Skip to main content

Privacy Policy

Last updated: February 23, 2026

This Privacy Policy describes how Island Pitch Design LLC ("Island Pitch," "we," "us," or "our") collects, uses, and shares information when you visit nextwave.ing (the "Site") or use the NextWave Platform services, including account creation, subscription billing, and the NextWave WordPress plugin (collectively, the "Services"). By using the Site or Services, you agree to the practices described in this policy.

1. Information We Collect

Account Information

When you create a NextWave account, we collect:

  • First name and last name
  • Email address
  • Password (stored securely by AWS Cognito — we never have access to your plaintext password)
  • Company or organization name (optional)

Your account is authenticated through Amazon Web Services Cognito, a secure identity service. Account data (excluding your password) is stored in our database to manage your subscription and license.

Payment Information

If you subscribe to a paid plan, payment processing is handled entirely by Stripe, Inc.:

  • Credit or debit card details are collected directly by Stripe through their secure, PCI-compliant payment form embedded on our Site. We never receive, store, or have access to your full card number, expiration date, or CVV.
  • Stripe provides us with a limited set of information: a customer identifier, subscription identifier, payment status, and the last four digits of your card for display purposes.
  • If you use Stripe Link (Stripe's autofill service), your saved payment information is managed by Stripe under their privacy policy.

Early Access Form

If you submit our "Get Early Access" form (before creating an account), we collect your name, email, and optional organization. This information is submitted to HubSpot for lead management and marketing communications.

Information Collected Automatically

When you visit the Site, we and our third-party service providers may collect certain information automatically, subject to your cookie consent preferences:

  • Google Analytics 4 (Consent Mode v2): GA4 loads on every visit but operates in a privacy-preserving mode by default. Before you grant consent, GA4 sends only cookieless, anonymized pings — no cookies are set and no personally identifiable information is collected. If you grant analytics consent, GA4 sets cookies (_ga, _ga_*) to measure sessions, page views, approximate geographic location, device type, browser, and referral sources.
  • HubSpot (Consent API): The HubSpot tracking script loads on every visit but with tracking suppressed by default (doNotTrack mode). No cookies are set and no individual-level data is collected until you grant marketing consent. If you grant consent, HubSpot sets cookies (hubspotutk, __hstc, __hssc, __hssrc) to identify returning visitors and associate activity with your contact record.
  • PostHog: PostHog product analytics starts in an opted-out state by default — no cookies are set and no events are captured until you grant analytics consent. If you grant consent, PostHog tracks product usage events (login, signup, payment, and plugin activation actions) and may set cookies (ph_*) for session identification.
  • UTM Parameters: If you arrive via a marketing link (e.g., from an ad or email), we capture campaign attribution parameters (utm_source, utm_medium, utm_campaign) in your browser's session storage. This data is not stored in cookies and is cleared when you close your browser tab.
  • Server Logs: Our hosting infrastructure (Amazon Web Services CloudFront) automatically logs requests including IP address, user agent, requested URL, and timestamp.

2. How We Use Your Information

We use the information we collect to:

  • Create and manage your NextWave account and authenticate your identity
  • Process subscription payments and manage your billing cycle
  • Generate and deliver your NextWave license key for the WordPress plugin
  • Provide access to the Stripe Customer Portal for billing management
  • Send transactional emails (account verification, password reset, payment receipts)
  • Send product updates, launch announcements, and marketing communications (with your consent)
  • Analyze Site usage and improve the user experience (subject to your cookie consent)
  • Monitor and ensure the security and performance of the Site
  • Comply with legal obligations

3. How We Share Your Information

We do not sell your personal information. We share information only with the following service providers, each of which processes data on our behalf:

  • Stripe, Inc. — Payment processing, subscription billing, and customer billing portal. Stripe receives your payment card details directly and provides us only with limited identifiers and payment status. (Privacy Policy)
  • Amazon Web Services, Inc. — Authentication (Cognito), data storage (DynamoDB), site hosting (CloudFront/S3), serverless compute (Lambda), and email delivery (SES). (Privacy Policy)
  • HubSpot, Inc. — CRM, form processing, and email marketing (only when you grant marketing consent). (Privacy Policy)
  • Google LLC — Analytics and site performance measurement (subject to your cookie consent preferences). (Privacy Policy)
  • PostHog, Inc. — Product analytics and user behavior tracking to improve the platform experience (subject to your cookie consent preferences). (Privacy Policy)

We may also disclose information when required by law, subpoena, or other legal process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4. Cookies and Tracking Technologies

No tracking cookies are set until you make a consent choice. When you first visit the Site, a cookie consent banner allows you to accept or reject non-essential cookies. Analytics scripts load in a privacy-preserving mode by default — they do not set cookies or collect personal data until you grant consent.

Cookie Categories

Cookie / TechnologyCategoryProviderPurpose
nwp_cookie_consentNecessaryNextWaveStores your cookie consent preferences (localStorage, not a cookie)
Cognito session tokensNecessaryAWS CognitoAuthentication session management (localStorage, required for login)
_ga, _ga_*AnalyticsGoogleDistinguish unique visitors and measure sessions (only set after analytics consent)
hubspotutkMarketingHubSpotIdentify returning visitors and link form submissions to browsing history (only set after marketing consent)
__hstc, __hssc, __hssrcMarketingHubSpotTrack visitor sessions and referral sources (only set after marketing consent)
ph_*AnalyticsPostHogTrack product usage events and identify sessions (only set after analytics consent)

How Consent Works

  • GA4 Consent Mode v2: Google Analytics loads in "denied" mode by default. In this mode, it sends only cookieless, aggregated measurement pings that cannot identify individual users. When you grant analytics consent, it switches to full tracking with cookies.
  • HubSpot Consent API: HubSpot loads in "doNotTrack" mode by default. No cookies are set and no individual tracking occurs. When you grant marketing consent, tracking is enabled.
  • PostHog: PostHog initializes in an opted-out state by default. No events are captured and no cookies are set. When you grant analytics consent, PostHog begins tracking product usage events.
  • Global Privacy Control (GPC): We honor the Global Privacy Control browser signal. If your browser sends a GPC signal, all non-essential cookies are automatically declined.
  • Consent Expiration: Your consent preferences expire after 365 days, at which point the consent banner will reappear.

When you revoke consent, we immediately delete all non-essential cookies that were previously set (GA4, HubSpot, and PostHog cookies).

You can manage your cookie preferences at any time:

5. Data Retention

  • Account data is retained for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records).
  • Payment records are retained by Stripe in accordance with their retention policies and applicable financial regulations. We retain subscription status and billing metadata for the duration of your account.
  • Authentication data (email, name) is stored in AWS Cognito for as long as your account exists.
  • Early access form submissions are retained in HubSpot for as long as necessary for marketing purposes or until you request deletion.
  • Analytics data in Google Analytics is retained for 14 months.
  • Product analytics data in PostHog is retained in accordance with PostHog's data retention policies.
  • Server logs (CloudFront) are retained for 30 days.
  • Consent preferences are stored locally in your browser and expire after 365 days.

You may request deletion of your personal data at any time by contacting us at the address below.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access, correct, or delete your personal data
  • Object to or restrict certain processing
  • Withdraw consent for analytics and marketing cookies at any time via the cookie preferences tool
  • Withdraw consent for marketing communications at any time
  • Request a portable copy of your data
  • Delete your account and associated data

Every marketing email includes an unsubscribe link. You can manage your subscription billing through the Stripe Customer Portal accessible from your account dashboard. To exercise any other rights, contact us at the address below.

7. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information:

  • Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request that we delete your personal information, subject to certain exceptions.
  • Right to Correct: You may request that we correct inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell personal information. Analytics and marketing cookies may constitute "sharing" under CPRA. You can opt out by clicking "Do Not Sell My Info" in the site footer or by managing your cookie preferences below.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To exercise your rights, contact us at privacy@islandpitch.com or use the cookie preferences tool:

8. Children's Privacy

The Site is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

9. Security

We use industry-standard security measures to protect your information, including:

  • Encryption in transit: All data is transmitted over HTTPS/TLS.
  • Encryption at rest: Account data is encrypted using AWS server-side encryption.
  • PCI DSS compliance: Payment card data is handled exclusively by Stripe (PCI DSS Level 1 certified). Card numbers never touch our servers.
  • Secure authentication: Passwords are managed by AWS Cognito using industry-standard hashing. We support Secure Remote Password (SRP) protocol for authentication.
  • Secrets management: API keys and credentials are stored in AWS Systems Manager Parameter Store using SecureString encryption.
  • Access controls: API endpoints require authenticated JWT tokens. Stripe webhook endpoints verify cryptographic signatures.

However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Island Pitch Design LLC

Email: privacy@islandpitch.com

Web: islandpitch.com