Who we are
Whispor ("Whispor", "we", "us", "our") is a negotiation-intelligence platform operated by Whispor LLC, a Delaware limited liability company based in the United States. We build software that helps procurement teams coach their negotiators and automate tail-end supplier conversations. We serve customers across the United States, the United Kingdom and the European Union.
Because we have customers and site visitors in the UK and the EU, we've written this policy to comply with the EU General Data Protection Regulation (GDPR) and the UK GDPR. For personal data you give us directly — through our website, marketing materials, sales conversations and career applications — Whispor is the data controller. For personal data our customers upload or generate inside the Whispor platform, Whispor acts as a data processor under the customer's instructions.
What personal data we collect
We keep the categories deliberately narrow. Here is everything:
| Category | Examples | Source |
|---|---|---|
| Identity & contact | Name, work email, job title, company, phone number (optional) | Briefing request form, email, events |
| Professional context | Categories you spend in, pressure you're under, existing tools | Briefing conversations, contact form |
| Website usage | Pages visited, referral, device type, approximate region | Cookies & similar — see the Cookie policy |
| Application data | CV, cover letter, work history, salary expectation | Careers page submissions |
| Customer platform data | Spend files, supplier lists, negotiation transcripts you upload | Processed under the customer's contract; Whispor is a processor |

We don't collect special-category data (health, religion, biometrics, etc.) and we don't buy marketing lists.
How we use personal data
We use personal data for a small, specific set of purposes:
- Answering your questions — responding to briefing requests, support, and sales conversations.
- Running the platform — authenticating users, providing coaching feedback, generating supplier emails, producing analytics dashboards for the customer organisation that engaged us.
- Recruiting — assessing applications and communicating with candidates.
- Improving Whispor — measuring usage in aggregate, fixing bugs, understanding which content is useful.
- Direct marketing — occasional product updates to existing customers and people who've asked to hear from us. Every email has a one-click unsubscribe.
- Security & compliance — detecting fraud, enforcing our terms, meeting tax and accounting obligations.
We do not sell personal data and we don't use customer platform data to train models that are then deployed for other customers.
Legal basis
Under GDPR Article 6, we rely on one of these bases for every processing activity:
- Contract (Art. 6(1)(b)) — to provide the Whispor platform and pilot to customers.
- Legitimate interests (Art. 6(1)(f)) — for B2B marketing to professional contacts, product analytics, platform security, and replying to unsolicited queries. We've weighed these interests against your rights and documented that assessment; you can request a copy.
- Consent (Art. 6(1)(a)) — for non-essential cookies and optional marketing to individuals who haven't yet bought from us. You can withdraw consent at any time via the cookie preferences panel or by emailing hello@whispor.com.
- Legal obligation (Art. 6(1)(c)) — for tax, accounting and statutory reporting.
Who we share data with
We share personal data only with vetted processors who help us run the business, and only to the extent they need it. Every processor is under a written data-processing agreement with security and confidentiality obligations. Current processors include:
- Cloud hosting — AWS (EU and US regions, depending on customer).
- Email & CRM — for outbound briefing emails and customer conversations.
- Analytics — privacy-preserving, cookieless website analytics.
- AI inference — for LLM-powered coaching and email drafting; contractually prohibited from training on our data.
- Payments, accounting & payroll — for invoicing customers and paying staff.
A current list of sub-processors is available on request. We'll give existing customers at least 30 days' notice before adding a new sub-processor that handles their content.
We also disclose data where we're legally required to (court orders, regulators) or to protect our rights. We don't volunteer data to law-enforcement fishing requests.
How long we keep data
- Briefing & contact-form data — 24 months from last interaction, then deleted or anonymised.
- Customer platform data — for the duration of the customer contract, then deleted within 60 days of termination (or returned, if requested).
- Career applications — 12 months after the role is filled, unless you ask us to delete sooner or keep you on file.
- Accounting records — 7 years, to meet US tax and accounting obligations.
- Website analytics — aggregated, no personal identifiers retained beyond 14 months.
International transfers
Whispor LLC is based in the United States. When personal data of UK or EU residents is transferred to us in the US — or to our sub-processors outside the UK or the European Economic Area — we rely on a lawful transfer mechanism:
- EU Standard Contractual Clauses (2021/914) for transfers from the EEA to the US.
- UK International Data Transfer Agreement (or the UK Addendum to the EU SCCs) for transfers from the UK.
- EU–US Data Privacy Framework, where a sub-processor is certified under it.
We supplement these with technical and organisational measures — encryption in transit (TLS 1.2+) and at rest (AES-256), strict access controls, data minimisation, and a policy of challenging any disproportionate government-access request. A transfer impact assessment is available on request. EU customers can ask for EU-region hosting of their tenant; we'll accommodate where operationally feasible.
Your rights
Under GDPR / UK GDPR you have the right to:
- Access — ask for a copy of the personal data we hold about you.
- Rectification — correct data that's wrong or incomplete.
- Erasure — ask us to delete data ("right to be forgotten"), subject to legal retention.
- Restriction — pause processing while a question is resolved.
- Portability — receive data in a machine-readable format, or have it sent directly to another controller.
- Objection — object to processing based on legitimate interests, including marketing.
- Withdraw consent — at any time, without affecting processing that happened before.
- Automated decisions — Whispor doesn't take automated decisions that have legal or similarly significant effects on individuals.
- Complain — to your local supervisory authority. In the UK that's the Information Commissioner's Office; in the EU, your national data-protection authority (you can find yours via the EDPB members list). We'd rather you came to us first so we can fix it.
To exercise any right, email hello@whispor.com with the subject line "Data request". We'll respond within 30 days (or tell you why we need longer, up to an additional 60 days for complex requests, as permitted under GDPR Art. 12(3)).
Security
We operate a written information-security program based on ISO 27001 controls, with SOC 2 Type II in progress. Key measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access; least-privilege by default; MFA for all staff.
- Production data segregated from staging; customer tenants logically isolated.
- Regular penetration testing and dependency scanning.
- Incident response plan with GDPR-compliant breach notification — affected supervisory authorities within 72 hours, and affected individuals without undue delay where the risk threshold is met (GDPR Art. 33–34).
Changes to this policy
We'll update this page as the business evolves. If changes are material, we'll post a notice on the homepage and email active customers at least 14 days before the new version takes effect. Historical versions are available on request.
EU & UK representative
As a US-based controller offering services to individuals in the EU and UK, Whispor LLC will appoint an Article 27 GDPR representative in the EU and a UK GDPR representative once EU/UK user volumes cross the threshold that requires one. In the meantime, the fastest route for any GDPR or UK GDPR enquiry is to email hello@whispor.com with the subject line "Data request" — we treat those in the same priority queue as a formal representative channel.
Contact
Questions, data-subject requests, or anything that doesn't sit right:
Whispor LLC
Delaware, United States
hello@whispor.com
Subject lines we watch: Data request, GDPR, Privacy, Security.