Privacy Policy

I. Scope of this Privacy Policy

This Privacy Policy applies to the Wisper application. With regard to the general data processing on the website “wisperapp.com” regarding Swiss Federal Act on Data Protection (FADP), General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), we refer you to the “Privacy Policy – wisperapp.com”, available at https://wisperapp.com/data-protection-policy.

This Privacy Policy does not apply to personal data we process as a processor on behalf of third parties. This is especially the case with hosting personal data for third parties who run an organization on Wisper and their invitations to end users to join that organization. If you are an end user of one of those organizations, such as an employee or student, you should read that organization’s privacy policy and direct any privacy inquiries to the third party who runs that organization on Wisper.

II. Our privacy policy (data protection policy) under the FADP and GDPR

1. General information and principles of data processing

The protection of your privacy and the protection of your personal data is an important concern to us.
In accordance with Article 5 (a) FADP and Article 4 (1) GDPR, personal data means any information relating to an identified or identifiable natural person. This includes, for example, information such as first and last name, address, telephone number, email address, but also an IP address.
Data that cannot be linked to your person, for example through anonymisation, is not personal data. Under Article 6 (1) FADP personal data must be processed lawfully and the processing of sensitive personal data according to Article 6 (6) and (7) FADP requires a consent. Under the GDPR, processing of personal data (e.g. collection, storage, readout, retrieval, use, transmission, deletion or destruction) according to Article 4 (2) GDPR always requires a legal basis or a consent. Processed personal data must be deleted as soon as the purpose of their processing has been achieved, and there are no longer any legally prescribed retention obligations.
Here you will find information on the handling of your personal data while using the application Wisper. In order to provide the functions and services of Wisper, it is necessary for us to collect your personal data.
In the following, we explain the type and scope, purpose, legal basis and storage period of the respective data processing.

2. Controller

Responsible for the processing of personal data on Wisper is:

Wisper GmbH
c/o Mercandor AG
Unter Altstadt 28
6300 Zug
Switzerland

Phone: +41 (0) 41 710 2628
Email: info@wisperapp.com

3. Representative of Controller according to Article 27 GDPR

FamCap Partners GmbH
Menzelstraße 5
81679 Munich
Germany

Phone: +49 (0)89 2305 9692
Email: info@famcap.de

4. Download of the Application Wisper

When you download the mobile application Wisper from an app store (e.g. the Apple App Store or the Google Play Store), the required information is transferred to the app store, i.e. in particular the username, e-mail address and customer number of your account, time of download, payment information and the individual device identification number as well as other information that the app store owner requires you to provide in order to download the application. In addition, the app store independently collects various data and provides you with analysis results. We have no influence on this data processing and are not responsible for it. We process the data only insofar as it is necessary for downloading the mobile app to your mobile device.

5. Technically Necessary Data Processing for Using Wisper

a) Type and extent of data processing
When using Wisper, we process the personal data described below to enable convenient use of the functions. If you want to use Wisper, we process the following data, which are technically necessary for us to offer you the functions of the application and to ensure stability and security, so that they must be processed by us:

· Date and time of the request
· Access status/HTTP status code
· Amount of transferred data
· IP-address
· Operating system
· Connection information (including phone number, mobile operator or ISP)

b) Purpose of data processing
This data described above is technically necessary to enable you to use Wisper. In addition, the data is technically necessary to ensure the stability of the application and IT security, in particular to protect our IT systems from misuse and to defend against attacks.

c) Legal basis
As required under the GDPR, the legal basis for the collection and processing of the data is Article 6 (1) (f) GDPR.

d) Storage period
The aforementioned data will be deleted as soon as it is no longer required for the purpose for which it was collected.

To guarantee IT security, the IP-address will be saved for a short period of time of no more than seven calendar days.

e) Right of objection
Under the GDPR, if your personal data is processed in accordance with Article 6 (1) (f) GDPR you have a right of objection in accordance with Article 21 GDPR. However, in the case of the specific data processing operation, we have compelling legitimate grounds for processing the data that is necessary for the protection of these data, because without the processing of these data we cannot provide and operate Wisper.

6. Account Creation

a) Type and extent of data processing
In order for us to provide the functions and services of Wisper to you, you need to create a user account. For the account creation you only have to provide the following mandatory data. Without these data we will not give you access to the functions and services of Wisper:

· Phone number
· Username
· Passphrase
· Recovery PIN
· First Name
· Age*

*By virtue of your acceptance of the Wisper – End User License Agreement, you acknowledge you are at least the minimum age.

Additionally, corporate accounts (those used to communicate within an organization of a third party on Wisper) may require the following data:

• Email address
• Company name
• Job title

All other data that you can provide when creating the account are voluntary and not required for the use of Wisper. These may include the following data:

· Last Name
· Biography information (e.g., self-introduction)
· Profile Image
· Country (for corporate accounts)
· Department (for corporate accounts)

You can change or adjust the data you provided at any time in your account settings. Excluded from this is the username and your phone number. We reserve the right to modify the mandatory and optional nature of these fields as the product evolves, and may require new fields such as billing contact (name), billing address, and billing transaction information (e.g. credit card information, etc.) in the future.

If you allow access to the aforementioned data, Wisper will only access your data and transfer it to our server to the extent necessary to provide the functionality. Your data will be treated confidentially by us and deleted if you revoke the rights to use it or if it is no longer necessary for the provision of the services and there are no legal retention obligations.

b) Purpose of data processing
We process the above data for the purpose of providing our services to you and to detect, prevent and address fraud, security, or technical issues.

c) Legal basis
As required under the GDPR, the legal basis for this is Article 6 (1) (b) GDPR, the processing of the data serves the fulfilment of a contract or the implementation of pre-contractual measures. If the data is not required for the performance of the contract and you enter the data voluntarily, the legal basis is your consent pursuant to Article 6 (1) (a) GDPR.

Under the FADP to the extent that sensitive personal data should be processed, the legal basis is your explicit consent pursuant to Article 6 (6) and (7) FADP.

Under the GDPR, to the extent that special categories of personal data should be processed, the legal basis is your consent pursuant to Article 9 (2) (a) GDPR.

d) Recipients
Recipients of your personal data are possible processors who comply with the requirements of Article 9 FADP or Article 28 GDPR.

e) Storage period
Your account information will be stored as long as the account exits. If you delete your account your data will be deleted, unless you have explicitly consented to further use of your data or we are legally obligated to store you data.

7. Using Wisper

a) Type and extent of data processing
You can use Wisper to communicate with other individual users or groups of users (e.g. by text messages, video or audio meetings, exchange of media content and documents). In order to transmit any of your communication contents, we need to process your communication data. Furthermore, we may process user information in order to enable you to block users.

Typically your communication is stored on your device(s) and not on our servers (e.g. your message history). We temporarily store your communication in encrypted form while it is being delivered.

If Wisper provides the ability to sync your contacts in the future and you enable this functionality, Wisper may process contact information of other users of Wisper in the address book. We may also add a future feature to display a warning if the geolocation of multiple devices are very different when activating Wisper to help protect your account from unauthorized use.

b) Purpose of data processing
We process the above data for the purpose of providing our services to you.

c) Legal basis
As required under the GDPR, the legal basis for this is Article 6 (1) (b) GDPR, the processing of the data serves the fulfilment of a contract or the implementation of pre-contractual measures. If the data is not required for the performance of the contract and you enter the data voluntarily, the legal basis is your consent pursuant to Article 6 (1) (a) GDPR.

Under the FADP to the extent that sensitive personal data should be processed, for example, sending files and photos with sensitive content, the legal basis is your explicit consent pursuant to Article 6 (6) and (7) Swiss Data Protection Act.

Under the GDPR, to the extent that special categories of personal data should be processed, for example, sending files and photos with sensitive content, the legal basis is your consent pursuant to Article 9 (2) (a) GDPR.

d) Recipients
Recipients of your personal data are possible processors who comply with the requirements of Article 9 FADP or Article 28 GDPR.

e) Storage period
Once your communication is delivered, it is stored in encrypted form on our servers for 90 days.

If communication cannot be delivered, we keep it in encrypted form on our servers for up to 90 days while we try to deliver it. If communication is still undelivered after 90 days, we delete it. We cannot see the contents of undelivered messages stored on our servers as they are encrypted.

The method used to encrypt your communication is end-to-end encryption. End-to-end encryption means that your calls, messages, media within messages including content like images, audio, video, documents and files are encrypted while being delivered to protect against third parties from seeing that content.

8. System Security Monitoring and Testing

a) Type and extent of data processing
We regularly monitor, investigate and test the system security of Wisper. This includes the investigation of malfunctions, detecting and tracking unauthorized access attempts and accesses to our web servers and testing the system security with a focus on security exploits (e. g. platform security audits, establishing account recovery mechanisms, sending One-time Passcodes (OTPs) via SMS).

We use the HackerOne, Inc., 180 Geary Street, 5th Floor, San Francisco, CA 94108, USA, as a processor to assist us with our security tests. We would like to point out that the Court of Justice of the European Union (CJEU) has doubts about the adequacy of the level of data protection in the USA. In particular, there is a risk that personal data may be processed by government authorities for control and monitoring purposes, possibly also without any legal remedy.

b) Purpose of data processing
The purpose of the processing is to eliminate malfunctions, ensure system security and detect and track unauthorized access or access attempts.

c) Legal basis
As required by the GDPR, the legal basis for this is Article 6 (1) (c) GDPR, the processing of the data serves the fulfilment of our legal obligations in the area of data security as well as Article 6 (1) (f) GDPR, as we have a legitimate interest in maintaining the functionality of Wisper.

d) Storage period
Your data will be deleted as soon as it is no longer required for the purpose for which it was collected. This is generally the case for data processed during a security test, after the test is finished and the findings are evaluated.

e) Right of objection
Under the GDPR, if your personal data is processed in accordance with Article 6 (1) (f) GDPR you have a right of objection in accordance with Article 21 GDPR. However, in the case of the specific data processing operation, we have compelling legitimate grounds for processing the data that is necessary for the protection of these data, because without the processing of these data we cannot guarantee the system security of Wisper.

9. Use of cookies

Wisper does not use cookies.

10. Paid Subscriptions

a) Type and extent of data processing
If you have entered into a Customer Agreement or an agreement for a similar paid subscription in order to use Wisper or authorize a limited number of authorized end users to use Wisper, or your personal data was provided by the contracting third party for this reason, we process the provided contract data, the usage information that is necessary to determine the scope of your usage, as well as your payment and billing information.

The following contract data will be processed:

• Name
• Legal registration number
• Address (e.g. street name, no., zip code, city, country)
• Contact details (e.g. email, phone number)

Depending on the selected payment method, the following billing information will be processed:

• Invoice number, amount, date and payment cycle
• Debit or credit card number
• Financial account information

b) Purpose of data processing
We process the above data for the purpose of the fulfilment of the contract and your payment and the billing for the use of Wisper.

c) Legal basis
As required under the GDPR, the legal basis for this is Article 6 (1) (b) GDPR, the processing of the data serves the fulfilment of a contract or the implementation of pre-contractual measures. If you are not the contractual party and pay for the subscription, the legal basis is our legitimate interest pursuant Article 6 (1) (f) GDPR.

d) Storage period
Your stored data will be deleted as soon as it is no longer necessary for the purpose of its processing, i.e. providing our services to you or the contracting third party.

e) Right of objection
Under the GDPR, if your personal data is processed in accordance with Article 6 (1) (f) GDPR you have a right of objection in accordance with Article 21 GDPR. However, in the case of the specific data processing operation, we have compelling legitimate grounds for processing the data that is necessary for the payment, because without the processing of these data we cannot calculate the payment obligations of our contract party.

11. Support

a) Type and scope of data processing
Personal data may also be processed when you request our support, e.g. to solve technical problems.

b) Purpose and legal basis
The collected data will be processed exclusively for the purpose of providing support to you. The legal basis for this is Article 6(1)(b) GDPR.

c) Storage period
Your personal data will be deleted as soon as the processing is no longer necessary.

12. Processing on behalf of third parties

a) As stated above, we may process your personal data on behalf of a third party. In these cases, we either act as a processor for the third party which acts as a controller or as a sub-processor for a third party which acts as a processor. Generally, we act on behalf of a third party in the following situations:

Organizations on Wisper
In particular but not limited to we host your personal data on behalf of the third party who runs an organization on Wisper (e.g. your employer), if you are an end user that joined that organization.

The following personal data of end users may be processed on behalf of the owner of the organization:

• User ID
• First name
• Last name
• Phone number
• Email address
• Company ID

Invitations to organizations
Third parties who run an organization on Wisper (e.g. your employer) may invite you to join their organization. We process your personal data on behalf of the third party, if you are an end user that is invited to join that organization on Wisper.

The following personal data of end users may be processed on behalf of the owner of the organization:

• User ID
• First name
• Last name
• Phone number
• Email address
• Company ID
• Status of acceptance of invitation (e.g. pending or active)

Support and maintenance
Third parties may provide data to us so that we can provide support and maintenance to the third party. We may process your personal data if it is part of the data that is provided to us to provide support and maintenance on behalf of the third party.

b) Please consult the third party’s privacy policy or contact the third party for more information about how they might process your personal data and the ways for you to access, update, alter, or delete your personal data.

13. Categories of recipients of the personal data

Under the GDPR, we only pass on your personal data to third parties if:

a) you have given your explicit consent to do so in accordance with Article 6(1)(a) GDPR.

b) this is legally permissible and, in accordance with Article 6(1)(b) GDPR, is necessary for the fulfilment of a contractual relationship with you or the implementation of pre-contractual measures.

c) there is a legal obligation under Article 6(1)(c) GDPR for the transfer.
We are legally obliged to transfer data to state authorities, e.g. tax authorities and law enforcement agencies.

d) the disclosure in accordance with Article 6(1)(f) GDPR is necessary to safeguard legitimate corporate interests and to assert, exercise or defend legal claims, and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data.

We use external service providers (so-called processors) to process personal data in accordance with Article 9 FADP or Article 28(3) GDPR. These processors have been carefully selected by us and are obliged by a data processing agreement to handle personal data in accordance with data protection regulations.

We use such external service providers in the following areas:

IT service providers
Marketing
Support

FADP:
When transferring personal data abroad, we ensure that personal data is treated with the same care. We only transfer personal data abroad if the legislation of the state concerned or the international body guarantees an adequate level of protection. In the absence of a decision by the Federal Council we disclose personal data abroad only if an adequate level of data protection is guaranteed by a treaty under international law, data protection clauses in an agreement between the controller or the processor and its contractual partner, notice of which has been given to the FDPIC beforehand; specific guarantees drawn up by the competent federal body, notice of which has been given to the FDPIC beforehand, standard data protection clauses that the FDPIC has approved, issued or recognised beforehand; or binding corporate rules that have been approved in advance by the FDPIC or by the authority responsible for data protection in a state that guarantees an adequate level of protection.

GDPR:
When transferring personal data to so-called third countries, i.e. outside the EU or EEA, we ensure that your personal data is treated with the same care as within the EU or EEA. We only transfer personal data to third countries where the EU Commission has confirmed an adequate level of data protection or where we have ensured the careful handling of personal data by contractual agreements or other suitable guarantees.

14. Data security and security measures

We are committed to protecting your privacy and treating your personal data confidentially. For this purpose, we take extensive technical and organisational security precautions, which are regularly checked and adapted to technological progress.

These include the use of recognised encryption procedures. Unencrypted data, e.g. when sent by unencrypted email or customer support tickets, may be read by third parties. We have no influence on this. It is the responsibility of the respective user to protect the data provided by him/her against misuse by means of encryption or in any other way.

15. Your rights (as a data subject)

Here you will find your rights regarding your personal data. Details of this are set out in Chapter 4 and 5 of the FADP or Articles 7, 15-22 and 77 of the GDPR, as applicable. You can contact the controller (Section 2) or representative (Section 3) in this regard.

a) Under the FADP you have the following rights:

aa) Right to information according to Article 25 FADP
You have the right to request confirmation as to whether we process personal data relating to you. If this is the case, you have the right to be informed about your personal data and to receive further information, e.g. identity and the contact details of the controller; the processed personal data, the purpose of processing; the retention period for the personal data, the available information about the source of the personal data, recipients or the categories of recipients to which personal data is disclosed. We may refuse to provide information, or restrict or delay the provision of information according to Articles 26, 27 FADP

bb) Right to data portability according to Article 28 FADP
You have the right to request the controller to deliver the personal data that they have disclosed to it in a conventional electronic format.
The controller may refuse, restrict or delay the delivery or transfer of personal data for the reasons set out in Article 26 paragraphs 1 and 2 according to Article 29. The controller must give reasons why it has decided to refuse, restrict or delay the delivery or transfer.

cc) Right to correction according to Article 32 (1) FADP
You have the right to request that incorrect personal data be corrected unless: a statutory provision prohibits the correction or the personal data are processed for archiving purposes that are in the public interest.

b) Under the GDPR you have the following rights:

aa) Right to withdraw your data protection consent in accordance with Article 7(3) GDPR
You can withdraw your consent to the processing of your personal data at any time with effect for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

bb) Right of access according to Article 15 GDPR
You have the right to request confirmation as to whether we process personal data concerning you. If this is the case, you have the right to be informed about your personal data and to receive further information, e.g. the purposes of processing, the categories of personal data processed, the recipients and the planned duration of storage or the criteria for determining the duration.

cc) Right to rectification and completion under Article 16 GDPR
You have the right to demand the correction of incorrect data without delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete data.

dd) Right to erasure („right to be forgotten“) in accordance with Article 17 GDPR
You have the right of erasure, as far as the processing is not necessary.
This is the case, for example, if your data is no longer necessary for the original purposes, if you have withdrawn your declaration of consent under data protection law or if the data was processed unlawfully.

ee) Right to restriction of processing in accordance with Article 18 GDPR
You have the right to limit the processing, for example if you believe that personal data is incorrect.

ff) Right to data portability according to Article 20 GDPR
You have the right to receive personal data concerning you in a structured, common and machine-readable format.

gg) Right to object according to Article 21 GDPR
You have the right to object at any time for reasons arising from your particular situation to the processing of certain personal data concerning you.
In the case of direct marketing, you, as the data subject, have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing, including profiling, insofar as it relates to such direct marketing.

hh) Automated individual decision-making, including profiling in accordance with Article 22 GDPR
You have the right not to be subject to a decision based solely on automated processing, including profiling, except in the exceptional circumstances referred to in Article 22 GDPR.
You will not be subject to a decision based solely on automated processing of your data, including profiling (Article 13 (2) (f) GDPR, Articles 22 (1) to (4) GDPR, Article 4 (4) GDPR, Articles 22 (1) to (4) GDPR), which would have legal effect on you or would have a similarly significant adverse effect on you.

ii) Right to lodge a complaint with a data protection supervisory authority according to Article 77 GDPR
You can also lodge a complaint with a data protection supervisory authority at any time, for example if you believe that data processing is not in compliance with data protection regulations.

16. Data Processing Restriction under iOS

If you use the operating system iOS, you have various options to largely restrict advertising and tracking. Tracking basically runs via the so-called "Advertising Identifier" (IDFA). This is a unique, but non-personalized and non-permanent identification number for a specific end device, which is provided by iOS. The data collected via the IDFA is not linked to any other device-related information. We use the IDFA to provide you with personalized advertising and to evaluate your usage.

If you access the "Privacy" option in the iOS settings, you can largely deactivate advertising analysis under "Tracking". If you activate the "Allow apps to request tracking" function, our app will ask you whether you agree to advertising measures the first time you use it and you can activate or deactivate advertising. In addition, in the "Privacy" option, you can select "Apple advertising" and disable "personalized advertising". In the "Analytics & Improvements" option, you can also disable "Share iPhone analytics" and "Improve Siri & Dictation", which will result in no static information about your iOS usage being transmitted to Apple. Please note that you may not be able to use all the features of our app if you restrict the use of IDFA.

17. Changes to this privacy policy

Our privacy policy serves the fulfilment of legal information duties. We update our data protection declaration as far as this becomes necessary.

III. Our privacy policy (data protection policy) under the CCPA

Pursuant to California law, we are providing additional information to California residents. Please read this information together with our Privacy Policy under Section II.

Under California law, certain organizations need to disclose whether the following categories of “personal information” are collected or disclosed for an organization’s “business purpose” as those terms are defined under California law.

Below please find the categories of personal information about California residents that we collect or disclose to third parties or service providers.

Note that while a category may be included below that does not necessarily mean that we have or collect information in that category about you. The personal information we collect depends on the nature of our interaction with you and the Services you may use.

We do not sell personal information.

Category of personal information collected	Categories of third parties to whom we disclose personal information for a business purpose
Identifiers such as a real name, alias, birth date, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers	· Our affiliates or subsidiaries · Our service providers · Product and service fulfillment companies · Subscribing, accrediting or professional organizations · Government authorities and regulators
Characteristics of protected classifications under California or federal law	· Our affiliates or subsidiaries · Our service providers · Government authorities and regulators
Commercial information, including products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	· Our affiliates or subsidiaries · Our service providers · Product and service fulfillment companies · Subscribing, accrediting or professional organizations
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement	· Our affiliates or subsidiaries · Our service providers · Product and service fulfillment companies · Subscribing, accrediting or professional organizations
Electronic information	· Our affiliates or subsidiaries · Our service providers · Product and service fulfillment companies · Subscribing, accrediting or professional organizations · Government authorities and regulators
Professional or employment-related information	· Our affiliates or subsidiaries · Our service providers · Product and service fulfillment companies · Subscribing, accrediting or professional organizations

We and our third-party service providers collect personal information from the following sources:

• Direct interactions, such as, when you register for our Services or make a purchase
• Data from third parties, such as, information on third-party websites or other information you may have made publicly available or information provided by third party sources, including but not limited to government entities and data resellers
• Automated tracking technologies, such as, information automatically collected about your interaction with our Services and websites using various technologies such as cookies, web logs and beacons and internet tags

Depending on how you interact with us and our Services, we may use and disclose personal information for the following business purposes:

• Auditing
• Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity,
• Detecting and repairing errors,
• Performing services on behalf of other businesses,
• Processing or fulfilling orders and transactions,
• Providing advertising or marketing,
• Conducting internal research for product and service development, and
• Improving, upgrading, and enhancing our services.

In addition to sharing personal information for the business purposes identified within the California Consumer Privacy Act, we also share personal information as needed, or required, with the following additional third parties:

• organizations involved in business transfers, e.g. to a purchaser or successor entity in the event of a sale or any other corporate transaction involving some or all of our business;
• other parties, e.g. as needed for external audit, compliance, risk management, corporate development and/or corporate governance related matters,
• business partners as directed by an individual, or as needed to process an individual’s request, and
• governmental authorities and regulators, as required under applicable law.

Exercising Rights to Request Access and Request Deletion

Subject to certain exceptions, California residents have the right to request access, deletion and portability of their personal information. This includes

• the right to know about the personal information a business collects about them and how it is used and shared;
• the right to delete personal information collected from them;
• the right to opt-out of the sale of their personal information; and
• the right to non-discrimination for exercising their CCPA rights.

For further rights, we refer to our privacy policy under Section II.

If you would like to submit a request or have additional questions about the personal information that we have about you, please contact us at info@wisperapp.com or via our contact form.

When you submit your request, we will take steps to attempt to verify your identity. We will seek to match the information in your request to the personal information we maintain about you. As part of our verification process, we may ask you to submit additional information, use identity verification services to assist us, or if you have set up an account on our website, we may ask you to sign in to your account as part of our identity verification process. Please understand that, depending on the type of request you submit, to protect the privacy and security of your personal information, we will only complete your request when we are satisfied that we have verified your identity to a reasonable degree of certainty.

We do not discriminate against individuals who exercise their rights under applicable law.

If we receive a request from an authorized agent, we have the right to verify with the data subject that the data subject indeed wants to take the action requested by the agent and will do so by contacting the data subject directly.