Privacy Policy
1. Introduction
This Privacy Policy explains how Whim Labs Inc ("Whim," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use the Whim mobile application ("App") and our website at letswhim.com ("Website"), collectively referred to as our "Services."
Whim is a social planning application that helps you discover activities, coordinate plans with friends, and explore venues in your city. We are committed to protecting your privacy and being transparent about how we handle your data.
By using our Services, you agree to the collection and use of your information as described in this Privacy Policy. If you do not agree, please do not use our Services.
2. Data Controller
Whim Labs Inc
Coquitlam, British Columbia, Canada
For all privacy-related inquiries, you can contact us at:
Email: legal@letswhim.com
If you are located in the European Economic Area (EEA), Whim Labs Inc is the data controller responsible for your personal information under the General Data Protection Regulation (GDPR).
3. What Data We Collect
3.1 Account and Profile Information
When you create an account, we collect:
- Full name (display name)
- Email address
- Phone number (optional, used for authentication)
- Username handle (unique @username, auto-generated if not provided)
- Profile photo or avatar (stored as WebP format)
- Bio (optional, free-form text)
- Age group (under 19, 19-24, 25-34, 35-44, 45+)
- Budget preference (on a 1-4 scale)
- Vibe tags you select during onboarding (minimum 3 from: outdoorsy, relaxed, food and drink, social, romantic, adventurous, artsy, nightlife, active)
- Favorite cuisines (optional, set via profile settings)
- Location (city name and geographic coordinates)
- Structured address (street address, city, province/state, country — used internally for friend search)
- Timezone (automatically detected, used for scheduling)
We also store the following preference settings:
- Push notification preference (on/off)
- Smart arrival detection (on/off, controls geofence-based arrival detection)
- Arrival status sharing (on/off, controls whether your arrival status is visible to Whim participants)
- Circle activity sharing (on/off, controls whether your venue interactions appear in your circle's feed)
3.2 Authentication Data
You can sign into Whim using one of the following methods:
- Google Sign-In: We receive your name, email address, and avatar through Google OAuth.
- Apple Sign-In: We receive your name and email address through Apple OAuth. You may choose to use Apple's email relay service to hide your real email.
- Email and Password: Your password is securely hashed and managed by our authentication provider, Supabase. We never store your password in plain text.
3.3 Contact Data
Whim uses a privacy-first approach to help you find friends on the platform:
- We store only SHA-256 cryptographic hashes of phone numbers and email addresses from your contacts.
- We do not store contact names, photos, or any other contact information.
- These hashes are used solely to match you with people you already know who also use Whim.
- The original contact data never leaves your device in readable form.
3.4 Location Data
- GPS coordinates: Collected only while the App is actively in use. We do not track your location in the background.
- Smart arrival detection: Uses geofence-based detection to notify your group when you arrive at a planned venue. This feature is opt-in and can be disabled in your settings at any time.
- Profile location: Your city and approximate geographic coordinates, used to show relevant local venues and activities.
3.5 Chat and Messaging Data
When you use Whim's messaging features, we collect:
- Message content (text messages you send)
- Message status (sent, delivered, read)
- Read receipts
- Message reactions (emoji reactions)
- Message edits and deletions (soft-deleted messages are marked as deleted but retained for conversation integrity)
- Typing indicators are transmitted in real time but are not stored.
3.6 User-Generated Content
- Venue photos you upload (reviewed by automated content moderation before being published)
- Venue ratings and reviews
- Venue interactions (likes, saves, shares)
- Plans you create (including title, description, date, and invitees)
- Arrival status (such as on the way, arrived)
3.7 Device Information
- Push notification tokens (Firebase Cloud Messaging device tokens)
- Device platform (iOS or Android)
- Device model and operating system version (collected only when you submit a bug report)
- App version
3.8 Feedback and Reports
- Bug reports, which may include screenshots you attach
- Flow testing feedback you provide
- Content reports you submit about other users or venues
3.9 Waitlist Data
If you join our waitlist before creating an account, we collect your name, email address, and city.
3.10 Data We Do NOT Collect
- We do not use advertising cookies, tracking pixels, or cross-site behavioral tracking.
- We do not display advertising or share data with advertisers.
- We do not process payments or collect financial information.
- We do not collect biometric data.
- We do not collect health data.
Our website uses one functional location cookie and privacy-respecting, anonymous usage analytics. Both are described in section 3.11 below. The mobile App uses neither.
3.11 Cookies and Analytics (Website)
Our website at letswhim.com uses the following. Neither is used in the mobile App:
- Location cookie (
whim_loc): A first-party functional cookie that we set only after you grant location permission through your browser. It stores your approximate location (coordinates rounded to roughly one kilometre) so we can show you nearby venues, events, and activities. It is retained for about 30 days. If you decline location access, we do not set it and instead show a Metro Vancouver view by default. You can delete it at any time through your browser settings. - Anonymous usage analytics (PostHog): We use PostHog (hosted in the European Union) to understand, in aggregate, how the website is used — such as which pages are viewed and which features are used. This data is not linked to your identity, is not used for advertising, and is not shared for cross-site tracking. PostHog stores a randomly generated, anonymous identifier in your browser for this purpose.
We honor Do Not Track (DNT) and Global Privacy Control (GPC) signals: if your browser sends either signal, website analytics are not loaded at all. See section 17.
4. How We Use Your Data
We use the information we collect for the following purposes:
- Providing the Service: Creating and managing your account, displaying your profile to other users, enabling you to create and join plans, and facilitating messaging with your groups.
- Personalization: Recommending venues, activities, and plans based on your vibe tags, favorite cuisines, budget preference, age group, and location.
- Friend Discovery: Matching you with friends who also use Whim by comparing hashed contact data.
- Location-Based Features: Showing nearby venues, enabling arrival detection for plans you join, and personalizing content to your city.
- AI-Powered Recommendations: Using artificial intelligence to suggest activities and venues tailored to your group's preferences.
- Content Moderation: Automatically reviewing user-uploaded photos to prevent harmful or inappropriate content from being published.
- Communication: Sending you push notifications about plan updates, messages, friend requests, and other activity relevant to you. Sending transactional emails such as account verification and password reset.
- Safety and Security: Detecting and preventing fraud, abuse, and violations of our terms of service. Processing content reports submitted by users.
- Improvement: Analyzing aggregated, de-identified usage patterns to improve features and fix bugs. Reviewing feedback and bug reports you submit.
- Legal Compliance: Complying with applicable laws, regulations, and legal processes.
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your personal data under the following legal bases:
| Legal Basis | Data and Purpose |
|---|---|
| Consent | Location data (GPS and arrival detection), contact hash matching, push notifications, AI-powered recommendations using your preferences, and photo uploads. You may withdraw consent at any time through your App settings or by contacting us. |
| Performance of a Contract | Account creation and management, messaging, plan creation, profile data necessary to deliver the Service as described in our Terms of Use. |
| Legitimate Interests | Content moderation to maintain platform safety, bug fixing using device and feedback data, fraud prevention, and improving our Service based on aggregated usage patterns. Our legitimate interests do not override your fundamental rights. |
| Legal Obligation | Responding to lawful government or law enforcement requests, and complying with applicable data protection laws. |
6. Third-Party Services
We share your data with the following third-party service providers, who process data on our behalf and under our instructions:
| Service | Provider Location | Purpose | Data Shared |
|---|---|---|---|
| Supabase | United States / Canada | Authentication, database hosting, file storage, real-time messaging infrastructure | Account data, profile data, messages, photos, and all data necessary to operate the Service |
| Firebase Cloud Messaging (Google) | United States | Delivering push notifications to your device | Device tokens and notification content |
| Google Sign-In (Google) | United States | Authentication when you choose to sign in with Google | OAuth tokens, name, and email address |
| Apple Sign-In (Apple) | United States | Authentication when you choose to sign in with Apple | OAuth tokens, name, and email address |
| Google Cloud Vision (Google) | United States | Automated photo content moderation | Photos you upload for venue reviews |
| OpenAI | United States | AI-powered activity recommendations and chat assistance | Your queries and relevant venue descriptions (no personally identifying information is sent unless included in your query). OpenAI does not use API data to train their models, and we do not permit any third-party AI provider to use your data for model training. |
| HERE Maps | Germany / United States | Converting addresses to geographic coordinates (geocoding) | Location coordinates |
| Meta / Instagram | United States | Retrieving publicly available Instagram post metadata for venue information | Public Instagram post URLs only |
| Brevo | France | Sending transactional emails (verification, password reset) | Email addresses |
| PostHog | European Union | Anonymous website usage analytics (page views and feature usage). Not used in the mobile App. | Pseudonymous usage events and a randomly generated analytics identifier. Not linked to your account or identity. |
We also use Slack internally for team alerts. Signup summaries and content report notifications are sent to our internal Slack channels, but no personally identifying user information is shared with Slack externally.
We do not sell your personal information to any third party.
7. Instagram Data
Whim may access publicly available Instagram post metadata to enrich venue information within the App. Specifically:
- We access only public post URLs and associated metadata (such as captions and post dates) related to venues and places.
- We do not access your private Instagram account, messages, followers, or personal posts.
- We do not store Instagram user credentials.
- Instagram data is used solely to enhance venue descriptions and is not used for advertising, profiling, or any purpose unrelated to the core venue discovery experience.
- We do not allow Meta or any third party to use Whim user data to train their AI or machine learning models.
If you wish to have any Instagram-related data removed from the App, you may contact us at legal@letswhim.com or use the data deletion process described in Section 13.
8. Data Storage and Cross-Border Transfers
Your data is primarily stored on servers operated by Supabase in the United States and Canada. Some of our third-party service providers are located in the United States, Germany, and France, as detailed in Section 6.
If you are located outside of North America, your personal data will be transferred to and processed in countries that may have different data protection laws than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
- Ensuring our service providers maintain industry-standard security certifications (such as SOC 2 compliance).
- Data processing agreements with all third-party providers that require them to protect your data to at least the same standard as this Privacy Policy.
9. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Profile data | Until you delete your account |
| Chat messages | Until you delete a message or delete your account |
| User photos | Until you remove them or delete your account |
| Push notification records | 90 days, then automatically deleted |
| Inactive device tokens | 90 days, then automatically deleted |
| Waitlist entries | 1 year, then automatically deleted |
| Dismissed content reports | 1 year, then automatically deleted |
| Feedback and bug report screenshots | 1 year, then deleted |
When you delete your account, we delete or anonymize your personal data within 30 days, except where we are legally required to retain certain information (for example, to comply with tax, legal, or regulatory obligations).
10. Your Rights
10.1 Rights Under PIPEDA (Canada)
As a Canadian user, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Withdraw consent for processing that is based on your consent.
- Challenge compliance by filing a complaint with the Office of the Privacy Commissioner of Canada.
10.2 Rights Under GDPR (European Economic Area and UK)
If you are in the EEA or UK, you have the right to:
- Access your personal data and obtain a copy.
- Rectification of inaccurate or incomplete data.
- Erasure ("right to be forgotten") of your data under certain circumstances.
- Restrict processing of your data.
- Data portability to receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
- Lodge a complaint with your local data protection authority.
10.3 Rights Under US State Privacy Laws
If you are a resident of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), or other US states with privacy legislation, you have the right to:
- Know what personal information we collect, use, and disclose.
- Access your personal information.
- Delete your personal information.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information. Note: Whim does not sell or share your personal information for cross-context behavioral advertising.
- Non-discrimination for exercising your privacy rights.
California residents: In the preceding 12 months, we have collected the categories of personal information described in Section 3. We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA/CPRA.
10.4 How to Exercise Your Rights
To exercise any of the rights described above, you may:
- In the App: Go to Settings and select "Delete Account" to delete your account and all associated data.
- By email: Send a request to legal@letswhim.com. We will verify your identity before processing your request.
We will respond to all verified requests within 30 days (or sooner if required by applicable law). If we need more time, we will notify you of the reason and the expected timeframe.
11. Children's Privacy
Whim is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at legal@letswhim.com and we will promptly delete that information.
Users between the ages of 13 and the age of majority in their jurisdiction should review this Privacy Policy with a parent or guardian before using the Service.
12. Contact Data Privacy
We want to be transparent about our approach to contact data, as it is central to how Whim helps you find friends:
- When you grant Whim access to your contacts, we generate HMAC-SHA256 cryptographic hashes of phone numbers and email addresses, using a secret key that is never exposed to any client or third party.
- Only these keyed hashes are sent to our servers. The original phone numbers, email addresses, contact names, and photos are never transmitted or stored.
- We compare these hashes against hashes from other Whim users to identify mutual contacts.
- This process is irreversible: we cannot reconstruct original phone numbers or email addresses from the stored hashes. The use of HMAC (keyed hashing) prevents pre-computed table attacks (such as rainbow tables), providing a stronger level of protection than standard hashing alone.
- You can revoke contact access at any time through your device's operating system settings. If you revoke access, your stored hashes will be deleted from our servers.
13. Data Security
We implement industry-standard technical and organizational measures to protect your personal information, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
- Encryption at rest: Personal data stored in our databases is encrypted at rest.
- Authentication security: Passwords are cryptographically hashed and never stored in plain text. OAuth-based authentication (Google, Apple) uses industry-standard protocols.
- Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
- Row-Level Security (RLS): Our database enforces row-level security policies so that users can only access data they are authorized to view.
- Content moderation: User-uploaded photos are automatically reviewed by AI before being published to prevent harmful content.
- Secure deletion: When you delete your account, your data is permanently removed from our active systems within 30 days.
While we strive to protect your personal information, no method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please notify us immediately at legal@letswhim.com.
14. Data Deletion and Account Deletion
You can delete your Whim account and all associated data at any time:
- In the App: Open Settings, then select "Delete Account." This will permanently delete your profile, messages, photos, plans, and all other data linked to your account.
- By email: Send a deletion request to legal@letswhim.com from the email address associated with your account.
- Via our website: Visit letswhim.com/delete-account to submit a deletion request.
Upon receiving a verified deletion request:
- Your account will be deactivated immediately.
- All personal data will be permanently deleted from our active systems within 30 days.
- Data held by third-party processors (as listed in Section 6) will be deleted in accordance with their respective retention policies and our data processing agreements.
- Some data may be retained in encrypted backups for up to 90 days after deletion, after which it is permanently removed.
- We may retain limited data where required by law (for example, records needed for legal compliance or dispute resolution).
15. Business Transfers
If Whim Labs Inc is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of its assets, your personal information may be transferred as part of that transaction. In such an event, we will:
- Notify you via email and/or a prominent notice in the App at least 30 days before your personal information becomes subject to a different privacy policy.
- Ensure that the acquiring entity agrees to honor the commitments made in this Privacy Policy, or provide you with the opportunity to opt out and request deletion of your data before the transfer.
16. Data Breach Notification
In the event of a data breach that compromises your personal information, we will:
- Notify affected users without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR and other applicable laws.
- Notify the relevant data protection authorities as required by applicable law.
- Provide you with details about the nature of the breach, the data affected, the steps we are taking to address the breach, and recommendations for how you can protect yourself.
17. Cookies, Do Not Track, and Global Privacy Control
The Whim mobile App does not use cookies. Our website uses one functional location cookie and anonymous usage analytics, both described in section 3.11. We do not track users across third-party websites, and we do not use advertising or cross-site behavioral tracking cookies.
We honor Do Not Track (DNT) and Global Privacy Control (GPC) signals. If your browser or device sends a DNT or GPC signal, we do not load website analytics, and we treat GPC as a valid opt-out of any sale or sharing of personal information under applicable privacy laws.
18. Related Documents
19. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes:
- We will update the "Last Updated" date at the top of this page.
- For material changes, we will notify you through the App (via push notification or in-app notice) at least 14 days before the changes take effect.
- Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically.
20. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Whim Labs Inc
Coquitlam, British Columbia, Canada
Email: legal@letswhim.com
Website: letswhim.com
For privacy-specific inquiries, you can expect a response within 10 business days.
If you are not satisfied with our response, you have the right to lodge a complaint with the applicable data protection authority:
- Canada: Office of the Privacy Commissioner of Canada (priv.gc.ca)
- European Union: Your local Data Protection Authority
- United Kingdom: Information Commissioner's Office (ico.org.uk)
- California: California Attorney General (oag.ca.gov)