Privacy Policy

Information you provide directly:

• Account: username, email address, password (we hash this; we never see or store the plaintext)
• Profile: optional display name, bio, avatar image, theme preference, language preference
• Content you create: confessions, diary entries, stories, aspirations, reviews, autographs, comments, reactions, bookmarks, and any media (images/videos) you upload
• Direct messages you send to other users (see §4 for encryption details)
• Optional contact-sync hashes (only if you explicitly enable contact sync — see §3 for details)
• Payment information when you make a donation, buy a premium subscription, purchase an autograph, or run an ad campaign (handled by our payment processor — see §5)
• Reports you submit, feedback, support requests, and identity-reveal NDA acknowledgements
• Aspirations activity: timeline updates, completion status, and timestamps used to enforce our anti-spam rules (see §3)
• Friend graph: friend requests you send and receive (with timestamps + status pending/accepted/declined/cancelled), and accepted friendships (the user IDs of you and the other person, plus the date you became friends). Friend lists are private to each side and never published
• Public-profile visibility preferences: six toggle settings (show posts / diaries / aspirations / autographs / friend count / member-since) that control what the /u/{username} viewer renders for visitors
• Private-mode preference: a single boolean controlling whether non-friends can DM you

Information collected automatically:

• IP address at signup and at each login (used for fraud detection, VPN/proxy identification, and ban enforcement)
• Browser and device information (user agent string)
• Approximate geolocation derived from your IP address (country/region — never precise GPS coordinates derived from IP)
• Session token (HTTP-only secure cookie) used to keep you signed in
• Failed login attempts (email hash + IP + timestamp) for brute-force protection
• Login alerts: when you sign in from a new IP, we send you a notification email
• Aggregate usage metrics via Google Analytics — only after you opt in to analytics cookies (see §8)
• Optional location tags you attach to a post (these are intentionally obscured by 0.5–2 km before storage to prevent doxxing)

• To create and operate your account, deliver the platform's features, and remember your preferences
• To send transactional emails: account verification, password resets, login alerts from new IPs, payment receipts, account-deletion confirmations
• To enforce our Terms of Service, community guidelines, and anti-spam limits (e.g., the 3-aspirations-per-day creation cap requires us to count your recent aspiration timestamps)
• To detect, prevent, and respond to abuse, fraud, brute-force attacks, ban evasion, and security incidents
• To process payments for donations, premium subscriptions, autographs, and ad campaigns via our payment processor (we never see your full card number)
• To run automated content safety scans on posts and messages — this is a fully-automated system that may flag content for human moderator review or temporarily restrict an interaction. You have the right to request human review of any automated decision that affects your account (see §7)
• To respond to your support requests, feedback, and reports against other users
• To match optional contact-sync uploads against existing HuniWhisp users — see "Contact Sync" below for the strict no-retention rule
• To send important service announcements (e.g., scheduled maintenance, terms updates, breach notifications) — these are not marketing emails and you cannot opt out of them while your account is active

Contact Sync (optional, off by default):

If you choose to enable contact sync from the mobile app, we hash each contact's phone number and email address using SHA-256 on your device, send only the hashes, match them against existing user hashes server-side, and discard the hashes immediately after the matching query completes. We never store raw contact data, hashed contact data, or names. You can disable contact sync at any time, and there is nothing on the server to delete because nothing was retained.

Android Contact Picker:In line with Google Play's Contacts Permissions policy (effective 2026), HuniWhisp uses the Android Contact Picker for one-off contact selection flows (e.g., inviting a friend). The Contact Picker does not grant HuniWhisp broad access to your address book — only the specific contact you pick in that moment is shared, and nothing is retained on our servers. Broad READ_CONTACTS access is only requested when you explicitly enable full Contact Sync as described above, and the hashes-then-discard pipeline applies.

Location Data:

HuniWhisp does not request precise (GPS) location in the background, and does not use geofencing. The only location signals we use are:

• IP-derived approximate location (country/region) — never precise GPS coordinates.
• Optional per-post location tags — only when you explicitly attach one to a post. On Android, this uses the one-time precise location button (Android's recommended minimum scope); we never ask for always-on background location. The raw coordinates are obscured by 0.5–2 km before being stored to prevent doxxing.

We do not use any foreground-service location, and we do not use the Geofence API.

Health and Fitness Data:

HuniWhisp does not integrate with Health Connect, does not request any health or fitness permissions, and does not collect, store, or process menstrual-cycle, alcohol-consumption, symptom, or other health-category data. If this ever changes, we will update this policy and request the minimum granular permissions required, and we will never use such data to determine employment or insurance eligibility, or share it for unauthorized social purposes.

Automated Decision-Making:

HuniWhisp uses automated systems to scan content (text and images) for safety violations, hate speech, illegal content, CSAM, and spam patterns. Automated systems may temporarily restrict an interaction (e.g., delay a post, require re-verification) pending human review. If your account is affected by an automated decision, you have the right to request a human moderator to review it (see §7) — we will respond within 14 days.

We take security seriously. The following measures are in place at the time of writing:

• At rest: Email addresses, display names, and bios are encrypted using AES-256-GCM with a per-environment key. The key is stored in environment variables, not in the database, and the application refuses to start if the key is missing.
• In transit: All traffic is served over HTTPS with HSTS (Strict-Transport-Security) and TLS 1.2+. HTTP requests are rejected.
• Passwords: Hashed with bcrypt (cost factor 12) and stretched. We never see, store, or log your plaintext password.
• Email lookups: Performed via SHA-256 hash, so we can verify a sign-in without scanning ciphertext.
• Session tokens: 30-day expiry, rotated on password change, stored in an httpOnly + secure + sameSite=strict cookie. Stolen tokens are revoked when the user changes their password.
• Brute-force protection: Login attempts are rate-limited per IP and per account. After 5 failed attempts in 15 minutes, the account is temporarily locked.
• Direct messages: See the next paragraph for the truthful E2EE story.
• Two-factor authentication (2FA): Optional TOTP-based 2FA is available; if enabled, login requires both your password and a one-time code.
• Database: Hosted on AWS RDS MySQL with automated daily backups, point-in-time recovery, and network isolation in a private subnet.
• Admin-issued temporary passwords: A super-admin can issue a temporary password for support cases (e.g., user is locked out and the forgot-password email failed). This action invalidates every existing session for the affected account, sets a one-time password generated from cryptographically-strong randomness, and forces the user to choose a new password on next login. The action is recorded in the admin audit log. The temporary password is delivered to the email on file; we never communicate it through other channels.

Direct Messages and End-to-End Encryption (E2EE):

HuniWhisp supports an optional client-side end-to-end encryption layer for direct messages. When both participants have provisioned their E2EE keys, messages are encrypted in your browser before being sent and the server cannot read them — only the recipient can decrypt. Important honesty note: if a participant has not enabled E2EE, messages between you fall back to transport-layer encryption only — the server can technically decrypt them with its server key. We do not market all DMs as end-to-end encrypted, and we do not keep plaintext hashes of message content (a previous design that did has been removed).

Data Breach Notification:

If we discover a security incident affecting your personal data, we will notify affected users and relevant supervisory authorities without undue delay and in any case within 72 hours of becoming aware of the breach, except where law enforcement has requested a delay for an ongoing investigation. The notification will describe the nature of the breach, the data categories affected, and the steps we are taking in response.

We do not sell, rent, or trade your personal data. We share data with third parties only in the limited circumstances and with the limited services listed below.

Service providers we use:

• Hosting + database: Amazon Web Services (AWS) — EC2 (compute), RDS MySQL (database), Route 53 (DNS). AWS is a sub-processor; data is hosted in the us-east-2 (Ohio) region.
• Email delivery: SMTP transactional email provider for verification codes, password resets, login alerts, and payment receipts. We do not use third-party marketing email lists.
• Payment processing: When you make a donation, buy a premium subscription, purchase an autograph, or run a paid ad, your payment information is processed by our payment processor (PayPal and/or Stripe depending on the transaction). We share the transaction amount, currency, and your billing email; we never see your full card number. Refer to the payment processor's own privacy policy for their data practices.
• Analytics: Google Analytics (gtag) is loaded ONLY after you opt in to analytics cookies in our consent banner. When loaded, it collects aggregate usage statistics (page views, session duration, anonymized IP). We do not use it for cross-site tracking or ad targeting. You can withdraw consent at any time via the "Cookie Settings" link in the footer.
• CDN / static asset delivery: Static assets and Capacitor mobile app distribution use standard AWS CloudFront-style delivery. Public assets only; no personal data is sent.

We may also disclose data when:

• Required by law: A valid court order, subpoena, or government request that we are legally obligated to comply with
• Safety: When we have a good-faith belief disclosure is necessary to prevent imminent harm to a user or third party
• Law enforcement (CSAM): Suspected child sexual abuse material is reported to the National Center for Missing & Exploited Children (NCMEC) and relevant authorities, regardless of any other request
• Business transfer: In the unlikely event of a merger, acquisition, or sale of HuniWhisp's assets, user data may transfer to the successor entity, who will be bound by this policy

The following retention periods apply. Where law requires longer retention (e.g., financial records for tax purposes, law enforcement preservation orders), the legal requirement takes precedence.

• Account data (active): Retained for the life of your account.
• Account deletion request: When you request deletion, your data enters a 30-day grace period during which you can cancel the deletion. After the grace period, your data is purged from active systems and replaced with an anonymized placeholder. Encrypted archives may be retained for 90 days for fraud-detection and law-enforcement preservation purposes, then permanently deleted.
• Direct messages: Retained as long as the conversation is active. When you or the other participant deletes a conversation, the messages are removed within 30 days. E2EE messages are server-side blobs we cannot decrypt, even before deletion.
• Login history (login_attempts table): 90 days for fraud detection, then deleted.
• Signup IP and last-login IP: Retained for 180 days for ban-evasion and abuse detection, then deleted.
• IP-derived geolocation: Retained for 180 days alongside the IP record.
• Session tokens: 30-day expiry from last use; immediately invalidated on logout, password change, or account deletion.
• Password reset tokens: 1-hour expiry, single-use, invalidated immediately after redemption.
• Email verification codes: 15-minute expiry, single-use.
• Failed-login records (login_attempts): 90 days, used for brute-force lockout windows.
• Anonymized analytics: Retention is governed by Google Analytics's default 14-month window, configurable per their settings. We do not retain personally identifying information in our analytics layer.
• Law enforcement preservation: If we receive a valid preservation request, relevant data may be retained beyond its normal retention window pending legal proceedings, then deleted once the legal process concludes.

You have the following rights regardless of where you live. Where local law (GDPR for EU/EEA + UK, CCPA/CPRA for California, LGPD for Brazil, PIPEDA for Canada, Australia Privacy Act, etc.) provides additional or stronger rights, those apply in addition to what is listed here.

• Right of access: View your account data through your profile and dashboard at any time.
• Right to data export (portability): Request a machine-readable copy of your data (JSON or CSV) by contacting privacy@huniwhisp.com. We will respond within 30 days. The export includes your profile, posts, comments, reactions, bookmarks, transaction history, and message metadata. End-to-end encrypted message content is exported as opaque ciphertext (we cannot decrypt it for you).
• Right of correction: Update your profile, username, email, and content directly through the app at any time.
• Right of deletion (right to be forgotten): Delete your account from your dashboard. A 30-day grace period applies, during which you can cancel. After the grace period, your data is purged. See §6 for the full retention table.
• Right to object / restrict processing: Contact us to object to specific processing activities (e.g., automated content scanning of your account). We will evaluate the request against our legitimate interests and legal obligations.
• Right to withdraw consent: Where processing is based on consent (e.g., analytics cookies), you can withdraw consent at any time via the Cookie Settings link in the footer.
• Right to human review of automated decisions: If an automated content scan affects your account, you can request a human moderator to review it. We will respond within 14 days.
• Right to lodge a complaint: If you believe we have mishandled your data, you can lodge a complaint with your local supervisory authority (e.g., your country's Data Protection Authority for EU users, the California Attorney General's office for California residents).
• Right to opt out of "sale" of personal information (CCPA): We do not sell personal information as defined under CCPA/CPRA. You have nothing to opt out of, but you may submit a verifiable request to confirm this.
• Right to control your public profile: Your profile at huniwhisp.com/u/{your-username} is published by default for indexing and discoverability. You can dial each section off (posts, diaries, aspirations, autographs, friend count, member-since) from Profile » Preferences » Public Profile. Only your chosen username (your pseudonym) is shown — your real name, email, and IP are never visible on any public surface.
• Right to gate inbound DMs: Toggle Private Mode (Profile » Preferences » Privacy) to restrict new DMs to confirmed friends only. Existing conversation history stays visible to both sides; this is not retroactive deletion.

All rights requests can be submitted to privacy@huniwhisp.com. We will respond within 30 days for most requests; complex requests may take up to 60 days with notice.

HuniWhisp uses the following cookies and browser storage. You can manage your preferences via the cookie consent banner that appears on your first visit, or via the "Cookie Settings" link in the footer. The choices are stored in your browser; clearing your browser data will reset them.

Essential (always active, cannot be disabled):

• huni_session — your login session token (httpOnly, secure, sameSite=strict, 30-day expiry)
• huni_consent — records which non-essential categories you have opted into
• CSRF and security tokens used by the app for state-changing requests

Functional (off by default, opt-in):

• huni-color-theme — your selected color theme (localStorage)
• huni-theme — your dark/light mode preference (localStorage)
• Language preference and other UI settings

Analytics (off by default, opt-in):

• Google Analytics (gtag): _ga, _ga_*, _gid, _gat — page views, session duration, aggregate usage. Loaded ONLY after you accept analytics cookies. IP anonymization is enabled.

Marketing (not currently used):

• HuniWhisp does not currently use marketing or advertising cookies. The "Marketing" toggle in the consent banner is reserved for future use; if we ever add marketing partners, your existing consent setting will be respected.

HuniWhisp is intended for users aged 13 and older. We are committed to protecting young users and comply with the Children's Online Privacy Protection Act (COPPA) in the United States and equivalent regulations elsewhere.

• Minimum age: 13 years old. By creating an account, you confirm that you meet this requirement.
• Users 13–17: Parental or guardian consent is required as part of agreeing to our Terms of Service.
• No targeted advertising to minors: We do not use personal data to target advertising to users under 18.
• If we discover an account belongs to a child under 13 without parental consent: We will disable the account and delete the personal data within 14 days.
• CSAM reporting: Suspected child sexual abuse material is immediately reported to the National Center for Missing & Exploited Children (NCMEC) CyberTipline. See our Child Safety Standards page for details.
• If you believe a child under 13 has provided us with personal information: Please contact privacy@huniwhisp.com immediately so we can investigate and remove the data.

For users in the EU/EEA, UK, and other jurisdictions that require a stated legal basis, we process your personal data under the following bases:

• Contract (Art. 6(1)(b) GDPR): Account creation, login sessions, delivering platform features, processing payments, and fulfilling your requests — these are necessary to provide the service you signed up for.
• Consent (Art. 6(1)(a) GDPR): Analytics cookies (Google Analytics), optional contact sync, and optional location tags. You can withdraw consent at any time via Cookie Settings or your account preferences, and withdrawal does not affect prior processing.
• Legitimate interest (Art. 6(1)(f) GDPR): Fraud prevention, brute-force protection, ban enforcement, IP logging for abuse detection, automated safety scanning, and service-level communications. We have conducted balancing tests for each; users can object per §7.
• Legal obligation (Art. 6(1)(c) GDPR): CSAM reporting to NCMEC, responding to lawful subpoenas and court orders, tax record retention for financial transactions, and data breach notification.

The HuniWhisp Android app (Capacitor wrapper around the live website) requests only the minimum Android permissions needed for the features you actually use. Android permissions are requested at runtime — declining any of them does not prevent you from using the rest of the app.

• INTERNET + ACCESS_NETWORK_STATE — required for the WebView to load huniwhisp.com and detect online/offline state. Granted automatically; not user-prompted.
• POST_NOTIFICATIONS (Android 13+) — only used after you grant the runtime prompt. We send notifications for new direct messages, comment replies on your posts, friend requests, and important account events. You can disable notifications in your phone's app settings without affecting other features.
• READ_CONTACTS — only requested if you explicitly enable Contact Sync (see §3). For one-off invites, we use Android's Contact Picker, which does not require READ_CONTACTS — only the specific contact you tap is exposed to the app, nothing else.
• VIBRATE — for the haptic-tap micro-interaction on buttons. No-op if your device's haptics are disabled. No location, biometric, or sensitive data flows through this permission.
• RECEIVE_BOOT_COMPLETED — to re-register push-notification listeners after a phone reboot. No background activity beyond that.
• WAKE_LOCK — to keep the screen on while you compose a long post or watch a Live Huni stream. Released as soon as the activity goes to background.

We do notrequest: location (background or foreground service), camera (other than via the system file picker when you upload media), microphone, calendar, SMS, call log, body sensors, biometric, accessibility-service, or any "package usage stats" / device-admin permissions. The app does not run any background service or foreground service.

Crash reports collected by Google Play Vitals (when enabled by your device-level settings) are governed by Google's privacy policy and are not visible to us as individual user records — we only see aggregate crash-rate metrics in the Play Console.

The app distributes via the Google Play Store (package com.huni.app) under standard staged rollouts. Updates are pushed to the website continuously and to the native app on a separate cadence — fixes that don't require new permissions or native plugins reach you immediately the next time the app loads the WebView.

For any questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern, contact us at:

• Privacy inquiries & rights requests: privacy@huniwhisp.com
• Security disclosures: security@huniwhisp.com
• DMCA / copyright: dmca@huniwhisp.com (see Terms of Service §46 for the takedown procedure)
• General support: via the in-app feedback widget
• Child safety reports: see /child-safety for direct CSAM reporting + NCMEC CyberTipline

We will respond to most requests within 30 days. Complex requests may require up to 60 days with advance notice.