Your data, kept quiet.
This policy explains how KwypeSoft (“we”, “us”) handles personal data when you use the Whispia mobile app and related services. We aim to collect as little as possible, keep it where it belongs, and let you take it back any time. Whispia is operated under the laws of France and complies with the EU General Data Protection Regulation (GDPR).
Who we are
The data controller for Whispia is KwypeSoft, a company registered in France. You can reach us, including our Data Protection Officer, at contact@whispia.app. For convenience, all privacy, security, and DPO requests can be sent to that single address — they are routed internally to the right team.
What we collect
We collect only what we need to run the service. Concretely:
| Category | Examples | Where it comes from |
|---|---|---|
| Account | Email, display name, language, hashed credentials or third-party auth identifier | You, or Apple / Google sign-in |
| Subscription & billing | Plan, renewal status, token balance, in-app receipt IDs | Apple, Google, Stripe / RevenueCat |
| Listening activity | Stories played, soundscapes saved, sleep-timer use, completion ratios | The app, on your behalf |
| Generation prompts | Mood inputs, voice / length choices, the text of stories you generate | You, when you create a story |
| Mood entries | Self-reported mood, optional notes, time of entry | You |
| Family profiles | Child profile name (or nickname), age band (0–3, 3–10), parental-consent record | You, as the parent / legal guardian |
| Device & diagnostics | OS version, app version, device model, crash reports, anonymous performance metrics | The app |
We do not collect precise location, contacts, photos, microphone recordings, or browsing history outside the app. We do not run third-party advertising SDKs.
How we use it
- To create and authenticate your account and let it sync across devices.
- To deliver Originals, generate AI stories, and play soundscapes you choose.
- To process subscriptions, token purchases, and renewals.
- To diagnose crashes, measure aggregate stability, and improve the product.
- To send essential service messages (e.g. receipts, security notices). We do not send marketing email unless you opt in.
- To detect and prevent fraud, abuse, or unsafe content.
Legal bases under GDPR
Each processing activity has a lawful basis under Articles 6 and (where relevant) 9 of the GDPR:
- Performance of a contract — running your account, delivering content you requested, processing subscriptions.
- Legitimate interest — security, fraud prevention, basic product analytics on aggregated data. You may object at any time.
- Consent — optional analytics cookies on the website, marketing email opt-in, mood-history retention beyond the default window, and parental consent for child profiles. You can withdraw consent at any time.
- Legal obligation — keeping invoices, responding to lawful requests from authorities.
AI generation and your prompts
When you generate a story, your prompt (mood, theme, length, voice choice, and any free-text input) is sent to one of our AI providers — currently OpenAI or Anthropic for text and ElevenLabs (or a comparable provider) for voice synthesis. We require these providers to:
- Process your prompt only to fulfil the request.
- Not use your prompt to train their models, where the provider offers that option, which we enable by default for paid API tiers.
- Delete prompts on a short retention schedule on their side (typically 30 days or less).
About AI outputAI-generated stories are produced on demand and may occasionally be unexpected, repetitive, lower quality than usual, or contain content that does not match your intent — even with the safety pipeline in place. By using the generation feature you accept this inherent variability. See the Terms for the full disclaimer.
Children and family profiles
Whispia accounts are reserved for adults (16+ in the EU, 13+ in jurisdictions where local law sets a lower threshold). Children listen via a family profile created and managed by a parent or legal guardian. To create a child profile we ask the parent to confirm their age, agree to the parental-consent statement, and pick an age band (0–3 or 3–10).
For child profiles we collect only the profile name (which may be a nickname), the age band, and listening activity. We do not ask for a child's email, location, or contact details. Parents can review, export or delete a child profile at any time from the family settings screen, or by writing to contact@whispia.app.
Sub-processors and sharing
We share the minimum data each provider needs to do its job. We do not sell personal data, ever.
| Provider | Purpose | Data shared |
|---|---|---|
| OpenAI / Anthropic | Story generation | Prompt, language, length |
| ElevenLabs (or equivalent) | Voice synthesis | Generated text, voice ID |
| Apple / Google | Sign-in, in-app purchases, app distribution | Auth identifier, receipt IDs |
| Stripe / RevenueCat | Subscription & entitlement management | Customer ID, plan, receipt IDs |
Each sub-processor is bound by a written data-processing agreement consistent with Article 28 GDPR. The current list is maintained and may be updated; material changes are announced at least 14 days before they take effect.
International transfers
Some of our sub-processors are based in the United States. Where personal data leaves the European Economic Area we rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Supplementary measures (encryption in transit, minimisation, short retention) are applied to reduce risk.
How long we keep things
- Account & subscription — for as long as your account exists, then deleted within 30 days of closure (longer where law requires, e.g. invoices kept for 10 years in France).
- Generation prompts — kept for up to 30 days for safety review and abuse prevention, then deleted.
- Generated stories — stored in your library until you delete them, or until your account is closed.
- Mood entries — kept by default for 12 months; you may extend, shorten, or wipe them at any time.
- Diagnostic logs — 90 days, aggregated thereafter.
Your rights under GDPR
You have the right to access, correct, delete, restrict, or object to the processing of your data, and to data portability. You can exercise most of these directly from the app's Privacy & data screen, or by writing to contact@whispia.app. We respond within 30 days.
If you believe we have mishandled your data, you may lodge a complaint with the French data-protection authority, the CNIL, or with the supervisory authority in your country of residence.
Security
We use industry-standard practices: encryption in transit (TLS 1.2+), encryption at rest for sensitive fields, access controls, regular dependency updates, and isolated environments. No system is perfectly secure. If we ever suffer a breach affecting your data we will notify you and the CNIL within 72 hours of becoming aware, as required by Article 33 GDPR.
Changes to this policy
We may update this policy as the product, the law, or our sub-processors change. We will post the new version on this page with a revised effective date. For material changes, we will notify you in-app or by email at least 14 days before they take effect, so that you can review and, if you wish, close your account before the change applies to you.
Contact and DPO
Privacy questions, rights requests, and DPO contact: contact@whispia.app. Postal correspondence: KwypeSoft — Whispia Privacy, France. We will route your message internally to the right team.