Privacy Policy

2.1 Personal Information

When you create an account and use Waterfall, we collect:

• Account Information: Email address, name (when provided through OAuth providers)
• Authentication Data: OAuth tokens from Google or Microsoft, or password hashes for email authentication
• User Identifiers: Unique user IDs for service functionality
• Usage Metadata: Session information, feature usage patterns, timestamp data

2.2 Excel and Spreadsheet Data

When you use Waterfall to interact with your spreadsheets:

• Temporary Processing: Excel data you work with is processed temporarily to execute your requested operations
• No Persistent Storage: We do not store the contents of your spreadsheets, formulas, or cell values on our servers beyond the immediate processing required to fulfill your requests
• Prompt Metadata Only: We retain only necessary metadata about requests (such as timestamp, request type, token usage) but not the actual content of your prompts or spreadsheet data

2.3 Automatically Collected Information

We automatically collect certain information about your device and usage:

• Technical Data: Browser type, operating system, device type
• Log Data: IP address (for security purposes only), error logs, performance metrics
• Session Information: Login times, feature access patterns, session duration

3.1 Service Provision

• To authenticate your account and maintain your session
• To process your Excel operations and AI-assisted requests
• To maintain user isolation and ensure data security
• To provide customer support and respond to inquiries

3.2 Service Improvement

• To monitor and improve Service performance
• To debug issues and ensure reliability
• To understand usage patterns and optimize features
• To ensure API rate limiting and resource management

3.3 Legal and Security

• To comply with legal obligations
• To protect against fraudulent or illegal activity
• To enforce our terms of service
• To maintain the security and integrity of the Service

4.1 Processing Locations

Your information is processed at our operational facilities and through our third-party service providers:

• Primary Processing: United Kingdom & European Union
• Cloud Services: May involve processing in other regions where our service providers operate, including the United States

4.2 Data Retention

• Account Information: Retained for the duration of your account and as required by law
• Authentication Tokens: Refreshed periodically and deleted upon logout
• Metadata and Logs: Retained for up to 90 days for security and debugging purposes
• Spreadsheet Data: Not persistently stored; processed only in memory during active operations

4.3 No Logging of Prompts

We do not log or store the specific content of your prompts, Excel formulas, or spreadsheet data on Waterfall servers. Only essential metadata required for service operation is retained.

5.1 Third-Party Service Providers

We share information with service providers who assist in operating our Service:

• Authentication Providers: Supabase for authentication services (subject to their privacy policy and Data Processing Addendum)
• AI Processing:
  • Google Cloud (Vertex AI): Processes data under Google's Cloud Data Processing Addendum with confidentiality obligations
  • AWS (Bedrock): Does not store or log prompts/completions; processes data under AWS Data Processing Addendum
• Code Execution: E2B for secure Python code execution in sandboxed environments
• Infrastructure: Cloud hosting providers for service delivery

These service providers process data according to their respective privacy policies and data processing agreements. We have selected providers that maintain appropriate security and confidentiality standards. Specifically:

• Google Cloud and AWS have formal data processing addendums with confidentiality provisions
• AI providers do not use your prompts or outputs to train their models
• Data is encrypted in transit and at rest by our service providers

5.2 No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

5.3 Legal Disclosure

We may disclose your information if required to do so by law or in response to valid legal requests, including:

• Court orders or subpoenas
• Government agency requests
• To protect our rights, property, or safety
• To prevent fraud or illegal activity

6.1 Security Measures

We implement industry-standard security measures including:

• Encryption: Data transmitted between your device and our servers is encrypted using TLS/SSL
• Authentication: Secure authentication via OAuth 2.0 or encrypted password storage
• Access Controls: User isolation ensuring your data is accessible only to you
• Regular Audits: Security reviews and updates to maintain protection

6.2 Security Limitations

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to notifying you of any data breaches as required by applicable law.

7.1 Access and Control

You have the right to:

• Access: Request information about the personal data we hold about you
• Correction: Update or correct inaccurate personal information
• Deletion: Request deletion of your personal data, subject to legal requirements
• Portability: Receive your personal data in a structured, machine-readable format
• Object: Object to certain types of processing of your personal data

7.2 Account Management

• You can update your account information through the Service settings
• You can delete your account by contacting us at support@getwaterfall.ai
• You can revoke OAuth permissions through your Google or Microsoft account settings

7.3 Communication Preferences

You can opt-out of non-essential communications by:

• Updating your preferences in account settings
• Following unsubscribe links in our emails
• Contacting us directly

9.1 Legal Basis for Processing

We process personal data under the following legal bases:

• Contract: Processing necessary to perform our services
• Consent: Where you have given explicit consent
• Legitimate Interests: For service improvement and security
• Legal Obligations: To comply with applicable laws

9.2 Your GDPR Rights

If you are in the European Economic Area or United Kingdom, you have additional rights including:

• Right to lodge a complaint with your local supervisory authority
• Right to withdraw consent where processing is based on consent
• Right to restriction of processing in certain circumstances
• Enhanced rights regarding automated decision-making

15.1 Office Add-in Specific Data Handling

When using Waterfall as an Excel Add-in:

• The add-in operates within the Microsoft Office environment
• Excel data is processed locally within your Office application when possible
• Only data necessary for AI processing is temporarily transmitted to our servers
• We do not access or store your broader Microsoft 365 data beyond what you explicitly share through the add-in

15.2 Compliance Certifications

Waterfall is committed to maintaining compliance with:

• UK General Data Protection Regulation (UK GDPR)
• EU General Data Protection Regulation (EU GDPR)
• California Consumer Privacy Act (CCPA)
• Industry standard security practices

15.3 Data Processing Agreement

Enterprise customers requiring a Data Processing Agreement (DPA) may contact us at support@getwaterfall.ai