Wax Privacy Policy
Last updated: May 19, 2026 · Effective date: May 19, 2026
This Privacy Policy explains how Angelo Cecco, a sole proprietor doing business as "Wax" ("Wax," "we," "us," or "our"), collects, uses, shares, and protects information when you use the Wax mobile application and any related services (collectively, the "Service"). It also explains the choices and rights you have regarding your information.
If you have any questions, contact us at legal@waxmusic.app.
Quick summary. We collect the information you provide when you sign up, build your profile, and rank albums. We use it to run the Service, show your activity to people who follow you, and improve how Wax works. We do not sell or share your personal information for advertising. Wax does not show ads. Your feed is shown in chronological order — we do not use engagement-based algorithms to manipulate what you see. The rest of this policy explains the details.
1. Who We Are
The "controller" of your personal information (for purposes of the EU/UK General Data Protection Regulation) and the "business" that determines the purposes and means of processing (for purposes of California law) is:
Angelo Cecco, sole proprietor, doing business as "Wax"
Contact: legal@waxmusic.app
Because Wax is currently operated by an individual rather than a registered entity, the operator is personally responsible for compliance with this Privacy Policy.
2. Scope
This Privacy Policy applies to information we collect through the Wax mobile application and any related online services we provide. It does not apply to third-party services you may access through Wax, such as Spotify, Apple, or Google, which are governed by their own privacy policies.
3. Information We Collect
3.1 Information you provide to us
Account information. When you create an account, we collect your email address and a password (which is stored only in hashed form by our authentication provider). If you sign in using "Sign in with Apple" or "Sign in with Google," we receive a unique identifier and the email address you authorize Apple or Google to share with us.
Profile information. We collect your display name, username, and any optional information you add to your profile, such as a biography, website link, or profile photo.
User content. We collect the content you create and submit through the Service, including album rankings, star ratings, written notes about albums, comments, reactions (likes), items saved to your "Listen Later" list, and the people you choose to follow.
Communications. If you contact us by email or otherwise, we collect the information you provide, including your email address and the contents of your message.
3.2 Information collected automatically
Device and technical information. When you use the Service, we automatically receive limited technical information, including your device type, operating system and version, app version, language settings, and IP address (typically only at the time of authentication and database requests, through our backend provider).
Usage information. Our backend systems log records of actions you take in the Service, such as when you create a ranking, edit a profile, or follow another user. We use these logs to operate and debug the Service.
Local storage on your device. The Wax app stores certain information locally on your device using AsyncStorage so the app can work offline and load quickly. This includes your cached ranked list, profile information, listen-later list, an onboarding-completion flag, and your notification preference. Local storage data is on your device and not transmitted to us unless and until it is synced with our backend.
3.3 Information we receive from third parties
Apple Sign In. If you choose Apple Sign In, Apple sends us a unique identifier and, depending on your Apple privacy settings, your name and either your real email address or a private relay address.
Google Sign In. If you choose Google Sign In, Google sends us a unique identifier, your email address, and your name as it appears on your Google account.
Spotify. Wax uses Spotify's public catalog API on a server-to-server basis (using Spotify's Client Credentials flow) to look up album metadata, cover art, and track listings. We do not receive any personal information about you from Spotify, and we do not share information about you with Spotify, except to the extent that you choose to follow a link out of Wax to a Spotify property.
We do not currently use third-party analytics, advertising, attribution, or marketing SDKs in the app.
3.4 What we do not collect
- We do not collect or process payment card or bank account information. When we launch premium subscriptions, payments will be processed entirely by Apple In-App Purchase, and Wax will not see your payment details.
- We do not collect precise geolocation data.
- We do not collect health data, biometric identifiers, or other special-category data under GDPR.
- We do not access your contacts, photo library (except for the specific image you choose to upload as a profile photo), microphone, or camera.
4. How We Use Information
We use the information described above for the following purposes:
To provide the Service. Creating and securing your account, displaying your profile, saving your rankings, running the head-to-head ranking algorithm, showing your activity to people who follow you, loading your feed, delivering comments and reactions, and syncing your data between your device and our backend.
To operate, maintain, and improve the Service. Debugging, monitoring performance, fixing errors, developing new features, and understanding how the Service is used in aggregate.
To communicate with you. Sending transactional messages (such as password resets, security alerts, and important changes to the Service or these policies) and responding to your inquiries.
To enforce our terms and protect users. Investigating and addressing violations of our Terms of Service, fraud, abuse, harassment, or other harmful conduct, and protecting the rights and safety of Wax and our users.
To comply with law. Meeting our legal obligations, responding to lawful requests from authorities, and exercising or defending legal claims.
We do not use your information to serve advertising, build advertising profiles, or train third-party advertising or recommendation systems.
5. Legal Bases for Processing (EEA/UK Users)
If you are in the European Economic Area or the United Kingdom, our legal bases for processing your personal information are:
Performance of a contract (Article 6(1)(b) GDPR), to provide the Service you have signed up for — for example, hosting your rankings and showing them on your profile.
Legitimate interests (Article 6(1)(f) GDPR), for purposes such as securing and improving the Service, preventing abuse, and operating our business. We balance these interests against your rights and freedoms.
Consent (Article 6(1)(a) GDPR), where required — for example, for optional features that require explicit permission. You may withdraw your consent at any time.
Compliance with legal obligations (Article 6(1)(c) GDPR), for example to respond to lawful requests or to retain certain records.
Where we rely on legitimate interests, you have the right to object to that processing as described in Section 11.
6. How We Share Information
We share information in the following limited circumstances:
6.1 With other users
Wax is a social service. The following information is visible to other users:
- Your username, display name, profile photo, biography, and website link on your public profile.
- Your rankings, ratings, written notes, the year and artist information of albums you rank, and the order of your ranked list, visible on your profile.
- Your comments and reactions on rankings, visible to other users who can see those rankings.
- The users you follow and who follow you, visible through follower and following lists.
- Your activity (new rankings, ratings, follows, and reactions) shown in the chronological feeds of users who follow you.
6.2 With service providers
We share information with third parties that help us run the Service, under contractual obligations to handle it on our behalf:
- Supabase, Inc. provides our authentication, database, and file storage infrastructure. Supabase processes account credentials, profile data, rankings, comments, reactions, follows, and profile photos on our behalf. Supabase's privacy policy is available at https://supabase.com/privacy.
- Apple and Google process authentication when you choose Sign in with Apple or Google. They also operate the App Store and Google Play distribution channels through which you obtain the app.
6.3 For legal and safety reasons
We may disclose information to government authorities, law enforcement, or other third parties when we believe in good faith that disclosure is required by law, necessary to comply with a legal process, or necessary to investigate and prevent fraud, security issues, violations of our Terms of Service, or threats to the safety of any person.
6.4 In connection with a business transfer
If Wax is reorganized, merged, acquired, or its assets are sold (including in connection with the formation of a corporate entity to operate Wax), your information may be transferred to the successor entity. Any successor will be bound by this Privacy Policy or will provide you notice of any material change.
6.5 With your consent
We may share information for purposes not described in this Privacy Policy with your specific consent.
6.6 Aggregated or de-identified data
We may share information that has been aggregated or de-identified so that it can no longer reasonably be used to identify you.
We do not sell your personal information. We do not share your personal information with third parties for their own marketing or advertising purposes. We do not engage in "cross-context behavioral advertising" or "targeted advertising" as those terms are defined under California, Virginia, Colorado, Connecticut, and similar state privacy laws.
7. International Data Transfers
Wax is operated from the United States. Our primary service provider, Supabase, hosts our database, authentication, and storage infrastructure in the United States.
If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States, which may have data protection laws different from those of your country.
For transfers of personal information from the EEA, the United Kingdom, or Switzerland to the United States, we rely on appropriate safeguards, including the Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum, where applicable), entered into between us and our service providers. You may request a copy of those clauses by contacting legal@waxmusic.app.
We have not appointed an EU or UK representative under Article 27 GDPR because the Service is currently in a small-scale test phase. If our processing of EU or UK personal information becomes regular and substantial, we will appoint a representative and update this Privacy Policy accordingly.
8. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. Specifically:
- Account and profile information is retained while your account is active.
- User content (rankings, notes, comments, reactions, follows, listen-later items) is retained until you delete it or your account.
- Local storage on your device persists until you delete the app or sign out, which clears the local data.
- Logs and backups may be retained for a limited additional period (typically up to 30 days for active logs and up to 90 days for backups) to support security, debugging, and disaster recovery.
When you delete your account, we will delete your personal information from active systems within a reasonable period and remove it from backups in the ordinary course. We may retain a minimal record of the deletion event and limited information necessary to comply with legal obligations, resolve disputes, or enforce our agreements.
User content that has been shared with other users (for example, comments on another user's ranking) may continue to be visible to those users even after you delete your account, because we cannot retrieve copies that have been viewed, screenshotted, or republished outside our systems.
9. Security
We take reasonable administrative, technical, and organizational measures to protect your information, including encryption in transit (HTTPS), access controls on our backend, hashed password storage through our authentication provider, and database-level row security policies that restrict access to your data.
No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at legal@waxmusic.app.
You are responsible for keeping your account credentials confidential and for any activity that occurs under your account.
10. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete it as soon as practicable.
If you reside in the European Economic Area, the United Kingdom, or another jurisdiction with a higher digital consent age, you must be at or above your local digital consent age (which may be 13, 14, 15, or 16, depending on jurisdiction) to use the Service. Below that age, the Service may only be used with verifiable parental consent.
If you are a parent or guardian and you believe your child has provided personal information without your consent, contact us at legal@waxmusic.app, and we will work with you to delete that information.
11. Your Choices and Rights
11.1 Choices available to all users
Update your profile. You can edit your display name, username, biography, website, and profile photo from the Settings screen in the Service.
Notifications. You can turn push notifications on or off from the Settings screen.
Delete content. You can delete individual rankings, comments, and reactions through the Service.
Delete your account. You can delete your account through the Settings screen, which initiates deletion of your personal information as described in Section 8.
Sign out. Signing out clears locally stored data on your device.
11.2 Your rights if you are in the EEA, the UK, or Switzerland
Subject to applicable law, you have the right to:
- Access your personal information and receive a copy of it.
- Rectify inaccurate or incomplete personal information.
- Erase your personal information ("right to be forgotten") in certain circumstances.
- Restrict our processing of your personal information.
- Object to processing based on our legitimate interests.
- Data portability — receive your personal information in a structured, commonly used, machine-readable format and transmit it to another controller.
- Withdraw consent at any time, where processing is based on consent (without affecting the lawfulness of processing before withdrawal).
- Lodge a complaint with a supervisory authority in the country of your habitual residence, place of work, or place of an alleged infringement.
To exercise these rights, contact us at legal@waxmusic.app. We may need to verify your identity before responding. We will respond within the time required by applicable law (generally one month under GDPR, extendable by two further months for complex requests).
11.3 Your rights if you are a California resident
Under the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), California residents have the following rights:
Right to know. You may request that we disclose (a) the categories of personal information we have collected about you; (b) the categories of sources from which we collected it; (c) the business or commercial purposes for collecting it; (d) the categories of third parties with whom we share it; and (e) the specific pieces of personal information we have collected about you.
Right to delete. You may request that we delete personal information we collected from you, subject to certain exceptions.
Right to correct. You may request that we correct inaccurate personal information we maintain about you.
Right to opt out of sale or sharing. You have the right to opt out of the "sale" or "sharing" of your personal information. We do not sell or share your personal information, as those terms are defined under the CCPA.
Right to limit use of sensitive personal information. You have the right to limit the use and disclosure of sensitive personal information. We do not collect or process sensitive personal information as defined under the CCPA for purposes that would trigger this right.
Right to non-discrimination. We will not discriminate against you for exercising any of these rights.
Categories of personal information collected in the past 12 months:
| CCPA Category | Examples |
|---|---|
| Identifiers | Email address, username, account ID, IP address |
| Customer records | Display name, profile photo, biography |
| Internet or other electronic network activity information | App usage logs, device type, app version |
| Audio, electronic, visual, or similar information | Profile photo you upload |
| Inferences (limited) | None drawn for advertising purposes |
Sources: directly from you; automatically from your device when you use the Service; from Apple or Google if you use Sign in with Apple or Google.
Business purposes: providing and operating the Service; security and fraud prevention; communicating with you; complying with law. See Section 4 for the full list.
Categories of third parties with whom we share: service providers (such as Supabase); identity providers (Apple, Google); other users to whom your profile is visible; legal and government authorities when required.
To exercise your California rights, contact us at legal@waxmusic.app. You may also designate an authorized agent to make a request on your behalf, subject to verification of the agent's authority. We will verify your identity by matching information you provide against information in our records, such as the email address associated with your account.
11.4 Your rights if you reside in another U.S. state with a comprehensive privacy law
If you reside in Virginia, Colorado, Connecticut, Utah, or another U.S. state with a comprehensive consumer privacy law, you have rights similar to those described in Section 11.3, which may include the rights to access, correct, delete, obtain a copy of, and opt out of certain processing of your personal information. To exercise these rights, contact us at legal@waxmusic.app.
12. Do Not Track and Global Privacy Control
Some browsers and devices transmit "Do Not Track" or Global Privacy Control ("GPC") signals. Because we do not engage in cross-context behavioral advertising and do not "sell" or "share" personal information as defined under applicable law, these signals do not change how we process your information. We will continue to honor opt-out rights as described in Section 11.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Service or by email to the address associated with your account at least 7 days before the changes take effect, except where immediate changes are required by law. The "Last updated" date at the top of this Privacy Policy indicates when the most recent changes were made. Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.
14. App Store Privacy Disclosures
Information we provide to Apple's App Store and (in the future) Google Play about our data practices through their respective privacy questionnaires is intended to be consistent with this Privacy Policy. If you notice any discrepancy, this Privacy Policy is the more detailed source — please let us know so we can correct any inconsistency.
15. Contact Us
If you have any questions, requests, or concerns about this Privacy Policy or our handling of your information:
Email: legal@waxmusic.app
Operator: Angelo Cecco, sole proprietor, doing business as "Wax"