Privacy Policy
How we collect, use, store, and share personal data, and the rights you have over it.
Last updated: 2026-05-01 · Operated by Wispu (the “Service”).
This Privacy Policy explains how Wispu (“Wispu,” “we,” “us”) collects, uses, discloses, and protects personal information when you visit our marketing site, sign up for an account, use the Service, or interact with us. It applies worldwide and meets the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Brazil’s LGPD, Canada’s PIPEDA, and other applicable data-protection laws.
1. Who we are
Wispu is a content-marketing platform that lets creators, agencies, and consultants generate, organize, and publish branded content. The data controller for personal information processed under this Policy is Wispu.
Contact for privacy matters: team@wispu.app.
2. Personal data we collect
We collect personal data in three buckets:
2.1 Data you give us
- Account data: name, email address, password (hashed), team / workspace details, profile photo (optional).
- Brand context: voice, customer profile, content pillars, point of view, offers, and any other content you store inside your workspace. Treated as your confidential information.
- Content you create or import: drafts, ideas, sources, vault items, comments, and any media uploaded to the Service.
- Billing data: your billing address, tax ID where relevant, and the last four digits + brand of your payment card. Full card details are processed by Stripe; we never store them.
- Communications: emails, support tickets, newsletter signups, survey responses, and any other communication you send us.
2.2 Data we collect automatically
- Usage data: pages visited, features used, clicks, session duration, errors encountered, and similar product-analytics events. Captured via PostHog (see Sub-processors).
- Device and connection data: IP address, browser type and version, operating system, device identifiers, time zone, and language. Used for security, abuse prevention, and to render the Service correctly.
- Cookies and similar technologies: see our Cookie Policy.
- Error and performance data: runtime exceptions, stack traces, and performance metrics, captured via Sentry.
2.3 Data we receive from third parties
- Authentication providers: if you sign in with Google, GitHub, or another OAuth provider, we receive the basic profile data you authorize.
- Payment providers: Stripe shares subscription status, invoices, and payment outcomes with us.
- Social-publishing platforms: when you connect a social account, we receive the access tokens and metadata required to publish on your behalf via Zernio. We never store your social passwords.
- Marketing partners: we may receive aggregate attribution data from advertising platforms (Meta, Google, X, TikTok, LinkedIn) to measure the performance of our campaigns.
3. How we use personal data
We use personal data only for the purposes listed below.
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide, operate, and maintain the Service | Contract |
| Authenticate users and protect accounts | Contract / Legitimate interest |
| Bill subscriptions, process payments, prevent fraud | Contract / Legal obligation |
| Improve product through analytics and usage research | Legitimate interest |
| Diagnose errors and ensure service reliability | Legitimate interest |
| Send transactional emails (receipts, security alerts) | Contract |
| Send the marketing newsletter | Consent (you can unsubscribe at any time) |
| Run advertising campaigns and measure their performance | Consent (where required) / Legitimate interest |
| Comply with law and respond to lawful requests | Legal obligation |
3.1 Use of customer content for AI
Your Brand Context and the content you store inside your workspace are used only to power features inside your workspace (idea generation, drafting, repurposing, vault conversion, etc.). We do not train any general-purpose AI model on your data, and we do not allow our AI providers to do so. AI inference is delivered via OpenRouter and routed to underlying model providers (Anthropic, OpenAI, Google, and others). Each provider is bound by zero-retention and no-training agreements where available.
4. How we share personal data
4.1 First-party infrastructure (data stays with us)
Newsletter, CRM, transactional email lists, and the operational databases that store your account and content all run on infrastructure we control: Supabase (managed Postgres, authentication, storage, Edge Functions) and Railway (auxiliary services we self-host). These platforms host our data; they do not have access to it for their own purposes.
4.2 Sub-processors (process customer data on our behalf)
We rely on a small set of vetted sub-processors. The complete list is on our Sub-processors page. Each sub-processor is bound by a Data Processing Agreement that restricts processing to the purposes we specify.
4.3 Marketing and advertising partners
For marketing and advertising purposes (running paid campaigns and measuring their performance), we share limited marketing data (page visits, clicks, conversion events) with platforms including Meta (Facebook / Instagram), Google, X (Twitter), TikTok, LinkedIn, Pinterest, and others as we expand. Where required by law (e.g., the EU/UK), we obtain your consent through our cookie banner before activating these partners.
4.4 Other limited disclosures
- Compliance and law enforcement: when legally required.
- Corporate transactions: in connection with a merger, acquisition, or sale of assets, with prior notice.
- Professional advisors: auditors, lawyers, insurers, bound by confidentiality.
We do not sell personal data in the ordinary sense of the word. Some sharing with advertising partners may be classified as a “sale” or “sharing” under California law. See Section 7.
5. Where we store data and international transfers
Customer data is stored on Supabase and Railway in the United States and the European Union. When we transfer personal data out of the European Economic Area, the United Kingdom, or Switzerland to a country the European Commission has not deemed adequate, we rely on the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or the Swiss equivalent, supplemented by appropriate technical and organizational measures.
6. How long we keep data
- Active account data and customer content: for the life of your account.
- After account deletion: we delete or anonymize customer content within 30 days. Backups are purged on a 90-day rolling cycle.
- Billing records: retained as long as required by tax and accounting laws (typically 7–10 years).
- Logs and analytics: usage events are kept for 24 months; error logs are kept for 90 days.
- Marketing emails: until you unsubscribe.
7. Your rights
Depending on where you live, you have some or all of the following rights. To exercise any of them, email team@wispu.app. We respond within the legal deadline (typically 30 days; California residents: 45 days).
7.1 Rights under GDPR / UK GDPR (residents of the EU, UK, EEA)
- Access your personal data
- Rectify inaccurate or incomplete data
- Erase data (“right to be forgotten”)
- Restrict processing
- Object to processing based on legitimate interest
- Data portability: export your data in a machine-readable format
- Withdraw consent at any time without affecting prior processing
- Lodge a complaint with your supervisory authority
7.2 Rights under CCPA / CPRA (California residents)
- Know what personal information we collect, use, and disclose
- Delete personal information
- Correct inaccurate personal information
- Opt out of the “sale” or “sharing” of personal information
- Limit use of sensitive personal information
- Non-discrimination for exercising your rights
To opt out of sharing for cross-context behavioral advertising, click Do Not Sell or Share My Personal Information in our cookie banner, send a Global Privacy Control signal, or email team@wispu.app.
7.3 Rights for other regions
Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act), Japan (APPI), Switzerland (FADP), and most other jurisdictions grant similar rights. We honor these requests via the same process.
8. Security
We use industry-standard safeguards to protect personal data, including TLS 1.2+ in transit, encryption at rest on Supabase and Railway, strict role-based access control, audit logs, multi-factor authentication for privileged accounts, and a least-privilege policy for sub-processors. No system is absolutely secure; if we ever experience a breach affecting your personal data, we will notify you and the relevant regulators within the legally required timelines (within 72 hours under GDPR).
9. Children
Wispu is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this Policy
We may update this Policy. Material changes will be announced via email or in-product notice at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision.
11. Contact
Privacy questions: team@wispu.app
Data Subject Requests: team@wispu.app
General legal inquiries: team@wispu.app