Privacy Policy

• Account data — email address, display name, and hashed password when you register.
• Usage data — pages visited, filters applied, signals viewed, vault saves, and feature interactions, used to improve feed relevance and product quality.
• Subscription data — billing tier (Pulse / Insight / Pro). Payment details are processed exclusively by Stripe and are never stored on our servers.
• Preference data — watchlist assets, notification settings, and social source preferences (RSS feeds, Reddit subreddits, YouTube channels) you configure.
• Technical data — IP address, browser type, device type, and approximate location (country level) for security, fraud prevention, and analytics.
• Communications — emails you send us, including support requests and feedback.

We do not collect sensitive personal data such as financial account numbers, government ID, or health information.

• Deliver and personalise your intelligence feed and radar.
• Send email digests and instant alerts you have opted into.
• Process payments and manage your subscription via Stripe.
• Detect and prevent fraud, abuse, and security incidents.
• Improve our AI scoring and signal ranking algorithms using aggregated, anonymised signals — no personal data is included in model training.
• Respond to your support requests and feedback.
• Comply with legal obligations.
• Send product updates and marketing communications (with your consent; unsubscribe any time).

If you are in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following lawful bases under GDPR / UK GDPR:

• Performance of a contract (Art. 6(1)(b) GDPR) — to create and manage your account, deliver the Service you subscribed to, and process your payments.
• Legitimate interests (Art. 6(1)(f) GDPR) — fraud prevention, security monitoring, service improvement, and anonymised analytics. We have assessed that our interests do not override your fundamental rights.
• Consent (Art. 6(1)(a) GDPR) — marketing emails and optional analytics cookies. You may withdraw consent at any time without affecting prior processing.
• Legal obligation (Art. 6(1)(c) GDPR) — where required by applicable law, regulation, or court order.

We do not sell your personal data. We share data only with the following sub-processors, each of which is contractually bound to process your data only for the stated purpose:

• Supabase (database, authentication, and storage) — data stored in EU or US regions depending on configuration.
• Stripe (payment processing) — your payment data is subject to Stripe’s privacy policy.
• Resend (transactional email delivery).
• Anthropic (Claude AI — news content enrichment). No personal data is included in API requests to Anthropic; only scraped public news content is sent.
• Vercel (hosting, CDN, and edge functions).
• Railway (background scraper infrastructure).

We may also disclose data to law enforcement, regulators, or courts where legally required, or to protect the rights and safety of Whisper Media or others.

Some of our sub-processors (Supabase, Stripe, Resend, Anthropic, Vercel, Railway) are based in or may process data in the United States or other countries outside the EEA and UK. Where such transfers occur from EEA/UK jurisdictions, we rely on one or more of the following safeguards:

• Adequacy decision — where the European Commission or UK Secretary of State has recognised the destination country as providing an adequate level of protection.
• Standard Contractual Clauses (SCCs) — where transfers rely on SCCs approved by the European Commission (or the UK equivalent International Data Transfer Agreements), we ensure our sub-processors have executed the relevant SCCs.

You may request further information about international transfer safeguards by emailing us at contact@whispermedia.ai.

We retain personal data for the following periods:

• Account data — retained for as long as your account is active. Deleted within 30 days of a verified account deletion request.
• Usage and preference data — retained for up to 24 months after your last activity for product improvement, then anonymised or deleted.
• Billing records — retained for 7 years to comply with financial record-keeping obligations (Stripe retains transaction records under its own policy).
• Signal / news content — public news data is retained indefinitely for historical analysis; it contains no personal data.
• Support communications — retained for up to 3 years then deleted.

We use the following categories of cookies:

• Strictly necessary cookies — required for authentication and basic platform functionality. Cannot be disabled without breaking the Service.
• Preference cookies — remember dismissed banners, theme settings, and UI preferences.
• Analytics cookies — aggregated, anonymised usage statistics to improve the platform. These are only set with your consent.

You can manage cookie preferences at any time. Disabling non-essential cookies may affect certain personalisation features.

Depending on your jurisdiction, you have the following rights over your personal data. To exercise any right, email contact@whispermedia.aiwith subject line “Data Request”. We will respond within 30 days (or the period required by applicable law).

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate or incomplete data.
• Erasure(“right to be forgotten”) — request deletion of your personal data, subject to legal retention obligations.
• Restriction of processing — request that we limit how we use your data in certain circumstances.
• Data portability — receive your account and preference data in a structured, machine-readable format (JSON or CSV).
• Object to processing — object to processing based on legitimate interests or for direct marketing.
• Withdraw consent — withdraw any consent-based processing at any time via the unsubscribe link in emails or by contacting us.
• Lodge a complaint — you have the right to lodge a complaint with your local data protection authority. In the EU, find your national authority at edpb.europa.eu. In the UK, the relevant authority is the ICO.

If you are a California resident, you have the right to: know what personal data we collect and how it is used; request deletion of your data; correct inaccurate data; and opt out of any sale or sharing of personal data. We do not sell or share personal data for cross-context behavioural advertising.

To exercise your rights, contact us at contact@whispermedia.aiwith subject line “Data Request — California”.

The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with data, contact us immediately and we will delete it promptly.

We use industry-standard security measures including HTTPS/TLS encryption in transit, hashed passwords, row-level security on our database, and access controls limiting data access to authorised personnel. However, no system is completely secure. We cannot guarantee absolute security and are not responsible for breaches caused by factors outside our reasonable control.

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay as required by applicable law.

We may update this policy from time to time. We will notify you of material changes via email and with an in-app notice at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

Whisper Media is the data controller for personal data processed through the Service.

Whisper Media
Email: contact@whispermedia.ai
For data / privacy requests, use subject line “Data Request”.

For any data protection inquiries, please use the email above with the subject line “Data Request”. A formal registered address will be added once the company is fully incorporated.