Privacy Notice

1. Who We Are

Lee Tagg Pty Ltd ATF Tagg Family Trust (ABN 63 193 632 093, T/A The Mix Bus) ("we", "us", or "our") is the data controller responsible for the personal data you provide when using our service at https://waveplan.live. We are registered and located in Australia.

This privacy notice provides information about how we collect, use, and protect your personal data when you use WavePlan.

Contact: privacy@themixbus.com.au | PO BOX 57, Mount Nebo 4520 Queensland Australia

If you have questions about how we handle your data or wish to exercise your rights, please use the contact details above.

2. Personal Data We Collect

We collect only the minimum data required to operate, secure, and deliver our service. Data collection is strictly purpose-limited and falls into three categories:

• Account & Authentication Data: Full name, email address, and password (stored exclusively as a cryptographic hash)
• Technical & Session Data: IP address, browser/device user-agent strings, and framework session tokens
• Security & Infrastructure Logs: Authentication attempts, rate-limit triggers, threat indicators, and system health metrics (automatically generated)

Providing this data is necessary to fulfill our service contract. You cannot create or use an account without providing at least an email address and password. All other technical data is collected automatically as part of standard web infrastructure operation.

3. Why & How We Process Your Data

We process your personal data only for explicit, legitimate purposes:

We do not use your data for marketing, profiling, cross-site tracking, analytics, or any purpose unrelated to service delivery and security. We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

4. Data Retention & Account Lifecycle

We retain your personal data only as long as necessary to deliver our service, fulfill our contract, or comply with legal obligations.

Active Accounts

• Free-tier accounts: Data is retained while your account remains active and your storage usage stays within the free threshold.
• Paid subscription accounts: Data is retained while your subscription remains active. Billing and usage records are processed by Stripe under strict GDPR-compliant data processing agreements.

Downgrading to Free Tier

If your storage needs decrease below the free-tier threshold:

1. You may request or trigger a switch to the free subscription.
2. The downgrade takes effect at the end of your current billing period.
3. Once the billing cycle concludes, your account operates under free-tier rules.

Account Deletion (Right to Erasure)

Deletion is immediate and automated. When you initiate account deletion:

• Your recurring subscription is terminated effective immediately.
• Your personal data is anonymized or permanently purged from active systems within 24 hours.
• Encrypted infrastructure backups may retain residual data for up to 30 days for disaster recovery.

If you delete mid-cycle, you forfeit access to paid-tier features for the remainder of that period. Your right to delete is absolute and not contingent on your billing cycle.

Legal & Financial Record Retention

After account deletion, we may retain minimal, anonymized transaction records (e.g., invoice IDs, payment timestamps) for up to 7 years to comply with tax, accounting, or consumer protection laws. These records contain no usable personal data.

5. Security Measures

We implement technical and organizational measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

These include encryption for data in transit, secure credential storage, strict access controls, continuous security monitoring, and regular maintenance of our infrastructure. Detailed information about our security practices is available upon request.

• Automated threat detection, rate limiting, and intrusion monitoring
• Regular infrastructure updates and vulnerability patching

6. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Access a copy of the data we hold about you
• Rectify inaccurate or incomplete information
• Erase your data ("Right to be Forgotten")
• Restrict processing under specific legal conditions
• Data portability (receive your data in a structured, machine-readable format)
• Object to processing based on legitimate interests

7. Cookies & Essential Technologies

Our application uses only strictly necessary cookies and browser storage required to maintain your authenticated session, prevent cross-site request forgery (XSRF), and preserve application state.

These technologies are exempt from prior consent under the ePrivacy Directive and GDPR. We do not deploy analytics, advertising, social tracking, or any non-essential cookies.

8. Third Parties & Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing or commercial purposes. Data may only be processed by essential infrastructure providers (e.g., cloud hosting, CDN, payment processors) under strict GDPR-compliant Data Processing Agreements (DPAs).

9. Children's Privacy

WavePlan is designed for a general audience and is not specifically intended for minors. The platform does not include social features, external tracking, or data-sharing functionality.

If a minor chooses to use WavePlan, the same privacy protections, security measures, and data handling practices apply to their information as they do for all users.

We do not knowingly collect personal information from individuals under the age of 13, and if we learn that we have inadvertently collected such data, we will take steps to delete it.

If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at privacy@themixbus.com.au so we can take appropriate action.

10. International Data Transfers

Our primary infrastructure is hosted in Australia. To optimize performance, we route user accounts to servers in the geographic region closest to your location. If you access WavePlan from the European Economic Area (EEA) or United Kingdom, this may involve transferring your personal data outside these regions.

Whenever personal data is transferred outside the EEA or UK, we ensure an adequate level of protection through Standard Contractual Clauses (SCCs), UK-approved transfer mechanisms, or other GDPR-compliant safeguards. You may request details of the specific safeguards applied by contacting privacy@themixbus.com.au.

A summary of our Transfer Impact Assessment for data transfers to Australia is available upon request. Contact privacy@themixbus.com.au.

11. Complaints & Supervisory Authority

You have the right to lodge a complaint with a data protection authority if you believe your data has been processed in violation of applicable privacy laws.

• UK: Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint
• EU: Your national supervisory authority — edpb.europa.eu/about-edpb/about-edpb/members_en

We encourage you to contact us first at privacy@themixbus.com.au so we can resolve your concern directly.

12. Changes to This Notice

We may update this notice to reflect changes in our service, technical infrastructure, or legal requirements. Where changes significantly affect how we process your data, we will notify you via email or a prominent notice on our platform prior to implementation.