Legal

PRIVACY POLICY

April 27, 2026

PRIVACY POLICY

Version: 2.2.0 Last Updated: April 27, 2026 Effective Date: April 27, 2026

INTRODUCTION

This privacy notice for Whir Inc. ("Whir," "we," "us," or "our") describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:

  • Visit our marketing website at getwhir.com, or any website of ours that links to this privacy notice;
  • Visit our consumer web application at whir.community;
  • Visit our business web application at business.whir.community;
  • Download and use our mobile application (Whir), or any other application of ours that links to this privacy notice;
  • Engage with us in other related ways, including any sales, marketing, or events.

This Privacy Policy operates alongside our Terms of Service. Capitalized terms not defined here have the meanings given to them in the Terms of Service.

Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you have any questions or concerns, please contact us at contact@getwhir.com.

TABLE OF CONTENTS

  1. Summary of Key Points
  2. Account Types
  3. What Information Do We Collect?
  4. How Do We Process Your Information?
  5. What Legal Bases Do We Rely On?
  6. When and With Whom Do We Share Your Information?
  7. Content You Submit and Public Display
  8. On-Device Text Recognition (SmartVision)
  9. How Long Do We Keep Your Information?
  10. How Do We Keep Your Information Safe?
  11. Do We Collect Information from Minors?
  12. What Are Your Privacy Rights?
  13. Controls for Do-Not-Track Features
  14. State Privacy Rights
  15. Updates to This Notice
  16. How to Contact Us
  17. How to Review, Update, or Delete Your Data

SUMMARY OF KEY POINTS

This summary provides key points from our privacy notice. You can find more details about any of these topics by clicking the link following each key point or by using our table of contents above.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us, the choices you make, and the products and features you use. This includes information you submit as part of Deals, Events, and other User Content. Learn more about personal information you disclose to us.

Do we process any sensitive personal information? We do not process sensitive personal information.

Do we receive any information from third parties? Yes. We receive certain business information from third parties — specifically, the Google Places API — which we use to populate Unclaimed Business Listings on our Services. We may also receive information from authentication providers (such as Apple or Google) when you use them to sign in to your Account, and from our payment processor (Stripe) in connection with paid Business Subscriptions. Learn more in our data sharing section.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Learn more about how we process your information.

In what situations and with which parties do we share personal information? We may share information in specific situations and with specific third parties, including the Businesses associated with Content you submit and Events you RSVP to. Learn more about when and with whom we share your personal information.

Is the information I submit publicly visible? Some information you submit is published publicly on the Services — including Deals and Events you submit, and your username (unless you choose to submit anonymously). Learn more about public display of submitted Content.

How do we keep your information safe? We have organizational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. Learn more about how we keep your information safe.

What are your rights? Depending on where you are located geographically, the applicable privacy law may give you certain rights regarding your personal information. Learn more about your privacy rights.

How do you exercise your rights? The easiest way to exercise your rights is by submitting a data subject access request, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.

ACCOUNT TYPES

The Services support multiple Account types, and the data we process may differ depending on which type(s) you use. These are defined more fully in our Terms of Service:

  • Consumer Account — for individual users browsing, submitting, and RSVPing to Deals and Events.
  • Verified Business Account — for Businesses that have registered and been verified, allowing them to manage their presence on the Services.
  • Unclaimed Business Listing — a Business profile created by Whir (often automatically from public sources such as the Google Places API) for a Business that has not registered a Verified Business Account. No User account is associated with an Unclaimed Business Listing until claimed.

A single individual may hold both a Consumer Account and a Verified Business Account. References in this Privacy Policy to "your Account" apply to whichever Account type(s) you maintain.

1. WHAT INFORMATION DO WE COLLECT?

In Short: We collect personal information that you provide to us, information automatically collected from your use of the Services, information from third parties such as the Google Places API, and content you submit (such as Deals, Events, and RSVPs).

1.1 Personal Information You Disclose to Us

We collect personal information that you voluntarily provide to us when you register for an Account, express interest in our Services, participate in activities on the Services, or contact us. The personal information we collect depends on how you interact with us and may include:

For Consumer Accounts:

  • Names
  • Email addresses
  • Phone numbers
  • Passwords (stored encrypted; we do not have access to your plain-text password)
  • Contact preferences
  • Authentication data (e.g., backup email, security questions, optional two-factor authentication)
  • Username (which may be displayed publicly when you submit Content)

For Verified Business Accounts:

  • Business name
  • Business addresses
  • Business phone numbers
  • Business email addresses
  • Point of contact's first name, last name, and email address
  • Business verification information (see Section 1.4)
  • Payment information for paid Subscriptions (processed by Stripe — see Section 4)

1.2 Content You Submit

When you submit Deals, Events, RSVPs, or other Content to the Services, we collect the information you provide as part of that submission. This may include:

  • Title and description of the Deal or Event;
  • Business name and identifying information of the associated Business;
  • Date, time, and location information;
  • Optional images you choose to capture or select for SmartVision text recognition (processed entirely on your device — see Section 6);
  • Recognized text from SmartVision-processed images, if any;
  • Free-text fields you fill in;
  • Disclosed material connections (such as your relationship to the Business, in compliance with FTC requirements — see our Terms of Service);
  • Your visibility selection at the time of submission (publicly attributed by username, or anonymous);
  • For RSVPs to Events: the Event being RSVPed to, your username, and any associated profile information visible to the Business hosting the Event.

Important: Once submitted, your visibility selection (public or anonymous) cannot be changed. To remove identifying information from past submissions, you may delete your Account, which anonymizes your submission history (see Section 7).

1.3 Application Data

If you use our mobile application(s) or web applications, we may also collect the following information if you choose to provide us with access or permission:

  • Geolocation information: We may request access to track location-based information from your device, either continuously or only while the App is in use, to provide location-based features (such as showing nearby Deals and Events). You may change permissions at any time in your device settings.
  • Mobile device access: We may request access to certain device features, including:
    • Camera: For profile pictures, photo uploads, QR code scanning, and on-device text recognition (SmartVision) for Deal and Event submissions. Images processed via SmartVision are not transmitted to Whir or any third party — see Section 6 for details.
    • Photo library: For selecting existing images for upload or SmartVision processing.
    • Contacts: To help you connect with friends or invite others (only with your permission).
    • SMS messages: For account verification or two-factor authentication.
    • Social media accounts: For social login or sharing features.
  • Mobile device data: We automatically collect device information (device ID, model, manufacturer, OS version, network info, app usage, IP address, hardware model).
  • Push notifications: We may request permission to send you push notifications regarding your Account, RSVPed Events (including future Business-to-User communications about Event changes), or other features. You may opt out at any time in your device settings.

1.4 Business Verification Information

When you register a Verified Business Account, we may collect or generate information related to verifying your authority to operate the Business. This may include:

  • Information you provide (business license, domain ownership, point-of-contact details);
  • Information obtained from third-party verification services or APIs (including the Google Business API);
  • Records of communications during verification (such as confirmation calls, emails, or in-person visits);
  • Records of unsuccessful verification attempts.

If your verification fails, we may retain a record of the attempt for fraud prevention and audit purposes. Successful verification information is retained for the life of the Verified Business Account.

1.5 Information Automatically Collected

We automatically collect certain information when you visit, use, or navigate the Services. This information does not directly reveal your specific identity but may include:

  • IP address (your internet protocol address);
  • Browser and device characteristics (browser type, device model, screen resolution);
  • Operating system (your device's OS and version);
  • Language preferences;
  • Referring URLs (the website that brought you to our Services);
  • Usage information (how and when you use our Services, search queries, page views, feature usage, error reports, performance data).

This information is primarily needed to maintain security and operation of our Services and for internal analytics and reporting.

We also collect information through cookies and similar technologies, including log and usage data, device data, and approximate location data based on IP address.

1.6 Information from Third Parties

We may receive information from the following third-party sources:

  • Google Places API: We receive publicly available business information (such as business name, address, phone number, hours of operation, and Google Place ID) to create and populate Unclaimed Business Listings on the Services. Use of Google Places data is subject to Google's privacy policy and terms of use.
  • Authentication providers: If you choose to register or sign in using a third-party service (such as Sign in with Apple or Google), we receive basic profile information from those providers (such as your name and email address) per the permissions you grant.
  • Payment processor (Stripe): For paid Business Subscriptions, we receive transaction confirmation, last-four digits of the payment card, billing zip code, and similar limited information from Stripe. We do not receive or store full payment card numbers.
  • Public data sources: From time to time, we may use other publicly available data sources to enhance Business profile information.

1.7 Sensitive Information

We do not process sensitive information. This includes (but is not limited to):

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for identification purposes (SmartVision performs text recognition only — it does not perform facial recognition, biometric identification, or any person-identifying analysis on images)
  • Health data
  • Data concerning sex life or sexual orientation
  • Social security numbers
  • Full financial account information (credit cards, bank accounts) — payment information is handled by Stripe; Whir does not store full payment card or bank account numbers

If you accidentally provide sensitive information, please contact us immediately at contact@getwhir.com so we can remove it.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, to facilitate Content submissions and approvals, and to comply with law.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

  • Account management: To facilitate Account creation, authentication, and ongoing maintenance of Consumer and Verified Business Accounts.
  • Service delivery: To provide you with requested Services, including browsing Deals and Events, submitting Deals and Events, RSVPing to Events, and (for Businesses) managing your presence on the Services.
  • Content submission and approval workflow: To process Deal, Event, and other Content submissions through our review and approval process, including sharing submission information with the associated Business if it has a Verified Business Account, displaying submissions publicly, and tracking the relationship between Submitters and the Content they submit.
  • Business verification: To verify the legitimacy of Businesses and the authority of those who register Verified Business Accounts.
  • Communication: To respond to inquiries, send administrative information, and (where you have RSVPed to an Event) facilitate communication between you and the Business about Event details.
  • Marketing communications: To send marketing and promotional communications consistent with your preferences. You may opt out at any time.
  • Targeted advertising: To develop and display personalized content and advertising tailored to your interests.
  • Analytics and improvement: To analyze how our Services are used and identify ways to improve them.
  • Security and fraud prevention: To keep our Services safe, including detecting fraudulent activity and unauthorized access.
  • Content moderation: To review submissions, audit Content for accuracy, and enforce our Terms of Service.
  • Legal compliance: To comply with applicable laws, respond to legal processes, and protect rights and safety.

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law.

3.1 U.S.-Based Operations and International Users

The Services are currently offered to users located in the United States. Whir does not represent that the Services are fully compliant with the General Data Protection Regulation (GDPR), the UK GDPR, the Personal Information Protection and Electronic Documents Act (PIPEDA, Canada), or other non-U.S. privacy frameworks. We have designed our practices to support the principles underlying these frameworks, but we do not currently offer the Services to users in the European Economic Area (EEA), United Kingdom, Switzerland, or Canada and do not hold ourselves out as a controller or processor under those laws.

If you are located in the EEA, UK, Switzerland, or Canada, please do not provide personal information to Whir until we have specifically expanded availability to your jurisdiction and updated this Privacy Policy accordingly. The information in Sections 3.2 and 3.3 below is provided for informational purposes — to describe the principles we aim to support — and should not be read as a representation of full compliance with the laws referenced.

3.2 GDPR / UK GDPR Principles (For Reference)

If GDPR or UK GDPR were to apply, the legal bases we would rely on include:

  • Consent: When you have given us permission to use your personal information for a specific purpose. You may withdraw consent at any time.
  • Performance of a contract: When processing is necessary to fulfill our contractual obligations to you under our Terms of Service.
  • Legitimate interests: When reasonably necessary to achieve our legitimate business interests (such as Service improvement, marketing, fraud prevention, and analytics), provided these don't outweigh your rights.
  • Legal obligations: When necessary to comply with our legal obligations (such as cooperating with law enforcement).
  • Vital interests: When necessary to protect your vital interests or those of another person.

3.3 Canadian PIPEDA Principles (For Reference)

If PIPEDA were to apply, we would process your information based on your express or implied consent, except where applicable law permits processing without consent (e.g., investigations, emergencies, fraud prevention, journalistic/literary/artistic purposes).

3.4 U.S. State Privacy Laws

For users in the United States, our processing is conducted in compliance with applicable state privacy laws (see Section 12).

4. WHEN AND WITH WHOM DO WE SHARE YOUR INFORMATION?

In Short: We may share information in specific situations described below. We do not sell your personal information.

4.1 With Businesses Associated with Your Submissions and RSVPs

When you submit a Deal or Event, the submission (and your username, if you submitted publicly) is shared with the associated Business if that Business has a Verified Business Account, so the Business can review, approve, modify, or merge it. Anonymous submissions remain identifiable to Whir but are not attributed to you publicly or to the Business.

When you RSVP to an Event, the Business hosting the Event may have visibility into the fact that you RSVPed, including (subject to your privacy settings) your username and associated profile information. We may, in the future, enable Business-to-User communications regarding Events (such as cancellation notices, schedule changes, or other Event-related updates). By RSVPing, you agree that the Business and Whir may contact you in connection with the Event.

4.2 With Service Providers

We may share your information with third-party service providers we engage to perform business operations on our behalf. These service providers are contractually obligated to use your information only for the purposes for which it is shared and to protect it consistent with this Privacy Policy. Our key service providers include:

  • Stripe (payment processing): For paid Business Subscriptions, Stripe processes payment information including names, billing addresses, and payment card information. Whir does not receive or store full payment card numbers. Stripe's privacy practices are governed by Stripe's Privacy Policy.
  • Google (Maps, Places, Analytics):
    • Google Maps Platform APIs (e.g., Maps API, Places API): Used to display location information and to populate Business profile data. We obtain and may cache your device's location to enable location-based features. You may revoke consent at any time by emailing contact@getwhir.com.
    • Google Analytics: Used to track and analyze use of the Services. To opt out, visit https://tools.google.com/dlpage/gaoptout. For more information on Google's privacy practices, see the Google Privacy & Terms page.
  • Cloud infrastructure providers: We use leading cloud providers (such as Amazon Web Services) with enterprise-grade security certifications to host the Services and store data.
  • Authentication providers: Apple, Google, or other third-party authentication services, when you use them to sign in.
  • Email and notification services: For sending account-related emails, marketing communications, and push notifications.
  • Form/data-collection services: For handling data subject access requests and similar contact forms.

4.3 With Other Users (Public Display)

When you submit Content (such as Deals, Events, or comments), or otherwise interact with public areas of the Services, your submitted Content may be visible to all Users and may be publicly available outside the Services. Your username is displayed alongside your submissions unless you elected to submit anonymously. Information shared in public areas cannot be made fully private again and may be cached or archived by third parties.

4.4 With Affiliates (If Any)

If Whir is acquired by, merges with, or becomes affiliated with another entity in the future, your information may be shared with that affiliate, which would be required to honor this Privacy Policy. As of the date of this Policy, Whir Inc. has no parent company, subsidiaries, or other affiliates.

4.5 In Connection with Business Transfers

We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

We may share your information when required by law or to protect our rights and the safety of others, including:

  • To comply with applicable laws, regulations, court orders, or legal processes (including subpoenas or warrants);
  • To cooperate with law enforcement;
  • To protect the rights, property, or safety of Whir, our Users, Businesses, or others;
  • To detect, prevent, or address fraud, security, or technical issues;
  • To enforce our Terms of Service;
  • To respond to claims of intellectual property infringement, including DMCA takedown notices (see our Terms of Service §15 for details).

4.7 We Do Not Sell Personal Information

We do not "sell" personal information for monetary or other valuable consideration as that term is defined under applicable U.S. state privacy laws. Where we share personal information with service providers (such as Stripe, Google, or cloud infrastructure providers) and with Businesses (in connection with submissions and RSVPs), we do so only as necessary to deliver the Services and under appropriate contractual or legal protections.

5. CONTENT YOU SUBMIT AND PUBLIC DISPLAY

In Short: Deals, Events, and certain other Content you submit are published publicly on the Services. Your username is displayed unless you chose to submit anonymously. This visibility cannot be retroactively changed except by deleting your Account.

5.1 What Becomes Public

When you submit a Deal or Event, after our review and (where applicable) the associated Business's review, the submission may be published on the Services and made visible to:

  • All Users of the Services;
  • Visitors to public-facing pages on whir.community, business.whir.community, or getwhir.com;
  • Search engines that index public pages;
  • Third parties who copy, screenshot, or archive the public Content.

Information that may be publicly visible includes:

  • The Deal or Event itself (title, description, date/time, location, terms);
  • The associated Business name;
  • Your username, if you chose public attribution at the time of submission (or "Anonymous" if you chose anonymity);
  • The submission date;
  • Any disclosed material connection (e.g., "Submitted by an employee of [Business]") if Whir, in its discretion, displays such disclosure publicly;
  • Verification status indicators (e.g., "Submitted by [username]," "Not verified by [Business]," or "Business-approved").

5.2 Anonymous Submissions

If you elect to submit anonymously:

  • Your username will not be publicly displayed alongside the submission (it will appear as "Anonymous" or similar);
  • Whir retains the ability to identify you as the Submitter for purposes of moderation, audit, repeat-infringer tracking, FTC compliance, and (if applicable) any future compensation programs;
  • The anonymous designation cannot be changed retroactively to public attribution, or vice versa.

5.3 Visibility Cannot Be Changed Retroactively

Once you submit Content, your visibility selection (public or anonymous) is locked. If you wish to remove your name from already-published Content, your only remedy is to delete your Account, which will anonymize all of your past submissions (see Section 7.2).

5.4 Submissions to Unclaimed Business Listings

If you submit a Deal or Event for a Business that does not have a Verified Business Account, the submission may be published under an Unclaimed Business Listing for that Business. Such submissions are clearly marked as User-submitted and not Business-verified. The Business may later claim the Listing and gain audit, edit, and removal rights over previously published submissions, including the ability to see the username of the Submitter (or, for anonymous submissions, that the submission was made anonymously).

5.5 Removal of Public Content

You may request removal of submitted Content by contacting contact@getwhir.com. Whir may grant or deny such requests at its sole discretion. Information that has been publicly displayed may have been cached, archived, or copied by third parties beyond Whir's control, and we cannot guarantee complete removal from all locations.

5.6 Repeat Infringer and Moderation Records

We may retain records of Content moderation actions, removed submissions, and DMCA notices for the purpose of enforcing our Terms of Service, complying with legal obligations (including DMCA repeat-infringer requirements under 17 U.S.C. § 512), and operating the Services. See our Terms of Service §14–15 for the related processes.

6. ON-DEVICE TEXT RECOGNITION (SMARTVISION)

In Short: SmartVision processes images entirely on your device. No image data is transmitted to Whir or any third party. Only the recognized text — after your review — is submitted as part of your Deal or Event.

6.1 What SmartVision Does

SmartVision is an optional feature of our mobile App that allows you to:

  • Capture an image of a menu, deal sign, or similar source using your device's camera; or
  • Select an existing image from your device's photo library;

…and to extract text from the image to assist in completing a Deal or Event submission.

6.2 On-Device Processing Only

All image processing for SmartVision occurs entirely on your device. Specifically:

  • Text recognition is performed using on-device machine-learning libraries that run locally on your device's hardware;
  • No image, image data, or biometric information is transmitted to Whir's servers, to any third party, or to any external processing service;
  • Whir does not receive, store, or have access to the image you capture or select;
  • Only the recognized text — that is, the alphanumeric text extracted from the image, after your review and submission — is transmitted to Whir as part of your Deal or Event submission.

6.3 Image Storage on Your Device

When you capture or select an image for SmartVision processing, the image is temporarily written to your device's local app cache to enable processing. Following completion of text recognition and submission of the resulting Deal or Event, the App deletes the image from its cache. Notwithstanding the foregoing, copies of the image may continue to exist in:

  • Your device's general photo library, if you elected to save the original image there independently of the App;
  • Your device's operating-system-level cache, which is managed by your device manufacturer and outside Whir's control;
  • Backups of your device taken by you or by a third-party service.

6.4 No Facial Recognition or Biometric Identification

SmartVision performs text recognition only. Whir does not perform facial recognition, biometric identification, or any other person-identifying analysis on images you process through SmartVision. SmartVision is not subject to biometric privacy laws (such as the Illinois Biometric Information Privacy Act) because it does not collect, capture, or process biometric identifiers.

6.5 OCR'd Text Retention

Recognized text that you submit as part of a Deal or Event submission is retained as part of that submission, in accordance with the retention rules in Section 7.

6.6 Permissions

Use of SmartVision requires your express permission to access your device's camera and/or photo library. You may revoke this permission at any time in your device's settings, in which case SmartVision will be unavailable but you may continue to submit Deals and Events manually.

6.7 Artificial Intelligence and Machine Learning

As of the effective date of this Privacy Policy, Whir does not integrate user-facing artificial intelligence or machine-learning models ("AI/ML") into the Services, other than the on-device text recognition described above. We do, however, use AI tools internally to help build, test, and operate the Services (for example, AI-assisted coding tools used by our engineers). These internal tools generally do not process Users' personal data.

Whir may, in the future, introduce user-facing AI/ML capabilities — such as automated content moderation, deal categorization, recommendations, or similar features. If and when we do, we will update this Privacy Policy to describe what the feature does, what data it processes, and which AI providers (if any) we rely on. We will also list any third-party AI/ML providers as sub-processors where they process personal data on Whir's behalf.

For more information on how Whir thinks about AI/ML — including how researchers can report AI-related security concerns — see our Responsible Disclosure Program.

7. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements — except for User-submitted Content, which may persist after your Account is deleted but in anonymized form.

7.1 General Retention

We will only keep your personal information for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law (such as for tax, accounting, fraud prevention, or legal compliance purposes).

For most personal information categories, we retain data:

  • For Consumer Accounts: as long as you have an active Account, plus a reasonable post-termination period for legal and operational purposes;
  • For Verified Business Accounts: as long as the Account is active, plus a reasonable post-termination period;
  • For payment and transaction records: as required by tax and accounting laws (typically 7 years);
  • For marketing communications: until you opt out and a reasonable processing period thereafter.

When we no longer have a legitimate business need to process your personal information, we will either delete or anonymize it, or, if not possible, we will securely store it and isolate it from further processing until deletion is possible.

7.2 User-Submitted Content After Account Deletion

If you delete your Account, the Deals, Events, and other public Content you have submitted may remain on the Services, but your username and other identifying information will be anonymized (displayed as "Anonymous" or similar). This is described in our Terms of Service §9.4.

If you wish to receive a copy of the User Content you have submitted before deleting your Account, you may request a data export by emailing contact@getwhir.com or by submitting a data subject access request prior to deletion.

7.3 SmartVision Recognized Text

Text recognized via SmartVision and submitted as part of a Deal or Event submission is retained for as long as the associated Deal or Event remains on the Services, subject to the same anonymization rules as other submission text. Original images are not retained by Whir at any point (see Section 6).

We may retain certain records — including records of submissions, moderation actions, account-termination decisions, DMCA notices, repeat-infringer flags, and verification attempts — for longer periods as needed for legal compliance, fraud prevention, dispute resolution, and operational integrity, even after Account deletion.

8. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We use industry-standard technical safeguards and reasonable operational practices to protect your information, but no system is perfectly secure, and security is a shared responsibility.

8.1 Technical Safeguards

We use industry-standard encryption to protect personal information in transit between your device and our servers, and at rest in our databases. We rely on reputable cloud and infrastructure providers (including Amazon Web Services and MongoDB Atlas) that maintain their own security certifications, and we configure our use of those services consistent with their recommended security practices.

8.2 Organizational Practices

Whir is an early-stage company. The security practices we currently maintain include:

  • Multi-factor authentication (MFA) on high-importance administrative accounts used to operate the Services;
  • Role-based access to systems containing personal information, limited to those who need access to perform their work;
  • Use of reputable, security-certified cloud providers for infrastructure and data hosting (such as AWS and MongoDB Atlas);
  • Encryption of data in transit and at rest using industry-standard methods.

8.3 What We Do Not Currently Claim

To be transparent about our current posture, Whir does not currently hold formal third-party security certifications such as SOC 2, ISO 27001, or PCI-DSS. We do not currently maintain a 24/7 security operations team, subscribe to commercial threat intelligence feeds, or conduct regular third-party penetration testing. As Whir grows, we may pursue additional certifications and adopt additional safeguards, and we will update this Privacy Policy to reflect any material changes.

8.4 Security Is Shared — Your Role

Even strong technical safeguards depend on good practices from the people who use the Services. We encourage you to:

  • Use a strong, unique password for your Whir Account, and avoid reusing passwords across services;
  • Enable two-factor authentication (2FA) on your Account if available, for an additional layer of protection;
  • Review your Account periodically for unfamiliar activity or unauthorized access;
  • Keep your devices updated with the latest security patches and reputable anti-malware software;
  • Connect through trusted networks when possible, and be cautious on public or shared Wi-Fi;
  • Watch for phishing attempts — Whir will never ask for your password by email, SMS, or phone. If you receive a suspicious message claiming to be from Whir, please report it to us;
  • Be intentional about what you share publicly on the Services — once Content is publicly displayed (such as a Deal or Event submission), it may be cached or copied beyond Whir's control;
  • Log out when you finish using the Services on a shared or public device.

8.5 Reporting Security Concerns and Vulnerability Disclosure

If you believe you have discovered a security vulnerability in the Services, observed suspicious account activity, or received a suspicious communication claiming to be from Whir, please report it to security@getwhir.com.

We welcome good-faith reports from security researchers and users. We will acknowledge receipt of valid reports and work in good faith to investigate. We do not currently operate a paid bug bounty program.

8.6 Inherent Limits

Despite these safeguards, no electronic transmission or storage system is 100% secure. Internet communications can be intercepted, third parties may attempt to defeat our protections, and human error remains a risk. Whir cannot promise or guarantee that unauthorized parties will never gain access to personal information. By using the Services, you acknowledge that transmission of personal information to and from our Services is at your own risk.

8.7 Data Breach Notification

In the event of a security incident affecting your personal information, we will:

  • Promptly assess the scope and impact of the incident;
  • Take immediate steps to contain and mitigate it;
  • Investigate to understand what happened and prevent recurrence;
  • Notify affected users without undue delay, and in any event within the timeframes required by applicable law, by email or in-Service notification;
  • Provide clear information about what happened and what information was involved;
  • Explain what we are doing to address the incident;
  • Provide guidance on steps you can take to protect yourself.

9. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from or market to children under 13 years of age.

We do not knowingly solicit data from or market to children under 13 years of age. By using the Services, you represent that you are at least 13, or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services. If we learn that personal information from users less than 13 years of age has been collected, we will deactivate the Account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 13, please contact us at contact@getwhir.com.

10. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on your jurisdiction, you may have rights to access, correct, delete, or port your personal information, and to object to or restrict its processing.

You may have any of the following rights, depending on your jurisdiction:

  • Right to access: Request access to the personal information we have about you.
  • Right to rectification: Request correction of inaccurate personal information.
  • Right to erasure: Request deletion of your personal information.
  • Right to restriction: Request that we restrict processing of your information.
  • Right to data portability: Request a copy of your personal information in a machine-readable format.
  • Right to object: Object to certain processing, including for direct marketing.
  • Right to withdraw consent: Withdraw consent to processing for which we relied on your consent.
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

You may also have the right to lodge a complaint with your local data protection authority.

How to Exercise Your Rights

The easiest way to exercise these rights is by submitting a data subject access request or by emailing us at contact@getwhir.com. We will respond as required by applicable law (typically within 30–45 days, with possible extensions).

We may need to verify your identity before processing your request. Verification may involve confirming information already on file or contacting you through your registered email or phone.

Account Information

You may at any time:

  • Log in to your Account settings and update your personal information and preferences;
  • Change your communication and privacy settings;
  • Cancel your Account, in which case we will deactivate it and delete your information from active databases (subject to retention exceptions in Section 7).

11. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Policy.

12. STATE PRIVACY RIGHTS

If you are a resident of certain U.S. states, you may have additional rights under state privacy laws. The Services are currently offered to users located in the United States.

12.1 California Residents

This section applies to California residents. Under the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), you have the rights listed below.

Categories of personal information collected (last 12 months):

CategoryExamplesCollected
A. IdentifiersName, alias, postal address, IP address, email address, account name, online identifierYES
B. Personal information (Cal. Customer Records)Name, contact info, employment, financial informationYES
C. Protected classification characteristicsGender, date of birthYES
D. Commercial informationTransaction information, purchase history, payment informationYES
E. Biometric informationFingerprints, voiceprintsNO
F. Internet/network activityBrowsing history, search history, online behaviorYES
G. Geolocation dataDevice locationYES
H. Audio, electronic, visual, thermal, olfactory, or similarVisual data captured for SmartVision text recognitionYES (processed on-device only; not transmitted to or stored by Whir)
I. Professional or employment-relatedBusiness contact detailsYES (for Verified Business Accounts)
J. Education informationStudent recordsNO
K. Inferences from collected informationProfile or summary about preferences and characteristicsYES
L. Sensitive personal information(See Section 1.7)NO

Sources of information: Directly from you; from third parties such as the Google Places API, Stripe, and authentication providers; automatically through your use of the Services.

Purposes of collection: As described in Section 2.

Sharing: We have not sold personal information in the preceding 12 months, and we will not sell personal information in the future. We share personal information with service providers and Businesses as described in Section 4.

Your rights under CCPA/CPRA:

  • Right to know what personal information is collected, used, disclosed, or sold;
  • Right to access your personal information;
  • Right to request correction of inaccurate personal information;
  • Right to request deletion of your personal information;
  • Right to opt out of the sale or sharing of personal information (we do not sell personal information);
  • Right to limit use and disclosure of sensitive personal information (we do not process sensitive personal information);
  • Right to non-discrimination for exercising your rights.

To exercise these rights, email contact@getwhir.com or submit a data subject access request.

California "Shine the Light" Law: California Civil Code § 1798.83 permits California residents to request information regarding the disclosure of personal information to third parties for direct marketing purposes. Send such requests to contact@getwhir.com.

Minors under 18: California residents under 18 may request removal of content they have publicly posted on the Services by contacting us. We will remove such content from public display, although it may not be completely removed from all systems (such as backups).

12.2 Colorado Residents

Under the Colorado Privacy Act (CPA), you have the right to: be informed whether we are processing your personal data; access; correct; delete; obtain a copy; and opt out of targeted advertising, sale, or profiling. To exercise these rights, email contact@getwhir.com or submit a data subject access request. Appeals: email contact@getwhir.com; we will respond within 45 days.

12.3 Connecticut Residents

Under the Connecticut Data Privacy Act (CTDPA), you have the same rights as Colorado residents. Submit requests to contact@getwhir.com or data subject access request. Appeals: we will respond within 60 days.

12.4 Utah Residents

Under the Utah Consumer Privacy Act (UCPA), you have the right to: be informed of processing; access; delete; obtain a copy; and opt out of targeted advertising or sale. Submit requests to contact@getwhir.com or data subject access request.

12.5 Virginia Residents

Under the Virginia Consumer Data Protection Act (VCDPA), you have the rights to: be informed; access; correct; delete; obtain a copy; and opt out of targeted advertising, sale, or profiling. Submit requests to contact@getwhir.com or data subject access request. If you believe your rights have been violated, you may file a complaint with us and/or the Virginia Attorney General.

12.6 Other States

We honor privacy rights under all applicable state laws. If you reside in a state with comprehensive privacy legislation not specifically named above, please contact us to exercise your rights.

13. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws and to reflect changes in our Services.

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last Updated" date.

Consistent with our Terms of Service §21, we distinguish between material and non-material changes:

  • Material changes to this Privacy Policy (such as expanded data collection, new categories of sharing, or significant changes to user rights) will be communicated by email and/or prominent in-Service notice at least 30 days before the changes take effect.
  • Non-material changes (such as clarifications, formatting, or typo corrections) are effective immediately upon posting, with the "Last Updated" date refreshed.

We encourage you to review this Privacy Policy frequently to be informed of how we are protecting your information.

14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this Privacy Policy, you may contact us:

Whir Inc. 3760 Mercier St Kansas City, MO 64111

Privacy / general contact: contact@getwhir.com Security concerns and vulnerability reports: security@getwhir.com DMCA notices: dmca@getwhir.com Data subject access requests: https://getwhir.com/legal/data-request

15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

You have the right to request access to the personal information we collect from you, change that information, or delete it. To request to review, update, or delete your personal information, please submit a data subject access request or email us at contact@getwhir.com.