Privacy Policy

Effective date: 10 November 2025 | Version 2.1

Aligned with UK GDPR and the Data Protection Act 2018

Your privacy tools

Manage your information directly from this page.

1. Who we are

Legal entity: WHISPSOCIO LTD
Company number: 16817482 (registered in United Kingdom)
Registered office: Whispsocio, PO Box 1227, NELSON, BB9 4JU
Data controller: WHISPSOCIO LTD
Privacy lead: legal@whispsocio.com
ICO registration: Registration pending (we will update this policy once issued)

WhispSocio provides a social platform with live streaming, messaging, and a peer-to-peer marketplace for physical and digital goods. This policy explains how we collect, use, and protect personal information when you visit or use our services.

2. Data we collect

We collect information in three main ways: data you provide directly, data generated through your use of the platform, and data supplied by trusted third parties. We never sell personal data.

Category | Examples | Lawful basis | Typical retention
Account data | Email address, username, password hash, date of birth | Contract (to create your account) | Account lifetime + 30 days grace
Profile & content | Avatar, bio, posts, messages, streams, marketplace listings | Contract; legitimate interests (community safety) | Until deleted or account closes (with legal holds where required)
Transaction data | Order details, payout preferences, refund requests | Contract; legal obligation (financial reporting) | Seven years to comply with accounting rules
Support communications | Help tickets, moderation reports, appeal correspondence | Legitimate interests (support and dispute resolution) | Up to three years after closure of the ticket
Technical and usage | IP address, device type, browser, log events, security alerts | Legitimate interests (service security); legal obligation | 90 days for logs; anonymised analytics retained up to 24 months
Third-party data | Payment status from Stripe, optional Twitter profile data, fraud risk scores | Contract; legitimate interests; consent (for social connections) | Aligned with the source system and our retention rules above

3. How we use personal information

We only process personal information when we have a lawful basis. The main purposes are listed below.

Provide and personalise the service: Operating accounts, feeds, live streams, and marketplace functionality.
Basis: Contract performance.

Process payments and payouts: Collecting payments, sending seller payouts, handling refunds.
Basis: Contract; legal obligations.

Safeguard the community: Moderating content, preventing fraud, enforcing policies, managing disputes.
Basis: Legitimate interests; legal obligations.

Communicate with you: Service updates, security notices, onboarding guidance.
Basis: Contract; legitimate interests. Marketing emails are sent only with consent.

Improve our platform: Diagnosing issues, analysing feature usage, developing new functionality.
Basis: Legitimate interests (product development).

Comply with law: Responding to lawful requests, maintaining tax and accounting records.
Basis: Legal obligations.

4. When we share information

We share personal information with carefully selected service providers that help us operate WhispSocio. Each provider is bound by contract to safeguard data and may use it only in accordance with our documented instructions.

Recipient | Purpose | Location | Safeguards
Stripe Payments Europe, Limited | Payment processing, marketplace payouts, fraud screening | EU/USA | Data Processing Agreement, Standard Contractual Clauses (SCCs)
Cloud infrastructure partners | Hosting application servers, databases, and backups | United Kingdom & EU | Data stored within UK/EU regions; access controls and encryption
Transactional email provider (configurable SMTP) | Delivering verification and security emails | EU/USA (provider dependent) | SMTP credentials secured; SCCs or equivalent safeguards when outside UK/EU
Identity verification and fraud tools (where enabled) | Optional seller verification, risk scoring | UK/EU | Contracts limit use to verification, with strict retention controls

We may also disclose information when required by law, in response to valid legal requests, or to protect the rights, property, or safety of our users, employees, or the public.

5. International data transfers

  • Personal data may be transferred outside the UK or European Economic Area when we use providers such as Stripe or email services hosted in the United States.
  • Whenever we transfer data internationally, we rely on Standard Contractual Clauses or other legally recognised safeguards and perform risk assessments.
  • We monitor developments in international data transfer law and will update our safeguards where required.

6. Data retention

Data type | Retention period | Reason
Account information | Account lifetime + 30 days after deletion request | Allow reactivation during grace period; fraud prevention
Marketplace transactions | Seven years | Legal and tax obligations
Support and moderation logs | Up to three years from resolution | Evidence for disputes and policy enforcement
Security logs | 90 days | Detecting and investigating security incidents
Anonymised analytics | Up to 24 months | Usage trend analysis

7. Security measures

  • Encryption in transit (TLS 1.3) and at rest for sensitive data.
  • Role-based access controls and multi-factor authentication for administrative accounts.
  • Automated monitoring, logging, and alerting to detect unusual activity.
  • Regular patching and infrastructure reviews, including backup and disaster recovery procedures.

8. Your privacy rights

If you are located in the UK or EU you have the following rights under the UK GDPR/EU GDPR:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Ask us to correct inaccurate or incomplete information.
  • Erasure: Request deletion of your data when it is no longer needed or you withdraw consent.
  • Restriction: Ask us to pause processing while a request is investigated.
  • Portability: Receive your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests (including profiling) or direct marketing.
  • Withdraw consent: Withdraw consent for optional processing at any time.

To exercise your rights, email legal@whispsocio.com or use the self-service tools above. We may ask for proof of identity before responding. We aim to reply within one month and will let you know if we need longer for complex requests.

9. Marketing and cookies

  • We only send promotional emails with your explicit consent. You can withdraw consent via account settings or the unsubscribe link in any message.
  • Service announcements, security alerts, and transaction emails are essential and cannot usually be opted out of.
  • Our cookie practices are explained in the Cookie Policy. Non-essential cookies are only used after you provide consent through the cookie banner or settings.

10. Automated decision-making

We do not carry out automated decision-making that produces legal or similarly significant effects. Automated systems assist with spam and content detection, but human review is available and you can appeal moderation outcomes.

11. Children

WhispSocio is not directed at children under 13. We remove accounts where we learn that the user is under the minimum age or has provided false information. Parents or guardians can contact us at legal@whispsocio.com to request removal of unauthorised accounts.

12. Complaints and supervisory authority

If you have concerns about how we handle your data, contact us first at legal@whispsocio.com so we can resolve the issue. You also have the right to complain to the Information Commissioner's Office (ICO):

13. Changes to this policy

  • We review this policy whenever we launch new features, update our processing, or need to reflect legal requirements.
  • Material changes will be notified at least 30 days in advance via email or on-site notice. Minor updates take effect immediately upon publication.
  • The "Effective date" at the top shows when the latest version came into force.

14. Contact us

Email

legal@whispsocio.com

We aim to respond within 72 hours.

Postal

WHISPSOCIO LTD
14 Pendlemist View
Colne
England
BB8 8BD

15. Regional notices

We operate globally and apply additional privacy provisions where local law requires them. These regional notices supplement the rest of this policy:

Region Additional information
EU/EEA data subjects
  • We rely on the EU Standard Contractual Clauses for any transfers of your data outside the EEA. Copies are available on request.
  • You may lodge a complaint with your local supervisory authority in addition to the UK ICO. You can find contact details at https://edpb.europa.eu.
  • Where we act as a processor for marketplace sellers, those sellers remain responsible for providing you with their own EU GDPR notices.
United States & California
  • We do not “sell” personal information as defined by the California Consumer Privacy Act (CCPA). If this changes we will provide an opt-out link.
  • California residents may request disclosure or deletion of personal information by emailing legal@whispsocio.com. We will confirm receipt within 10 days and respond within 45 days.
  • Authorized agents may submit CCPA requests on your behalf with written permission or power of attorney documentation.
Canada
  • We comply with PIPEDA and applicable provincial privacy statutes. Personal data may be stored in the UK or EU; by using the platform you consent to these transfers.
  • Contact us to access or correct your personal information. If we refuse a request you will receive written reasons and information about escalation to the Office of the Privacy Commissioner of Canada.
Australia & New Zealand
  • Australian users may complain to the Office of the Australian Information Commissioner (OAIC) if they are unsatisfied with our response to a privacy concern.
  • We take reasonable steps to ensure overseas recipients handle Australian or New Zealand personal information in accordance with local privacy principles.

Version history

  • Version 2.1 (10 November 2025) – Added regional privacy notices, clarified processors, and expanded international transfer detail.
  • Version 2.0 (15 September 2025) – Added GDPR alignment and self-service tools.
  • Version 1.0 (1 May 2024) – Initial policy.