Privacy Policy

Effective Date: June 1, 2026

Operator: Whisker Tech LLC

1. Overview

This Privacy Policy describes how Whisker Tech LLC ("we," "us," or "our") collects, uses, and protects your information when you use Groundwave ("the Service"). We are committed to protecting your privacy and being transparent about our data practices.

2. Information We Collect

Information You Provide

  • Account information: Email address, name, amateur radio callsign
  • Profile information: License class, grid square, city, state (populated via QRZ verification or manual entry)
  • Club content: Messages, documents, event details, net check-in logs, and club page content that you create or upload
  • Election ballots: Your votes in club elections. Individual ballots are confidential. Only aggregated results are disclosed to club members. Club administrators cannot see how individual members voted.
  • Payment information: Processed by Stripe. We do not store credit card numbers. We receive transaction confirmations and subscription status from Stripe.

Information Collected Automatically

  • Usage data: Pages visited, features used, timestamps
  • Device information: Browser type, operating system, screen resolution
  • IP address: Used for security, rate limiting, and approximate geolocation for the marketing site map background

Information from Third Parties

  • QRZ.com: When you verify your callsign, we retrieve your FCC license data (name, callsign, license class, grid square, city, state, FCC email) from the QRZ XML API. This data is stored in your profile. The FCC email is used solely for the verification process (to send a confirmation link) and is stored to prevent duplicate verifications.
  • Stripe: Subscription and payment status for club billing and dues collection.

3. Legal Basis for Processing

We process your personal information based on the following legal grounds:

  • Contractual necessity: Processing required to provide the Service you signed up for (account management, club features, notifications)
  • Legitimate interest: Processing for security, fraud prevention, service improvement, and abuse prevention
  • Consent: Processing based on your explicit consent (e.g., callsign verification via QRZ, optional email notifications)
  • Legal obligation: Processing required to comply with applicable laws (e.g., financial record retention)

4. How We Use Your Information

  • To provide and maintain the Service
  • To authenticate your identity via magic link email login
  • To verify your amateur radio callsign
  • To display your profile information to other club members (name, callsign, verified status)
  • To send notifications about club activity (messages, events, membership changes)
  • To process subscription payments and dues collection
  • To enforce our Terms of Service and protect against abuse
  • To improve the Service based on aggregated, anonymized usage patterns

5. Information Sharing

We do not sell, rent, or trade your personal information. We share information only in these circumstances:

  • Within clubs: Your name, callsign, and verified status are visible to other members of clubs you join. Your email is visible to club administrators.
  • Public club directory: Club names, callsigns, cities, and states are publicly visible in the club directory. Individual member information is not publicly listed.
  • Service providers: We share data with the following third-party processors, with whom we maintain data processing agreements:
    • DigitalOcean (hosting and file storage)
    • Stripe (payment processing)
    • QRZ.com (callsign verification)
    • CartoDB/Stamen (map tiles, no personal data transmitted)
    • ipapi.co (IP-based approximate geolocation for marketing site, no personal data stored)
  • Legal requirements: We may disclose information if required by law, court order, or government request. We will notify you of such requests where legally permitted.
  • Business transfers: If Whisker Tech LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

6. Data Storage and Security

Your data is stored on DigitalOcean infrastructure in the United States. Documents are stored on DigitalOcean Spaces (S3-compatible object storage) with encryption at rest. We use HTTPS/TLS encryption for all data in transit and follow industry-standard security practices.

Authentication uses JWT tokens with magic link email verification. We do not store passwords.

While we implement reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

7. Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

  • Notify affected users via email within 72 hours of confirming the breach
  • Describe the nature of the breach and the types of data involved
  • Describe the measures taken to address the breach and mitigate harm
  • Provide guidance on steps you can take to protect yourself
  • Notify relevant regulatory authorities as required by applicable law

8. Data Retention

  • Account data: Retained as long as your account is active. Deleted within 30 days of account deletion.
  • Club content: Retained as long as the club exists. Messages, documents, and net logs persist even if the author deletes their account (content is disassociated from the deleted account).
  • Magic links: Expire after 15 minutes and are marked as used after a single use.
  • Payment records: Retained for 7 years for accounting and tax purposes as required by IRS regulations.
  • Backups: System backups are purged within 30 days. Deleted data may persist in backups during this period.
  • Inactive accounts: Accounts inactive for more than 12 months may be deleted after 30 days' email notice, per our Terms of Service.

9. Your Rights

You have the right to:

  • Access your personal data via your Account page
  • Update your profile information at any time
  • Delete your account and associated personal data from the Account page
  • Export your data by contacting us at hello@groundwavehq.com. We will provide your data in a machine-readable format within 30 days.
  • Opt out of email notifications via your account settings

10. For California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, legal obligations).
  • Right to opt-out of sale: We do not sell your personal information to third parties. We have not sold personal information in the preceding 12 months.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at hello@groundwavehq.com. We will verify your identity before processing your request and respond within 45 days.

11. For European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to access: Request a copy of your personal data
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing: Request that we limit how we use your data
  • Right to data portability: Request your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interest
  • Right to withdraw consent: Withdraw consent at any time for processing based on consent
  • Right to lodge a complaint: File a complaint with your local data protection supervisory authority

The data controller is Whisker Tech LLC. To exercise these rights, contact us at hello@groundwavehq.com. We will respond within 30 days.

The Service is hosted in the United States. By using the Service, your data is transferred to the US. We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for such transfers where applicable.

12. Cookies and Tracking

Groundwave uses minimal cookies and local storage:

  • Authentication token: Stored in localStorage to maintain your login session
  • Theme preference: Stored in localStorage (light/dark mode)
  • View preferences: Stored in localStorage (grid/list view)

We do not use third-party analytics, advertising cookies, or tracking pixels.

13. Children's Privacy

The Service is not intended for children under 13 (or under 16 in the EEA). We do not knowingly collect information from children under these ages. If you believe a child has created an account, please contact us and we will promptly delete it.

14. International Users

The Service is hosted in the United States. If you access the Service from outside the US, your information will be transferred to and processed in the United States. For EEA/UK users, please see Section 11 regarding GDPR rights and transfer mechanisms.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes at least 30 days in advance via email or in-app notification. The effective date at the top of this page indicates when the policy was last updated.

16. Contact

For privacy-related questions, data requests, or complaints, contact us at:

Whisker Tech LLC
Data Protection Inquiries
hello@groundwavehq.com