Privacy Policy

Last updated: June 29, 2026

Whispurr is a private intimacy tracker built and operated by WhispurrApp, LLC ("Whispurr", "we", "us", or "our"). This policy explains what data Whispurr collects when you use the iOS app, why we collect it, and what we do — and don't — do with it.

We built Whispurr because intimate data deserves to be treated with extraordinary care. Our guiding principle is simple: your intimate life stays on your device, and syncs peer-to-peer with the devices you choose.

1. What we don't do

2. How Whispurr stores and syncs your data

2.1 No accounts, no sign-in

Whispurr does not have user accounts. There is no email, password, or username. The app does not call Firebase Authentication, Stream Chat, or any other identity provider. The first time you open the app, it generates a private cryptographic seed on your device and shows you a 24-word recovery phrase derived from that seed. Write it down somewhere safe — it is the only way to access your data from another device or recover it if you lose this one. We never see it.

2.2 Records (encounters, activities, notes, profiles)

Records are stored in encrypted documents on your device using iroh-docs, an open-source peer-to-peer document store. Each document is encrypted with AES-256-GCM using a key derived (via HKDF-SHA256) from a per-namespace seed. The seed lives on your devices and your paired partner's device — it never reaches our servers because we do not run servers that hold your data.

2.3 Photos, videos, and other media

Photos and videos are encrypted on your device with AES-256-GCM and stored as content-addressed blobs using iroh-blobs. The hash advertised to the network is the hash of the ciphertext; only devices that hold the namespace seed can decrypt the bytes. Bytes replicate peer-to-peer between your devices and your partner's devices — they are not uploaded to any media CDN, R2 bucket, or chat service.

2.4 Messages with your partner

Chat messages flow through the same iroh-docs document as your records, under the partner-shared namespace minted when you pair. Message bodies are encrypted end-to-end with the same per-namespace AES-256-GCM key. Whispurr does not use Stream Chat, Sendbird, or any other third-party chat backend.

2.5 Multi-device sync (your own devices)

To add a second device to your account (e.g. an iPad alongside your iPhone), open the new device, choose Settings → Add this device, and type the 24-word recovery phrase from your primary device. The second device derives the same seed and joins your peer-to-peer sync. Your partner's device is not involved in this step. We cannot link or unlink your devices — that authority belongs entirely to whoever holds the recovery phrase.

2.6 Pairing with a partner

Pairing is initiated by scanning a QR code shown by one device with the other. The QR code carries an iroh network address and a one-time handshake token. After both sides confirm a shared fingerprint (shown as a sequence of emoji on both screens), each device agrees on the partner-shared namespace seed. From that point on, your records and chat replicate peer-to-peer between the paired devices.

2.7 Diagnostic information

Whispurr does not use Firebase Analytics, Crashlytics, or any third-party analytics or crash-reporting service. The only diagnostics you may see are those provided by Apple's standard "Share with App Developers" opt-in, which you control through iOS Settings → Privacy & Security → Analytics & Improvements.

2.8 Projecting media to a paired device

Whispurr can stream your photos to a paired "Whispurr Projector" app running on another device (typically a TV-connected computer in your home). The stream is point-to-point and ephemeral — nothing is stored at our end.

3. How we use the data

Because your data does not reach our servers, we cannot — and do not — use it for anything. The app uses your recovery phrase only to derive encryption keys on your own devices, and the iroh relays only see encrypted bytes they cannot read.

We do not use your data to train machine-learning models, to advertise to you, or to make automated decisions about you.

4. Third-party processors

Whispurr's peer-to-peer architecture means we use very few third-party processors. None of them are used for advertising or tracking.

As of this version, Whispurr no longer uses Google Firebase Authentication, GetStream Chat, or Cloudflare R2 storage. They have been replaced by the peer-to-peer iroh-docs / iroh-blobs stack described above.

5. Data storage and security

Records, messages, and media are stored on your device under the iOS sandbox, with Data Protection set to "Complete until first user authentication" so the underlying files are inaccessible until you unlock the phone after a reboot. Your recovery phrase and namespace seeds are held in the iOS Keychain. Every value written to an iroh-docs document is encrypted with AES-256-GCM before reaching the storage layer; every media byte sent to iroh-blobs is encrypted before the hash is computed. Network traffic between peers and the iroh relays uses QUIC with TLS 1.3.

No system can be guaranteed perfectly secure. Whispurr is designed so that an attacker would need both physical access to one of your unlocked devices and the recovery phrase to read your intimate content — there is no server-side trove to compromise.

6. Data retention and deletion

Data persists on the devices that hold the namespace seed. Deleting Whispurr from a device deletes the local copy. If you lose every device that holds the seed without having written down the recovery phrase, the data is unrecoverable — there is no server-side backup we can restore from. If you wish to remove your data from a paired partner's device, ask them to delete the relevant Connection from within the app.

For privacy-policy questions, email privacy@whispurr.app.

7. Children

Whispurr is not directed at children. The app is rated 17+/18+ and is not intended for use by anyone under the age of 18 (or the equivalent age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact privacy@whispurr.app and we will delete it.

8. Your rights

Depending on where you live, you may have the right to:

To exercise any of these rights, email privacy@whispurr.app. We will respond within 30 days.

9. International transfers

Whispurr is operated from the United States. By using Whispurr, you understand that your information may be processed in the United States and other countries that may have different data-protection laws than your country of residence.

10. Changes to this policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top and, for material changes, notify you in the app. Your continued use of Whispurr after a change indicates your acceptance of the updated policy.

11. Contact us

Questions, concerns, or requests related to this policy can be sent to:

WhispurrApp, LLC
Email: privacy@whispurr.app