FAQ — data and privacy
FAQ: data storage region, GDPR, team isolation, AI provider data handling, data sharing, retention, right to be forgotten.
Written By Salvatore Sinigaglia
Last updated About 4 hours ago
Common questions about how Wevion handles your data. For details on AI-specific privacy, see ai-110 Wavo privacy.
Where is my data stored?
In Wevion's deployment region. Typically:
- EU customers: EU region (e.g. eu-west-1, eu-central-1)
- US customers: US region
Verify your specific deployment region with your admin or contact support.
For compliance (GDPR, data residency): data residency is handled at the deployment level. Cross-border data flow occurs only for explicit third-party integrations (Meta APIs, etc.) that the customer authorizes.
Is Wevion GDPR-compliant?
Yes. Wevion respects GDPR principles:
- Lawful processing: data processed for the purposes you authorized (ad management, analytics)
- User rights: access, correction, deletion via support
- Data minimization: only data needed for the service
- Transparency: this FAQ + privacy policy
- Breach notification: per GDPR timeline if applicable
For a Data Processing Agreement (DPA): contact sales / legal.
Who can see my data inside Wevion?
Strict team isolation:
- Your team's data: visible only to authorized users in your team (per RBAC)
- Super_admin / owner roles: broader visibility within team
- Other teams: cannot see your data
Per-role visibility:
Are AI conversations (Wavo) private?
Yes — strictly team-isolated.
What model providers see:
- Your message
- Last 20 messages of context
- System prompt + tool definitions
- Tool results
Providers handle this data per their enterprise terms (Anthropic, OpenAI, Google, DeepSeek, Moonshot). Most enterprise tiers do not train on customer data; review your specific agreement.
See ai-110 Wavo privacy.
Does Wevion sell my data?
No. Wevion does not sell customer data.
Does Wevion share data with third parties?
Only with integrations YOU explicitly authorize:
- Ad platforms (Meta, Google, TikTok, etc.) — to manage your ads
- Stripe — for payment processing
- Email provider — to send notifications
- AI model providers — for Wavo + Creative AI (per their terms)
- Telegram / Slack — when you connect them
- Tracker / commerce integrations — when you connect them
Each integration uses authorized scopes only.
What's the data retention policy?
Varies by data type:
For specific retention questions: contact admin OR support.
Right to be forgotten (GDPR Article 17)?
Yes:
- User-initiated: user can request account deletion. Removes user-owned data (preferences, AI memory, sessions, personal info).
- Audit log: retained per legal / compliance requirements (often required by law to retain even after deletion).
- Workspace deletion: workspace owner can request full workspace deletion (data loss permanent).
Contact support for GDPR requests.
What about subprocessors?
Wevion uses subprocessors for:
- Cloud infrastructure (AWS / GCP)
- Email delivery (SES / Mailgun)
- AI providers (Anthropic, OpenAI, Google, DeepSeek, Moonshot)
- Payment processing (Stripe)
- Customer support tooling (Featurebase)
Full list available in privacy policy / DPA.
How are passwords + tokens stored?
- Passwords: hashed with bcrypt (industry standard; one-way)
- OAuth tokens: stored in an access-controlled database; encrypted at rest for supported ad providers (per-provider AES-GCM keys)
- Session JWTs: signed with EdDSA, 1-hour expiry (refreshed hourly)
- API keys: hashed; full value shown once at creation
- Backup codes (2FA): hashed; one-time use
Wevion staff cannot read your password or token values directly.
What about secrets in chat (Wavo)?
The sanitizeToolOutput() function in chat-security.ts strips known secret patterns (Meta tokens, JWTs, AWS keys, Stripe keys, Google keys, DB strings) before they reach the model or your screen.
Defense-in-depth: don't paste secrets to chat in the first place.
See ai-110.
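The redaction step described above, sketched as an added example: this is not Wevion's chat-security.ts, and the rule list, labels and function names are assumptions. It walks a nested tool result and replaces credential-shaped substrings before the result would be passed on.

```typescript
// Added example, not Wevion's code. Rules, labels and names are assumptions.
type Hits = Record<string, number>;
const RULES: { label: string; re: RegExp }[] = [
  // JWT: three base64url segments; a JSON header always encodes to "eyJ..."
  { label: "JWT", re: /\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}/g },
  // AWS access key ID: AKIA (long-term) or ASIA (temporary) + 16 characters
  { label: "AWS_KEY", re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  // Stripe secret / restricted keys
  { label: "STRIPE_KEY", re: /\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{16,}/g },
  // Google API key: "AIza" + 35 URL-safe characters
  { label: "GOOGLE_KEY", re: /\bAIza[\w-]{35}(?![\w-])/g },
  // Meta access token (assumed shape: "EAA" + long alphanumeric run)
  { label: "META_TOKEN", re: /\bEAA[A-Za-z0-9]{30,}/g },
  // Connection strings that embed user:password@host
  { label: "DB_URL", re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s:@\/]+:[^\s@]+@[^\s"']+/g },
];
// Replace every match in one string and count hits per rule (for logging/alerting).
function redact(text: string, hits: Hits): string {
  let out = text;
  for (const { label, re } of RULES) {
    out = out.replace(re, () => {
      hits[label] = (hits[label] || 0) + 1;
      return "[REDACTED:" + label + "]";
    });
  }
  return out;
}

// Tool results are usually nested JSON, so walk strings, arrays and objects.
function sanitizeDeep(value: unknown, hits: Hits): unknown {
  if (typeof value === "string") return redact(value, hits);
  if (Array.isArray(value)) return value.map((v) => sanitizeDeep(v, hits));
  if (typeof value !== "object" || value === null) return value;
  const out: Record<string, unknown> = {};
  for (const k of Object.keys(value)) out[k] = sanitizeDeep((value as Record<string, unknown>)[k], hits);
  return out;
}
function sanitizeToolResult(result: unknown): { clean: unknown; hits: Hits } {
  const hits: Hits = {};
  return { clean: sanitizeDeep(result, hits), hits };
}

// Constructed sample; every credential-looking value below is fake.
const SAMPLE = {
  account: "act_123", spend: 41.5,
  debug: "auth=Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl rejected; key AKIAIOSFODNN7EXAMPLE",
  env: ["DATABASE_URL=postgres://app:hunter2@db.internal:5432/ads", "STRIPE=sk_test_EXAMPLEEXAMPLEEXAMPLE00"],
};
console.log(JSON.stringify(sanitizeToolResult(SAMPLE), null, 2));
```

Pattern matching only catches formats it has a rule for; a secret with no recognisable prefix passes through unchanged, which is why keeping secrets out of chat remains the first control.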
Are notifications privacy-safe?
Notifications respect team isolation:
- You see notifications for your team's data only
- Owner fan-out: owners see team members' notifications (by design)
- Email content sanitized for secrets (similar to Wavo)
External channels (Telegram, Slack) carry the notification text — review what you connect.
What if there's a security breach?
Wevion's incident response includes:
- Notification to affected customers per GDPR timeline (72 hours where applicable)
- Detail of what was exposed
- Recommended user actions (password change, token rotation, etc.)
- Investigation report
If you suspect a breach, report it to the security channel (typically security@wevion.ai; verify with admin).
Cookies + tracking?
Wevion uses cookies for:
- Session management (essential)
- Workspace state (essential)
- Analytics on Wevion product usage (consent-based)
See cookie consent banner on first visit + privacy policy.
Can I get a SOC 2 / ISO report?
For enterprise customers: contact sales for security documentation. Reports may include SOC 2 Type II, ISO 27001, penetration test summaries (depending on Wevion's current certifications).
FAQ
Where does Wevion store my data?
Wevion stores your data in its deployment region — typically an EU region for EU customers and a US region for US customers. Data residency is handled at the deployment level, and cross-border flow only happens for explicit third-party integrations you authorize, such as Meta APIs. Verify your specific region with your admin or Wevion support.
Who can see my data inside Wevion?
Wevion enforces strict team isolation: your team's data is visible only to authorized users in your team per RBAC, and other teams cannot see it. Broader visibility within a team is limited to super_admin and owner roles, with admin, manager, mediabuyer, finance, and viewer each scoped by the role hierarchy.
Does Wevion sell or share my data?
No — Wevion does not sell customer data. It only shares data with integrations you explicitly authorize, such as ad platforms to manage your ads, Stripe for payments, your email provider for notifications, AI model providers for Wavo, and Telegram or Slack when you connect them. Each integration uses authorized scopes only.
How does Wevion store my passwords and tokens?
Wevion hashes passwords, signs session JWTs with EdDSA (1-hour expiry, refreshed hourly), and hashes API keys and 2FA backup codes. Because these are hashed, Wevion staff cannot read your password directly. Full API key values are shown only once, at creation.