Privacy Policy
Last updated: April 2026
1. Overview
Intiwave Inc. ("Intiwave", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (intiwave.com), use our mobile application, or interact with our products and services.
This Policy applies to all users worldwide and addresses specific regulatory requirements including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and other applicable data protection laws.
2. Information We Collect
We may collect the following types of information:
**Account Information**: Email address (or alias), password hash, and optional display name when you create an account. We do not require your real name.
**Purchase Information**: Shipping address, phone number, and order details when you make a purchase. Payment card details are processed exclusively by our third-party payment processors and are never stored on our servers.
**Usage Data**: Aggregated, non-identifying information about how you interact with our app and website, including content category preferences, session frequency, and feature usage.
**Device & Connection Data**: Device type, operating system version, Bluetooth connection status, and hardware pairing tokens when using our products. Bluetooth data is used solely for device communication and is not transmitted to our servers.
**Analytics Data**: Anonymized, aggregated usage patterns collected to improve product quality and performance.
3. Sensitive Personal Information
**Important Notice**: Given the nature of our products, certain usage data — such as device activation frequency, session duration, and content category preferences — may be considered data concerning your "sex life" under the GDPR (Article 9), "sensitive personal information" under the CCPA/CPRA, or "reproductive and sexual health data" under the VCDPA.
**How we handle this data**:
• **Local-first processing**: All sensory interaction data (haptic computations, audio synchronization, real-time device control) is processed entirely on your device. This data never leaves your phone.
• **Minimal collection**: We collect only aggregated usage metrics (e.g., "3 sessions this week, average 12 minutes") for product improvement. We do not collect or store the specific content you engage with, device intensity settings, or real-time interaction patterns.
• **Explicit consent**: Before collecting any usage analytics, we request your explicit, informed consent through a clear in-app prompt. You may withdraw consent at any time through Settings → Privacy → Data Preferences.
• **No profiling**: We do not use sensitive data to build behavioral profiles, serve targeted advertising, or make automated decisions about you.
4. How We Use Your Information
We use the information we collect to:
• Provide, operate, and maintain our products and services
• Process transactions and send order-related communications
• Send promotional communications (only with your opt-in consent)
• Improve and personalize your experience through anonymized analytics
• Generate content recommendations (processed on-device using local models)
• Comply with legal obligations
• Protect against fraudulent or unauthorized activity
• Respond to your support requests
5. Data Sharing & Third Parties
We do not sell your personal information to third parties. We will never sell data concerning your sex life or sexual health.
We may share limited information with:
• **Payment processors** (e.g., CCBill, Apple, Google) — to process transactions. They receive only the data necessary to complete your purchase.
• **Shipping partners** — name and address only, to deliver hardware orders. Shipments use discreet packaging with no product descriptions visible.
• **Infrastructure providers** — encrypted data hosted on servers with SOC 2 Type II certification.
• **Legal authorities** — only when required by law, court order, or to protect vital interests.
All third-party service providers are bound by Data Processing Agreements (DPAs) and are prohibited from using your data for their own purposes.
6. Data Security
We implement industry-leading security measures:
• **In transit**: TLS 1.3 for all web and API communications
• **At rest**: AES-256-GCM encryption for server-side data storage
• **Bluetooth**: Encrypted BLE connections using LE Secure Connections with AES-CCM
• **Client-side**: Sensitive tokens stored in iOS Keychain / Android Keystore
• **Authentication**: bcrypt password hashing, optional two-factor authentication
• **Infrastructure**: Regular third-party security audits and a vulnerability disclosure program
No method of transmission over the Internet is 100% secure. If you become aware of any security incident, please contact security@intiwave.com immediately.
7. Data Retention
We retain your data only as long as necessary:
• **Account data**: Retained while your account is active; deleted within 30 days of account deletion request.
• **Purchase records**: Retained for 7 years for tax and legal compliance.
• **Usage analytics**: Aggregated data retained for 24 months, then permanently anonymized.
• **Support communications**: Retained for 3 years after resolution.
• **Marketing consent records**: Retained for the duration of consent plus 3 years.
You may request earlier deletion at any time (see "Your Rights" below).
8. Your Rights — EEA, UK & Switzerland (GDPR)
If you are located in the European Economic Area, UK, or Switzerland, you have the following rights under the GDPR:
• **Right of Access** (Art. 15): Obtain a copy of all personal data we hold about you.
• **Right to Rectification** (Art. 16): Correct inaccurate or incomplete data.
• **Right to Erasure** (Art. 17): Request deletion of your personal data ("right to be forgotten").
• **Right to Restrict Processing** (Art. 18): Limit how we process your data in certain circumstances.
• **Right to Data Portability** (Art. 20): Receive your data in a structured, machine-readable format.
• **Right to Object** (Art. 21): Object to processing based on legitimate interests.
• **Right to Withdraw Consent**: Withdraw consent for sensitive data processing at any time without affecting the lawfulness of prior processing.
• **Right to Lodge a Complaint**: File a complaint with your local Data Protection Authority.
**Legal Bases**: We process personal data under: (a) your explicit consent (sensitive data), (b) contract performance (purchases, account), (c) legitimate interests (security, fraud prevention), and (d) legal obligations (tax records).
To exercise any right, contact dpo@intiwave.com. We will respond within 30 days.
9. Your Rights — California (CCPA/CPRA)
If you are a California resident, you have the following rights:
• **Right to Know**: Request details about the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the third parties with whom we share it.
• **Right to Delete**: Request deletion of your personal information.
• **Right to Correct**: Request correction of inaccurate information.
• **Right to Limit Use of Sensitive Personal Information**: Direct us to limit our use of sensitive personal information (including data concerning sex life) to what is necessary to perform our services.
• **Right to Opt-Out of Sale/Sharing**: We do not sell or share your personal information for cross-context behavioral advertising.
• **Right to Non-Discrimination**: We will not discriminate against you for exercising any of these rights.
To exercise any right, email privacy@intiwave.com or use the in-app privacy controls. We will respond within 45 days.
10. Your Rights — Virginia (VCDPA)
If you are a Virginia resident, you have additional rights regarding reproductive and sexual health data under the Virginia Consumer Data Protection Act:
• We will not process your reproductive or sexual health data without your specific, informed consent.
• You have a private right of action if your reproductive or sexual health data is processed in violation of the VCDPA.
• You may access, correct, delete, or obtain a portable copy of your data.
To exercise any right, contact privacy@intiwave.com.
12. Age Restrictions
Our products and services are intended exclusively for adults aged 18 and older. We do not knowingly collect personal information from individuals under 18. If we become aware that we have inadvertently collected information from a minor, we will promptly delete it and terminate the associated account.
13. International Transfers
Your data may be transferred to and processed in the United States or other countries. For transfers from the EEA/UK, we rely on:
• **Standard Contractual Clauses (SCCs)** approved by the European Commission
• **UK International Data Transfer Agreement** addendum where applicable
We ensure all transfers are subject to appropriate safeguards and that your data receives an equivalent level of protection.
14. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via email (if you have an account) and by posting a prominent notice on our website at least 15 days before the changes take effect.
15. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights:
**General Privacy**: privacy@intiwave.com
**Data Protection Officer**: dpo@intiwave.com
**Security Issues**: security@intiwave.com
**Postal Address**: Intiwave Inc., [Address to be updated upon incorporation]
For EEA residents, our EU representative can be contacted at eu-representative@intiwave.com.