Privacy Policy
Last updated: March 21, 2026
This Privacy Policy (“Policy”) describes what personal data we process when you use the website, mobile apps and related WhisperEar services (“Service”), for what purposes and on what legal bases. The data controller is the Service owner listed in the contacts below (“we”, “us”).
Use of the Service is also governed by the Terms of Service.
1. What data we process
Depending on how you use the Service, we may process the following categories:
- Account: email address, name (if provided), user ID, password hash for email sign-up (passwords are not stored in plain text), email verification status, subscription and usage limits.
- Sign-in with Google or Apple: provider ID, email, name and profile photo — as permitted by you during authorization, per Google and Apple policies.
- Session and website security: technical tokens and cookies (including session cookies), device and browser data, IP address and request timestamps — for authentication, abuse prevention and reliability.
- Guide usage and API: server requests may include object identifiers (e.g. from open map data), language, and usage within plan limits. Precise coordinates are primarily processed on-device; the server receives the minimum needed to deliver audio and enforce limits.
- Payments: when you purchase a subscription, payment details may be processed by a payment provider (e.g. Stripe) or app stores (Apple App Store, Google Play). We receive payment status and subscription and transaction identifiers; we do not receive full card data on our servers unless the payment UI states otherwise.
- Support: message content and contact details you provide.
2. Purposes and legal bases
We process personal data to:
- provide Service features and perform our contract with you (registration, guides, plans);
- comply with legal obligations (tax/accounting, lawful requests);
- ensure security and prevent fraud and abuse (legitimate interest or enforcement of Service rules);
- improve the Service and analytics in anonymized or aggregated form where applicable — legitimate interest or consent where required;
- send service emails (email confirmation, password reset, subscription changes).
Marketing emails, if introduced, are sent only with separate consent and include an unsubscribe option in each message.
3. Sharing with third parties
We do not sell your personal data. Limited sharing may occur when necessary to operate the Service:
- hosting, infrastructure and backup providers;
- payment systems and app stores — as needed for payment;
- transactional email services (e.g. address confirmation and account recovery);
- Google / Apple — when you sign in with those accounts, per their policies;
- when required by law or by a competent authority.
We aim to use data processing agreements (DPAs) or standard contractual clauses for cross-border transfers where required.
4. International transfers
Servers and vendors may be located outside your country, including countries without an adequacy decision. Where applicable, we seek appropriate safeguards (e.g. EU SCCs).
5. Retention
We retain data no longer than necessary: while your account is active, to perform the contract or comply with law, or to defend legal claims. Logs may be kept briefly for security. After account deletion we erase or anonymize data within a reasonable time, except where law requires longer retention.
6. Your rights
Depending on applicable law (including GDPR for EEA/UK residents), you may have the right to:
- information about processing and a copy of your data;
- rectification of inaccurate data;
- erasure (“right to be forgotten”) under certain conditions;
- restriction or objection to processing;
- data portability in machine-readable form where applicable;
- withdraw consent where processing is consent-based;
- lodge a complaint with a supervisory authority.
To exercise rights, use the contacts below. We may ask for identity verification. For data processed only by Google or Apple, you may need to contact them directly.
7. Children
The Service is not intended for users below the age of valid consent for data processing in your jurisdiction (often 13–16). We do not knowingly collect children’s data. If you believe we have, contact us and we will take steps to delete it.
8. Security
We use organizational and technical measures: encryption in transit (HTTPS), access controls, environment separation. Absolute security cannot be guaranteed — use a strong unique password and do not share account access.
9. Cookies and similar technologies
The site may use cookies and local storage for sign-in, preferences and UI. You can limit cookies in your browser; some features may not work without them.
10. Changes to this Policy
We may update this Policy. The current version is always on this page with an update date. Material changes may be communicated via the Service or email.
11. Contact
Questions about privacy and your rights: via Support or the production support email address.