Privacy Policy
Your data stays on your device.
WayWhisper is built privacy-first. Minimal data collection, no tracking, no data sales.
Last updated: April 13, 2026
1. Who We Are
WayWhisper is a location-based audio narration platform operated by D3 Sign Bt., a company registered in Budapest, Hungary. For the purposes of GDPR, D3 Sign Bt. is the data controller. You can reach us at privacy@waywhisper.com.
2. What We Collect
WayWhisper is designed with privacy at its core. We collect only what is necessary:
Data stored on your device only (never sent to us)
- Exploration preferences, saved places, badges, visit history
- Narration depth preference, playback settings, interest tags
- Downloaded city packs and cached audio files
- GPS/location data — processed on-device for proximity features, not transmitted or stored server-side
Data we process server-side
- Session cookie — a secure, HttpOnly cookie for access control. Contains no personal information.
- Anonymous device identifier — a randomly generated ID stored on your device, used solely for basic analytics aggregation. Not linked to your identity.
- Listening analytics — which narrations were played and for how long, aggregated anonymously to improve content quality.
- Place ratings — your ratings and optional approximate location (to verify proximity), not linked to your identity.
Data you provide voluntarily
- Account registration — email address, display name (if you create an account for contributor or premium features)
- Beta application — email, name, city of interest
- Contributor submissions — stories, corrections, and related content you choose to submit
- Support emails — any information you send when contacting us
Payment data
Payments are processed by Stripe. We do not store, see, or have access to your credit card number or bank details. Stripe provides us with a customer identifier, transaction amounts, and subscription status. See Stripe's Privacy Policy.
3. What We Do Not Collect
- No GPS tracking or location history on our servers
- No advertising or marketing cookies
- No cross-device or cross-site tracking
- No social media tracking pixels
- No sale, rental, or sharing of your data with advertisers or data brokers
- Uploaded images are stripped of EXIF metadata (GPS coordinates, device info) before storage
4. Legal Basis for Processing (GDPR)
We process personal data under the following legal bases:
- Consent — analytics cookies (you can opt out via cookie settings), marketing emails
- Contract performance — account creation, subscription management, content delivery
- Legitimate interest — service improvement, fraud prevention, security monitoring
- Legal obligation — tax and accounting records for paid transactions
5. Third-Party Services
We use the following third-party services that may process data on our behalf:
- Hetzner (Germany) — server hosting. Data stays in the EU.
- Stripe (US, EU data processing) — payment processing. Subject to Standard Contractual Clauses for EU data protection.
- Resend (US) — transactional email delivery (verification, password reset, notifications). Only your email address and message content are shared.
- OpenAI (US) — AI content generation during our editorial pipeline. Only place-related content data is sent. No user data, device identifiers, or location information is shared.
- OpenStreetMap / Wikimedia — map tiles and reference data. Your device loads map tiles directly; standard web request data (IP address) may be logged by tile servers.
We do not sell, rent, or share your personal data with any other third parties except as required by law.
6. Cookies
WayWhisper uses minimal cookies:
- Session cookie (essential) — required for authentication. HttpOnly, secure, same-site. Cannot be opted out of while using the Service.
- Cookie consent preference (essential) — remembers your cookie choices. Stored in localStorage.
- Analytics (optional) — anonymous usage data to improve content. Enabled by default during beta; you can opt out via the cookie settings banner or the Settings page.
We do not use advertising cookies, retargeting pixels, or any third-party tracking scripts. You can manage your cookie preferences at any time via the cookie banner or Settings page.
7. Data Retention
- Analytics events — 90-day rolling window, then aggregated and anonymized
- Account data — retained while your account is active; deleted within 30 days of account deletion request
- Beta applications — retained for 1 year after the beta period ends, then deleted
- Payment records — retained as required by tax and accounting law (typically 7 years in Hungary)
- Support emails — retained for up to 2 years for service improvement
- Device-local data — stored on your device until you clear it; we have no access to it
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure (“right to be forgotten”) — request deletion of your personal data
- Right to data portability — receive your data in a machine-readable format
- Right to restrict processing — request that we limit how we use your data
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — withdraw consent for analytics or marketing at any time
To exercise any of these rights, contact us at privacy@waywhisper.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) or your local EU data protection authority.
9. Data Export & Deletion
Most of your data lives on your device and is fully under your control:
- Export: Use the Settings page to export your profile data, preferences, and exploration history as a JSON file.
- Clear local data: Remove downloaded city packs, cached audio, and all local preferences from the Settings page.
- Delete account: If you have a registered account, contact us at privacy@waywhisper.com to request full account deletion. We will remove all server-side data within 30 days.
10. Data Security
We take reasonable technical and organizational measures to protect your data, including:
- HTTPS encryption for all data in transit
- Secure, HttpOnly cookies with SameSite protection
- Password hashing with industry-standard algorithms
- Server hosted in the EU (Hetzner, Germany) with regular security updates
- Principle of least privilege for data access
However, no system is 100% secure. In the event of a data breach affecting your personal data, we will notify you and the relevant data protection authority within 72 hours as required by GDPR.
11. International Data Transfers
Your data is primarily stored on servers in the European Union (Germany). Some third-party services (Stripe, Resend, OpenAI) may process data in the United States. Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or the service provider's participation in recognized data protection frameworks.
12. Children's Privacy
WayWhisper is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at privacy@waywhisper.com and we will promptly delete it.
13. Changes to This Policy
We may update this Privacy Policy as our practices evolve. Material changes will be communicated through the Service or via email. The “Last updated” date at the top indicates when the policy was last revised. Continued use after changes constitutes acceptance.
14. Contact
For privacy-related questions, data requests, or concerns:
- Email: privacy@waywhisper.com
- General support: support@waywhisper.com
If you are not satisfied with our response, you may contact the Hungarian National Authority for Data Protection and Freedom of Information (NAIH): naih.hu
