Privacy Policy

Last updated: June 10, 2026

Whisper is an ephemeral, widget-first messaging app for two paired people. It is operated by Lula Apps ("Lula Apps", "we", "us"). This policy explains what information the app handles, how it is used, and the choices you have. We built Whisper to keep your conversations private by default — your messages are end-to-end encrypted and disappear after they are viewed.

In short

1. Information we collect

Account and sign-in

You sign in with either Sign in with Apple or an email one-time code:

Authentication is handled by our backend provider, Supabase. Your sign-in session tokens are stored securely on your device.

Profile

Pairing

Whisper connects exactly two people. To set up a pair we store which accounts are paired and the public cryptographic keys used to establish end-to-end encryption. We never receive your private keys.

Messages and media

The text, photos, voice notes, and videos you send are end-to-end encrypted on your device before they reach our servers. We store and relay only the encrypted form and cannot decrypt it. Encrypted messages are kept only long enough to deliver them and are removed after your pair views them, or after one week, whichever comes first.

Notifications

To deliver push notifications, we register a device token with Apple Push Notification service (APNs). Notification delivery is handled by Apple; the message content underlying a notification remains end-to-end encrypted.

Purchases and subscriptions

If you buy a subscription, the purchase is processed by Apple through the App Store, and we use RevenueCat to manage and verify subscription status. We receive your subscription tier and status — we never receive your payment card number or full billing details.

Diagnostics

To find and fix crashes and bugs, we collect technical diagnostic information such as your device model, operating system version, app version, and a trail of recent in-app events (breadcrumbs). These reports are processed using Sentry and do not include your message content.

Anonymous usage analytics

We record a small set of anonymous, content-free product events — for example, that a message was sent and its type (text, photo, voice, video), or that a pairing completed. These events are tied only to a random installation identifier, never to your name, account, pair, or message content, and the identifier is reset when you delete your account. This analytics data is processed on our own servers (Supabase), not shared with a third-party analytics provider.

2. What we do not collect

3. End-to-end encryption

Whisper protects your conversations with end-to-end encryption, using a key-agreement handshake and a forward-secret message ratchet. The private keys are generated on your device, stored in the iOS Keychain, and never leave your device. Because of this, our servers only ever hold ciphertext — neither we nor anyone who intercepts the data in transit can read your messages or media.

4. How we use information

5. How long we keep it

When you delete your account, we delete your profile and the data associated with it from our systems, remove your registered device token, and reset your anonymous analytics identifier.

6. Who we share it with

We do not sell your data. We share information only with the service providers (sub-processors) that we rely on to run Whisper, and only as needed to provide the service:

ProviderPurpose
AppleSign in with Apple, push notifications (APNs), App Store purchases.
SupabaseBackend hosting, database, authentication, encrypted message and media storage.
RevenueCatSubscription management and purchase verification.
SentryCrash and error diagnostics (no message content).
CloudflareHosting and delivery of our website and pairing links.

We may also disclose information if required by law, to enforce our terms, or to protect the rights, safety, and security of our users and the service.

7. Security

We protect your data with end-to-end encryption for message content, secure transport (HTTPS with certificate pinning), encrypted storage of media, and single-device session enforcement. No system is perfectly secure, but we work to protect your information using current best practices.

8. Your choices and rights

Depending on where you live, you may have additional rights to access, correct, or delete your personal information, or to object to or restrict certain processing. To make a request, contact us at the address below.

9. Children

Whisper is not directed to children, and we do not knowingly collect personal information from children under 13 (or the minimum age required in your country). If you believe a child has provided us information, please contact us and we will delete it.

10. International data transfers

We and our service providers may process and store information in countries other than where you live. Where required, we take steps to ensure your information receives an appropriate level of protection when it is transferred.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will revise the "Last updated" date above and, where appropriate, provide notice in the app.

12. Contact us

If you have questions about this policy or your data, contact us at privacy@lulaapps.com.