Privacy Policy
Last updated: 2025-11-21
Introduction
Whispever is committed to protecting the privacy and security of your personal data. This privacy policy informs you about how we collect, use, store and protect your information in accordance with the General Data Protection Regulation (GDPR).
Data Controller
Company name: Whispever
Address: 231 rue Saint-Honoré 75001 Paris, FRANCE
Email: contact@whispever.com
SIRET: 83060444300036
Data Collected
Data you provide to us
Whispever only collects data that you choose to provide to us for the use of our services:
- Identification data: last name, first name, email address
- Account data: password (encrypted), profile information
- Documents and files: personal documents, photos, videos, PDF files you upload
- Estate data: information about your wishes, precious object inventories, trusted contacts
- Messages and content: post-mortem messages, shared memories
Automatically collected data
- Connection data: IP address, browser type, pages visited
- Technical cookies: necessary for site functionality (see our Cookie Policy)
Payment data
Your banking information is processed directly by Stripe, our PCI-DSS Level 1 certified payment provider.
Whispever NEVER stores your banking data (card number, CVV, etc.). Stripe only transmits to us:
- A Stripe customer identifier (anonymous)
- Payment status (successful/failed)
- Transaction date and amount
- Last 4 digits of your card (for identification)
For more information about the protection of your banking data: Stripe Privacy Policy
Processing Purposes
We use your personal data to:
- Provide our services: create and manage your account, store your estate information
- Secure your data: protection through SHA-256 hashing and AES-256 encryption
- Manage transmission to trusted contacts: after death verification
- Improve our services: usage analysis and development of new features
- Communicate with you: customer support, important notifications, security alerts
Legal Basis for Processing
The processing of your data is based on:
- Your consent for the use of our services
- Performance of the contract between you and Whispever
- Our legitimate interest in improving and securing our services
- Our legal obligations regarding data retention
Data Security
Encryption
All your sensitive data is encrypted using:
- SHA-256 for password hashing
- AES-256 for user data encryption
Note: A zero-knowledge encryption system is currently being implemented for enhanced security.
Secure Hosting
Your data is hosted on secure servers:
- Database: Neon.tech (SOC 2 certified)
- User files: Amazon AWS S3 (ISO 27001 standard)
- Application: Vercel (secure infrastructure)
- Payments: Stripe (PCI-DSS Level 1 certified)
Restricted Access
Only authorized Whispever personnel have access to your data, particularly for:
- Verification of death certificate authenticity
- Technical support in case of issues
Retention Period
Your data is retained as long as your account is active.
You can delete your account at any time through the application interface. Upon deletion:
- All your personal data will be permanently deleted
- All your files will be removed from our servers
- This action is irreversible
Exception:
In case of Whispever closure, you will be notified and will have the opportunity to retrieve all your data and files before the service is permanently shut down.
Data Sharing
Technical Service Providers
We share certain data with our essential technical service providers:
Stripe (payments)
- Shared data: last name, first name, email, customer identifier
- Purpose: payment processing and subscription management
- Location: United States (EU-approved standard contractual clauses)
- Certification: PCI-DSS Level 1
These providers act as data processors under GDPR and are contractually bound to protect your data.
Trusted Contacts
Your trusted contacts only have access to data that you have explicitly chosen to share with them:
- Before death: Access only to the "My Wishes" section (last wishes)
- After death verification: Access to specific data you have assigned to them
Death Verification Process
When a trusted contact uploads a death certificate:
- Automatic alert: You immediately receive an email alert to allow you to object if you are still alive
- Human verification: A Whispever staff member verifies the authenticity of the death certificate
- Objection period: Period of [X days] to allow for potential objection
- Data release: If no objection is raised and the certificate is authentic, the account is marked as deceased and data is transmitted according to your instructions
Each trusted contact accesses only the data you have assigned to them. Access can be different for each contact according to your wishes.
No Commercial Sharing
We never sell, rent or share your personal data with third parties for commercial or advertising purposes.
Your GDPR Rights
In accordance with GDPR, you have the following rights:
Right of Access
You can request a copy of all data we hold about you.
Right to Rectification
You can modify your data at any time through our application interface.
Right to Erasure ("right to be forgotten")
You can delete your account and all your data at any time.
Right to Data Portability
You can retrieve your data in a structured, commonly used and machine-readable format.
Right to Object
You can object to the processing of your data for legitimate reasons.
Right to Restriction of Processing
You can request the restriction of processing your data in certain circumstances.
How to exercise your rights?
To exercise your rights, contact us at: contact@whispever.com
We are committed to responding to your request within a maximum of one month.
Right to File a Complaint
If you believe your rights are not being respected, you can file a complaint with CNIL:
- Website: https://www.cnil.fr
- Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
- Phone: +33 1 53 73 22 22
Cookies
For more information about cookie usage, please see our Cookie Policy.
Data Transfers Outside EU
Your data may be stored or processed on servers located outside the European Union:
- AWS S3 (file storage): depending on the region, may include servers outside the EU
- Stripe (payments): servers in the United States
- Google Analytics (analytics): servers located in the United States and the EU
These transfers are governed by appropriate safeguards in accordance with GDPR:
- Standard contractual clauses approved by the European Commission
- Security certifications (ISO 27001, SOC 2, PCI-DSS)
- Contractual commitment of our providers to GDPR compliance
- For Google: compliance with the [EU-U.S. Data Privacy Framework](https://www.dataprivacyframework.gov/)
Minors
Our services are intended for adults. We do not knowingly collect personal data concerning minors under 18 years of age.
Policy Changes
We reserve the right to modify this privacy policy at any time. Any changes will be posted on this page with a new update date. Significant changes will be notified to you by email.
Contact
For any questions regarding this privacy policy or the processing of your personal data:
Email: contact@whispever.com