Privacy Policy
Effective February 22, 2026
Whistle LLC ("Whistle," "we," "us," or "our") operates the whistle.report website and related services (collectively, the "Service"). We are committed to protecting the privacy and security of our users, particularly given the sensitive nature of whistleblower reports and evidence submitted through our platform.
This Privacy Policy explains what information we collect, how we use and protect it, and your rights regarding your personal data. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.
We understand that the information you share with us may be extraordinarily sensitive. Our platform is designed from the ground up with security and confidentiality as foundational principles, not afterthoughts.
1. Information We Collect
We collect information in several ways depending on how you interact with our Service. We are intentional about minimizing the data we collect to only what is necessary to provide and improve the Service.
1.1 Information You Provide Directly
- Account Information: When you create an account, we collect your email address and a password. You may optionally provide your name, phone number, or other contact information.
- Case Assessment Data: When you submit a case assessment, we collect details about your situation, including the nature of the alleged violation, the parties involved, and any supporting context you choose to share.
- Evidence and Documents: You may upload files, documents, screenshots, photographs, audio recordings, or other materials as evidence to support your case. This evidence may contain highly sensitive information about you, third parties, or organizations.
- Communications: When you contact us via email, through the Service, or through any support channel, we collect the content of those communications along with associated metadata (timestamps, subject lines, etc.).
- Payment Information: When you subscribe to a paid plan, your payment details (credit card number, billing address) are collected and processed directly by Stripe. We do not store full credit card numbers on our servers. We receive and store only a tokenized reference, the last four digits of your card, card brand, and expiration date for display purposes.
1.2 Information Collected Automatically
- Log Data: Our servers automatically record information when you access the Service, including your IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and general location data derived from your IP address.
- Device Information: We collect information about the device you use to access the Service, including device type, screen resolution, unique device identifiers, and browser settings.
- Usage Analytics: We collect anonymized and aggregated data about how users interact with the Service, including feature usage patterns, session duration, and navigation paths.
1.3 Information From Third Parties
- Authentication Providers: If you sign in using a third-party authentication provider, we may receive your name, email address, and profile information as permitted by your settings with that provider.
- Public Records and Databases: In connection with case assessment and investigation services, we may access publicly available records, corporate filings, regulatory databases, and other open-source intelligence to supplement your case information.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: To create and manage your account, process case assessments, store and organize evidence, generate reports, deliver alerts and notifications, and facilitate the whistleblower reporting process.
- Case Research and Analysis: To conduct research into reported violations, identify relevant regulatory programs, assess potential reward eligibility, and provide you with actionable intelligence about your case.
- Payment Processing: To process subscription payments, manage billing cycles, issue refunds when applicable, and maintain accurate financial records.
- Communications: To send you transactional emails (account confirmations, password resets, case updates), respond to your inquiries, and, with your consent, send you product updates or educational content related to whistleblower protections.
- Security and Fraud Prevention: To detect, investigate, and prevent fraudulent, unauthorized, or illegal activity; to protect the rights, safety, and property of Whistle, our users, and the public.
- Service Improvement: To analyze aggregated and anonymized usage data to understand how the Service is used, identify areas for improvement, develop new features, and optimize performance.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests; to enforce our Terms of Service; and to protect against legal liability.
We will never sell your personal information to third parties. We will never use your case data or evidence for marketing purposes. We will never share identifiable case information with third parties except as necessary to provide the Service or as required by law.
3. Data Storage & Security
Given the sensitive nature of whistleblower data, we employ rigorous security measures to protect your information at every layer of our infrastructure.
3.1 Encryption
- In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). We enforce HSTS (HTTP Strict Transport Security) so that browsers refuse to connect over plain HTTP, preventing downgrade to an unencrypted connection.
- At Rest: All stored data, including uploaded evidence, case files, and personal information, is encrypted at rest using AES-256 encryption, the same standard used by government agencies and financial institutions worldwide.
- Database: Our database layer employs encryption at the storage level, with encryption keys managed separately from the data they protect.
3.2 File Storage
Uploaded evidence and documents are stored on Cloudflare R2, a globally distributed object storage service. Files are encrypted at rest using AES-256 and are accessible only through authenticated, time-limited signed URLs issued by the Service to an authorized user. Files are not publicly accessible and cannot be discovered or accessed without proper authorization through the Service. Because a signed URL grants access to the specific file it names until it expires, you should treat any such link as sensitive while it remains valid.
3.3 Infrastructure Security
- Our application is hosted on infrastructure that maintains SOC 2 Type II compliance.
- We implement role-based access controls to limit internal access to user data to only those team members who require it for legitimate business purposes.
- We conduct regular security reviews of our codebase and dependencies.
- We maintain detailed access logs and audit trails for all data access events.
3.4 Incident Response
In the unlikely event of a data breach, we will notify affected users and relevant regulatory authorities within 72 hours of discovery, in accordance with applicable breach notification laws. Our notification will include the nature of the breach, the types of data potentially affected, and the steps we are taking to mitigate the impact.
4. Third-Party Services
We use the following third-party service providers to operate the Service. Each provider has been selected for its security practices and compliance certifications. These providers may have access to limited categories of your data only as necessary to perform their specific function:
- Stripe (stripe.com) — Payment processing. Stripe receives your payment information directly and is PCI DSS Level 1 certified, the highest level of certification in the payment industry. We never store your full credit card number. Stripe's privacy policy applies to payment data they process.
- Supabase (supabase.com) — Database and authentication services. Supabase hosts our primary database and manages user authentication. Data is stored in isolated, encrypted PostgreSQL databases. Supabase maintains SOC 2 Type II compliance.
- Cloudflare R2 (cloudflare.com) — Object storage for uploaded evidence and documents. All files are encrypted at rest using AES-256. Cloudflare maintains SOC 2 Type II, PCI DSS, and ISO 27001 certifications.
- Resend (resend.com) — Transactional email delivery. Resend processes email addresses and email content necessary to deliver system notifications, case updates, password resets, and other transactional communications. We do not use Resend for marketing emails without your explicit consent.
- Vercel (vercel.com) — Application hosting and deployment. Vercel hosts and serves the Service. Vercel may process your IP address and request metadata as part of normal web hosting operations. Vercel maintains SOC 2 Type II compliance.
We maintain data processing agreements with each of these providers. We do not permit any third-party provider to use your data for purposes other than providing their specific service to us. We regularly review the security practices and compliance certifications of our providers.
5. Your Rights
We respect your rights over your personal data. Depending on your jurisdiction, you may have some or all of the following rights:
5.1 General Rights
- Right to Access: You may request a copy of the personal information we hold about you. We will provide this information in a structured, commonly used, and machine-readable format.
- Right to Correction: You may request that we correct any inaccurate or incomplete personal information we hold about you.
- Right to Deletion: You may request that we delete your personal information, subject to certain exceptions (such as data we are required to retain for legal or regulatory purposes, or data necessary to complete an active case).
- Right to Data Portability: You may request a copy of your data in a portable format to transfer to another service.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Right to Opt-Out of Marketing: You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us directly.
5.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business purpose for collecting or selling personal information, and the categories of third parties with whom we share personal information.
- Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions provided by law.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices, or provide a different level of quality.
- No Sale of Personal Information: We do not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising.
5.3 Exercising Your Rights
To exercise any of these rights, please contact us at support@whistle.report with the subject line "Privacy Rights Request." We will verify your identity before processing any request and will respond within 30 days (or 45 days for CCPA requests, with the possibility of a 45-day extension with notice). We may ask for additional information to verify your identity to prevent unauthorized access to your data.
6. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our specific retention periods are:
- Account Data: Retained for the duration of your account and for 30 days following account deletion to allow for account recovery.
- Case Data and Evidence: Retained for the duration of your account and for up to 7 years after case closure, as whistleblower statutes of limitation and regulatory proceedings may extend for several years. You may request earlier deletion, but we may need to retain certain records for legal compliance.
- Payment Records: Retained for 7 years to comply with financial record-keeping and tax obligations.
- Server Logs: Automatically purged after 90 days.
- Analytics Data: Aggregated and anonymized analytics data may be retained indefinitely. This data cannot be used to identify individual users.
When data reaches the end of its retention period, it is securely deleted or irreversibly anonymized. Deletion of encrypted data includes destruction of the associated encryption keys.
7. Children's Privacy
The Service is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13 years of age. If we become aware that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete that information.
Users between the ages of 13 and 18 should use the Service only with the involvement and consent of a parent or legal guardian. If you are a parent or guardian and believe your child has provided personal information to us without your consent, please contact us at support@whistle.report and we will delete the information promptly.
9. International Data Transfers
Whistle LLC is based in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and potentially other countries where our service providers maintain facilities.
By using the Service, you consent to the transfer of your information to the United States and other jurisdictions that may have different data protection laws than your country of residence. We take appropriate safeguards to ensure that your personal information remains protected in accordance with this Privacy Policy regardless of where it is processed.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Effective" date at the top of this page.
- Notify you via email to the address associated with your account at least 30 days before the changes take effect.
- Post a prominent notice on the Service indicating that the policy has been updated.
Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms. If you do not agree with any changes, you may close your account and request deletion of your data.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: support@whistle.report
- Company: Whistle LLC
- Website: whistle.report