Gear Wave logoGEAR WAVE
Gear Wave logo

Gear Wave

Privacy Policy

Effective version: 2026-06-14

IMPORTANT: This Privacy Policy template is for startup planning purposes only and should be reviewed by a licensed attorney before production use.

1. Introduction

Gear Wave (“Gear Wave,” “we,” “our,” or “us”) values your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, and share information when you access or use the Gear Wave platform, website, mobile application, and related services.

2. Information We Collect

Gear Wave may collect the following categories of information:

Personal Information

  • Full name
  • Email address
  • Phone number
  • Mailing address
  • Profile photos
  • Government-issued identification when required

Payment Information

  • Payment method details handled by Stripe (Gear Wave never stores full card numbers)
  • Billing information
  • Transaction history
  • Authorization-hold status and capture history for security deposits

Identity Verification Data

  • Government ID image and selfie submitted to our verification provider (Stripe Identity)
  • Pass/fail verification result and verified-name match returned to Gear Wave
  • Boater license and insurance documentation where the rental category requires it

Location Information

  • GPS or browser-derived coordinates used to claim a Founding-Owner state spot or to surface nearby listings
  • Device location information
  • Rental pickup and return locations

Device & Usage Data

  • IP address
  • Browser type and device identifiers
  • App activity, search queries, and booking funnel events
  • Rate-limit, abuse, and scraping-detection signals

3. How We Use Information

Gear Wave may use collected information to:

  • Create and manage user accounts
  • Process payments, security-deposit authorization holds, and Net-15 owner payouts
  • Verify user identities through Stripe Identity before the first booking
  • Facilitate rentals and in-platform communication
  • Operate the Founding-Owner program (matching a user to a U.S. state and metro)
  • Improve platform performance and pricing
  • Detect fraud, scraping, automated access, and abuse
  • Provide customer support and resolve disputes
  • Send transactional notifications and, where opted in, marketing updates
  • Comply with legal obligations and respond to lawful requests

4. Payment Processing & Deposits

Payments are processed through Stripe. Security deposits are placed as Stripe authorization holds (capture_method = manual) — the deposit amount is reserved on the renter's card but is not transferred to the owner or to Gear Wave unless captured for documented damage, late fees, or policy violations. Gear Wave does not store complete payment card numbers.

5. Identity Verification

Renters and owners must complete government-ID and selfie verification through Stripe Identity before transacting. The ID image, selfie, and biometric matching data are collected and retained by Stripe under Stripe's privacy policy. Gear Wave receives only the pass/fail result, the verified legal name, and document metadata sufficient to display a verified badge. We do not retain raw ID images on our own servers.

6. Location Data

Gear Wave may collect and use location information to:

  • Display nearby rental listings
  • Facilitate pickup, delivery, and return coordination
  • Match Founding-Owner program claims to the correct U.S. state and metro
  • Improve search and marketplace functionality

7. Sharing of Information

Gear Wave may share information with:

  • Stripe (payments, Connect payouts, Identity verification)
  • Subprocessors used to operate the platform (hosting, email delivery, analytics, customer support tooling)
  • The other party to a confirmed booking — limited to first name, last initial, profile photo, verified badge, and the contact channel needed to coordinate pickup and return
  • Law enforcement when legally required, or to investigate fraud, scraping, or threats to platform integrity

8. Data Security

Gear Wave maintains a written information-security program with administrative, technical, and physical safeguards designed to protect personal and commercial information. Current controls include:

  • Encryption in transit using TLS 1.2 or higher for all client-server, server-server, and webhook traffic.
  • Encryption at rest for production databases, object storage (user uploads, ID images held by Stripe Identity, listing media), and database backups using AES-256 managed by the underlying cloud provider.
  • Full-disk encryption (FileVault, BitLocker, or equivalent) required on every laptop or workstation used to access Gear Wave production systems; encryption keys are protected by the device's Secure Enclave or TPM and are not stored on the device in plaintext.
  • Multi-factor authentication required for all administrative access to production infrastructure, source-code repositories, payment processor dashboards, email infrastructure, and the domain registrar. Removable media containing non-public information must be encrypted and unlockable only via two-factor authentication.
  • Wireless networks used for Gear Wave operations require WPA2 or WPA3 authentication and encryption; remote access to production resources additionally requires a second factor (TOTP, hardware security key, or VPN with certificate-based authentication).
  • Leaked-password protection on customer accounts: new and changed passwords are checked against the Have I Been Pwned breach corpus and rejected if found compromised.
  • Row-level security enforced at the database layer on all user-scoped tables, restricted service-role access, principle-of-least-privilege IAM, and audit logging on privileged operations.
  • Physical security controls limiting access to any premises where sensitive data is processed; production servers and data centers are operated by the underlying cloud provider and access is limited to authorized personnel only.
  • Annual review of vendor sub-processors, the suppression and unsubscribe pipeline, and incident-response runbooks.

9. Anti-Scraping & Automated Access Monitoring

To protect users and platform integrity, Gear Wave monitors traffic for patterns consistent with scraping, crawling, headless browsing, AI-training data collection, account takeover, and other automated abuse. Detection signals (IP, user agent, behavioral fingerprints, request cadence) may be retained and shared with fraud-prevention vendors and, where applicable, law enforcement. See our Terms of Service for prohibited automated-access conduct.

10. User Responsibilities

Users are responsible for:

  • Maintaining account confidentiality and not sharing login credentials.
  • Using a strong, unique password that has not been reused on other services; Gear Wave will reject passwords known to appear in public breach corpora.
  • Enabling two-factor authentication on the email address associated with their Gear Wave account.
  • Providing accurate information and keeping contact details current.
  • Not sharing their verified identity, government ID, or Stripe Identity session with another person.
  • Promptly reporting any suspected unauthorized access to support@gearwaveapp.com.

11. Cookies & Tracking Technologies

Gear Wave may use cookies, analytics tools, and similar technologies to improve user experience, analyze traffic, attribute partner referrals, and personalize content.

12. Data Retention

Gear Wave may retain information for operational, legal, accounting, tax, security, and compliance purposes even after account closure where permitted by law. Booking, payment, and dispute records are retained for at least seven (7) years to satisfy tax and chargeback-rebuttal requirements.

13. User Rights

Depending on applicable law (including the CCPA/CPRA for California residents and the GDPR/UK-GDPR for users in the EEA and UK), users may have rights to:

  • Access personal data we hold about them
  • Request corrections to inaccurate data
  • Request deletion of data (subject to legal-retention requirements)
  • Opt out of certain communications and the “sale” or “sharing” of personal information as defined under California law (we do not sell personal information)

14. Children’s Privacy

Gear Wave services are not intended for individuals under the age of 18. We do not knowingly collect information from minors. If we learn that we have collected personal information from a minor, we will delete it.

15. Third-Party Services

The platform may contain links or integrations with third-party services (Stripe, Mapbox, email providers, and others). Gear Wave is not responsible for the privacy practices of third parties.

16. Changes to This Policy

Gear Wave may update this Privacy Policy periodically. Material changes will be communicated by email or in-app notice. Continued use of the platform after the effective date of an update constitutes acceptance.

17. Contact Information

Questions regarding this Privacy Policy may be directed to Gear Wave at support@gearwaveapp.com — www.gearwaveapp.com

© 2026 Gear Wave · support@gearwaveapp.com