Privacy Policy
What Whisp3r Auth collects, why, who we share it with, and your rights.
About this notice
This Privacy Policy explains what Whisp3r Auth collects about you, how we use it, who we share it with, and the rights you have over it. Our Terms of Service live at /terms. Our cookie policy lives at /cookies.
Information we collect
Directly from you:
- Email address — required to sign in and receive transactional messages.
- Name and avatar — when you provide them in your profile.
- Password — stored only as a salted cryptographic hash. We never see your plaintext password and cannot recover it.
- Two-factor authentication secret — if you enable 2FA, we store the TOTP shared secret needed to verify your codes.
- Backup codes — one-way hashes of the codes shown to you once at 2FA setup.
From third-party identity providers (only when you sign in with them):
- From Google: your Google account ID, the email address on that account, and your display name. We request the scopes openid, email, and profile — nothing more.
- From GitHub: your GitHub user ID, public email, and login. We request the read:user and user:email scopes.
Automatically, while you use the service:
- Session metadata — IP address, user-agent, and timestamps. Used to bind a session to a device, enforce rate limits, and surface "where you're signed in" in your security settings.
- Authorization records — which Authorized Applications you have granted access to, which scopes, and when.
- Audit log — sign-ins, sign-outs, password changes, 2FA changes, account deletions, and token issuance events.
We do not collect device fingerprints, behavioral analytics, location data beyond IP-derived approximations, or any biometric data. We do not run third-party analytics or advertising trackers on this site.
How we use it
We use the information described above only to:
- Authenticate you and maintain your signed-in session.
- Issue OIDC tokens to Authorized Applications you explicitly consent to.
- Detect and respond to suspicious activity (failed sign-in spikes, token replay attempts, credential-stuffing patterns).
- Send transactional emails only: email verification, password reset, magic-link sign-in, and security alerts. We do not send marketing email from this address.
- Comply with applicable law and respond to lawful legal process.
We do not use your information to train machine-learning models. We do not sell or rent your information to anyone. We do not share your information with advertisers.
Authorized Applications and OIDC
When you sign in to a third-party app via Whisp3r Auth, you see a consent screen that names the app and lists the identity claims it is requesting. Granting consent authorizes Whisp3r Auth to release those specific claims to that specific app, in the form of a short-lived signed token.
Connected applications receive a per-app pairwise subject identifier, the scopes you consent to, and your cookie preferences. The subject identifier is different for every app, so two applications you have authorized cannot collude to recognize you as the same person.
Connected applications do not receive your email address directly. If an app needs to email you, it requests Whisp3r Auth to send the message on its behalf via our authenticated relay endpoint. Each relay is logged. Disconnecting an application immediately revokes its ability to email you.
You can see how many emails each application has sent you in the last thirty days in your dashboard under "Applications," alongside the controls to revoke access. Revoking access invalidates all outstanding tokens for that app within a few minutes.
Whisp3r Auth has no control over what an Authorized Application does with the claims it receives. Each Authorized Application is responsible for its own privacy practices. Review the privacy policy of each app before granting access.
Privacy by design
A few choices baked into how Whisp3r Auth works that you don't have to opt into:
- Pairwise subject identifiers. The sub claim each Authorized Application receives is unique to that application — derived from your account, the app's client ID, and a server-side secret. Two apps cannot compare sub values to discover you are the same user across them.
- API email relay. Connected apps never see your email address. When they need to email you, they call our authenticated relay endpoint with their access token; we deliver the email from noreply@auth.whisp3r.com and record only the metadata (which app, which user, which subject line) — not the body.
- Cookie preferences travel with sign-in. The consent you give via our cookie banner is included as a cookie_preferences claim in the id_token so connected apps can honor it without re-prompting you.
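The pairwise subject identifier described in the list above, sketched as an added example (not Whisp3r Auth's own code). The notice names only the three inputs, so the use of HMAC-SHA256, the length-prefixed encoding, and the names pairwise_sub, naive_sub and SERVER_SECRET are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed placeholder; a real deployment loads this from a secret store.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"


def _frame(*fields: str) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") encode differently."""
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += struct.pack(">I", len(raw)) + raw
    return out


def pairwise_sub(account_id: str, client_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive a stable per-app subject from account, client ID and a server secret.

    Assumption: HMAC-SHA256 is the keyed one-way function. Without the secret,
    an app cannot recompute the sub another app received for the same user.
    """
    if not account_id or not client_id:
        raise ValueError("account_id and client_id must be non-empty")
    mac = hmac.new(secret, _frame(account_id, client_id), hashlib.sha256)
    return mac.hexdigest()


def naive_sub(account_id: str, client_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Weak variant for contrast: plain concatenation blurs the field boundary."""
    joined = (account_id + client_id).encode("utf-8")
    return hmac.new(secret, joined, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    notes = pairwise_sub("user-1001", "app-notes")
    photos = pairwise_sub("user-1001", "app-photos")
    print("same user, two apps differ:", notes != photos)
    print("stable for one app:", notes == pairwise_sub("user-1001", "app-notes"))
    # Constructed IDs whose concatenations are identical ("user-10app").
    print("naive collides:", naive_sub("user-1", "0app") == naive_sub("user-10", "app"))
    print("framed collides:", pairwise_sub("user-1", "0app") == pairwise_sub("user-10", "app"))
```

In a derivation like this, rotating the server-side secret changes every sub value, so the secret has to be treated as a long-lived key.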
Subprocessors
We rely on the following providers to operate the service:
- Neon (Neon, Inc., US) — managed PostgreSQL hosting. All account records and audit data are stored on Neon's infrastructure, currently in the US East region.
- Resend (Resend, Inc., US) — delivery of transactional emails.
- Google LLC (US) — only when you choose to sign in with Google. Subject to Google's OAuth and privacy terms.
- GitHub, Inc. (US, owned by Microsoft) — only when you choose to sign in with GitHub. Subject to GitHub's OAuth and privacy terms.
- Our hosting provider (currently Vercel, Inc., US) — receives request metadata necessary to serve the site.
International transfers
Our infrastructure is hosted in the United States. If you access Whisp3r Auth from outside the US, your information will be transferred to and processed in the US. We rely on Standard Contractual Clauses or equivalent safeguards where required by applicable law.
Retention
- Account profile (name, email, hashed password, avatar): retained while your account exists; deleted on account closure.
- OAuth provider linkage records: retained while the link is active; deleted on disconnection or account closure.
- Active sessions: up to seven days, then deleted automatically.
- Email verification tokens: 24 hours.
- Magic-link tokens: 10 minutes.
- Password reset tokens: one hour.
- OIDC consent records: retained until you revoke the corresponding Authorized Application.
- Email relay log entries (which app sent you what subject line and when, no body): 90 days, then deleted.
- Audit log entries: 90 days, then deleted.
Sale of personal information
Whisp3r Auth does not sell or share your personal information. Ever. We have no advertising business. We do not operate a data brokerage. We do not license, rent, or transfer your information to third parties for marketing or analytics purposes. We do not sell, share, or disclose personal information for cross-context behavioral advertising under the California Consumer Privacy Act (CCPA), and have not done so in the preceding twelve months.
The narrow exceptions to this commitment are listed elsewhere in this notice and apply only where we have no choice:
- Subprocessors we use to operate the service (listed above) necessarily process the data we send them under data processing agreements that prohibit secondary use.
- Lawful legal process may compel us to disclose specific records. We notify affected users where lawful.
- Authorized Applications you sign in to receive only the identity claims you consented to release at sign-in.
- Business transfer — if Whisp3r Auth is acquired or merged, your account moves with the service under the same commitments.
Your rights
Subject to applicable law, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information through your profile settings.
- Delete your account, which deletes all associated personal data, revokes all outstanding tokens, and notifies your Authorized Applications.
- Export a portable copy of your data.
- Object to or restrict certain processing (GDPR).
- Withdraw any consent you have given.
- Lodge a complaint with a supervisory authority (GDPR) or attorney general (CCPA).
To exercise any of these rights, email auth@whisp3r.com. We respond within thirty days.
Security
We employ security measures that are reasonable for an identity provider, including: TLS for all traffic, password hashing with a memory-hard function, server-side rate limiting, brute-force lockouts, signed and short-lived session tokens, optional TOTP-based two-factor authentication, encrypted-at-rest database storage (provided by Neon), and CSRF protection on all state-changing endpoints.
If you suspect your account is compromised, change your password and sign out all sessions from your security settings immediately, then email auth@whisp3r.com.
Children
Whisp3r Auth is not directed to children under thirteen. If we learn we have collected information from a child under thirteen, we delete it.
Changes to this notice
We may update this Privacy Policy. The effective date at the top reflects the most recent revision. For material changes, we will email signed-in users and post a notice at sign-in.
Contact
For privacy requests, security disclosures, or anything else in this document, email auth@whisp3r.com.