Whimzy Logo

Privacy Policy

Effective Date: April 17, 2025

Please read this Privacy Policy carefully. By using the whimzy.io platform (the "Service"), you agree to the collection, use, and disclosure of your information as described in this policy. This Privacy Policy is incorporated into and subject to our Terms of Service, and is designed for a global audience in clear, legally sound English. If you do not agree with our practices, please discontinue use of the Service.

Introduction and Scope

This Privacy Policy explains how Whimzy LLC ("Whimzy", "we", "us" or "our"), a company based in Raleigh, North Carolina, USA, collects, uses, shares, and protects your personal information when you use whimzy.io (the "Service"). It applies to all users worldwide who access the Service, whether via web browser or any other interface.

We are committed to protecting your privacy and complying with applicable data protection laws, including U.S. law and the General Data Protection Regulation (GDPR) in the European Union, as well as similar laws in other jurisdictions. This policy covers all personal data we process in connection with the Service. It does not cover any third-party websites or services that may be linked from our platform; those are governed by their own privacy policies.

Information We Collect

We collect various types of information from and about you to provide and improve the Service. The types of information we may collect include:

  • Account Information: When you create an account on whimzy.io, we collect personal details such as your name, email address, username, password, and any profile information you provide. This is used to identify you, secure your account, and communicate with you. We may also collect account preferences and settings (e.g. whether you choose to save chats or use certain features).
  • User Content (Chats and Inputs): We collect the content of your interactions with the Service, including text conversations, prompts, feedback, or any files you upload or submit. This User Content includes the questions you ask and the AI's responses. You have the option to save or not save your chat history (see Accounts and Anonymity below for more details on this choice). If you choose not to save your chats, the content of your conversations will only be retained temporarily as needed to operate the Service and ensure safety, after which it will be deleted or de-identified. If you do choose to save chats, we will store them associated with your account so you can access them later.
  • Emotional and Biometric Data (Inferences): With your permission, we may collect and process data about your audio, video, or other biometric indicators to infer your emotional or physiological state. For example, if you use voice input or video features, we might analyze your tone of voice or facial expressions through our AI to detect sentiment or mood (such as happiness, frustration, or engagement). This "emotional inference" data helps us personalize and adapt your experience (for instance, the AI's responses might change if you seem confused or upset). We treat these inferences as sensitive personal data. We do not record or store any raw audio or video from your device without your explicit consent (see Audio/Video and Biometric Data section). Any biometric or emotion-derived data is collected and used only with your knowledge and agreement, and for the purposes described in this Policy.
  • Usage Data: We automatically collect certain technical information about your use of the Service. This includes:
    • Log and Device Data: When you use whimzy.io, our servers automatically record information ("log data"), such as your Internet Protocol (IP) address, browser type, device type, operating system, referring URLs, pages viewed, and the dates/times of access. We also gather device identifiers or unique IDs, and may infer your approximate location from your IP address (e.g. city or country level). This technical data helps us secure the Service, prevent fraud, and adapt content to your region (for example, enforcing regional restrictions or language settings).
    • Cookies and Similar Technologies: We use cookies, web beacons, local storage, and similar tracking technologies to collect information about your interactions with the Service. These technologies may record information such as your preferences, settings, login status, and usage patterns (see Cookies and Tracking below for details). If you use the Service without creating an account (for example, in a future anonymous mode), we may still use cookies or device identifiers to maintain your session and remember preferences since we wouldn't have an account profile for you.
    • Analytics Data: We use internal analytics and third-party analytics services to understand how users engage with our platform. These services may collect information on which features you use, how often you use the Service, crash reports, and performance data. This helps us troubleshoot issues and improve the Service's functionality and user experience.
    • Communication Data: If you contact us directly (for example, via customer support inquiries, feedback forms, or email), we will collect the information you provide in those communications. This may include your name, email, the content of your message, and any attachments or screenshots you send. We use this data to respond to you and improve our services and support processes.
    • Third-Party Information: We generally collect data directly from you or your device. In some cases, we may receive information about you from third parties, such as authentication providers (if you sign in via Google, Apple, etc., we receive your basic profile info from them), or referral partners. We treat any such third-party provided information according to this Privacy Policy and any additional restrictions imposed by the source.

We do not knowingly collect any sensitive personal data about you unless necessary (and with additional safeguards or consent). For example, we do not ask for social security numbers, credit card numbers (except through secure payment processors if you make a purchase), or precise biometric identifiers like fingerprints or face scans. Any analysis of emotions or biometrics is done in a privacy-conscious manner as described, without storing raw data.

How We Use Your Information

We use the collected information for the following purposes, all in accordance with applicable law:

  • To Provide the Service: We process your personal data to operate the whimzy.io platform and deliver its features. For example, we use your inputs and chat content to generate AI responses, and your account information to log you in and display your saved chats. Without collecting and using your data, we cannot provide the core functionality of the Service.
  • Personalization and User Experience: Information such as your past interactions, saved chats, and inferred emotional state may be used to personalize your experience. This can include tailoring the AI's responses or tone to better suit your needs, remembering your preferences (like language or theme settings), and enabling future features that enhance your experience. For instance, if our AI infers you are frustrated, it might adjust its style to be more helpful or patient. Cookies and similar technologies also help personalize content and remember you when you return.
  • Analytics and Performance: We use usage data and cookies to analyze how our Service is used. This helps us understand user behavior and preferences in the aggregate, diagnose technical issues, and improve the functionality and performance of whimzy.io. For example, we might track which features are most popular or identify where users encounter errors, so we can refine those areas. We also use aggregated chat data (with personal identifiers removed) to improve our AI models and algorithms. User Content you provide (such as chat messages) may be used to train and improve our AI systems only in accordance with our Terms of Service and your choices (for instance, if you opt out of such use, we will exclude your chats from model training). Any training or analysis on chat content is done in a manner that does not publicly reveal your personal information.
  • Communication: We may use your email or other contact information to send you service-related communications. This includes verification emails, password reset assistance, updates about new features or changes to the Service, and information about security or privacy updates. We may also send you promotional messages or newsletters about Whimzy's products and events if you have opted in to receive them. You can unsubscribe from marketing emails at any time by using the opt-out link in those messages or contacting us. (Service-essential communications, such as account notices or policy updates, may be sent even if you opt out of marketing, as they are necessary for the functioning of the service.)
  • Security and Abuse Prevention: Your information (especially usage and log data) is used to protect the integrity of our platform and our users. We may use data to detect and prevent fraudulent activity, bot abuse, spam, or other misuse of the Service. For example, we might use IP addresses to monitor for multiple accounts creating abuse, or use cookies to implement security features. If we detect illegal behavior or a violation of our Terms of Service, we may use relevant data to investigate and take appropriate action (which could include sharing information with law enforcement consistent with the Data Sharing section below).
  • Compliance with Legal Obligations: In certain cases we need to process and retain your data to comply with applicable laws, regulations, legal processes, or enforceable governmental requests. For example, we may retain records of transactions for tax and accounting purposes, or disclose information if required by a lawful subpoena or court order. We also use data to exercise or defend legal claims and to enforce our agreements (including our Terms of Service).
  • Aggregate and De-Identified Insights: We may aggregate or de-identify your information so that it can no longer reasonably be linked to you as an individual. We use this aggregated data for purposes such as research, statistical analysis, and improving or marketing our services. For instance, we might publish trends or insights (e.g., "X% of users engage with feature Y" or use anonymous emotional feedback to improve the AI's general responsiveness). These insights will not contain any personal information about you.

We will only use your personal data for the purposes outlined above. If we need to use your data for an unrelated new purpose, we will notify you and obtain any necessary consent or provide the appropriate legal justification. Where applicable law (such as GDPR) requires a "legal basis" for processing, our legal bases include: performance of a contract (providing you the Service you requested), legitimate interests (such as improving our product, securing our platform, and analyzing usage, balanced with your privacy rights), consent (for optional features like emotional analysis or marketing cookies where you have a choice), and compliance with legal obligations.

Cookies and Tracking Technologies

Cookies are small text files placed on your device that allow us to remember you. Tracking technologies can include cookies, pixel tags, browser local storage, and similar tools. We use these technologies for several reasons:

  • Authentication and Functionality: We use cookies to keep you logged in as you navigate through the site, and to enable basic functions like page navigation. For example, when you sign in, a session cookie remembers your login so you don't have to re-enter it on every page. These are often "essential" or "strictly necessary" cookies for providing the Service.
  • Preferences and Personalization: Cookies help store your preferences (such as language, UI theme, or whether you want to save chats by default). They also allow us to personalize content for you. For instance, a cookie might remember that you prefer anonymous mode, or that you dismissed a certain tutorial so we don't show it again. This enhances your future experience by making the site more tailored to you.
  • Analytics and Performance: We use both first-party and third-party cookies to understand how users interact with whimzy.io. For example, we might use Google Analytics or similar tools which set their own cookies to collect information about site traffic and user behavior. These analytics cookies gather data on things like which pages are visited, how long users stay, and which features are used. We use this information to identify performance issues, track the effectiveness of new features, and plan improvements.
  • Security: Certain cookies and tracking technologies help us prevent malicious activity and fraud. For example, they can be used to distinguish human users from bots, throttle request rates, or record when you've agreed to our cookie banner so it isn't repeatedly displayed.
  • Future Features: We may employ additional tracking technologies in the future to support new features or enhancements. For example, we might introduce a feature that analyzes user interaction patterns to recommend content, which could use a form of local storage or cookie. If we do so, we will update this Policy accordingly. All such uses will still respect your privacy and rights.

You have choices in managing cookies:

  • Cookie Consent Banner: Where required by law, our website displays a cookie consent banner on your first visit, allowing you to accept or reject non-essential cookies (like analytics or personalization cookies). You can update your preferences at any time through the provided Cookie Settings link or interface.
  • Browser Settings: Most web browsers let you refuse or delete cookies. You can set your browser to block all cookies or to alert you when cookies are being set. However, be aware that if you disable cookies entirely, the Service may not function properly (for example, you might not be able to log in or have preferences remembered).
  • Do Not Track: The Service currently does not respond to "Do Not Track" signals from browsers. If we develop the capability to honor such signals, we will update this Policy. In the meantime, using the cookie controls above is the best way to manage tracking.

For more details on our use of cookies and similar technologies, you can refer to our Cookies Notice (if available) or contact us with any questions. By using the Service, you agree that we can place these types of cookies on your device, as described, unless you disable them through the mechanisms above.

Accounts and Anonymity

Account-Based Access: Currently, whimzy.io primarily operates on an account basis. This means you need to register and log in to use the Service's full features. Account registration requires personal information (like email and a password) as described in Information We Collect. Using an account allows you to maintain a personalized experience, sync your data (such as saved chats) across devices, and enables us to provide customer support tailored to you.

Optional Anonymous Interaction: We recognize that some users may prefer not to create an account or may want to use the Service anonymously. While at present an account is generally required, we plan to offer anonymous or guest interaction options in the future. In an anonymous mode, you might be able to initiate a chat session without logging in. If and when such a feature is available, we will not require you to provide identifiable information for that session. You will be able to interact with the AI without tying the conversation to a personal account.

  • In anonymous mode, since we won't have your name or email, your privacy increases, but you may have limited functionality. For example, you might not be able to retrieve past conversations once you end the session, because we won't permanently store your chat history without an account.
  • We may still need to use cookies or device identifiers to maintain your session in anonymous mode (so the conversation can continue as you navigate) and to enforce usage limits or security measures. However, these identifiers won't be linked to your real identity.
  • Any data collected during an anonymous session (e.g. the chat content, or usage data) will be treated as described in this Policy. If we later introduce a way for you to save an anonymous session or convert it into a registered account, we will clearly explain how your data would transition in that case.

Chat History – Your Choice to Save or Not: Regardless of account status, we believe you should control your chat history:

  • When logged in, you can choose whether the platform saves your conversation transcripts to your account. The Service may provide a toggle or prompt allowing you to decide if a given chat is retained. By default, we may or may not save chats (we will communicate the default behavior), but you will have the ability to opt out of saving on a per-chat or global basis.
  • Saved Chats: If you opt to save a chat, the entire conversation (your messages and the AI's responses) is stored securely on our servers and linked to your account. This allows you to revisit the conversation later and provides continuity between sessions. Saved chats may also be used internally to improve the Service (for example, reviewing common questions to enhance the AI's knowledge) in accordance with this Policy.
  • Non-Saved (Temporary) Chats: If you choose not to save a chat, the conversation will not be attached to your account after your session ends. We will retain the content of that chat only temporarily in system memory or short-term storage as needed to facilitate the conversation in real-time and for a brief period thereafter for safety monitoring (for example, to ensure no content policy violations or to investigate any technical issues). After that, the chat content is deleted or irreversibly anonymized. It will not appear in your account history. Internally, we may retain an anonymized version of such chats for a limited time (e.g., a few days up to a few weeks) for abuse detection or to improve the AI, but without any data that identifies you personally.

Our goal is to give you meaningful choices: Use the Service with an account for a persistent personalized experience, or (when available) use it anonymously for a more private, ephemeral experience. We will continue to develop features that allow you to control your privacy, such as the ability to download your data, or switch off certain data collection (like turning off chat history globally, similar to an "incognito mode"). All these options will be explained in the user interface and supported by this Privacy Policy.

Audio, Video, and Biometric Data

No Audio/Video Recording Without Consent: whimzy.io may offer features that utilize audio or video – for example, voice-controlled AI interactions, video calls with an AI avatar, or emotion detection via your webcam. We will never access your device's microphone or camera without your permission. If you choose to enable a voice or video feature, your device will typically prompt you to grant camera or microphone access. You can always decline, in which case those features will not function and we will not receive any audio or video data from you.

If you do grant permission and use these features:

  • Real-Time Processing: Audio and video data you provide (such as speaking to the AI or showing facial expressions) will be processed in real time to enable the Service. For example, if you speak a question, our system (or a speech-to-text service acting on our behalf) will convert your voice into text for the AI to understand. Similarly, if a feature analyzes your facial expression, it might process video frames to infer your emotion.
  • No Unapproved Recording: By default, we do not store or keep recordings of your audio or video sessions. We do not eavesdrop or turn on your microphone/camera when you are not actively using a feature that requires it. Audio or video streams are used transiently — meaning our servers or your device process them on the fly to interpret your request or emotional state, and then they are discarded. We will only record or save audio/video content if you explicitly opt-in to such recording (for example, if in the future we introduce a feature to record your sessions for your own later playback, it will be your choice to activate it).
  • Emotional State Inference: One of the innovative aspects of our Service is using AI to gauge user emotions or engagement levels (often called "Emotional AI"). If you use voice or video, this might include analyzing vocal tone, speech patterns, or facial cues to infer emotions. Even if you only use text, our AI might analyze your word choice or typing speed as potential indicators of sentiment. We use these inferences to adjust the AI's responses and improve your experience (for example, offering help if you seem confused, or adjusting the conversational style if you appear to be in a certain mood).
  • Biometric Data Considerations: Some laws define biometric data to include things like faceprints or voiceprints. We want to clarify that we do not create or collect permanent biometric identifiers like a fingerprint, face ID template, or a voice ID tied to you. The emotional analysis is more transient and context-based. However, to the extent that analyzing your voice or face could be considered processing of biometric data or sensitive personal data, we will handle it with a high level of security and confidentiality. We will also obtain any specific consent required by law (for instance, if your jurisdiction requires written consent to analyze biometric data, we will present you with a consent form or clear notice when you attempt to use those features).
  • Storage of Inference Data: Any emotional or biometric inferences we derive may be stored as part of your session data or user profile. For example, if during a conversation the system infers that "user is frustrated at step 3," we might log that inference along with the conversation (perhaps to help customer support if there's an issue, or to let the AI know to adjust). This data is considered personal and will be protected accordingly. It is also optional — it only exists if you use the features that generate it. If you prefer not to have any emotional analysis, you may refrain from using the audio/video features or disable the "emotion-aware" mode if the Service provides such a toggle for text interactions.
  • Use of Inference Data: We will not use any audio/video or inferred emotional data for purposes other than providing and improving the Service, as described. We do not sell or share your raw audio/video or specific emotional profiles with third parties for their own purposes. Service providers (discussed below) might temporarily process audio or video on our behalf (e.g., a cloud speech-to-text service to transcribe what you said), but they are not allowed to use that data for anything other than serving our Service under our instructions.

In summary, your microphone and camera are under your control. If you enable them on whimzy.io, you understand that we will process that input to serve you, but we will always be transparent about what is happening. If at any time you want to withdraw permission, you can disable access via your browser or device settings and/or stop using those specific features. We are committed to respecting your biometric and sensory privacy and complying with all related laws.

Data Storage and Security

We use a hybrid cloud and node-based infrastructure to store and process data for whimzy.io:

  • Cloud Storage: Much of your data (account information, saved chats, etc.) is stored on secure cloud servers. These servers may be operated by us or reputable cloud providers under contract (for example, AWS, Azure, or other data hosting services). Cloud storage allows us to scale the Service and ensure high availability and performance globally. Data in the cloud is typically stored in encrypted form at rest, and we employ industry-standard security measures to prevent unauthorized access.
  • Node-Based Systems: In some cases, we utilize local nodes or edge servers to store or cache data closer to the user. For instance, if we deploy a server in a particular region for faster responses or if part of our AI runs on a user's device or a local network server (for enterprise customers), some data processing might occur there. These node-based systems might hold data temporarily or in a distributed manner rather than in a central cloud database. We design these systems with security in mind, ensuring that any data on nodes is protected and synchronized according to our policies.
  • On-Premises Options: We recognize that some customers (especially enterprise or institutional clients) may have requirements to keep data on-premises or within their own infrastructure. Our platform is built with flexibility in mind. In the future, for certain deployments or premium offerings, we may allow on-premise data storage or private cloud instances, meaning your data could be stored on servers operated by you or your organization, rather than Whimzy's general cloud. If we offer this, we will ensure that privacy protections travel with the data. In other words, whether your data is on our cloud or your own servers, it will be handled in compliance with this Privacy Policy and any specific agreements we have in place. We will also clearly document data flow and responsibilities in such cases (for example, an enterprise agreement might specify what data stays local versus what is sent to us for processing).
  • Data Localization: By default, we may store and process data in the United States (where our company is based) and other jurisdictions where we or our service providers maintain facilities. However, we understand some regions have laws about keeping data locally (for instance, EU data protection regulations, or other country-specific rules). If required or requested by customers, we can explore options to store certain data in specific geographic regions or isolated systems to meet those requirements. Our hybrid architecture makes it possible to be adaptable in this way.

Security Measures: We take the security of your data seriously. Some of the measures we implement include:

  • Encryption: We use encryption to protect data in transit and at rest. When you communicate with whimzy.io, HTTPS/TLS encryption safeguards the data transmitted between your device and our servers. Sensitive data in our databases is encrypted at rest. For example, passwords are stored in hashed form (never in plain text), and sensitive fields may be additionally encrypted.
  • Access Controls: We restrict access to personal data to Whimzy employees, contractors, and service providers who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations. Access to production databases or systems is limited to authorized personnel with multi-factor authentication and is logged and audited.
  • Monitoring and Testing: Our systems are monitored for vulnerabilities, attacks, and unauthorized access. We employ firewalls, intrusion detection systems, and routine security scans. We periodically test our infrastructure and applications (via security audits and penetration testing) to identify and fix potential security issues.
  • Data Segmentation: Where feasible, we segregate user data to add layers of protection. For instance, separating identifying information (like account details) from chat content, or using random identifiers in place of direct personal identifiers, so that a compromise of one dataset would not automatically grant access to another.
  • Employee Training and Policies: Whimzy LLC maintains internal policies to protect user privacy and security. Our team members are trained on data protection best practices and are required to adhere to company guidelines regarding the handling of personal data.

Despite our efforts, no method of transmission over the internet or electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify you and the appropriate authorities as required by law.

Data Sharing and Disclosure

We do not sell your personal information to third parties. However, in the course of running our business, we may share your information with certain parties in the following circumstances:

  • Service Providers and Vendors: We employ trusted third-party companies and individuals to perform services on our behalf. These include:
    • Hosting and Infrastructure: Companies that provide data center, cloud computing, and database services (to store data and run the application).
    • Analytics Providers: Third parties that assist in analyzing usage of our Service (e.g., Google Analytics or similar) so we can improve performance and UX.
    • Communication Tools: Services that help us send emails or other notifications to you (for account verification, support responses, etc.).
    • Payment Processors: If our Service involves payments or subscriptions, we use secure third-party payment processors; we don't store your full credit card info ourselves.
    • Support and Maintenance: Tools or contractors that might assist in customer support, debugging, or development.

    These service providers only receive the information necessary to perform their functions and are contractually obligated to protect your data and use it only for our specified purposes. They must adhere to confidentiality and data protection obligations consistent with this Policy and applicable law.

  • Affiliates and Partners: We may share your information with our affiliated companies (entities under common ownership or control with Whimzy LLC). Any such affiliates will use your information only as permitted by this Policy. We might also share certain data with business partners or collaborators if you engage in a service that we offer jointly with them. For example, if whimzy.io features an integration with a partner's service (like a special AI model provided by a partner company), we would disclose in the user experience what data is being shared and get your consent if required. All partners must agree to handle the data consistent with applicable privacy requirements.
  • Legal Compliance and Protection: We may disclose your information if we reasonably believe that doing so is necessary to:
    • Comply with applicable laws, regulations, legal processes, or governmental requests. For instance, responding to a lawful subpoena or court order, or to meet national security or law enforcement requirements.
    • Enforce our Terms of Service or other agreements, and investigate potential violations thereof.
    • Protect the rights, property, and safety of Whimzy LLC, our users, or the public. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention, or in response to an emergency which we believe in good faith requires us to disclose data to prevent harm.

    When possible and legally permissible, we will inform affected users about any legal demands for their data. However, in some cases we may be prohibited from doing so (e.g., an order under seal). We will object to requests for data that we believe are improper or overly broad.

  • Business Transfers: If Whimzy LLC is involved in a merger, acquisition, investment, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We would ensure the acquiring or succeeding entity is bound by terms similar to this Privacy Policy in how they handle your data. If such a transfer results in a material change in how your personal data is used, we will give you appropriate notice (and choices, if applicable). Your information may also be disclosed during due diligence with potential acquirers under strict confidentiality conditions.
  • Your Consent or Direction: Apart from the cases above, we will ask for your consent before sharing your personal data with third parties for purposes not covered by this Policy. For example, if we ever want to share your contact info with a partner for their own marketing, we would only do so if you opt-in. Similarly, if you use features that explicitly share information (for instance, if you generate content and click a button to share it on social media or send it to a friend), we will do so at your direction. Any information you voluntarily share in public areas of the Service (like a public forum or community feature, if provided) may of course be visible to others; you control what you post publicly.
  • Aggregate or De-Identified Data: We may share aggregated information or de-identified data that cannot reasonably be used to identify you. For example, we might publish research or insights (as mentioned earlier) or share statistics with partners, like "X% of our users are based in Europe" or "we saw an increase in usage for this feature". Such information will not include your personal details.

In all cases of data sharing, we remain accountable for the protection of your personal information. We conduct appropriate due diligence on third parties and use contractual and operational measures to ensure your data is handled safely and lawfully. If you have questions about third parties we work with, you can contact us for more information.

Global Access and Local Laws

Worldwide Service: whimzy.io is accessible to users around the world. We strive to provide a consistent service to our global user base. However, due to legal and regulatory constraints, there are certain regions where our Service may not be available or is restricted. Specifically, if you are in a country or region where artificial intelligence, cryptocurrency, or general internet usage is prohibited or heavily regulated, you may be prevented by law from using our Service. Examples might include jurisdictions under sanctions or those that have banned AI tools. It is your responsibility to comply with your local laws when accessing the Service. If we become aware that a user is in a region where the Service is not allowed, we may restrict or disable access to comply with local law.

International Data Transfers: By using the Service, you acknowledge that your personal data may be transferred to and processed in the United States and other countries. These countries may have data protection laws that are different from those in your country of residence (and in some cases, not as protective). Whimzy LLC is headquartered in the USA, and the primary servers and databases for whimzy.io are likely located in the USA. However, we and our service providers may process data in multiple jurisdictions (for example, servers in the European Union or Asia to improve speed and reliability for users in those regions).

Whenever we transfer personal data out of its country of origin, we take steps to ensure appropriate safeguards are in place to protect it, as required by applicable law. For instance, if we transfer data from the European Economic Area (EEA) or UK to the U.S. or another country, we will rely on approved legal mechanisms such as:

  • Standard Contractual Clauses (SCCs): These are legal contracts approved by the European Commission that impose data protection obligations on the recipient of the data outside the EEA.
  • Adequacy Decisions: In some cases, we may transfer data to countries that the EU or other regulators have determined provide an adequate level of data protection.
  • Privacy Frameworks: We may also adhere to recognized frameworks such as the EU-U.S. Data Privacy Framework (if applicable) or others that facilitate compliant data transfer.

No matter where your data is processed, we will apply the protections described in this Privacy Policy and comply with applicable law. We also maintain internal policies to ensure that our global team accesses personal data only according to this Policy and applicable data localization requirements.

GDPR and Similar Laws: For users in the EEA, UK, Switzerland, and other regions with comprehensive data protection laws, we want to assure you that:

  • You have specific privacy rights (see Your Rights and Choices below) which we honor.
  • We will identify a valid legal basis for processing your data (as outlined earlier in How We Use Your Information).
  • You have the right to lodge a complaint with a data protection authority if you have concerns (for example, an EU user can complain to their country's supervisory authority).
  • If required, we will designate a representative or point of contact in your region for privacy matters.

We also strive to meet requirements of other privacy laws around the world, such as the California Consumer Privacy Act (CCPA) in the United States, Canada's PIPEDA, Brazil's LGPD, and others. For example:

  • If you are a California resident, you have rights to know about the personal information we collect and how we use and share it, to request access or deletion of your personal information, and to not be discriminated against for exercising these rights. We do not sell personal information as defined by the CCPA, and we will honor valid requests as required by law.
  • If local law requires parental consent for processing personal data of minors above our stated age minimum, we will comply with such requirements (see Children's Privacy below).

In summary, no matter where you live or use our Service, we intend to respect your privacy and comply with relevant regulations. If you have any questions about cross-border data handling or your country's laws, please reach out to us.

Your Rights and Choices

You have a number of rights regarding your personal data. These rights may vary depending on your jurisdiction, but we extend many of these rights to all our users, as we believe you should have control over your information. Your key rights include:

  • Access and Portability: You have the right to request a copy of the personal data we hold about you, and to obtain it in a structured, commonly used, and machine-readable format. This is often known as a data subject access request. For example, you can request a copy of your account information and chat history that we have stored. Where technically feasible, you may also request that we transmit this data to another service provider (data portability).
  • Correction (Rectification): If any of your personal information is inaccurate or incomplete, you have the right to ask us to correct it. You can update some of your account information directly through your profile settings. For any other corrections, contact us and we will rectify errors or omissions in your data.
  • Deletion: You have the right to request deletion of your personal data. This includes the ability to delete your account entirely (see Data Retention and Deletion below for more details on what happens when you do). When you ask us to delete data, we will remove or anonymize the personal information we have about you (unless certain exceptions apply where we are required to keep specific data, e.g., for legal compliance). We will also direct our service providers to delete your data from their records where applicable. Note that complete removal of data from backups might occur with a slight delay, but we'll ensure it's removed in the next deletion cycle.
  • Objection to Processing: You have the right to object to our processing of your data in certain situations. For example, if we are processing your data based on our legitimate interests, you can object if you believe our interests are overridden by your privacy rights. You also have an absolute right to object to direct marketing – if we ever send you marketing emails or messages, you can opt out at any time, and we will honor that.
  • Restriction of Processing: You can request that we temporarily or permanently stop processing some of your personal data. This could apply while you contest the accuracy of data (until we fix it), or if you have objected to processing and we're evaluating that request, or if you need us to preserve data for a legal claim even though we would otherwise delete it. When processing is restricted, such data will be marked and only processed for certain purposes (like with your consent or for legal reasons).
  • Withdrawal of Consent: Where we rely on your consent to process data (for example, if you consented to our use of optional cookies or to process biometric data for emotional analysis), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we already performed based on your consent, but it will mean we stop the consent-based processing going forward. For instance, if you withdraw consent for emotion tracking, we will disable or stop using that feature for your sessions.
  • Automated Decision-Making: The Service may include automated processing of your data to provide certain results (the AI responses themselves are a form of automated processing). Typically, this is not the type of automated decision-making that produces legal or similarly significant effects on you (like credit decisions or hiring decisions). However, if you believe that any automated decision from our Service has a significant impact on you, you have the right to request human review of that decision. We will also ensure we provide information about the logic involved in automated decisions as required by law.
  • Complaints: If you have concerns about our privacy practices, please contact us so we can try to resolve them. If you are in the EU/EEA or certain other jurisdictions, you also have the right to lodge a complaint with your local Data Protection Authority. In the EU, this is typically the authority in your country of residence or work, or where an alleged infringement occurred. In the UK, it's the Information Commissioner's Office (ICO). In Canada, the Office of the Privacy Commissioner, etc. We welcome the opportunity to address your concerns directly, but it's important you know this recourse exists.

Exercising Your Rights: Many of your rights can be exercised by logging into your account settings. For example, you can usually edit your profile, download data, or delete your account from the settings menu. Where that's not possible, or if you have a specific request, you can contact us at our privacy contact (see Contact Us at the end of this Policy). To protect your security, we may need to verify your identity before fulfilling certain requests (such as by asking you to confirm from your logged-in account or providing information that matches our records). We will respond to requests within the timeframe required by law (for instance, under GDPR, typically within one month) and will let you know if we need an extension or cannot fulfill a request for a legitimate reason.

There is no charge for exercising your rights, with a few exceptions (if requests are manifestly unfounded or excessive, some laws allow a fee or refusal, but we will generally work with you to provide what you need).

Your Choices: In addition to formal rights, you have control in various ways:

  • You can choose not to provide certain information (though it may limit your ability to register or use some features).
  • You can opt out of receiving marketing communications.
  • You can use privacy settings (like the chat saving toggle, or future anonymous mode) to adjust how your data is used.
  • You can disable cookies as described in Cookies and Tracking.
  • If you do not want any data collected at all, the only option would be to cease using the Service, which we hope to avoid by giving you flexible controls as described.

Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required for legitimate business purposes or legal obligations. How long we keep specific types of data can vary based on context:

  • Account Data: If you have an account, we retain your account information and profile data for as long as your account is active. We may deem an account inactive after a prolonged period of disuse and, in accordance with our internal policies, either reach out to you or delete the account, but generally we keep it until you choose to delete it. If you delete your account (or request deletion), we will remove or anonymize personal information associated with your account within a reasonable time frame (typically, we aim to do so within 30 days of confirming the request, barring any specific need to retain data longer as noted below).
  • Chat Content:
    • Saved Chats: Chat histories you choose to save are kept until you delete them or delete your account. You have the ability to delete individual conversations from your history at any time. When you do so, we purge the content of those conversations from our active databases. Residual copies may remain in system backups for a short period, but will be overwritten in the normal course of backup rotation.
    • Temporary/Unsaved Chats: If you use the Service without saving chats, the content of those conversations is only retained transiently. Typically, unsaved chat content is automatically deleted from our systems shortly after your session or after a brief retention window for safety (e.g., we might keep recent unsaved chats for up to 30 days in a secure environment solely to monitor for abuse or technical problems, then purge them). We do not tie unsaved chat content to your account or identity; it may be stored under an anonymous identifier if at all.
  • Emotional/Biometric Data: Any emotional state inferences or biometric-related data (from voice/video analysis) are kept only as long as needed for the purposes of the session and immediate analysis. We might store the results of an emotional analysis in aggregate form (e.g., "during March, user's average engagement was X") to improve our models, but not in a way that identifies you personally after your session ends. If such data is linked to your profile (say, if you allow the system to keep an "emotional profile" for tailoring responses), you can request its deletion at any time. Otherwise, raw sensor data from audio/video is not stored, and inference data is either short-lived or anonymized.
  • Logs and Analytics: System logs (which include IP addresses and usage logs) and analytics data are generally kept for a reasonable period to fulfill the purposes of security, analysis, and improvement. This could be, for example, 90 days for basic logs used for debugging and security, with aggregated analytic summaries kept longer. Where possible, we either delete or anonymize logs after we no longer need them. In some cases, security logs may be retained longer if we need to investigate incidents or if laws require (for instance, some jurisdictions might require retaining web logs for a certain time).
  • Legal Retention Requirements: We might have to retain some information for longer periods if required by law. For example:
    • Financial/Transaction Records: If the Service involves payments, financial regulations might require we keep transaction records and associated personal data (like billing info) for a number of years (commonly 7 years in some jurisdictions) for tax, audit, and compliance purposes.
    • Dispute Resolution: If you ever lodge a complaint or if your data is part of a legal dispute, we may retain relevant information until that issue is resolved, even if that extends beyond normal retention periods.
    • Account of Deletion Requests: When we delete an account, we may retain a minimal piece of information to document that the deletion occurred (like a record that X account was deleted on Y date, and perhaps the email hash to ensure we don't accidentally recreate it). This is standard to prove compliance with your request and to prevent fraud (e.g., someone can't later claim they are you and demand data by referencing a deleted account we have no record of).

When the retention period for a piece of data expires, or if you request deletion (whichever comes first), we ensure the data is either securely erased or irreversibly anonymized so that it can no longer be associated with you.

Account Deletion Requests: You may delete your account via the account settings or by contacting us. We may ask you to confirm your request (for security) and then will proceed with deletion. Once your account is deleted:

  • You will lose access to the Service features that require an account, and this action cannot be undone. Your profile info and login credentials will be removed from our active user database.
  • Any personal data associated solely with your account will be deleted or anonymized. This includes saved chat history (we recommend downloading any data you want to keep before deletion), your account profile information, and any preferences.
  • Data that is not personally identifiable, or that has been aggregated, may be retained by Whimzy LLC. Whimzy LLC reserves the right to use data you had previously provided in an aggregated or de-identified manner for analytics and to improve our services. For example, if your questions helped train our AI, the learning from those questions (now without any link to you) may remain as part of the AI's knowledge. Similarly, general usage statistics that included your usage will still count in overall metrics even after deletion, but nothing will tie those stats to you.
  • We may retain backup copies of your data for a short period as mentioned. Those backups are securely stored and only accessed if needed for disaster recovery. After the retention timeframe passes, backups containing personal data will be destroyed as well.
  • If you had any posts in community forums or similar (if our platform has those), deletion of account might render your past posts anonymous (e.g., showing a generic "deleted user" label) rather than erasing content that might be relevant to other users' discussions. We strive to delete personal references but keep public discourse intact when applicable.

Post-Deletion Contact: We value feedback and continually aim to improve. After you delete your account, we may reach out to you once at the email address associated with the account to confirm that your request was handled and optionally to ask about your experience or reasons for leaving. This can help us understand user needs and improve the Service. Responding is entirely optional. If you prefer not to be contacted at all after deletion, you may let us know as part of your deletion request or simply ignore the email. We will not continue to contact a user who has deleted their account beyond a possible single follow-up, unless that user initiates communication or there is a legal reason to do so (e.g., notifying you of a security incident that we discovered post-deletion which affected your data).

In essence, when you leave, your personal data leaves with you (aside from the limited exceptions noted). We aim to make the process of account and data deletion as transparent and straightforward as possible. If at any point you need further clarification on what data we have or how we handle deletion, please contact us.

Children's Privacy

The whimzy.io Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are under 13, you are not permitted to use the Service or provide any personal data to us.

If you are between 13 and 18 (or the age of majority in your jurisdiction), you may use the Service only with the involvement and consent of a parent or legal guardian. We encourage parents/guardians to supervise their teenagers' use of online services and educate them about safety and privacy.

In the event that we become aware that we have inadvertently collected personal information from a child under 13 (for example, if a child registers by falsifying their age), we will take immediate steps to delete such information from our records. If you believe that a child under 13 may have provided us with personal data, please contact us so that we can investigate and delete any such data.

We do not intentionally target any content or features of our Service toward children. We also do not use the information of users under 16 for any profiling or marketing purposes if we know their age. If in the future we decide to open parts of our Service to younger audiences (for example, a specific educational version intended for teens), we will do so in compliance with applicable child privacy laws such as the U.S. Children's Online Privacy Protection Act (COPPA) and EU GDPR provisions for children, including providing appropriate disclosures and obtaining verifiable parental consent where required.

Changes to This Privacy Policy

We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will post any updates on this page with a new "Effective Date" at the top. If changes are significant, we may also notify you by additional means, such as by sending an email to the address associated with your account or by placing a prominent notice on our website.

Please review this Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after any update to this Privacy Policy becomes effective will signify your acceptance of the changes. If you do not agree to the revised policy, you should stop using the Service and may delete your account.

For any material changes that retroactively affect the way we handle previously collected data, we will seek your consent or provide notice as required by law. For example, if we ever decided to use your data for a new purpose not originally disclosed, we would inform you and, if necessary, get your permission first.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us:

Whimzy LLC (Attn: THookz, Privacy Team)
355 South Grand Avenue, Suite 2450 PMB #2259
Los Angeles, CA 90071-3180

Privacy inquiries: privacy@whimzy.io (for privacy inquiries)
General support: support@whimzy.io (for general support, who can also route privacy questions appropriately)

You may also reach out to us through any contact form on our website or via direct communication channels provided in the app/Service.

We will respond to your inquiries as promptly as possible, and at most within any timeframes required by law. If you contact us to exercise a privacy right, please include sufficient information for us to verify your identity (for example, contacting us from the email associated with your account or providing some identifying details). This is to protect your data from unauthorized access or deletion by someone else.

Thank you for trusting Whimzy LLC and whimzy.io with your information. We are dedicated to safeguarding your privacy and creating a secure, enjoyable experience for all our users.