PRIVACY POLICY
Effective Date: 2026/01/01
Last Updated: 2026/01/01
- WHO WE ARE & SCOPE
This Privacy Policy describes how Let’s Whisper s.r.o., with its registered office at Křižíkova 148/34, Karlín, 186 00 Praha 8, Czechia, Identification No.: 23849959, registered in the Commercial Register maintained by the Municipal Court in Prague (“Whisper”, “we”, “us” or “our”), collects, uses, and protects personal data.
- Scope
This Policy applies to:
- Visitors of our website.
- Customers (entities) and their Users (individuals) using our SaaS platform (“Service”).
- Prospects interacting with our sales team or marketing content.
- Controller vs. Processor
To understand your rights, we must distinguish between two roles we play under the GDPR:
- We act as a CONTROLLER regarding your Account Data, Usage Telemetry, and Marketing Data. This is information about you as a user (e.g., login, billing info, behavior on our site). We decide why and how this data is processed.
- We act as a PROCESSOR regarding the Customer Data (Content). This includes the emails, messages, CRM records, and business context you connect to the Service. You (the Customer) act as the Controller. We process this data solely on your instructions to provide the Service.
- DATA WE PROCESS AS A CONTROLLER
We process the following data based on the listed legal grounds:
| Category | Types of Data | Purpose | Legal Basis (GDPR) |
| --- | --- | --- | --- |
| Account & Billing Data | Name, work email, job title, company name, billing address, VAT ID, transaction history. | Account creation, identity verification, invoicing, subscription management. | Art. 6(1)(b) Contract & Art. 6(1)(c) Legal Obligation |
| Communication Data | Messages sent to support, demo requests, feedback forms. | Customer support, pre-contractual negotiations, sales inquiries. | Art. 6(1)(b) Contract & Art. 6(1)(f) Legitimate Interest |
| Usage & Telemetry | IP address, device/browser info, timestamps, feature usage logs, error logs, performance metrics. | Security, fraud prevention, ensuring service reliability, product improvement. | Art. 6(1)(f) Legitimate Interest |
| Marketing Data | Email address, interaction with newsletters. | Sending B2B newsletters, product updates, and webinar invitations. | Art. 6(1)(f) Legitimate Interest (existing clients) or Art. 6(1)(a) Consent |
- DATA WE PROCESS AS A PROCESSOR (SERVICE CONTENT)
When you use the Whisper Service to automate your communication, we process Customer Data on your behalf.
- Categories of Processed Data
- Email Data: Senders, recipients, subject lines, timestamps, message bodies, attachments, labels/folders (via integration with Gmail/Outlook).
- Business Context: Data from connected systems (CRM, ERP, E-commerce platforms) such as orders, invoices, delivery status, and customer profiles.
- Generated Content: Drafts, replies, and summaries generated by our AI.
- Principles of Processing
- Strict Purpose Limitation: We only access and process this data to perform the requested automation (e.g., drafting a reply, checking an order status).
- No training on Data: We do not use your specific Customer Data (emails, business records) to train our general-purpose Artificial Intelligence models (LLMs). Your data remains isolated.
- Confidentiality: Our employees do not access the content of your communications unless explicitly authorized by you for support/configuration purposes or required by law.
- THIRD PARTY INTEGRATIONS AND DATA USAGE
Our Service allows you to connect third-party email accounts, calendars, and business systems (hereinafter “Connected Accounts”) provided by third parties.
We acknowledge that data from these Connected Accounts (especially email content) is highly sensitive. Therefore, we apply the highest industry standards of data protection and limited use principles to all data received via these integrations, regardless of the provider.
- Strict Usage Limits
Regarding any data accessed via APIs from Connected Accounts (“Restricted Data”), we commit to the following:
- User-Facing Features Only: We use Restricted Data solely to provide or improve user-facing features that are prominent in the Service's user interface (e.g., reading an email to draft a relevant reply, analyzing context to suggest an action). We do not use this data for any other purpose.
- No Transfer: We do not transfer Restricted Data to third parties, except:
  - To our authorized Sub-processors (e.g., cloud storage, AI providers) strictly necessary to provide the Service, who are bound by equivalent confidentiality obligations;
  - To comply with applicable laws; or
  - As part of a merger, acquisition, or sale of assets (where the successor must adhere to this Policy).
- No Advertising: We strictly prohibit the use of Restricted Data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- No Human Access: No human (including our employees or contractors) will read the content of your emails or Connected Account data, unless:
  - You have given us specific, explicit consent for specific messages (e.g., for technical support);
  - It is necessary for security purposes (e.g., investigating abuse or a data breach);
  - It is required to comply with applicable laws; or
  - The data is aggregated and anonymized for internal operations (stats).
- AI Model Training
We do not use data from Connected Accounts (e.g., your emails, calendar entries, CRM records) to train, fine-tune, or improve general-purpose Artificial Intelligence or Machine Learning models (whether ours or those of third parties like OpenAI or Google) for the benefit of the general public.
However, we leverage Customer Data and user feedback to perform automatic improvement of environment configuration specifically for your organization. This process allows us to refine system prompts, adjust automation rules, and enhance context retrieval logic based on your usage patterns and corrections. This ensures the Service adapts to your specific communication style and needs without sharing your data for third-party general model training.
- ARTIFICIAL INTELLIGENCE & SUB-PROCESSORS
Our Service utilizes third-party Large Language Models (LLMs) to provide intelligence.
- Authorized Providers: We currently use enterprise-grade models from providers such as Anthropic and Google.
- Data Privacy in AI: We access these models via Enterprise APIs. Our agreements with these providers ensure that your data is not used to train their models.
- Transparency: A full list of our sub-processors (hosting, AI, email delivery) is available in our Data Processing Agreement (DPA) or upon request.
- DATA SHARING & INTERNATIONAL TRANSFERS
We do not sell your personal data. We share data only with:
- Service Providers (Sub-processors): Who assist us in operating the Service (cloud hosting, AI processing, payment gateways). They are bound by strict Data Processing Agreements.
- Legal Authorities: If required by law.
International Transfers:
Whisper operates primarily within the EU. However, some of our sub-processors (e.g., Google, OpenAI) may process data in the United States.
- For transfers to the U.S., we rely on the EU-U.S. Data Privacy Framework (DPF) where the provider is certified.
- Alternatively, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring appropriate safeguards.
- DATA RETENTION
We retain data only as long as necessary:
- Customer Content: Processed in real-time or stored for a limited period to provide context. Upon termination of the contract, all Customer Data is deleted within 30 days (subject to backup cycles).
- Account/Billing Data: Retained for the duration of the relationship + 10 years as required by Czech tax/accounting laws.
- Logs & Telemetry: Retained for 12 months for security auditing.
- Third party: If you revoke access to your Connected Account, we immediately cease collection and delete retained data according to our deletion policy.
- YOUR RIGHTS
Under the GDPR, you have the following rights regarding the personal data where we act as a Controller:
- Right of Access: You can ask us for a copy of your personal data.
- Right to Rectification: You can ask us to correct inaccurate data.
- Right to Erasure: You can ask us to delete your data (e.g., if you close your account), subject to our legal retention obligations.
- Right to Restriction: You can ask us to limit how we use your data.
- Right to Data Portability: You can ask for your data in a structured, machine-readable format.
- Right to Object: You can object to the processing of your data based on legitimate interest (e.g., marketing).
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
How to exercise rights: Contact us at [email protected]. We will respond within 30 days.
Note: If your request relates to data stored within a Customer's workspace (where we are a Processor), we will refer your request to the relevant Customer (your employer).
- SECURITY
We implement robust technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Strict access controls (MFA, Role-Based Access Control).
- COOKIES
We use cookies strictly necessary for the operation of the Service (authentication, security). We may use analytics cookies only if you grant us consent via our Cookie Banner. You can manage your preferences at any time in the website settings.
- CHANGES TO THIS POLICY
We may update this Policy. If we make material changes, we will notify you via email or a prominent notice within the Service.
Contact Us:
Let’s Whisper s.r.o.
Email: [email protected]
Data Box: 3e7q2vh