by chat-security.ts sanitizeToolOutput() if they accidentally surface in tool output.

Real-time external info (without web_search)

Wavo doesn't have live internet access by default. Instead, it:

  • Calls the web_search tool when needed

  • Otherwise relies on training data + your in-Wevion data

How team scoping works

Backend implementation:

  1. Request reaches a tool handler (e.g. get_performance_data)

  2. resolveToolDataScope(userId, teamId) returns allowed sheet_ids + team_ids

  3. Tool query filters by these scopes — typically WHERE team_id IN (allowed) AND ...

  4. Result includes only data the user can see

Privileged roles (super_admin / owner) get broader scope; standard roles get tighter scope. See team-101 role hierarchy.
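The four steps above as a TypeScript sketch. This is an added example, not Wevion's resolveToolDataScope(); the membership data, the sheet rule for privileged roles, the table and column names and the PostgreSQL-style = ANY($n) placeholders are all assumptions. It takes scope only from the authenticated user and active team, ignores a team_id that appears in model-generated tool arguments, and refuses to build a query on an empty scope.

```typescript
// Added illustration; not Wevion's resolveToolDataScope(). All data and SQL names are assumed.
type TeamRole = "viewer" | "mediabuyer" | "manager" | "admin" | "owner" | "super_admin";
interface Membership { userId: string; teamId: string; role: TeamRole; sheetIds: string[] }
interface DataScope { teamIds: string[]; sheetIds: string[] }

// Constructed sample data standing in for database lookups.
const MEMBERSHIPS: Membership[] = [
  { userId: "u1", teamId: "t1", role: "mediabuyer", sheetIds: ["s1"] },
  { userId: "u2", teamId: "t1", role: "owner", sheetIds: [] },
  { userId: "u1", teamId: "t2", role: "viewer", sheetIds: ["s9"] },
];
const TEAM_SHEETS: { [teamId: string]: string[] } = { t1: ["s1", "s2"], t2: ["s9"] };

// Step 2: scope comes from the authenticated session's user and active team only.
function resolveScope(userId: string, teamId: string): DataScope {
  const m = MEMBERSHIPS.filter((x) => x.userId === userId && x.teamId === teamId)[0];
  if (!m) return { teamIds: [], sheetIds: [] }; // not a member: empty scope
  // Assumed rule: privileged roles see every sheet in the team, others only assigned ones.
  const privileged = m.role === "owner" || m.role === "super_admin";
  const sheets = privileged ? (TEAM_SHEETS[teamId] || []) : m.sheetIds;
  return { teamIds: [teamId], sheetIds: sheets };
}

// Step 3: the WHERE clause is built from the scope as bound parameters. Tool
// arguments are model-generated, so a team_id found there is never used for filtering.
function buildPerformanceQuery(scope: DataScope, toolArgs: { since: string; team_id?: string }) {
  if (scope.teamIds.length === 0) throw new Error("403: no data scope for this team");
  return {
    text:
      "SELECT campaign_id, spend, roas FROM performance " +
      "WHERE team_id = ANY($1) AND sheet_id = ANY($2) AND day >= $3",
    values: [scope.teamIds, scope.sheetIds, toolArgs.since],
  };
}
```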

Per-tool RBAC

Each tool has a requiredRole + mode (read / write / approval). chat-tool-rbac.ts checks:

  • Viewer: read-only tools

  • Mediabuyer: read + write (drafts, generate)

  • Manager: + approval for medium-risk

  • Admin: + approval for high-risk

  • Owner: full access

If your role lacks permission: tool returns 403 with reason. Wavo explains "you don't have permission for this action; ask your admin."
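One way such a check could be written, as an added TypeScript example rather than the contents of chat-tool-rbac.ts. Every tool name except get_performance_data is hypothetical, and so are the rule that the mode and risk level set a minimum role on top of requiredRole and the rule that an approval tool with no risk level is treated as high-risk.

```typescript
// Added illustration; not Wevion's chat-tool-rbac.ts.
type TeamRole = "viewer" | "mediabuyer" | "manager" | "admin" | "owner";
type ToolMode = "read" | "write" | "approval";
interface ToolPolicy { requiredRole: TeamRole; mode: ToolMode; risk?: "medium" | "high" }
interface Decision { status: 200 | 403; reason: string }

// Hierarchy from the list above, lowest to highest.
const ROLE_ORDER: TeamRole[] = ["viewer", "mediabuyer", "manager", "admin", "owner"];
const rankOf = (r: TeamRole): number => ROLE_ORDER.indexOf(r);

// Constructed registry. Only get_performance_data is named on the page.
const TOOL_POLICIES: { [tool: string]: ToolPolicy } = {
  get_performance_data: { requiredRole: "viewer", mode: "read" },
  draft_campaign: { requiredRole: "mediabuyer", mode: "write" },
  approve_budget_change: { requiredRole: "manager", mode: "approval", risk: "medium" },
  // Deliberately under-declared: high-risk approval registered with requiredRole "manager".
  approve_bulk_pause: { requiredRole: "manager", mode: "approval", risk: "high" },
};

// Minimum role implied by mode and risk, applied even if requiredRole is set too low.
function modeFloor(p: ToolPolicy): TeamRole {
  if (p.mode === "read") return "viewer";
  if (p.mode === "write") return "mediabuyer";
  return p.risk === "medium" ? "manager" : "admin"; // missing risk: stricter floor
}

function authorizeTool(role: TeamRole, tool: string): Decision {
  // Tool names come from the model: look them up as own properties only, so
  // "constructor" or "__proto__" cannot resolve to something on the prototype.
  const known = Object.prototype.hasOwnProperty.call(TOOL_POLICIES, tool);
  const policy = known ? TOOL_POLICIES[tool] : undefined;
  if (!policy) return { status: 403, reason: "unknown tool: " + tool };
  const needed = Math.max(rankOf(policy.requiredRole), rankOf(modeFloor(policy)));
  if (rankOf(role) < needed) {
    return { status: 403, reason: tool + " requires " + ROLE_ORDER[needed] + " or higher" };
  }
  return { status: 200, reason: "ok" };
}
```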

Caching layers

Strategic context cache (5 min)

STRATEGIC_CONTEXT_CACHE_TTL_MS=300000. Strategic context (your top-level intent, current focus) cached for 5 min to reduce repeat tool calls.

Implication: rapidly-changing data may take up to 5 min to reflect.

Conversation history (20 messages)

Always fresh — pulled per-turn from DB.

Memory facts (per-project)

Persisted in project_memory_fact table. No TTL — facts live until explicitly removed OR until project deleted.

Never fabricates

Wavo cites tools. When you ask "what's my ROAS?":

  • Wavo invokes get_performance_data

  • Returns the actual number

  • Cites: "I checked your performance data for [period] and your ROAS is X"

If a tool fails or returns no data:

  • Wavo says so ("I couldn't find data for that period")

  • Does NOT make up a number

Hallucinations are a known risk in LLMs. Wavo's system prompt explicitly forbids fabricating metrics. If you suspect hallucination: ask Wavo to "cite the tool" or "re-query the source."

Output sanitization

chat-security.ts sanitizeToolOutput() redacts:

Pattern                            Where it comes from
EAA...                             Meta access tokens
eyJhbGciOi...                      JWT tokens
AKIA...                            AWS access keys
sk_... / pk_...                    Stripe API keys
AIzaSy...                          Google API keys
postgresql://..., mongodb://...    DB connection strings

Both directions:

  • Before sending to model (so model doesn't see your secrets)

  • Before displaying to you (so the on-screen output doesn't leak them)
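A redaction pass of this kind, as an added TypeScript example that is not the code in chat-security.ts. The prefixes are the ones listed above; the character classes and lengths after each prefix, the replacement marker and the sample tool result are assumptions. It walks nested objects and arrays so a secret buried in a tool result is caught wherever it sits.

```typescript
// Added illustration; not Wevion's sanitizeToolOutput().
interface RedactionRule { label: string; re: RegExp }

// Prefixes from the table above; what follows each prefix is an assumed shape.
const REDACTION_RULES: RedactionRule[] = [
  { label: "meta_token", re: /\bEAA[A-Za-z0-9]{20,}/g },
  { label: "jwt", re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g },
  { label: "aws_key", re: /\bAKIA[A-Z0-9]{16}\b/g },
  { label: "stripe_key", re: /\b[sp]k_(?:live|test)_[A-Za-z0-9]{10,}/g },
  { label: "google_key", re: /\bAIzaSy[A-Za-z0-9_-]{33}/g },
  { label: "db_url", re: /\b(?:postgresql|mongodb):\/\/[^\s"']+/g },
];

function redactString(s: string): string {
  let out = s;
  for (const rule of REDACTION_RULES) {
    out = out.replace(rule.re, "[REDACTED:" + rule.label + "]");
  }
  return out;
}

// Recursively redact a JSON-like value. Call it once on the tool result before
// it goes to the model, and again on the text about to be displayed.
function redactToolOutput(value: unknown): unknown {
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redactToolOutput(v));
  if (value !== null && typeof value === "object") {
    const src = value as { [k: string]: unknown };
    const out: { [k: string]: unknown } = {};
    for (const k of Object.keys(src)) out[k] = redactToolOutput(src[k]);
    return out;
  }
  return value; // numbers, booleans and null pass through unchanged
}

// Constructed tool result; the key is AWS's documentation example, the rest is made up.
const SAMPLE_TOOL_OUTPUT = {
  campaign: "Spring Sale",
  spend: 1250.5,
  debug: {
    dsn: "postgresql://app:example-password@db.internal:5432/wevion",
    headers: ["Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"],
    note: "uploaded with AKIAIOSFODNN7EXAMPLE",
  },
};
```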

Prompt injection defense

chat-security.ts defines INJECTION_PATTERNS (50+ regexes in English + Italian), which block attempts to manipulate Wavo via crafted inputs (e.g. "Ignore previous instructions and...").

detectInjection() flags suspect inputs; the system prompt also instructs Wavo to reject role-override attempts.

Memory opt-out

If you don't want Wavo to persist facts across conversations:

  • /settings → AI preferences → toggle Memory off

  • Sets user_ai_preferences.memory_opted_out_at timestamp

  • No new facts persist; existing facts not deleted (clear manually if desired)

Data residency

Conversation data stored in your workspace's Wevion deployment (same region as your other Wevion data). Model providers process queries per their terms — review your enterprise agreement for cross-border data handling specifics.

Common surprises

  • "Wavo doesn't know about an ad I just created" — strategic context cache (5 min) or sync delay; ask again in 5 min

  • "Wavo says it can't see X" — RBAC check failed; verify your role

  • "Wavo cited an old number" — postback lag or cache; ask "what's the most recent value"

  • "Wavo refused to help" — probably injection-defense triggered; rephrase neutrally
