Privacy Policy
Effective date: April 8, 2026
Last updated: May 11, 2026 (Website analytics: Google Analytics 4 on whisper.day; EEA/UK consent flows)
Whisper ("we", "our", or "us") operates the service available at whisper.day. This Privacy Policy explains how we collect, use, and protect your personal data, and your rights under applicable law including the General Data Protection Regulation (GDPR).
1. Data Controller
The data controller responsible for your personal data is:
Whisper
Contact: privacy@whisper.day
2. Data We Collect
2.1 Account Data (provided by you)
You choose a name or nickname for your profile. You do not have to use your legal name; the field is still personal data under GDPR and is used to personalise messages and may be sent to our subprocessors (for example Anthropic) as described below.
- Name or nickname — used to personalise your daily messages
- Date of birth — used as input for statistical calculations that generate your daily message
- Birth hour (optional) — used to improve calculation accuracy
- Birth location (optional) — used to improve calculation accuracy
2.2 Authentication Data (via Google OAuth)
When you sign in with Google, we receive your Google account ID and email address. We do not store your Google password.
2.3 Usage Data (generated by the service)
- Daily Whisper content we generate and store for your account (your personalised daily message and related fields we save in our database)
- Orbit readings: when you open an orbit, we generate a single daily reflection by sending the participants' birth data and a structured synthesis of synastry signals to Anthropic. We store the generated reflection (one per orbit, per user, per day) in our database, along with calculation metadata (token counts, prompt version, generation timing) used for cost monitoring and abuse prevention.
- Readings and Aura Portraits generated by The Whisper are associated with your account for the purpose of displaying your history within the app. We do not use the content of your readings to build advertising profiles or share reading content with third parties.
- Date and time of generation or related events where we log them for the service
2.4 Technical Data
- Session cookies required to keep you logged in
- Basic server logs (IP address, request timestamps) retained by our infrastructure providers
2.5 Website and marketing analytics (whisper.day and journal)
When you visit whisper.day (our marketing site and signed-out shell) or our public journal at blog.whisper.day, we may process pseudonymous usage data through Google Analytics 4 (and similar first-party measurement configured in our sites), such as:
- Pages and paths viewed, referrer, and coarse engagement signals
- Device and browser metadata (for example screen class, language, user agent-derived fields as processed by Google)
- Interaction events we configure in software (for example taps on “sign in with Google” on the landing page)
- Approximate location at a region/city level as inferred by Google from IP address — we do not use Google Analytics to collect your precise GPS location from the device
This data is used to understand aggregate traffic, improve our pages, and see whether marketing surfaces are effective. It is not used to read the content of your in-app Whisper readings from the analytics tag (those readings live in our application database and are governed elsewhere in this Policy).
Depending on your region, we only enable this measurement on whisper.day after you opt in on our cookie banner, or where permitted without such a banner we rely on legitimate interests in measuring our public web traffic—see the Cookie Policy for how to withdraw analytics consent where the banner is shown.
2.6 Orbits — Counterpart Data You Provide
Whisper's Orbits feature lets you receive a daily reflection about a relationship between you and another person. You may provide minimal information about that other person ("counterpart") so we can generate the reflection:
- A first name or nickname (≤ 40 characters) — used only to address the reflection
- The counterpart's birth date — used as input for the synastry calculation
- Optionally, their birth hour and a city/country
We deliberately limit this collection: we do not ask for, and you should not enter, the counterpart's surname, contact details, address, photographs, or any sensitive information.
You are responsible for ensuring the counterpart is comfortable with you using this information for a private daily reflection. The Orbits creation form displays a notice asking you to confirm this before submitting.
Terms of Service references for this feature are available in Terms §5.1 (Orbits — Counterpart Data and Consent).
If a counterpart later signs up for Whisper and accepts your invite link, the orbit is "activated": from that point onwards we use their own profile data (which they control) instead of the data you originally entered, and the previously stored ghost-profile fields become inactive.
Counterpart deletion requests. If you are a counterpart whose data has been entered into a Whisper orbit by someone else and you would like that data removed, please contact us at privacy@whisper.day with the inviter's name (if known) and your birth date. We will locate and delete the relevant orbit within 30 days.
2.7 Daily Whisper Email Data (if enabled)
If you enable Daily Whisper email in Settings, we process the following for email delivery:
- Your account email address
- Your delivery preferences (email enabled/disabled)
- Your timezone and recent activity timestamp (used to schedule delivery around your local morning)
- Your generated Daily Whisper content for that day (including related display fields such as theme/intensity)
- Delivery metadata such as provider message IDs, delivery status, and bounce/complaint events
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Generating personalised daily messages | Performance of contract (Art. 6(1)(b)) |
| Sending Daily Whisper email when enabled in your account settings | Performance of contract (Art. 6(1)(b)); where required, consent (Art. 6(1)(a)) |
| Authenticating your account via Google | Performance of contract (Art. 6(1)(b)) |
| Orbits: generating a daily relationship reflection from the participants' birth data | Performance of contract (Art. 6(1)(b)) |
| Usage limits (e.g. active-orbit caps per plan) | Performance of contract (Art. 6(1)(b)) |
| Maintaining service security and preventing abuse | Legitimate interests (Art. 6(1)(f)) |
| Website analytics (GA4) on whisper.day / blog — aggregate pages, events, device metadata, coarse location as processed by Google | Consent (Art. 6(1)(a)) where we show the cookie banner; otherwise legitimate interests (Art. 6(1)(f)) in measuring public web traffic where local law permits |
We do not use your data for advertising, profiling, or sale to third parties.
4. Third-Party Services
We share data with the following processors to operate the service:
| Provider | Purpose | Data shared | Privacy Policy |
|---|---|---|---|
| Authentication (OAuth 2.0) | Google account ID, email | google.com/privacy | |
| Anthropic | AI generation (Whisper daily synthesis and Orbit reflections) | Profile fields used in prompts (e.g. display name, birth date, optional birth time/location); that day's system/readings text where applicable; for Orbits, the orbit owner's profile and the counterpart's birth data (or ghost-profile data if the counterpart hasn't joined yet). | anthropic.com/privacy |
| Supabase | Database and authentication hosting | Data we store in our project: profile, stored oracle/daily content, orbit metadata and reflections, usage counters, etc. | supabase.com/privacy |
| Resend | Transactional email delivery (Daily Whisper email) | Recipient email, message content, delivery metadata (message ID/status, bounce/complaint signals) | resend.com/legal/privacy-policy |
| Inngest | Workflow orchestration and scheduling for Daily Whisper email | Job/event metadata needed to trigger and track email workflows | inngest.com/privacy |
| Vercel | Web hosting and deployment | Server request logs | vercel.com/legal/privacy-policy |
| Google (Analytics) | Website measurement (GA4) on whisper.day and our journal | Pseudonymous online identifiers, IP-derived coarse location, device/browser metadata, pages viewed, and configured events (e.g. sign-in CTA taps) as processed by Google | policies.google.com/privacy · Google Analytics terms |
| Lemon Squeezy | Payment processing | Email, billing information | lemonsqueezy.com/privacy |
All processors are contractually bound to protect your data and process it only on our instructions. Data may be transferred to and processed in the United States. Such transfers are covered by Standard Contractual Clauses or equivalent safeguards.
Anthropic retention: for how long Anthropic may retain API inputs and outputs, see their current privacy policy and terms.
5. Data Retention
| Data type | Retention |
|---|---|
| Account profile | Until you delete your account |
| Stored daily Whisper / oracle content | Until you delete your account |
| Daily Whisper email delivery metadata (send status, provider message IDs, bounce/complaint flags) | Until you delete your account |
| Active orbits and their daily reflections | Until you delete the orbit or your account |
| Pending (ghost) orbits not opened for 180 days | Owner is notified by email; archived 30 days later unless reactivated or pinned |
| Archived orbits | Up to 2 years from archival, then ghost-profile fields are erased; reflections are retained without identifying counterpart data |
| Feature usage metadata (e.g. active-orbit caps) | Until you delete your account |
| Server logs | Up to 90 days (held by infrastructure providers) |
5.1 Deletion and database backups (Supabase)
Our application database is hosted on Supabase. As of this policy version, the production project uses Supabase’s Free plan, under which scheduled project database backups are not included. After we delete your data from the live database in response to an account deletion or erasure request, we do not rely on Supabase daily backup snapshots to retain a copy on that plan.
If we later upgrade to a paid plan that includes scheduled backups, or enable Point-in-Time Recovery, deleted data could remain recoverable from provider backups for a limited period (for example, up to 7 days on typical Pro plan scheduled backups — confirm current terms in Supabase’s documentation). We will update this section if our backup configuration changes.
6. Your Rights (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate data
- Erasure ("right to be forgotten") — request deletion of your data
- Data portability — receive your data in a machine-readable format
- Restriction — ask us to limit how we process your data
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent
To exercise any of these rights, contact us at privacy@whisper.day. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your national DPA in the EU).
7. Children's Privacy
Whisper is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with their data, please contact us at privacy@whisper.day.
8. Entertainment Disclaimer
The personal data you provide (birth date, birth time, birth location) is used solely to generate personalised entertainment content via statistical calculation and artificial intelligence. Whisper does not use this data to make automated decisions that produce legal or similarly significant effects on you.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.
10. Contact
For any privacy-related questions or requests:
privacy@whisper.day