This Privacy Policy explains how Whispers (“Whispers”, “we”, “us”) collects, uses, shares and protects personal data when you use the Whispers mobile app and the website at whispers.digital (together, the “Service”). Whispers is operated from Nigeria and designed for a primarily Nigerian audience.

By creating an account or using the Service you agree to this Policy. If you do not agree, please do not use the Service.

1. Who we are and how to reach us

Whispers is an invite-only events platform. For any privacy question, data request, or complaint, contact us through the feedback form on whispers.digital/#feedback or email the address listed inside the app under Profile → About.

2. What data we collect

Account and identity data

When you sign up we collect your email address, phone number, and password (stored hashed by Firebase Authentication). To become a verified guest or host you must complete identity verification, which means we also collect your full name, a government-issued identity document (image or PDF), and a live selfie for liveness comparison. This is what we call KYC data.

Profile data

You may choose to add a display name, profile photo, bio, date of birth and other optional profile fields. Anything you upload is your content; you control whether to keep it.

Event and guest data

When you host or attend an event we collect event title, description, location, date/time, pricing, guest lists, RSVP responses, check-in records, ticket QR tokens, and any media you post to the event’s Clan Feed (photos, videos, comments).

Payment data

Ticket and subscription payments are processed by Stripe. We never see your full card number. Stripe returns us a transaction ID, payment status, amount, currency, and (for payouts) bank destination. For Nigerian bank payouts you provide us with bank name, account number, and account name.

Device and usage data

We collect device identifiers (FCM push tokens, OS version, device model), app version, approximate IP-based location, crash reports, and in-app analytics events (screens viewed, actions taken). If you enable biometric authentication we store a local flag on the device; your fingerprint or Face ID template never leaves your device.

Location data

If you enable location services to discover nearby venues, we process your precise location on device to sort results. Event addresses you create or attend are stored server-side but are only revealed to verified guests at the time you set.

See also: Terms of Service.

3. How we use your data

  • To operate the Service — authenticating you, showing your events, processing payments and payouts
  • To verify identity and prevent fraud, abuse and unauthorised access
  • To deliver invites, reminders, push notifications and service messages
  • To power the Clan Feed, host journals and venue discovery
  • To improve the Service, debug crashes, and measure product performance
  • To comply with Nigerian law, regulatory requests, and to enforce our Terms

4. Legal basis for processing

We process personal data on the legal bases that apply under the Nigeria Data Protection Act (NDPA) 2023 and, where relevant to you, the EU General Data Protection Regulation (GDPR):

  • Contract — to deliver the Service you signed up for
  • Consent — for optional features like biometric auth, location and marketing communications
  • Legitimate interest — to keep the platform safe, prevent fraud, and improve our product
  • Legal obligation — to comply with financial and regulatory record-keeping

5. How we protect your data

Whispers runs on Google Cloud (Firebase). All data is encrypted in transit (TLS) and at rest. We apply the principle of least privilege for internal access, and payment card data is handled exclusively by Stripe, which is PCI-DSS Level 1 certified.

On the client we use rotating QR tokens (refreshing every 30 seconds), session-bound access to sensitive content, watermarking on Clan Feed media, and progressive anti-leak measures including screenshot detection and Face ID re-authentication. No system is perfect, but privacy is the core of our design.

6. How long we keep data

We retain account data for as long as your account is active. KYC documents are retained for the minimum period required by Nigerian financial regulations and then deleted or irreversibly anonymised. Clan Feed media is restricted to a 72-hour access window after an event and then becomes inaccessible to guests. Payment records are retained for the period required by tax and audit rules (typically 7 years).

7. Sharing your data

We do not sell your personal data. We share it only with:

  • Service providers who power the Service (Firebase, Stripe, Google Cloud, FCM push, crash reporting). Each is bound by contract to protect your data.
  • Event hosts and co-hosts you have chosen to share data with (e.g. your RSVP on their event, payment confirmation)
  • Law enforcement or regulators when required by a valid legal process in Nigeria or another applicable jurisdiction
  • Acquirers if Whispers is acquired, merged, or restructured — subject to the same privacy protections

8. Your rights

Under the NDPA and comparable laws, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your account and associated data (subject to legal retention rules)
  • Object to or restrict certain processing
  • Withdraw consent at any time (for consent-based processing)
  • Export your data in a portable format
  • Lodge a complaint with the Nigeria Data Protection Commission or your local supervisory authority

You can exercise these rights inside the app under Profile → Privacy, or by contacting us through the feedback form.

9. Children

The Service is not directed to children under 18. Many events on Whispers are adult-oriented. We do not knowingly collect data from anyone under 18. If you believe a child has registered, contact us and we will delete the account.

10. International transfers

Because we use Google Cloud and Stripe, personal data may be processed outside Nigeria, including in the United States and the European Union. We rely on standard contractual clauses and the safeguards required by the NDPA for such transfers.

11. Cookies and analytics on the website

The website uses minimal first-party cookies for anonymous analytics and to remember UI preferences. No advertising or cross-site tracking cookies are set.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced in-app and via email at least seven days before they take effect. The “Last updated” date at the top of this page always reflects the current version.

13. Contact

If you have any privacy questions, send us a message via the Contact form on the homepage and we will respond within 7 business days.