Wavo and your data — what it sees

Wavo sees ONLY your team's data (team_id-scoped). Row-level RBAC per tool. Strategic context cached 5 min. Never fabricates. Output sanitizes secrets.

Written By Salvatore Sinigaglia

Last updated About 1 hour ago

Wavo sees ONLY your team's data (team_id-scoped). Row-level RBAC per tool. Strategic context cached 5 min. Never fabricates. Output sanitizes secrets.

Wavo and your data — what it sees

Wavo sees your team's data only — strictly scoped by team_id via resolveToolDataScope(ctx) in apps/backend/src/services/chat/chat-tool-handlers.ts. Per-tool RBAC enforces role hierarchy. Strategic context cached 5 min (STRATEGIC_CONTEXT_CACHE_TTL_MS=300000). Wavo never fabricates metrics — always cites the tool that produced the number. Output sanitization strips secrets before display.

Who is this for

Anyone wondering "can Wavo see my private data?" or "why doesn't Wavo know about my other workspace?"

What Wavo sees

Your team's data

  • Campaigns, ad sets, ads: performance tools read whatever platforms you've connected and synced (data is queried by platform, not limited to a fixed list). Coverage per tool varies — some tools (for example audience insights) currently support a subset of platforms (Meta, Google, TikTok, Taboola, Snapchat)
  • Performance metrics (spend, impressions, clicks, ROAS, CPA, etc.)
  • Audiences + demographics
  • Rules + automation history
  • Creative Hub files (subject to your RBAC visibility)
  • Tracker data (if integrated)
  • Project memory facts (per-project, max 20)
  • Conversation history (last 20 messages)

Static platform knowledge

  • Wevion feature overview (embedded in system prompt)
  • Common workflows (campaign launch, rule setup, etc.)
  • Not company-internal data — generic platform docs

Your preferences

user_ai_preferences (per user):

  • instructions (custom user-level instructions)
  • preferred_language (default auto — matches input)
  • preferred_model
  • tone, response_format
  • metrics[] (your priority KPI list)
  • currency
  • memory_enabled / memory_opted_out_at

What Wavo does NOT see

Other teams' data

Hard team isolation. Cannot cross workspace boundaries.

Other users' personal data

Wavo sees:

  • Your name + role
  • Your preferences

Wavo does not see:

  • Other users' chat histories
  • Other users' preferences
  • Other users' personal info

Exception: when you share a session (ai-106), the recipient can read it.

Sensitive system data

  • Encryption keys / secrets
  • DB connection strings
  • Internal admin actions

These are explicitly redacted by chat-security.ts sanitizeToolOutput() if they accidentally surface in tool output.

Wavo doesn't have live internet access by default. It can:

  • Call web_search tool when needed
  • Otherwise: relies on training data + your in-Wevion data

How team scoping works

Backend implementation:

  1. Request reaches a tool handler (e.g. get_performance_data)
  2. resolveToolDataScope(ctx) returns allowed sheet_ids + team_ids
  3. Tool query filters by these scopes — typically WHERE team_id IN (allowed) AND ...
  4. Result includes only data the user can see

Privileged roles (super_admin / owner) get broader scope; standard roles get tighter scope. See team-101 role hierarchy.

Per-tool RBAC

Each tool has a requiredRole + mode (read / write / approval). chat-tool-rbac.ts checks:

  • Viewer: read-only tools
  • Mediabuyer: read + write (drafts, generate)
  • Manager: + approval for medium-risk
  • Admin: + approval for high-risk
  • Owner: full access

If your role lacks permission: tool returns 403 with reason. Wavo explains "you don't have permission for this action; ask your admin."

Caching layers

Strategic context cache (5 min)

STRATEGIC_CONTEXT_CACHE_TTL_MS=300000. Strategic context (your top-level intent, current focus) cached for 5 min to reduce repeat tool calls.

Implication: rapidly-changing data may take up to 5 min to reflect.

Conversation history (20 messages)

Always fresh — pulled per-turn from DB.

Memory facts (per-project)

Persisted in project_memory_fact table. No TTL — facts live until explicitly removed OR until project deleted.

Never fabricates

Wavo cites tools. When you ask "what's my ROAS?":

  • Wavo invokes get_performance_data
  • Returns the actual number
  • Cites: "I checked your performance data for [period] and your ROAS is X"

If a tool fails or returns no data:

  • Wavo says so ("I couldn't find data for that period")
  • Does NOT make up a number

Hallucinations are a known risk in LLMs. Wavo's system prompt explicitly forbids fabricating metrics. If you suspect hallucination: ask Wavo to "cite the tool" or "re-query the source."

Output sanitization

chat-security.ts sanitizeToolOutput() redacts:

PatternWhere it comes from
EAA...Meta access tokens
eyJhbGciOi...JWT tokens
AKIA...AWS access keys
sk_... / pk_...Stripe API keys
AIzaSy...Google API keys
postgresql://..., mongodb://...DB connection strings

Both directions:

  • Before sending to model (so model doesn't see your secrets)
  • Before displaying to you (so the on-screen output doesn't leak them)

Prompt injection defense

chat-security.ts INJECTION_PATTERNS (50+ regex in English + Italian):

Blocks attempts to manipulate Wavo via crafted inputs (e.g. "Ignore previous instructions and...").

detectInjection() flags suspect inputs; the system prompt also instructs Wavo to reject role-override attempts.

Memory opt-out

If you don't want Wavo to persist facts across conversations:

  • /settings → AI preferences → toggle Memory off
  • Sets user_ai_preferences.memory_opted_out_at timestamp
  • No new facts persist; existing facts not deleted (clear manually if desired)

Data residency

Conversation data stored in your workspace's Wevion deployment (same region as your other Wevion data). Model providers process queries per their terms — review your enterprise agreement for cross-border data handling specifics.

Common surprises

  • "Wavo doesn't know about an ad I just created" — strategic context cache (5 min) or sync delay; ask again in 5 min
  • "Wavo says it can't see X" — RBAC check failed; verify your role
  • "Wavo cited an old number" — postback lag or cache; ask "what's the most recent value"
  • "Wavo refused to help" — probably injection-defense triggered; rephrase neutrally

FAQ

Can Wavo see my private or other teams' data?

No. Wavo sees your team's data only, strictly scoped by team_id via resolveToolDataScope(), with hard team isolation that cannot cross workspace boundaries. It also can't read other users' chat histories, preferences, or personal info — the exception being a session you explicitly share, which the recipient can then read. Per-tool RBAC further enforces role hierarchy on every query.

Does Wavo ever make up metrics?

No. Wavo never fabricates numbers — it always cites the tool that produced the value. When you ask for ROAS, it invokes get_performance_data and reports the actual figure with a citation. If a tool fails or returns no data, Wavo says so rather than inventing a number. Its system prompt explicitly forbids fabricating metrics; you can ask it to "cite the tool" to verify.

How does Wavo protect secrets in its output?

Wevion's sanitizeToolOutput() in chat-security.ts redacts sensitive patterns in both directions — before sending to the model and before displaying to you. It strips Meta access tokens (EAA...), JWTs, AWS keys (AKIA...), Stripe keys (sk_.../pk_...), Google API keys (AIzaSy...), and database connection strings, so secrets that accidentally surface in tool output never leak on screen.

Why doesn't Wavo know about an ad I just created?

Likely the strategic context cache, which holds for 5 minutes (STRATEGIC_CONTEXT_CACHE_TTL_MS=300000), or a sync delay. Rapidly-changing data can take up to 5 minutes to reflect, so ask again shortly. By contrast, conversation history is always pulled fresh per-turn from the database, and project memory facts persist with no TTL until removed.

Can I stop Wavo from remembering things across conversations?

Yes. Go to /settings → AI preferences and toggle Memory off, which sets your user_ai_preferences.memory_opted_out_at timestamp. After that, no new facts persist. Existing facts aren't deleted automatically, so clear them manually if you want them gone. This memory opt-out is per user and controls only cross-conversation fact persistence.

FAQ

Can Wavo see my private or other teams' data?

No. Wavo sees your team's data only, strictly scoped by team_id via resolveToolDataScope(), with hard team isolation that cannot cross workspace boundaries. It also can't read other users' chat histories, preferences, or personal info — the exception being a session you explicitly share, which the recipient can then read. Per-tool RBAC further enforces role hierarchy on every query.

Does Wavo ever make up metrics?

No. Wavo never fabricates numbers — it always cites the tool that produced the value. When you ask for ROAS, it invokes getperformancedata and reports the actual figure with a citation. If a tool fails or returns no data, Wavo says so rather than inventing a number. Its system prompt explicitly forbids fabricating metrics; you can ask it to "cite the tool" to verify.

How does Wavo protect secrets in its output?

Wevion's sanitizeToolOutput() in chat-security.ts redacts sensitive patterns in both directions — before sending to the model and before displaying to you. It strips Meta access tokens (EAA...), JWTs, AWS keys (AKIA...), Stripe keys (sk.../pk...), Google API keys (AIzaSy...), and database connection strings, so secrets that accidentally surface in tool output never leak on screen.

Why doesn't Wavo know about an ad I just created?

Likely the strategic context cache, which holds for 5 minutes (STRATEGICCONTEXTCACHETTLMS=300000), or a sync delay. Rapidly-changing data can take up to 5 minutes to reflect, so ask again shortly. By contrast, conversation history is always pulled fresh per-turn from the database, and project memory facts persist with no TTL until removed.

Can I stop Wavo from remembering things across conversations?

Yes. Go to /settings → AI preferences and toggle Memory off, which sets your useraipreferences.memoryoptedout_at timestamp. After that, no new facts persist. Existing facts aren't deleted automatically, so clear them manually if you want them gone. This memory opt-out is per user and controls only cross-conversation fact persistence.

Steps

  1. Request reaches a tool handler (e.g. getperformancedata)
  2. resolveToolDataScope(ctx) returns allowed sheetids + teamids
  3. Tool query filters by these scopes — typically WHERE team_id IN (allowed) AND ...
  4. Result includes only data the user can see

Last updated: 2026-05-17