Privacy Policy

Last updated: June 17, 2026

1. Introduction

HuniWhisp is operated by Nexude LLC, a New Jersey limited liability company (NJ Entity ID 0451490388). Nexude LLC ("we", "our", "us") operates the HuniWhisp platform and its mobile applications (built with Capacitor). This Privacy Policy explains what data we collect, how we use it, with whom we share it, how long we keep it, and the rights you have over it. This policy is written to be readable by humans, not lawyers — if anything is unclear, contact us.

By using HuniWhisp you accept the practices described here. If you live in a region with stronger statutory privacy rights (EU/EEA, UK, California, Brazil, Canada, Australia, etc.), those rights apply in addition to anything described below — your local law always wins where there is conflict.

Pseudonymity model: Huni does not display real names, email addresses, or IP addresses on posts. Your chosen username serves as your pseudonym on every surface readers can see. Effective anonymity therefore depends on you choosing a username that cannot be connected back to you — avoid your real name, work nickname, email handle, and any username you already use on other platforms. We have taken extensive measures (encrypted PII at rest, no public profile fields beyond the username, no cross-platform tracking, internal-only IP retention), but there is always a small residual risk of re-identification if you pick a recognisable username.

2. Information We Collect

Information you provide directly:

  • Account: username, email address, password (we hash this; we never see or store the plaintext)
  • Username history: when you change your username we keep a record of the change (old name, new name, timestamp) in an identity ledger used for moderation and anti-abuse. Your recent former usernames may be shown publicly on your profile as “Also known as” so other members can recognise you across a rename — except any former username that itself violated our rules (for example a slur), which is withheld from public display and visible to our moderation team only (see Terms §13)
  • Profile: optional display name, bio, avatar image, theme preference, language preference
  • Age information: an age group you select at signup, and an optional exact date of birth you may choose to provide. Any date of birth is stored privately, is never displayed to other users and never used for advertising, and is used solely for age assurance and age-appropriate protections — keeping your age accurate over time (your age group updates automatically when you turn 18) and enforcing the minor-messaging safeguards described in our Terms and Safety pages (see §9)
  • Content you create: confessions, diary entries, stories, aspirations, reviews, autographs, comments, reactions, bookmarks, and any media (images/videos) you upload
  • Direct messages you send to other users (see §4 for encryption details)
  • Optional contact-sync hashes (only if you explicitly enable contact sync — see §3 for details)
  • Transaction records for your in-app wallet activity — donations, premium subscriptions, autograph purchases, ad campaigns, and the like (amount, currency, timestamp, and the counterparties). These run on Huni's internal virtual economy (see Terms §10a); no real-money payment processor is currently wired in. If we later enable real-money funding or payouts, payment details would be handled by a payment processor (see §5)
  • Reports you submit, feedback, support requests, and identity-reveal NDA acknowledgements
  • Aspirations activity: timeline updates, completion status, and timestamps used to enforce our anti-spam rules (see §3)
  • Shoutout view records: which shoutouts you (as a signed-in member) have viewed, with a timestamp. This drives the rotating "unseen-first" Shoutouts rail so you aren't shown the same one twice, and it powers an aggregate "seen" count visible alongside a shoutout. The count is aggregate only — a shoutout's sender sees how many members viewed it, never who (see Terms §25a)
  • Friend graph: friend requests you send and receive (with timestamps + status pending/accepted/declined/cancelled), and accepted friendships (the user IDs of you and the other person, plus the date you became friends). Friend lists are private to each side and never published
  • Public-profile visibility preferences: six toggle settings (show posts / diaries / aspirations / autographs / friend count / member-since) that control what the /u/{username} viewer renders for visitors
  • Optional self-declared region: a country — and, if you choose, a state/province and city — you may add at signup or later from your Account page. Each of the three fields has its own public-profile visibility toggle; by default only the country can appear publicly, and state and city stay private until you switch them on. This is information you typed, shown only as you allow, and it is kept separate from the coarse IP-derived location described below, which is internal analytics only and is never shown to other users
  • Private-mode preference: a single boolean controlling whether non-friends can DM you

Information collected automatically:

  • IP address at signup and at each login (used for fraud detection, VPN/proxy identification, and ban enforcement)
  • Browser and device information (user agent string)
  • Approximate geolocation derived from your IP address (country/region — never precise GPS coordinates derived from IP)
  • Session token (HTTP-only secure cookie) used to keep you signed in
  • Failed login attempts (email hash + IP + timestamp) for brute-force protection
  • Login alerts: when you sign in from a new IP, we send you a notification email
  • Aggregate usage metrics via Google Analytics — only after you opt in to analytics cookies (see §8)
  • Optional location tags you attach to a post (these are intentionally obscured by 0.5–2 km before storage to prevent doxxing)
  • Referral attribution: if you arrive via a shared link carrying a referral code (e.g. ?ref=CODE), we store that code in a first-party, time-limited cookie (huni_ref, ~60 days, first-touch) so a later signup can be credited to the member who referred you. The cookie holds only the short referral code — no name, email, or tracking identifier — and is used solely for referral attribution, not advertising (see §8 and Terms §35b)
  • Feedback intercept poll: we run a small, dismissible site-wide poll that surfaces at most once per visitor (triggered by a dwell timer or exit-intent, whichever comes first). If you choose to respond, we record a client-generated visitor_id (a random identifier kept in your browser's local storage to de-duplicate responses — it is not derived from, or linked to, your real-world identity), an audience classification (new vs. returning visitor), an optional sentiment rating (1–5), an optional free-text comment, and the page path you answered on. If you happen to be logged in we also associate your account id; logged-out visitors are recorded with no account id at all. We do not store dismissals server-side.
  • Email-verification status: a single email_verified flag on your account is checked when you attempt certain abuse-prone actions (sending donations, initiating DMs, creating groups, applying for an organization account, sending member-created shoutouts). It is a light deterrent only — see §3 and Terms §10b.

3. How We Use Your Information

  • To create and operate your account, deliver the platform's features, and remember your preferences
  • To send transactional emails: account verification, password resets, login alerts from new IPs, payment receipts, account-deletion confirmations
  • To enforce our Terms of Service, community guidelines, and anti-spam limits (e.g., the 3-aspirations-per-day creation cap requires us to count your recent aspiration timestamps)
  • To detect, prevent, and respond to abuse, fraud, brute-force attacks, ban evasion, and security incidents
  • To record and reconcile in-app wallet transactions for donations, premium subscriptions, autographs, and ad campaigns within Huni's internal virtual economy — and, if real-money funding or payouts are later enabled, to process those payments via a payment processor (we never see your full card number)
  • To run automated content safety scans on posts and messages — this is a fully-automated system that may flag content for human moderator review or temporarily restrict an interaction. You have the right to request human review of any automated decision that affects your account (see §7)
  • To respond to your support requests, feedback, and reports against other users
  • To assess product satisfaction and improve the platform using feedback intercept poll responses — we use the ratings and comments to gauge how members feel about recent updates and to identify pain points. Responses are reviewed and analysed in aggregate; individual comments may be read by our team but are never associated with your account for marketing, and this data is not shared with third parties
  • To enforce the email-verification gate — we check your email_verified flag when you try to send a donation, start a DM, create a group, apply for an organization account, or send a member-created shoutout. This is a deterrent-only check: your email address is never shared with any third-party abuse-detection service and is used solely to gate these specific abuse-prone features (see Terms §10b)
  • To match optional contact-sync uploads against existing HuniWhisp users — see "Contact Sync" below for the strict no-retention rule
  • To send important service announcements (e.g., scheduled maintenance, terms updates, breach notifications) — these are not marketing emails and you cannot opt out of them while your account is active

Contact Sync (optional, off by default):

If you choose to enable contact sync from the mobile app, we hash each contact's phone number and email address using SHA-256 on your device, send only the hashes, match them against existing user hashes server-side, and discard the hashes immediately after the matching query completes. We never store raw contact data, hashed contact data, or names. You can disable contact sync at any time, and there is nothing on the server to delete because nothing was retained.

Contact Picker: HuniWhisp uses the operating system's Contact Picker for one-off contact selection flows (e.g., inviting a friend). The Contact Picker does not grant HuniWhisp broad access to your address book — only the specific contact you pick in that moment is shared, and nothing is retained on our servers. Broad contacts access is only requested when you explicitly enable full Contact Sync as described above, and the hashes-then-discard pipeline applies.

Location Data:

HuniWhisp does not request precise (GPS) location in the background, and does not use geofencing. The only location signals we use are:

  • IP-derived approximate location (country/region) — never precise GPS coordinates.
  • Optional per-post location tags — only when you explicitly attach one to a post. This uses the operating system's one-time precise-location option (the recommended minimum scope); we never ask for always-on background location. The raw coordinates are obscured by 0.5–2 km before being stored to prevent doxxing.
  • Optional self-declared region — a country (and, if you choose, a state/province and city) you enter yourself on your Account page, never derived from GPS. Visibility is per-field and entirely yours to control: by default only the country can appear on your public profile, and state and city remain private unless you enable them. You can change or clear these fields at any time.

We do not use any foreground-service location, and we do not use the Geofence API.

Health and Fitness Data:

HuniWhisp does not integrate with Health Connect, does not request any health or fitness permissions, and does not collect, store, or process menstrual-cycle, alcohol-consumption, symptom, or other health-category data. If this ever changes, we will update this policy and request the minimum granular permissions required, and we will never use such data to determine employment or insurance eligibility, or share it for unauthorized social purposes.

Automated Decision-Making:

HuniWhisp uses automated systems to scan content (text and images) for safety violations, hate speech, illegal content, CSAM, and spam patterns. Automated systems may temporarily restrict an interaction (e.g., delay a post, require re-verification) pending human review. If your account is affected by an automated decision, you have the right to request a human moderator to review it (see §7) — we will respond within 14 days.

Automated Media Screening:

Images, voice notes, and audio/video clips you upload are automatically screened for safety by automated systems after they are posted. This screening may include third-party AI processing of the media content itself — for example, automated transcription of audio so the transcript can pass through the same safety scanner as written posts, or automated analysis of an image (see §5 for the providers involved). Screening checks only for the safety categories described above — it is never used for advertising, profiling, or any purpose other than safety. Screening runs in the background and never delays or blocks your post from publishing. Screening results (the verdict and, where applicable, an audio transcript) are retained as moderation records; no human reviews media that screens clear — a person only looks at media the automated system flags or that another user reports. The right to human review of automated decisions (§7) applies to media screening exactly as it does to text scanning.

3b. Communications & Re-engagement Notifications

We use the channels you have enabled — push notifications, email, and in-app messages — to send you two kinds of communication. This section explains what we send, how it is personalized, and how to turn it off. The corresponding consent terms are in Terms of Service §12a.

  • Service & transactional messages — verification, password resets, login alerts from new IPs, payment/donation receipts, security and moderation notices, and policy updates. These are necessary to operate your account and, while your account is active, are sent regardless of marketing preferences (you cannot opt out of them without deleting your account).
  • Activity & re-engagement messages — reminders, "while you were away" summaries of activity waiting for you (unread reactions, replies, mentions, new followers, or messages), and prompts to return. These are the messages you can opt out of.

What data drives these messages:

  • Your notification preferences and channel settings.
  • Your device push token (if you granted push) and your verified email address.
  • Activity signals we already hold — your unread notifications and their types, and a derived estimate of the hour of day you are typically active (and, where you have provided it, your time-zone offset) — used so a return-reminder can be sent at a sensible local time and can reference the activity actually waiting for you.
  • A send log recording that a re-engagement message was sent to you and when, so we can enforce frequency caps and not over-message you.

First-party only. This personalization uses your own account data and happens on our own systems. We do not sell, rent, or share your email address or push token with third parties for their marketing, and re-engagement messages are not advertiser-paid placements. The only third parties involved are the infrastructure providers that physically deliver a message (your device's push service, your OS/browser, and our transactional email provider) — see §5.

Frequency caps & no delivery guarantee. We rate-limit re-engagement messages (for example, a return-reminder email is capped to roughly once per day and is subject to a multi-day cooldown; personalized pushes fire only after a period of inactivity). We do not guarantee the delivery, timing, or receipt of any notification, as delivery depends on services outside our control.

How to opt out. Turn off activity and re-engagement messages per category in Profile » Preferences; disable push at the OS or browser level; and use the unsubscribe link in any re-engagement email. Service and security messages continue while your account is active.

App installs without an account (guest reminders). If you use the mobile app without signing up and tap an in-app option to be notified, we store an anonymous device push token — not linked to any account, email, or identity — and may send a small, capped number of reminder notifications (spaced at least 48 hours apart) inviting you to create a free account. The legal basis is your consent (Art. 6(1)(a) GDPR), given by tapping that option; you can withdraw at any time by declining or disabling notifications at the operating-system level, or by uninstalling the app. If you later create an account, the token is linked to it and governed by the rules above; if you never do, the anonymous token is automatically deleted after 180 days (see §6).

Minors. Members who are, or indicate they are, under 18 receive reduced messaging and are excluded from personalized active-hour and vulnerability-window push nudges. See §9 (Children's Privacy).

4. Data Encryption and Security

We take security seriously. The following measures are in place at the time of writing:

  • At rest: Email addresses, display names, and bios are encrypted using AES-256-GCM with a per-environment key. The key is stored in environment variables, not in the database, and the application refuses to start if the key is missing.
  • Saved payment cards: If you save a card on the web, we store only the card brand and last 4 digits, the expiry, and an optional cardholder name (the name is encrypted at rest). We never receive, store, or log your full card number (PAN) or security code (CVV/CVC) — those are read in your browser only and never sent to us. Saved card details are used solely inside HuniWhisp and are never sold or shared with third parties. When real-money charging is enabled, your card is tokenized by a PCI-compliant payment processor that holds the chargeable data — not us.
  • In transit: All traffic is served over HTTPS with HSTS (Strict-Transport-Security) and TLS 1.2+. HTTP requests are rejected.
  • Passwords: Hashed with bcrypt (cost factor 12) and stretched. We never see, store, or log your plaintext password.
  • Email lookups: Performed via SHA-256 hash, so we can verify a sign-in without scanning ciphertext.
  • Session tokens: 30-day expiry, rotated on password change, stored in an httpOnly + secure + sameSite=strict cookie. Stolen tokens are revoked when the user changes their password.
  • Brute-force protection: Login attempts are rate-limited per IP and per account. After 5 failed attempts in 15 minutes, the account is temporarily locked.
  • Direct messages: See the next paragraph for how DM encryption works.
  • Deleting a message: Deleting a message you sent removes it from the conversation and moves it to your personal archive, from which you can restore it. Deletion is a soft-delete: the message is hidden, not immediately purged, and a copy is retained for safety and moderation audit (a moderator may also remove a message; such removals are not user-restorable). Permanent erasure follows the retention schedule below and your account-deletion rights in §7/§8.
  • Two-factor authentication (2FA): Optional TOTP-based 2FA is available; if enabled, login requires both your password and a one-time code.
  • Database: Hosted on AWS RDS MySQL with automated daily backups, point-in-time recovery, and network isolation in a private subnet.
  • Admin-issued temporary passwords: A super-admin can issue a temporary password for support cases (e.g., user is locked out and the forgot-password email failed). This action invalidates every existing session for the affected account, sets a one-time password generated from cryptographically-strong randomness, and forces the user to choose a new password on next login. The action is recorded in the admin audit log. The temporary password is delivered to the email on file; we never communicate it through other channels.

Direct Messages and Encryption:

Direct messages are encrypted in transit (HTTPS) and encrypted at rest with AES-256-GCM using a server-held key. This is not end-to-end encryption: because the key is held server-side, HuniWhisp can decrypt message content. We do not market DMs as end-to-end encrypted. For safety, legal compliance, and moderation, authorized staff (administrators and super-administrators) can review DM content, and every such access is recorded in a tamper-evident admin audit log.

Safety scanning of messages (Guardian Scan™):

A safety scan runs server-side on the message text. Only if that scan detects a serious safety pattern is the flagged message surfaced to moderators for review and a flag recorded; every such access is written to the admin audit log. The plaintext is not retained beyond the scan — only the resulting verdict and the encrypted-at-rest message are stored. Depending on the pattern you may see no notice (serious predatory/illegal content), crisis-support resources (self-harm or distress), or a gentle caution (personal-information or scam patterns).

Reporting a conversation (moderation access):

Encryption protects your messages from outsiders — it is not a shield for abuse between the people in a conversation. If you report a direct-message conversation, its contents are disclosed to our moderation team for review. We use the disclosed contents only to investigate the report and enforce our Terms, and every moderator access is recorded in our admin audit log.

Data Breach Notification:

If we discover a security incident affecting your personal data, we will notify affected users and relevant supervisory authorities without undue delay and in any case within 72 hours of becoming aware of the breach, except where law enforcement has requested a delay for an ongoing investigation. The notification will describe the nature of the breach, the data categories affected, and the steps we are taking in response.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We share data with third parties only in the limited circumstances and with the limited services listed below.

Service providers we use:

  • Hosting + database: Amazon Web Services (AWS) — EC2 (compute), RDS MySQL (database), Route 53 (DNS). AWS is a sub-processor; data is hosted in the us-east-2 (Ohio) region.
  • Email delivery: SMTP transactional email provider for verification codes, password resets, login alerts, and payment receipts. We do not use third-party marketing email lists.
  • AI media safety screening: When automated media screening is active (see §3, "Automated Media Screening"), uploaded media files may be sent to a third-party AI provider — an automated transcription service (OpenAI-compatible, e.g. Whisper) for voice notes and audio/video, and/or Google AI (Gemini) for image analysis — solely to produce a safety verdict. Only the media file itself is transmitted: never your name, email address, account identity, IP address, or any other profile data. The provider's output is used only for the safety screening described in §3 and for nothing else.
  • Payment processing: Donations, premium subscriptions, autographs, and in-app transactions currently run on Huni's internal virtual wallet (see Terms §10a) and are recorded by us directly — no third-party payment processor is involved today and we do not collect or store card numbers for them. If and when we enable real-money funding or payouts, your payment information would be processed by a payment processor (e.g. PayPal and/or Stripe depending on the transaction); we would share the transaction amount, currency, and your billing email, and never see your full card number. In that case, refer to the payment processor's own privacy policy for their data practices.
  • Apple In-App Purchase (iOS app): When you buy Huni Coins or other digital goods through the iOS app, the purchase is made via Apple In-App Purchase and Apple processes the payment. Apple shares a transaction identifier with us, which we verify with the App Store and use solely to credit the corresponding coins to your wallet. We do not receive your card details, billing address, or Apple ID password for these purchases. Apple's handling of your payment is governed by Apple's own privacy policy and Media Services terms — see Apple's privacy terms at apple.com/legal/privacy.
  • Analytics: Google Analytics (gtag) is loaded ONLY after you opt in to analytics cookies in our consent banner. When loaded, it collects aggregate usage statistics (page views, session duration, anonymized IP). We do not use it for cross-site tracking or ad targeting. You can withdraw consent at any time via the "Cookie Settings" link in the footer.
  • Advertising & conversion measurement: When you opt in to marketing cookies (a separate toggle from analytics), we load conversion-measurement tags for the ad platforms we run campaigns on — Google Ads, and, when configured, TikTok and Reddit. These let us measure whether an action such as a signup came from one of our ads, so we don't waste budget. For Google Ads Enhanced Conversions, a one-way hashed (SHA-256) version of your email may be sent so the conversion can be matched to an ad click — the email is hashed inside your browser before it is sent, and we never share your plaintext email with advertising partners. None of this runs until you accept marketing cookies, and you can withdraw consent at any time via "Cookie Settings" in the footer.
  • CDN / static asset delivery: Static assets and Capacitor mobile app distribution use standard AWS CloudFront-style delivery. Public assets only; no personal data is sent.

We may also disclose data when:

  • Required by law: A valid court order, subpoena, or government request that we are legally obligated to comply with
  • Safety: When we have a good-faith belief disclosure is necessary to prevent imminent harm to a user or third party
  • Crisis intervention (break-glass): If a senior administrator reasonably suspects you are in an imminent life-safety crisis, they may access your identity and your approximate location (derived from your IP address, which can be imprecise) and share them with the trusted contact you set up and/or relevant emergency services solely to get help to you. This is the only circumstance in which we lift your pseudonymity for your own protection. Every such action requires step-up authentication and is permanently logged to an internal oversight record (who, when, and why).
  • Law enforcement (CSAM): Suspected child sexual abuse material is reported to the National Center for Missing & Exploited Children (NCMEC) and relevant authorities, regardless of any other request
  • Business transfer: In the unlikely event of a merger, acquisition, or sale of HuniWhisp's assets, user data may transfer to the successor entity, who will be bound by this policy

6. Data Retention

The following retention periods apply. Where law requires longer retention (e.g., financial records for tax purposes, law enforcement preservation orders), the legal requirement takes precedence.

  • Account data (active): Retained for the life of your account.
  • Account deletion request: When you request deletion, your data enters a 30-day grace period during which you can cancel the deletion. After the grace period, your data is purged from active systems and replaced with an anonymized placeholder. Encrypted archives may be retained for 90 days for fraud-detection and law-enforcement preservation purposes, then permanently deleted.
  • Direct messages: Retained as long as the conversation is active. When you or the other participant deletes a conversation, the messages are removed within 30 days. Messages are stored encrypted at rest with AES-256-GCM using a server-held key.
  • Login history (login_attempts table): 90 days for fraud detection, then deleted.
  • Signup IP and last-login IP: Retained for 180 days for ban-evasion and abuse detection, then deleted.
  • IP-derived geolocation: Retained for 180 days alongside the IP record.
  • Session tokens: 30-day expiry from last use; immediately invalidated on logout, password change, or account deletion.
  • Password reset tokens: 1-hour expiry, single-use, invalidated immediately after redemption.
  • Email verification codes: 15-minute expiry, single-use.
  • Failed-login records (login_attempts): 90 days, used for brute-force lockout windows.
  • Guest device push tokens: Anonymous push tokens from app installs that enabled notifications without an account are retained until you create an account (after which they are linked to it) or for 180 days, whichever comes first, then automatically deleted.
  • Anonymized analytics: Retention is governed by Google Analytics's default 14-month window, configurable per their settings. We do not retain personally identifying information in our analytics layer.
  • Law enforcement preservation: If we receive a valid preservation request, relevant data may be retained beyond its normal retention window pending legal proceedings, then deleted once the legal process concludes.

7. Your Rights

You have the following rights regardless of where you live. Where local law (GDPR for EU/EEA + UK, CCPA/CPRA for California, LGPD for Brazil, PIPEDA for Canada, Australia Privacy Act, etc.) provides additional or stronger rights, those apply in addition to what is listed here.

  • Right of access: View your account data through your profile and dashboard at any time.
  • Right to data export (portability): Request a machine-readable copy of your data (JSON or CSV) by contacting privacy@huniwhisp.com. We will respond within 30 days. The export includes your profile, posts, comments, reactions, bookmarks, transaction history, and your direct-message content (decrypted, since it is encrypted at rest with a server-held key).
  • Right of correction: Update your profile, username, email, and content directly through the app at any time.
  • Right of deletion (right to be forgotten): Delete your account from your dashboard. A 30-day grace period applies, during which you can cancel. After the grace period, your data is purged. See §6 for the full retention table.
  • Right to object / restrict processing: Contact us to object to specific processing activities (e.g., automated content scanning of your account). We will evaluate the request against our legitimate interests and legal obligations.
  • Right to withdraw consent: Where processing is based on consent (e.g., analytics cookies), you can withdraw consent at any time via the Cookie Settings link in the footer.
  • Right to human review of automated decisions: If an automated content scan affects your account, you can request a human moderator to review it. We will respond within 14 days.
  • Right to lodge a complaint: If you believe we have mishandled your data, you can lodge a complaint with your local supervisory authority (e.g., your country's Data Protection Authority for EU users, the California Attorney General's office for California residents).
  • Right to opt out of "sale" of personal information (CCPA): We do not sell personal information as defined under CCPA/CPRA. You have nothing to opt out of, but you may submit a verifiable request to confirm this.
  • Right to control your public profile: Your profile at huniwhisp.com/u/{your-username} is published by default for indexing and discoverability. You can dial each section off (posts, diaries, aspirations, autographs, friend count, member-since) from Profile » Preferences » Public Profile. Only your chosen username (your pseudonym) is shown — your real name, email, and IP are never visible on any public surface.
  • Right to gate inbound DMs: Toggle Private Mode (Profile » Preferences » Privacy) to restrict new DMs to confirmed friends only. Existing conversation history stays visible to both sides; this is not retroactive deletion.

All rights requests can be submitted to privacy@huniwhisp.com. We will respond within 30 days for most requests; complex requests may take up to 60 days with notice.

8. Cookies and Local Storage

HuniWhisp uses the following cookies and browser storage. You can manage your preferences via the cookie consent banner that appears on your first visit, or via the "Cookie Settings" link in the footer. The choices are stored in your browser; clearing your browser data will reset them.

Essential (always active, cannot be disabled):

  • huni_session — your login session token (httpOnly, secure, sameSite=lax; expires after 30 days of inactivity — active use extends it)
  • huni_authed — a yes/no flag set alongside your session so the app can show the right logged-in interface immediately; contains no token or personal data and expires with the session
  • huni_consent — records which non-essential categories you have opted into
  • huni_ref — a first-party referral-attribution cookie (set only when you arrive via a link carrying ?ref=CODE). It stores the short referral code on a first-touch basis for ~60 days so a later signup can be credited to your referrer. It contains no name, email, or cross-site tracking identifier and is not used for advertising. See §2 and Terms §35b.
  • CSRF and security tokens used by the app for state-changing requests

Functional (off by default, opt-in):

  • huni-color-theme — your selected color theme (localStorage)
  • huni-theme — your dark/light mode preference (localStorage)
  • Language preference and other UI settings

Analytics (off by default, opt-in):

  • Google Analytics (gtag): _ga, _ga_*, _gid, _gat — page views, session duration, aggregate usage. Loaded ONLY after you accept analytics cookies. IP anonymization is enabled.

Marketing (not currently used):

  • HuniWhisp does not currently use marketing or advertising cookies. The "Marketing" toggle in the consent banner is reserved for future use; if we ever add marketing partners, your existing consent setting will be respected.

8b. Sharing, QR Codes & On-Device Offline Copies

External sharing & link previews. When you share a post or your anonymous profile — by copy-link, QR code, your device's native share sheet, a social network, or an embeddable card — the outbound link and its preview (Open Graph / Twitter card) carry only your public pseudonym and the post's public content. No email, IP address, real name, exact join date, or other account identifier is attached. Sharing is visibility-aware: posts that are private, in a group, deleted, moderated, or anonymous never generate a public preview card or QR code (Huni Visibility-Aware Share™).

Anonymous profile links (Huni Profile Share™). Your shareable anonymous profile (/u/anon/<handle>) shows only your handle, aggregate post/comment counts, and a month-precision member-since — never your username, email, avatar, or identity. These pages are not indexed by search engines.

On-device offline copies. If you turn on offline reading, a small number of recent public posts are cached only on your device, encrypted at rest (AES-256-GCM with a non-extractable key), and automatically deleted or refreshed when you reconnect. No offline copy of your content is ever stored on our servers; the offline service worker likewise caches only the app shell and your opted-in content on your device. See also Terms Section 9 and Section 28c(r).

9. Children's Privacy

HuniWhisp is intended for users aged 13 and older. We are committed to protecting young users and comply with the Children's Online Privacy Protection Act (COPPA) in the United States and equivalent regulations elsewhere.

  • Minimum age: 13 years old. By creating an account, you confirm that you meet this requirement.
  • Users 13–17: Parental or guardian consent is required as part of agreeing to our Terms of Service.
  • No targeted advertising to minors: We do not use personal data to target advertising to users under 18.
  • Age assurance: An optional exact date of birth (see §2) is collected only to keep a member's age accurate for age-appropriate protections; it is stored privately, is never shown publicly, and is not used for any purpose other than age assurance and safety.
  • Minor-messaging safeguard: Direct messaging is age-partitioned — under-18 members can direct-message only other under-18 members, and adults cannot message minors. This runs alongside our automated safety scanning (including grooming detection) and block/report tools.
  • If we discover an account belongs to a child under 13 without parental consent: We will disable the account and delete the personal data within 14 days.
  • CSAM reporting: Suspected child sexual abuse material is immediately reported to the National Center for Missing & Exploited Children (NCMEC) CyberTipline. See our Child Safety Standards page for details.
  • If you believe a child under 13 has provided us with personal information: Please contact privacy@huniwhisp.com immediately so we can investigate and remove the data.

10. International Data Transfers

HuniWhisp is hosted in the United States (AWS us-east-2 region). If you access HuniWhisp from outside the United States, your data will be transferred to and processed in the United States. We rely on the AWS GDPR Data Processing Addendum and Standard Contractual Clauses (SCCs) for lawful international transfers from the EU/EEA, UK, and Switzerland. By using HuniWhisp from these regions, you consent to this international transfer.

12. Legal Basis for Processing (GDPR)

For users in the EU/EEA, UK, and other jurisdictions that require a stated legal basis, we process your personal data under the following bases:

  • Contract (Art. 6(1)(b) GDPR): Account creation, login sessions, delivering platform features, processing payments, and fulfilling your requests — these are necessary to provide the service you signed up for.
  • Consent (Art. 6(1)(a) GDPR): Analytics cookies (Google Analytics), optional contact sync, and optional location tags. You can withdraw consent at any time via Cookie Settings or your account preferences, and withdrawal does not affect prior processing.
  • Legitimate interest (Art. 6(1)(f) GDPR): Fraud prevention, brute-force protection, ban enforcement, IP logging for abuse detection, automated safety scanning, and service-level communications. We have conducted balancing tests for each; users can object per §7.
  • Legal obligation (Art. 6(1)(c) GDPR): CSAM reporting to NCMEC, responding to lawful subpoenas and court orders, tax record retention for financial transactions, and data breach notification.

12b. Mobile App Permissions

The HuniWhisp mobile app (a Capacitor wrapper around the live website) requests only the minimum device permissions needed for the features you actually use. Permissions are requested at runtime — declining any of them does not prevent you from using the rest of the app.

  • Network access — required for the app to load huniwhisp.com and detect online/offline state. Granted automatically; not user-prompted.
  • Notifications — only used after you grant the runtime prompt. We send notifications for new direct messages, comment replies on your posts, friend requests, and important account events. You can disable notifications in your phone's app settings without affecting other features.
  • Contacts — only requested if you explicitly enable Contact Sync (see §3). For one-off invites, we use the system Contact Picker, which does not require broad contacts access — only the specific contact you tap is exposed to the app, nothing else.
  • Haptics (vibration) — for the haptic-tap micro-interaction on buttons. No-op if your device's haptics are disabled. No location, biometric, or sensitive data flows through this permission.
  • Restart re-registration — to re-register push-notification listeners after a device reboot. No background activity beyond that.
  • Keep screen awake — to keep the screen on while you compose a long post or watch a Live Huni stream. Released as soon as the app goes to background.

Exact permission names and prompts vary by device platform; the scope above is the same everywhere.

We do not request: location (background or foreground service), camera (other than via the system file picker when you upload media), microphone, calendar, SMS, call log, body sensors, biometric, accessibility-service, or any "package usage stats" / device-admin permissions. The app does not run any background service or foreground service.

Crash reports collected by the app-distribution platform (when enabled by your device-level settings) are governed by that platform's privacy policy and are not visible to us as individual user records — we only see aggregate crash-rate metrics.

The app is distributed through the app stores under standard staged rollouts. Updates are pushed to the website continuously and to the native app on a separate cadence — fixes that don't require new permissions or native plugins reach you immediately the next time the app loads the WebView.

13. Do Not Track Signals

HuniWhisp respects Do Not Track (DNT) browser signals. When your browser sends a DNT header, we treat it equivalently to declining analytics cookies — Google Analytics will not be loaded and no non-essential tracking will occur. This applies regardless of your cookie consent banner selection. Note that essential cookies (session token, CSRF) are always active as they are required for the platform to function.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through an in-app notification, an email to your verified address, or both. The "Last updated" date at the top of this page is always current. Continued use of HuniWhisp after a material change has been communicated constitutes acceptance of the revised policy. You always have the right to delete your account if you do not agree with a change.

15. Account Access After Death, Incapacity & Legal Process

We provide a structured, audited channel for the limited situations in which someone other than the account holder needs to access, close, or compel disclosure of a HuniWhisp account — for example, a family member after a death, a guardian after incapacity, or a government authority acting under a valid legal order. All such requests are submitted, verified, and tracked through our Legal Access Request system at /legal-requests.

Who can submit a request:

  • Next of kin — spouse, parent, adult child, or sibling of a deceased user.
  • Executor or administrator of the deceased user's estate.
  • Legal guardian appointed by a court for an incapacitated user.
  • Attorney acting on behalf of any of the above.
  • Law enforcement officers acting in their official capacity.
  • Government authority with statutory jurisdiction over the account or data.
  • The account holder themselves (e.g., for a GDPR Data Subject Access Request or erasure request, where you prefer the formal documented channel over the in-app self-service tools).

Required documents by request type:

  • Deceased — access to account data: government-issued photo ID of requester, death certificate, and proof of kinship (birth/marriage certificate, executor letter, or equivalent).
  • Deceased — account closure (no data release): government-issued photo ID of requester and death certificate.
  • Incapacity — access to account data: government-issued photo ID of requester, a medical incapacity letter from a treating clinician, and proof of kinship.
  • Guardianship: government-issued photo ID of requester and a guardianship court order.
  • Court order: government-issued photo ID of requester and a certified copy of the court order.
  • Subpoena: government-issued photo ID of requester and the issued subpoena.
  • Search warrant: government-issued photo ID of requester and the signed search warrant.
  • Law-enforcement investigation: government-issued photo ID of requester, law-enforcement credentials, and an agency letterhead request describing the legal basis.
  • GDPR Data Subject Access Request / erasure: government-issued photo ID of the subject (or authorised representative).

Response timelines (SLA):

  • Routine requests: we respond within 14 days of receiving a complete submission.
  • Complex requests (multi-jurisdiction, contested kinship, large data exports, or legally ambiguous orders): up to 30 days, with status updates.
  • Verified emergency law-enforcement requests involving an imminent threat to life: 7 days, and frequently much faster in practice.

What we release on approval:

For approved access requests, we produce a structured export of the account in the same shape as the self-service export at /api/account/export: the user's profile, posts, comments, reactions, bookmarks, follows / friend graph, transaction history, settings, and any other first-party content tied to the account. For requesters whose legal basis specifically requires it (e.g., a court order or verified next-of-kin access request), we additionally decrypt and include the personally identifying fields stored encrypted at rest — the account holder's name, email address, and phone number on file. Direct-message content is encrypted at rest with a server-held key, so it can be decrypted and included where the legal basis requires it.

What happens after a closure request:

Approved closure requests trigger a soft-delete of the account: the public profile is removed, login is disabled, and the user's content is taken out of all feeds and search. An encrypted archive of the account is retained per the retention windows described in §6 of this policy (notably the 90-day post-deletion archive for fraud-detection and law-enforcement preservation purposes), and is then permanently deleted. No data is released to the requester under a closure request — closure and access are separate request types.

Verification process:

Every submission requires a declaration under penalty of perjury that the requester is who they say they are and has the legal authority they claim. We verify the uploaded documents against the request type before approving:

  • Executors and next of kin: we cross-check the photo ID against the death certificate and kinship/executor documents, and contact the issuing registry where doubt exists.
  • Guardians: we verify the court order is current, unrevoked, and authorises the specific scope of access being requested.
  • Authorities: we verify credentials, agency letterhead, and the legal instrument (court order, subpoena, or search warrant). We comply with valid orders. Consistent with Terms of Service §7 (pseudonymity and de-anonymization), we do not volunteer information about users absent valid legal compulsion or a documented imminent-harm exception.
  • Self-service requesters (DSAR / erasure): we match the photo ID against the account-holder details on file before releasing or deleting data.

False declarations under penalty of perjury are referred to law enforcement. All requester PII (name, email, phone) and all uploaded documents are encrypted at rest using AES-256-GCM, kept only as long as needed to verify and process the request, and then deleted or retained per the minimum legal-preservation window.

File upload requirements:

  • Maximum 8 MB per document.
  • Maximum 25 MB total per submission.
  • Accepted file types: PDF, JPEG, PNG, WEBP, HEIC.
  • Document bytes are encrypted at rest with AES-256-GCM; the encryption key is held outside the database.

How to submit:

Submit your request through the secure form at huniwhisp.com/legal-requests. On submission you will receive a 256-bit hexadecimal status token — keep this token safe; it is the only way to check on the progress of your request without re-identifying yourself. For questions about the process before submitting, or to follow up on a submitted request, contact privacy@huniwhisp.com.

16. Contact Us

For any questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern, contact us at:

  • Privacy inquiries & rights requests: privacy@huniwhisp.com
  • Security disclosures: security@huniwhisp.com
  • DMCA / copyright: dmca@huniwhisp.com (see Terms of Service §46 for the takedown procedure)
  • General support: via the in-app feedback widget
  • Child safety reports: see /child-safety for direct CSAM reporting + NCMEC CyberTipline

We will respond to most requests within 30 days. Complex requests may require up to 60 days with advance notice.