Privacy Policy
Last updated: June 29, 2026
Whispurr is a private intimacy tracker built and operated by WhispurrApp, LLC ("Whispurr", "we", "us", or "our"). This policy explains what data Whispurr collects when you use the iOS app, why we collect it, and what we do — and don't — do with it.
We built Whispurr because intimate data deserves to be treated with extraordinary care. Our guiding principle is simple: your intimate life stays on your device, and syncs peer-to-peer with the devices you choose.
1. What we don't do
- We do not have user accounts, email addresses, or passwords.
- We do not sell your data.
- We do not use third-party advertising or tracking SDKs.
- We do not use analytics services to profile your behavior.
- We do not share your data with data brokers.
- We do not store your records, messages, or media on a server. Everything you create lives encrypted on the devices you own and, if you choose to pair, on your partner's device.
2. How Whispurr stores and syncs your data
2.1 No accounts, no sign-in
Whispurr does not have user accounts. There is no email, password, or username. The app does not call Firebase Authentication, Stream Chat, or any other identity provider. The first time you open the app, it generates a private cryptographic seed on your device and shows you a 24-word recovery phrase derived from that seed. Write it down somewhere safe — it is the only way to access your data from another device or recover it if you lose this one. We never see it.
2.2 Records (encounters, activities, notes, profiles)
Records are stored in encrypted documents on your device using iroh-docs, an open-source peer-to-peer document store. Each document is encrypted with AES-256-GCM using a key derived (via HKDF-SHA256) from a per-namespace seed. The seed lives on your devices and your paired partner's device — it never reaches our servers because we do not run servers that hold your data.
2.3 Photos, videos, and other media
Photos and videos are encrypted on your device with AES-256-GCM and stored as content-addressed blobs using iroh-blobs. The hash advertised to the network is the hash of the ciphertext; only devices that hold the namespace seed can decrypt the bytes. Bytes replicate peer-to-peer between your devices and your partner's devices — they are not uploaded to any media CDN, R2 bucket, or chat service.
2.4 Messages with your partner
Chat messages flow through the same iroh-docs document as your records, under the partner-shared namespace minted when you pair. Message bodies are encrypted end-to-end with the same per-namespace AES-256-GCM key. Whispurr does not use Stream Chat, Sendbird, or any other third-party chat backend.
2.5 Multi-device sync (your own devices)
To add a second device to your account (e.g. an iPad alongside your iPhone), open the new device, choose Settings → Add this device, and type the 24-word recovery phrase from your primary device. The second device derives the same seed and joins your peer-to-peer sync. Your partner's device is not involved in this step. We cannot link or unlink your devices — that authority belongs entirely to whoever holds the recovery phrase.
2.6 Pairing with a partner
Pairing is initiated by scanning a QR code shown by one device with the other. The QR code carries an iroh network address and a one-time handshake token. After both sides confirm a shared fingerprint (shown as a sequence of emoji on both screens), each device agrees on the partner-shared namespace seed. From that point on, your records and chat replicate peer-to-peer between the paired devices.
2.7 Diagnostic information
Whispurr does not use Firebase Analytics, Crashlytics, or any third-party analytics or crash-reporting service. The only diagnostics you may see are those provided by Apple's standard "Share with App Developers" opt-in, which you control through iOS Settings → Privacy & Security → Analytics & Improvements.
2.8 Projecting media to a paired device
Whispurr can stream your photos to a paired "Whispurr Projector" app running on another device (typically a TV-connected computer in your home). The stream is point-to-point and ephemeral — nothing is stored at our end.
- The projector displays a QR code that encodes only a public network address. Your phone scans it to start the connection.
- Photos are decrypted only on your phone, then transmitted over an iroh QUIC session (TLS 1.3) directly to the projector. The iroh relay servers operated by Number Zero (n0) are used to bootstrap the connection and, when direct hole-punching across NAT is not possible, to forward already-encrypted bytes that they cannot read.
- Once the projector window is closed (or the session is stopped from your phone), the connection ends. No images are persisted on the projector unless you explicitly save them there.
3. How we use the data
Because your data does not reach our servers, we cannot — and do not — use it for anything. The app uses your recovery phrase only to derive encryption keys on your own devices, and the iroh relays only see encrypted bytes they cannot read.
We do not use your data to train machine-learning models, to advertise to you, or to make automated decisions about you.
4. Third-party processors
Whispurr's peer-to-peer architecture means we use very few third-party processors. None of them are used for advertising or tracking.
- Apple Inc. — distributes the app through the App Store and provides anonymous diagnostics if you opt in via iOS Settings. Apple privacy.
- Cloudflare, Inc. — hosts whispurr.app and may log basic request metadata (IP address, user agent) for the duration required to serve the page and protect against abuse. Cloudflare privacy.
- Number Zero (n0) — operates the public iroh relay network used to bootstrap peer-to-peer connections and, when direct connectivity across NAT cannot be established, to forward already-encrypted traffic between you and your partner or projector. n0 sees the network metadata required to route traffic; it cannot read your records, messages, or media. See the iroh project.
As of this version, Whispurr no longer uses Google Firebase Authentication, GetStream Chat, or Cloudflare R2 storage. They have been replaced by the peer-to-peer iroh-docs / iroh-blobs stack described above.
5. Data storage and security
Records, messages, and media are stored on your device under the iOS sandbox, with Data Protection set to "Complete until first user authentication" so the underlying files are inaccessible until you unlock the phone after a reboot. Your recovery phrase and namespace seeds are held in the iOS Keychain. Every value written to an iroh-docs document is encrypted with AES-256-GCM before reaching the storage layer; every media byte sent to iroh-blobs is encrypted before the hash is computed. Network traffic between peers and the iroh relays uses QUIC with TLS 1.3.
No system can be guaranteed perfectly secure. Whispurr is designed so that an attacker would need both physical access to one of your unlocked devices and the recovery phrase to read your intimate content — there is no server-side trove to compromise.
6. Data retention and deletion
Data persists on the devices that hold the namespace seed. Deleting Whispurr from a device deletes the local copy. If you lose every device that holds the seed without having written down the recovery phrase, the data is unrecoverable — there is no server-side backup we can restore from. If you wish to remove your data from a paired partner's device, ask them to delete the relevant Connection from within the app.
For privacy-policy questions, email privacy@whispurr.app.
7. Children
Whispurr is not directed at children. The app is rated 17+/18+ and is not intended for use by anyone under the age of 18 (or the equivalent age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact privacy@whispurr.app and we will delete it.
8. Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate personal information.
- Delete your account and associated personal information.
- Object to or restrict certain processing of your data.
- Receive a copy of your personal information in a portable format.
- Lodge a complaint with a data protection authority.
To exercise any of these rights, email privacy@whispurr.app. We will respond within 30 days.
9. International transfers
Whispurr is operated from the United States. By using Whispurr, you understand that your information may be processed in the United States and other countries that may have different data-protection laws than your country of residence.
10. Changes to this policy
We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top and, for material changes, notify you in the app. Your continued use of Whispurr after a change indicates your acceptance of the updated policy.
11. Contact us
Questions, concerns, or requests related to this policy can be sent to:
WhispurrApp, LLC
Email: privacy@whispurr.app