Data protection practice
Personal data is infrastructure. Handle it like a utility.
- Primary regulations: GDPR · CPRA · UK DPA 2018
- Data controller: Wavestar Holdings LLC
- DPO: dpo@wavestar.space
- Standard response: 30 days (GDPR) · 45 days (CPRA)
Lawful basis
Every processing activity has a documented basis.
Article 6 lawful bases · by processing activity
- Contract (Art. 6(1)(b)) · Operator and member onboarding, provisioning did:orbit credentials, settlement, invoicing, and account management.
  Primary basis for direct contractual processing with members.
- Legal obligation (Art. 6(1)(c)) · BSA/AML record-keeping, SAR filing, Travel Rule data retention, tax reporting, sanctions screening, and regulator information requests.
  Retention periods are set by the applicable statute, typically five years past relationship end.
- Legitimate interest (Art. 6(1)(f)) · Fraud prevention, platform security, aggregate analytics, and direct business communications with enrolled members.
  Balanced against data-subject rights; documented in a Legitimate Interest Assessment.
- Consent (Art. 6(1)(a)) · Non-essential website cookies, marketing communications, and opt-in research studies.
  Freely given, specific, informed, and unambiguous; withdrawable at any time without detriment.
- Public interest (Art. 6(1)(e)) · Reserved for processing connected to the Orbital Interchange Foundation's protocol governance where applicable.
  Not currently active.
- Vital interests (Art. 6(1)(d)) · Reserved for narrowly defined safety-of-life situations.
  Not relied on for commercial processing.
Core principles
Six principles. Applied always.
- 01 · Lawfulness, fairness, transparency
  Every data subject is informed of processing purposes, legal bases, retention periods, and rights at the point of collection. Privacy notices are reviewed annually and versioned.
- 02 · Purpose limitation
  Data collected for clearing, settlement, and regulatory compliance is not repurposed for unrelated product experimentation or external marketing without a new lawful basis.
- 03 · Data minimisation
  We collect only the fields necessary for the stated purpose. Free-text fields are replaced by typed enumerations wherever feasible. Fields without a consumer are deprecated.
- 04 · Accuracy
  Members may update their own records through the Terminal. Compliance-owned records are reviewed on each CDD refresh and on any rectification request.
- 05 · Storage limitation
  Retention schedules are set per data class, with BSA/AML fields held five years past relationship end and non-statutory operational telemetry held 24 months.
- 06 · Integrity and confidentiality
  TLS 1.3 for all transit. AES-256-GCM for storage at rest. Role-based access control on every data store, audited quarterly. Personal data is segregated from registry telemetry.
Data Subject Rights
How to exercise your rights.
Rights · response window
- Right of access · GDPR Art. 15 · CCPA §1798.110 · 30 days (GDPR) · 45 days (CCPA)
  Receive a copy of the personal data held about you and information on processing purposes, recipients, and retention.
- Right to rectification · GDPR Art. 16 · 30 days
  Correct inaccurate or incomplete personal data held about you.
- Right to erasure ('right to be forgotten') · GDPR Art. 17 · CCPA §1798.105 · 30 days (GDPR) · 45 days (CCPA)
  Limited by our BSA/AML and tax-record retention obligations; we will delete where no statutory retention applies.
- Right to restrict processing · GDPR Art. 18 · 30 days
  Pause processing while a dispute is resolved; data is retained but not used.
- Right to data portability · GDPR Art. 20 · 30 days
  Receive your data in a structured, commonly used, machine-readable format.
- Right to object · GDPR Art. 21 · 30 days
  Object to legitimate-interest or direct-marketing processing.
- Right to opt out of sale or sharing · CCPA §1798.120 · 15 days to honour
  We do not sell personal data. We provide a clear opt-out where applicable.
- Right to correct (CPRA) · CPRA §1798.106 · 45 days
  Correct inaccurate personal data held about you.
Breach response
72 hours to supervisory authority. No delay.
Under GDPR Article 33, personal-data breaches that are likely to result in a risk to the rights and freedoms of natural persons are notified to the competent supervisory authority within 72 hours of our becoming aware of them. Where the risk is high, affected data subjects are notified without undue delay under Article 34. CCPA/CPRA breach notifications follow California Civil Code §1798.82. Our incident response runbook distinguishes between a security incident, a personal-data incident, and a material-risk personal-data incident at the point of detection, with pre-drafted notification templates for each.
DPO
The Data Protection Officer.
Wavestar has appointed a Data Protection Officer under GDPR Article 37, independently reporting to the Audit Committee. The DPO is the contact point for data subjects, supervisory authorities, and internal teams on any privacy matter, and oversees Data Protection Impact Assessments, Records of Processing Activities, and data-transfer-impact assessments for international transfers.
DPO contact
- Name: Data Protection Officer
- Email: dpo@wavestar.space
- Postal: Wavestar Holdings LLC, Attn: DPO, Wyoming, USA
- Office hours: Monday–Friday · 09:00–18:00 US Eastern
- Escalation: Acknowledged within four business hours
Exercise your rights
Submit a data-subject request.
Access, rectification, erasure, and portability requests can be submitted via email to the Data Protection Officer. Requests are authenticated before any personal data is released.