Privacy Policy
Effective Date: December 21, 2025 | Last Updated: December 21, 2025
1 Introduction
Welcome to Shockwave. We build AI-powered automation platforms that help service businesses capture, qualify, and convert leads through intelligent communication systems—without warehousing your customers' data in yet another proprietary silo.
Our Core Privacy Commitment
We designed Shockwave around data minimization. Unlike traditional software platforms that store customer data indefinitely in their own databases, we operate on a temporary operational data model where your existing CRM or Practice Management System remains the single source of truth. We process data to deliver automation—then it's gone from our systems within 30 days.
This Privacy Policy explains what information flows through our systems, what we temporarily process for operational purposes, and your rights regarding your data.
Questions? Contact us at [email protected]
2 Who This Policy Applies To
This policy covers three groups:
- Website Visitors — Anyone browsing shockwavehq.com
- Clients — Businesses subscribing to our automation services
- End Users — Your customers who interact with Shockwave-powered AI agents
Important Note for End Users: If you're texting or calling a business using Shockwave (such as a dental practice, HVAC company, or law firm), that business is the "data controller" responsible for your information. Shockwave processes data on their behalf as a "data processor." For questions about how that business uses your data, please contact them directly.
3 Our Data Architecture: Temporary Processing, Not Long-Term Storage
3.1 How We're Different
Most SaaS Platforms
Store customer data in proprietary databases indefinitely — you lose control, face lock-in, and increase breach exposure.
Shockwave's Approach
- Your CRM/PMS = Source of Truth — All customer records, conversation histories, and business data remain in YOUR systems (OpenDental, HubSpot, ServiceTitan, Clio, etc.)
- 30-Day Operational Logs Only — We process data through n8n workflows, retain minimal operational logs for 30 days (auto-deleted), then it's gone from our infrastructure
- API-Only Architecture — We query your systems in real time, process data in memory, and write results back to YOUR systems
3.2 What "Temporary Operational Data" Means
We retain workflow execution logs for 30 days (automatically deleted by the n8n platform) containing:
- Phone numbers and timestamps (when workflows executed)
- Workflow outcomes (SMS delivered, appointment booked, lead qualified)
- Minimal conversation metadata (for system diagnostics and troubleshooting)
We do NOT retain:
- Long-term customer records (names, addresses, emails stored permanently)
- Full conversation transcripts beyond 30 days (those are written to YOUR CRM)
- Medical records, legal case files, or payment information (these never touch our systems)
After 30 Days
Operational logs auto-delete. ALL historical data lives exclusively in your CRM — not ours.
4 Information We Collect
4.1 From Website Visitors & Prospective Clients
Contact Forms & Demo Requests
- Name, email, phone number, company name
- Industry, annual revenue range, number of locations, job role
- Business challenges, timeline, preferred communication methods
Pilot Program Setup
- CRM/calendar integration credentials (encrypted, API tokens only)
- Business policies and FAQs (for AI training)
- Example customer questions and booking procedures
Website Analytics
- IP address, browser type, device type, pages visited
- Cookies (see Section 10 for details)
4.2 From Automation Systems (Temporary Processing)
Communication Data (Processed, Not Stored Long-Term)
- Phone call metadata (caller ID, call duration, timestamp)
- SMS message content (for AI response generation)
- Voice conversation data (transcribed for booking/routing logic)
- Web form submissions (captured and routed to your CRM)
Operational Logs (30-Day Retention)
- Workflow execution history (which automations ran, when, success/failure status)
- System performance metrics (response times, API call latency)
- Error logs (for troubleshooting failed workflows)
What Happens After Processing
- Customer data is immediately written to your CRM/PMS
- AI-generated responses sent via Twilio (SMS/voice)
- Minimal operational metadata retained in n8n logs for 30 days
- After 30 days, logs auto-delete — data lives only in YOUR systems
4.3 From Third-Party Integrations
Your CRM/PMS Systems (API Access)
- Contact records (queried in real-time, not stored by us)
- Appointment availability (checked via API, not cached)
- Customer preferences and history (pulled for AI context, not retained)
Communication Platforms
- Twilio: SMS/voice delivery status, call recordings (Twilio retains per their policy)
- Email providers: Delivery/open/click metrics
5 How We Use Your Information
5.1 Service Delivery
For Clients
- Respond to inquiries and schedule 48-hour pilot programs
- Configure and deploy automation workflows
- Operate AI-powered lead capture and routing systems
- Generate real-time dashboards (pulling data from YOUR CRM via API)
- Provide technical support and system monitoring
For End Users (Your Customers)
- Answer inquiries and schedule appointments
- Send booking confirmations and reminders
- Qualify leads and route to appropriate staff
- Follow up on missed opportunities
5.2 Temporary Operational Processing
- Troubleshoot failed automations
- Monitor system performance and uptime
- Optimize conversation flows based on outcomes
- Generate aggregate performance reports (anonymized)
Important: After 30 days, operational logs are permanently deleted. For historical reporting, dashboards pull from YOUR CRM—we do not maintain our own long-term analytics database.
5.3 Business Operations
- Billing and payment processing (via Stripe — we never store full card numbers)
- Legal compliance (respond to lawful requests, prevent fraud)
- Product improvement (aggregate anonymized data for AI model training)
- Marketing to prospects only (with consent — see Section 10)
6 Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), UK, or other GDPR jurisdictions, we process data based on:
- Contract Performance — Necessary to deliver services you've requested
- Legitimate Interests — System security, fraud prevention, operational diagnostics (balanced against privacy rights)
- Consent — Marketing communications, optional analytics cookies
- Legal Obligations — Tax records, compliance with lawful government requests
7 Data Sharing & Sub-Processors
7.1 Third-Party Service Providers
We use vetted sub-processors to deliver services:
| Sub-Processor | Purpose | Data Shared | Location | Retention |
|---|---|---|---|---|
| Twilio | SMS/voice communication | Phone numbers, message content, call recordings | USA | 30 days (Twilio policy) |
| OpenAI | AI language processing | Anonymized conversation text (no names/PII when possible) | USA | Per OpenAI API terms (not stored long-term) |
| n8n (Self-Hosted) | Workflow automation engine | Execution logs (phone numbers, outcomes) | DigitalOcean (USA) | 30 days (auto-delete) |
| DigitalOcean | Infrastructure hosting (n8n server) | System logs (no direct access to customer data) | USA | Per DigitalOcean terms |
| Stripe | Payment processing | Billing info (tokenized — we never see full card numbers) | USA | Per Stripe terms |
Data Processing Agreements (DPAs): Enterprise clients can request signed DPAs to meet GDPR Article 28 requirements. Contact [email protected].
7.2 Client Access to Their Data
Clients have full access to:
- Workflow execution history (via n8n dashboard, 30-day window)
- Performance analytics (real-time, pulled from YOUR CRM)
- Configuration backups (n8n workflow JSON exports)
Data Exports: We provide tools to export n8n workflows (for portability). Customer data exports = direct access to YOUR CRM (you already own that data).
7.3 Legal Disclosures
We may disclose data if required by law, court order, or to protect our rights and prevent fraud. We'll notify affected parties unless legally prohibited.
7.4 Business Transfers
If Shockwave is acquired or merges, your data may transfer to the new entity. We'll provide 30 days' notice and opt-out options if terms materially change.
8 Your Privacy Rights
8.1 All Users
- Access — Request operational logs we hold (30-day window)
- Correction — Update account information and business data
- Deletion — Request removal of operational logs (we'll delete within 15 days)
- Opt-Out — Unsubscribe from marketing emails (link in every email)
8.2 Additional Rights (GDPR, CCPA, PIPEDA)
For EEA/UK Residents (GDPR)
- Data Portability — Receive n8n workflow configurations in JSON format
- Restrict Processing — Limit how we use operational logs (for specific legal reasons)
- Withdraw Consent — For marketing and analytics cookies (anytime)
- Right to Object — Stop processing based on legitimate interests
For California Residents (CCPA/CPRA)
- Know — What personal information we process (30-day operational logs)
- Delete — Request deletion of operational logs
- Opt-Out of Sale — We do NOT sell personal data (never have, never will)
- Non-Discrimination — We won't penalize you for exercising CCPA rights
For Canadian Residents (PIPEDA)
- Access operational logs, challenge accuracy, withdraw marketing consent
8.3 How to Exercise Rights
Email: [email protected]
Subject: "[Your Right] Request - [Your Name]"
Response Time: 30 days (GDPR), 45 days (CCPA)
9 Data Security
9.1 Security Measures
- Encryption — Data encrypted in transit (TLS 1.3) and at rest (AES-256 for credentials)
- Access Controls — Role-based permissions, multi-factor authentication for our team
- Monitoring — 24/7 system monitoring, automated security alerts
- n8n Self-Hosted — We control the infrastructure (DigitalOcean), no third-party access to workflow data
- Minimal Attack Surface — No long-term customer database = reduced large-scale breach risk
Note: No system is 100% secure. While we use industry best practices, we cannot guarantee absolute protection.
9.2 Data Retention
| Data Type | Retention | Reason |
|---|---|---|
| Prospect Contact Info | 2 years from last contact | Follow-up, marketing (with consent) |
| n8n Execution Logs | 30 days (auto-delete) | Operational diagnostics, troubleshooting |
| Client Account Data | Duration of service + 90 days | Final reporting, billing reconciliation |
| Billing Records | 7 years | Tax compliance |
| Aggregate Analytics (Anonymized) | Indefinitely | Product improvement, industry benchmarks |
Client-Requested Early Deletion: Contact [email protected] — we'll delete operational logs within 15 days and provide confirmation.
10 Cookies & Tracking
10.1 Essential Cookies (Always Active)
- Session management, security tokens, form submissions
- Required for website functionality — no opt-in needed
10.2 Analytics Cookies (Opt-In)
- Google Analytics (anonymized IP, traffic sources)
- Helps us improve website UX
How to Manage: Use our cookie banner (first visit) or browser settings to block/delete cookies.
Do Not Track (DNT): We respect browser DNT signals for analytics cookies.
11 International Data Transfers
Primary Location: United States (DigitalOcean US data centers for n8n hosting)
For EEA/UK Clients
- Data may be transferred to the US for processing
- We rely on Standard Contractual Clauses (SCCs) — EU-approved contracts ensuring GDPR protection
- Sub-processors (Twilio, OpenAI, Stripe) have GDPR-compliant transfer mechanisms
Enterprise Clients: Can request data residency in specific regions (EU, Canada) for additional fees. Contact [email protected].
12 Children's Privacy
Shockwave is a B2B service not directed at individuals under 16. We do not knowingly collect data from children. If we discover we've inadvertently collected such data, we will delete it immediately.
13 Changes to This Policy
We may update this policy to reflect legal changes, new features, or business practices.
- Material Changes — 30 days' advance notice via email + website banner
- Non-Material Changes — Updated "Last Updated" date at top
Continued use after changes = acceptance. If you disagree, contact us to terminate service before the effective date.
14 Contact Us
General Privacy Questions: [email protected] (response within 3-5 business days)
Data Protection Officer (GDPR): [email protected]
Enterprise / DPAs: [email protected]
END OF PRIVACY POLICY