Privacy Policy
NewsWave
Effective Date: 21 March 2026
Last Updated: 29 April 2026
Version: 1.1
GDPR Compliant | ePrivacy Directive Compliant | Swedish Data Protection Act (2018:218) Compliant
1. Introduction
NewsWave — a sole trader business (Swedish enskild firma) operated by Sadashiv Gour ("NewsWave", "we", "us", "our") — is committed to protecting your privacy and processing your personal data transparently and lawfully. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the NewsWave mobile application, web application, and related services (collectively, the "Service").
This Policy is issued in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), the Swedish Data Protection Act (Dataskyddslag 2018:218), the ePrivacy Directive 2002/58/EC, and other applicable EU data protection law.
Please read this Policy carefully. By using the Service, you acknowledge that you have read and understood how we process your personal data. Where processing is based on your consent, we will ask for your explicit agreement before collecting or using your data.
2. Data Controller Information
| Field | Details |
|---|---|
| Data Controller | Sadashiv Gour — sole trader (Swedish enskild firma) operating as NewsWave |
| Country of Establishment | Sweden |
| General Contact Email | privacy@thenewswave.app |
| Data Protection Officer (DPO) | dpo@thenewswave.app |
2.1 Data Protection Officer
NewsWave has designated a Data Protection Officer (DPO) contact point responsible for overseeing our data protection practices and handling data-protection enquiries. As a sole trader, NewsWave is not obliged to appoint a DPO under Article 37(1) GDPR; this designation is made voluntarily under Article 37(4) GDPR to ensure clear accountability.
Contact the DPO: Email: dpo@thenewswave.app
You may contact the DPO for any questions related to your personal data, the exercise of your rights, or to raise concerns about our data processing activities.
3. Categories of Personal Data Collected
We collect and process the following categories of personal data:
3.1 Account and Registration Data
| Data Element | Description |
|---|---|
| Email address | Required for account creation and communication |
| Username / Display name | For account identification |
| Password (hashed) | Account authentication; stored as a cryptographic hash only |
| Account creation date | Service administration |
3.2 Demographic Data (User-Provided)
| Data Element | Description | Special Category? |
|---|---|---|
| Age group | Broad range (e.g., 18–24, 25–34) — not exact date of birth | No |
| Employment status | Student / Employed / Unemployed / Self-employed / Retired | No |
| Immigration / Residency status | Expat / Permanent resident / Citizen / Other | Potential — see Section 5 |
| Country of residence | Current country of habitual residence | No |
3.3 Behavioral and Preference Data
| Data Element | Description |
|---|---|
| News category preferences | User-stated topics of interest |
| Reading history | Articles viewed within the Service |
| Interaction data | Clicks, reading duration, saves, shares |
| Notification preferences | Push/email notification settings |
3.4 Technical and Device Data
| Data Element | Description |
|---|---|
| IP address | Collected automatically; used for geolocation and security |
| Device type and model | For Service optimization |
| Operating system and version | For compatibility and analytics |
| Browser type and version | For web application performance |
| App version | For feature compatibility |
| Session identifiers | For session management |
| Crash logs and error data | For Service debugging and improvement |
3.5 Cookie and Tracking Data
See our separate Cookie Policy for full details on cookies and tracking technologies used.
4. Legal Bases for Processing (Article 6 GDPR)
We process your personal data only where we have a valid legal basis to do so. The following table sets out our processing activities and the applicable legal basis:
4.1 Legal Basis Mapping Table
| Processing Activity | Data Categories Involved | Legal Basis (Art. 6 GDPR) | Legitimate Interest (if applicable) |
|---|---|---|---|
| Account creation and authentication | Account data | Art. 6(1)(b) — Contract | — |
| Delivering the Service (news aggregation, search) | Account data, preferences | Art. 6(1)(b) — Contract | — |
| Personalizing news content | Demographic data, behavioral data | Art. 6(1)(a) — Consent | — |
| Analytics and Service improvement | Technical data, behavioral data | Art. 6(1)(f) — Legitimate Interest | Improving service quality and user experience |
| Security and fraud prevention | Technical data, IP address | Art. 6(1)(f) — Legitimate Interest | Protecting platform integrity and users |
| Push notifications (opted-in) | Account data, preferences | Art. 6(1)(a) — Consent | — |
| Legal compliance | Account data, as required | Art. 6(1)(c) — Legal Obligation | — |
| Customer support | Account data, communication records | Art. 6(1)(b) — Contract | — |
| Marketing communications (if applicable) | Account data, preferences | Art. 6(1)(a) — Consent | — |
| Profiling for content recommendations | Behavioral data, demographic data | Art. 6(1)(a) — Consent (see Section 5.3) | — |
4.2 Withdrawal of Consent
Where processing is based on your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. You may withdraw consent through:
- In-app privacy settings ("Manage My Data");
- Contacting our DPO at dpo@thenewswave.app;
- Unsubscribing from marketing communications via the unsubscribe link in any email.
5. Special Category Data and Risk Considerations
5.1 Immigration and Residency Status
⚠ RISK FLAG: Immigration status may, depending on context, constitute or reveal information about racial or ethnic origin, which is a special category of personal data under Article 9 GDPR, requiring explicit consent under Article 9(2)(a) GDPR.
NewsWave takes a cautious and protective approach to collecting immigration and residency status. Specifically:
- We collect only broad, self-described residency categories ("Expat", "Permanent Resident", "Citizen", "Other") that do not, on their face, reveal specific national or ethnic origin;
- We do not use this data to infer or process information about racial or ethnic origin, political opinions, or other special categories;
- Collection of this data is voluntary and based on explicit consent;
- This data is used solely to tailor news content relevant to the user's residency context (e.g., expat-relevant news for the country of residence);
- We apply strict access controls and data minimization practices to this data.
Regardless of whether this data is ultimately classified as special category data, we apply the following safeguards:
- Explicit consent obtained via a clear, affirmative action before collection;
- Granular data mapping to ensure this field is stored and processed separately from general personal data;
- Regular review to assess whether collection remains necessary and proportionate;
- Explicit inclusion in our Data Protection Impact Assessment (DPIA) (see GDPR Compliance Statement).
5.2 No Other Special Category Data
We do not intentionally collect other categories of special data under Article 9 GDPR, including health data, biometric data, genetic data, religious or philosophical beliefs, trade union membership, or data concerning criminal convictions.
6. Purposes of Processing
6.1 Service Delivery and Personalization
We process your demographic and behavioral data to:
- Present news content tailored to your location, language, and stated interests;
- Recommend articles based on your reading patterns;
- Remember your preferences across sessions.
6.2 Analytics and Product Development
We use aggregated and pseudonymized technical and behavioral data to:
- Understand how users interact with the Service;
- Identify and fix bugs and performance issues;
- Develop and test new features;
- Measure content engagement.
We use Firebase Analytics (Google Ireland Limited, EU data region) and PostHog (PostHog Inc., EU Cloud at eu.posthog.com) for product analytics. Both are consent-gated — no analytics events are emitted before you grant explicit consent, and revoking consent immediately opts the device out of further collection at the SDK level.
The analytics events we emit are designed to prevent the leakage of personal data at the point of collection:
- Search queries are never logged in raw form — only the bucketed character-length and a boolean for whether results were returned;
- Article URLs and webview errors record the hostname only (e.g., `svt.se`), never the full path or query string;
- Error reports use a six-bucket category (network / timeout / auth / rate-limited / render / unknown), never the raw error message or stack trace;
- Profile-field changes log the field name only (e.g., `primary_language`), never the new value;
- API calls are sampled at 10% and the URL path is bucketed (UUIDs and numeric IDs replaced with `:id`) before any event is emitted.
Server-side analytics events (emitted by our backend services) follow the same constraints and additionally never carry user IDs, device tokens, alert IDs, geographic data, prompt content, source text, or translated text in event parameters.
The full event registry is documented in the source code (mobile/src/services/analytics/events.ts) and a list of pinned PostHog dashboards is available in docs/analytics-dashboards.md. We do not use these analytics tools to track you across other websites or apps and we do not build individual advertising profiles.
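As an added illustration (not NewsWave's own `events.ts` and not code from the project), the following TypeScript applies the five collection-time rules listed above to constructed sample inputs. The event names, the length buckets, the error-classification mapping and the injectable 10% sampler are assumptions, since the policy states the constraints but not the implementation.

```typescript
// Added example, not NewsWave's events.ts: applies the Section 6.2 rules.
// Event names, length buckets, error mapping and the sampler are assumed.
type Params = Record<string, string | number | boolean>;
export interface AnalyticsEvent { name: string; params: Params }
export type ErrorCategory =
  | "network" | "timeout" | "auth" | "rate-limited" | "render" | "unknown";

const UUID_SEGMENT = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const NUMERIC_SEGMENT = /^\d+$/;

// Rule 1: search queries leave the device only as a length bucket and a flag.
export function bucketQueryLength(query: string): string {
  const n = query.trim().length;
  if (n === 0) return "0";
  if (n <= 10) return "1-10";
  if (n <= 30) return "11-30";
  return "31+";
}
export function searchEvent(query: string, resultCount: number): AnalyticsEvent {
  return {
    name: "search_performed",
    params: { query_length_bucket: bucketQueryLength(query), has_results: resultCount > 0 },
  };
}

// Rule 2: article URLs are reduced to the hostname; path and query string are dropped.
export function hostnameOnly(url: string): string {
  try { return new URL(url).hostname; } catch { return "invalid_url"; }
}
export function articleOpenedEvent(url: string): AnalyticsEvent {
  return { name: "article_opened", params: { host: hostnameOnly(url) } };
}

// Rule 3: errors collapse to one of six categories; no message, no stack trace.
export function categorizeError(err: { status?: number; code?: string }): ErrorCategory {
  if (err.code === "ETIMEDOUT" || err.status === 504) return "timeout";
  if (err.status === 401 || err.status === 403) return "auth";
  if (err.status === 429) return "rate-limited";
  if (err.code === "ECONNREFUSED" || err.code === "ENOTFOUND") return "network";
  if (err.code === "WEBVIEW_RENDER") return "render";
  return "unknown";
}

// Rule 4: profile edits log the field name; the new value is deliberately dropped.
export function profileFieldChangedEvent(field: string, _newValue: unknown): AnalyticsEvent {
  return { name: "profile_field_changed", params: { field } };
}

// Rule 5: API calls are 10% sampled and UUID / numeric path segments become ":id".
export function bucketPath(path: string): string {
  return path.split("/")
    .map(seg => ((UUID_SEGMENT.test(seg) || NUMERIC_SEGMENT.test(seg)) ? ":id" : seg))
    .join("/");
}
export function apiCallEvent(url: string, rng: () => number = Math.random): AnalyticsEvent | null {
  if (rng() >= 0.1) return null; // the 90% that is not sampled emits nothing
  let path: string;
  try { path = new URL(url).pathname; } catch { return null; }
  return { name: "api_call", params: { path_bucket: bucketPath(path) } };
}

// Guard of the kind a test suite can run over the event registry: parameter
// keys that would carry identifiers or content are reported as violations.
const FORBIDDEN_KEYS = ["user_id", "device_token", "alert_id", "email", "query", "url", "message", "stack"];
export function minimizationViolations(e: AnalyticsEvent): string[] {
  return Object.keys(e.params).filter(k => FORBIDDEN_KEYS.includes(k));
}
```

The guard at the end is the shape of check that lets a test suite fail the build when a new event would carry a raw query, URL or identifier, which is how a constraint like the one in this section stays enforced as the registry grows.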
6.3 Security and Fraud Prevention
We process technical data, including IP addresses and session data, to:
- Detect and prevent unauthorized access, fraud, and abuse;
- Protect the integrity of user accounts;
- Comply with applicable security obligations.
6.4 Legal Compliance
We may process and retain personal data to:
- Comply with EU and Swedish legal obligations;
- Respond to lawful requests from competent supervisory authorities or law enforcement;
- Establish, exercise, or defend legal claims.
6.5 Communications
With your consent, we may send:
- Push notifications for breaking news or personalized news digests;
- Service-related emails (account confirmations, security alerts);
- Marketing updates about new features (opt-in only, easily unsubscribed).
6.6 AI-Driven Content Processing
The Service uses third-party machine-learning processors to summarise and translate publicly available news articles and public-safety alerts before presenting them to you. This processing operates solely on the source content — the article body, the alert text, and the article title — and does not involve your personal data.
| Processing | Provider | Data sent | Data NOT sent |
|---|---|---|---|
| Article and alert summarisation | Google Vertex AI (Gemini 2.5 Flash, Google Cloud Platform) | Article / alert title and body, source language tag | Account ID, email, IP, reading history, demographics, location |
| Article and alert translation (primary) | DeepL (DeepL SE, Germany) | Article / alert text, source language, target language | Account ID, email, IP, reading history, demographics, location |
| Article and alert translation (fallback) | Google Cloud Translation API (Google Cloud Platform) | Article / alert text, source language, target language | Account ID, email, IP, reading history, demographics, location |
No personal data is included in prompts or translation requests. Our test suite enforces this: prompt content, source text, and translated text are never carried in analytics or telemetry events.
Cross-border transfers. Vertex AI is configured with a global Dynamic Shared Quota location, which means Google may route a given request to any region — including regions outside the EEA — based on capacity. Where this results in a transfer outside the EEA, the transfer is governed by Standard Contractual Clauses (SCCs) in our data processing agreement with Google Cloud and the supplementary measures described in Section 9.3. DeepL processing occurs within the EEA (Germany).
Automated decision-making. The summarisation and translation outputs are presented to you as content; they are not used to make decisions about you, do not produce legal or similarly significant effects, and do not constitute automated decision-making within the meaning of Article 22 GDPR.
AI transparency. Article and alert summaries produced by these systems are clearly labelled as AI-generated within the mobile app and on the web, consistent with the transparency principle of the EU AI Act (Regulation (EU) 2024/1689). These summaries are derived solely from the publicly available source content — the original publisher did not write them and is not responsible for them.
7. User Rights Under GDPR (Articles 15–22)
As a data subject, you have the following rights regarding your personal data:
7.1 Right of Access (Art. 15)
You have the right to obtain confirmation of whether we process your personal data, and if so, to receive a copy of that data along with information about how it is processed.
7.2 Right to Rectification (Art. 16)
You have the right to request correction of inaccurate or incomplete personal data we hold about you.
7.3 Right to Erasure — "Right to Be Forgotten" (Art. 17)
You have the right to request deletion of your personal data where:
- The data is no longer necessary for the purposes for which it was collected;
- You withdraw consent and there is no other legal basis for processing;
- You object to processing and there is no overriding legitimate interest;
- The data has been unlawfully processed;
- Deletion is required by EU or Member State law.
Note: This right is not absolute and does not apply where processing is necessary for compliance with a legal obligation, or for the establishment, exercise, or defence of legal claims.
7.4 Right to Restriction of Processing (Art. 18)
You may request that we restrict the processing of your data while we investigate a dispute about its accuracy, our legal basis for processing, or your objection.
7.5 Right to Data Portability (Art. 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and to transmit it to another controller without hindrance.
7.6 Right to Object (Art. 21)
You have the right to object to processing based on legitimate interest or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
7.7 Rights Related to Automated Decision-Making and Profiling (Art. 22)
⚠ RISK FLAG: Content personalization through algorithmic profiling may constitute automated decision-making under Article 22 GDPR. Where profiling produces legal or similarly significant effects, explicit consent is required and the user has the right not to be subject to such decisions.
Our personalization features use profiling to recommend content. This profiling does not produce legal or similarly significant effects — it affects only which news articles are displayed. Nevertheless, we:
- Obtain explicit consent before enabling profiling features;
- Provide a clear explanation of how profiling works in-app;
- Offer a non-personalized mode that delivers content without profiling;
- Honour any objection to profiling immediately.
7.8 How to Exercise Your Rights
To exercise any of the above rights, please:
- Use the "Manage My Data" section in your account settings; or
- Email our DPO at dpo@thenewswave.app with subject line "Data Subject Request — [Your Right]".
We will respond to your request within 30 days (extendable by a further 60 days for complex requests, with notice). We will not charge a fee for reasonable requests.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.
8.1 Retention Schedule
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 2 years after deletion | Legal obligation, disputes |
| Demographic preferences | Duration of account; deleted upon account deletion | Contractual necessity |
| Reading history / behavioral data | 12 months rolling (anonymized thereafter) | Legitimate interest (analytics) |
| IP addresses (access logs) | 90 days | Security, legitimate interest |
| Crash logs and error data | 60 days | Legitimate interest |
| Consent records | 5 years from consent withdrawal | Legal obligation (GDPR accountability) |
| Marketing consent records | Until withdrawal + 3 years | Legal obligation |
| Customer support correspondence | 3 years from resolution | Legal claims |
| Invoicing / billing records (if applicable) | 7 years | Swedish Bookkeeping Act (Bokföringslagen) |
8.2 Post-Retention Deletion
At the end of the applicable retention period, data is securely deleted or anonymized using technically sound methods that prevent re-identification.
9. Data Sharing and Third-Party Processors
We do not sell your personal data. We may share data with the following categories of third parties under appropriate data processing agreements (DPAs) in accordance with Article 28 GDPR:
9.1 Data Processors
The following sub-processors handle personal data on our behalf under written data processing agreements (DPAs) compliant with Article 28 GDPR. Where a processor is located, or may host data, outside the EEA, we rely on the safeguards described in Section 9.3.
| Category | Provider (legal entity) | Data shared | Purpose | Hosting region |
|---|---|---|---|---|
| Database & authentication backend | Supabase Inc. (USA) — project hosted on EU infrastructure | Account data, profile preferences, reading history, saved articles, consent records | Primary data store; account auth | EU (Frankfurt) |
| Cloud compute & storage | Google Cloud Platform — Google Ireland Limited (EU entity) | All backend processing (Cloud Run, Cloud Tasks, Cloud Storage, Secret Manager) | Hosting NewsWave's API and worker microservices | EEA (europe-north1) |
| Push notifications | Firebase Cloud Messaging — Google Ireland Limited | Device token, alert payload (topic, headline, region) | Delivering push notifications | EEA / USA — see §9.3 |
| Authentication identity providers | Apple Inc. ("Sign in with Apple"); Google LLC ("Sign in with Google") | OAuth identifier, email (where granted by user) | Federated login | USA — see §9.3 |
| Mobile product analytics | Firebase Analytics — Google Ireland Limited | Bucketed event data (no raw queries, no full URLs, no PII payloads); user properties (primary_language, current_country, home_country, is_expat, is_test_user) | Product analytics, retention measurement | EEA (project configured for EU data region) |
| Mobile + server product analytics | PostHog Inc. (USA) — EU Cloud at eu.posthog.com | Same bucketed events as above; server-side events emitted by our backend services (no user IDs, device tokens, alert IDs, geographic data) | Product analytics, dashboards, feature-flag delivery | EU (Frankfurt) |
| Article & alert summarisation (AI) | Google Vertex AI (Gemini 2.5 Flash) — Google Ireland Limited | Article / alert title and body only — no user PII | Generating summaries displayed in the feed and in alert details | Routed by Google's Dynamic Shared Quota (global) — see §6.6 and §9.3 |
| Article & alert translation (primary) | DeepL SE (Germany) | Article / alert text only — no user PII | Translating content into your preferred language | EEA (Germany) |
| Article & alert translation (fallback) | Google Cloud Translation API — Google Ireland Limited | Article / alert text only — no user PII | Translation fallback when DeepL is unavailable | EEA / global — see §9.3 |
| Feed discovery (server-only) | Brave Software, Inc. (USA) — Brave Search API | Search queries we issue server-side to discover candidate news feeds; no user data is sent | Discovering new RSS sources to ingest | USA — see §9.3 |
We do not use payment processors, advertising networks, third-party email-marketing platforms, or behavioural-advertising vendors. We do not sell, rent, or share personal data with brokers or marketing partners.
9.2 Legal Disclosure
We may disclose your personal data to competent authorities (courts, law enforcement, regulators) where required by applicable EU or Swedish law, or to enforce our legal rights.
9.3 Cross-Border Data Transfers
Where we transfer personal data to processors or recipients outside the EEA, we ensure appropriate safeguards are in place in accordance with Chapter V GDPR, specifically:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914/EU);
- Adequacy decisions by the European Commission where applicable (e.g., transfers to countries with recognized adequate protection);
- Binding Corporate Rules (BCRs) where applicable for intra-group transfers.
A list of our sub-processors and their data transfer safeguards is available upon request at dpo@thenewswave.app.
10. Security Measures
We implement appropriate technical and organizational measures (TOMs) to protect your personal data against unauthorized access, accidental loss, alteration, disclosure, or destruction, in accordance with Article 32 GDPR:
10.1 Technical Measures
- Encryption in transit: TLS 1.2 or higher for all data in transit;
- Encryption at rest: AES-256 encryption for stored personal data;
- Password hashing: bcrypt with appropriate work factor; plaintext passwords are never stored;
- Access controls: Role-based access control (RBAC); principle of least privilege applied to all systems;
- Network security: Firewalls, intrusion detection systems, DDoS protection;
- Vulnerability management: Regular penetration testing and security audits;
- Pseudonymization: Analytics data is pseudonymized to reduce risk of re-identification.
10.2 Organizational Measures
- Mandatory data protection training for all staff with access to personal data;
- Data protection clauses in all employment and contractor agreements;
- Formal data breach response plan and incident management procedures;
- Regular internal privacy audits and compliance reviews;
- A maintained Record of Processing Activities (Article 30 GDPR).
11. Data Breaches
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Integritetsskyddsmyndigheten (IMY) (Swedish supervisory authority) within 72 hours of becoming aware of the breach (Article 33 GDPR);
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR);
- Document all breaches in our internal breach register, regardless of whether notification is required.
To report a security vulnerability or suspected breach, contact: security@thenewswave.app
12. Supervisory Authority
You have the right to lodge a complaint with the competent data protection supervisory authority. NewsWave's lead supervisory authority under the GDPR one-stop-shop mechanism is:
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
Website: www.imy.se
Email: imy@imy.se
Phone: +46 8-657 61 00
You may also contact the supervisory authority in your country of habitual residence within the EU.
13. Changes to This Privacy Policy
We will notify you of any material changes to this Privacy Policy at least 30 days before the changes take effect, via in-app notification, push notification, or email. The date of the most recent revision is indicated at the top of this document. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
14. Contact Us
For all privacy-related enquiries:
Data Protection Officer
NewsWave — Sadashiv Gour (sole trader)
Email: dpo@thenewswave.app
General Privacy: privacy@thenewswave.app
This Privacy Policy has been prepared in compliance with GDPR (Regulation (EU) 2016/679), the Swedish Data Protection Act (Dataskyddslag 2018:218), and other applicable EU privacy legislation, as of the effective date stated above.