Privacy Policy
Whisperit SA
Prilly, Switzerland
Last updated: February 2026
1. Introduction
This Privacy Policy explains how Whisperit SA ("Whisperit", "we", "us", or "our") collects, uses, stores, and protects personal data when you visit our website (whisperit.ai) or use our software platform (app.whisperit.ai, app.whisperit.ch), collectively referred to as the "Services".
Whisperit is a multi-agent AI platform designed for professional document processing, analysis, and workflow automation, primarily serving legal professionals and regulated industries.
We process personal data in compliance with the Swiss Federal Act on Data Protection (FADP, in force since 1 September 2023), the EU General Data Protection Regulation (GDPR, Regulation 2016/679), and applicable national data protection legislation.
2. Controller
The data controller responsible for the processing described in this Privacy Policy is:
Whisperit SA
Unlimitrust Campus
Route des Flumeaux 46
1008 Prilly, Switzerland
| Role | Contact |
|---|---|
| General privacy enquiries | privacy@whisperit.ai |
| Data Protection Officer (DPO) | dpo@whisperit.ai |
| EU Representative (Art. 27 GDPR), Sebastien Bellon | eu-representative@whisperit.ai |
3. Data We Collect
3.1 Website (whisperit.ai)
When you visit our website, we may collect:
- Technical data: IP address, browser type, operating system, device type, screen resolution, referring URL, pages visited, and timestamps. This data is collected through server logs and analytics tools.
- Contact form data: Name, email address, company name, and the content of your message, when you contact us through forms on the website.
- Newsletter data: Email address, when you subscribe to our newsletter or marketing communications.
- Cookie data: See Section 10 (Cookies and Tracking) below.
3.2 SaaS Platform (app.whisperit.ai)
When you use the Whisperit platform, we process the following categories of data:
| Category | Examples | Retention |
|---|---|---|
| Identification data | Name, first name, professional email, function, organisation | Duration of contract + 90 days |
| Authentication data | Login events, session tokens, MFA status | 7 days (authentication logs) |
| Connection data | Access logs, IP addresses, timestamps | 90 rolling days |
| Document content | Texts, files uploaded and processed by the platform | Duration of contract + 90 days |
| Transcription data | Audio recordings, dictations, text transcriptions | Duration of contract + 90 days |
| Conversation data | Chat messages, AI prompts and responses | Duration of contract + 90 days |
| Usage metadata | Feature usage, preferences, configuration settings | Duration of contract |
| Billing data | Billing details, payment history | 10 years (legal obligation) |
3.3 Data We Do Not Collect
We do not intentionally collect sensitive personal data (data revealing racial or ethnic origin, political opinions, religious beliefs, health data, genetic or biometric data, or data concerning sex life or sexual orientation). If you upload documents containing such data to the platform, you are responsible for ensuring a valid legal basis for that processing.
4. Purposes and Legal Bases
4.1 Website
| Purpose | Legal basis (FADP) | Legal basis (GDPR) |
|---|---|---|
| Providing and operating the website | Legitimate interest | Art. 6(1)(f): legitimate interest |
| Responding to contact form enquiries | Performance of pre-contractual measures | Art. 6(1)(b): pre-contractual measures |
| Sending newsletters and marketing communications | Consent | Art. 6(1)(a): consent |
| Website analytics and performance improvement | Legitimate interest | Art. 6(1)(f): legitimate interest |
| Ensuring website security | Legitimate interest | Art. 6(1)(f): legitimate interest |
4.2 SaaS Platform
| Purpose | Legal basis (FADP) | Legal basis (GDPR) |
|---|---|---|
| Providing the Whisperit SaaS services | Performance of the contract | Art. 6(1)(b): contract performance |
| User authentication and access control | Performance of the contract | Art. 6(1)(b): contract performance |
| AI-assisted document processing, analysis, and research | Performance of the contract | Art. 6(1)(b): contract performance |
| Audio transcription | Performance of the contract | Art. 6(1)(b): contract performance |
| Technical maintenance and bug fixing | Legitimate interest | Art. 6(1)(f): legitimate interest |
| Customer support and technical assistance | Performance of the contract | Art. 6(1)(b): contract performance |
| Error monitoring and platform stability | Legitimate interest | Art. 6(1)(f): legitimate interest |
| LLM observability and quality assurance | Legitimate interest | Art. 6(1)(f): legitimate interest |
| Billing and administrative management | Legal obligation / contract | Art. 6(1)(b) and (c): contract / legal obligation |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c): legal obligation |
4.3 What We Never Do with Your Data
Your data is never used for:
- Training, fine-tuning, or improving artificial intelligence models, whether by Whisperit or by any of our sub-processors
- Resale, rental, or commercial sharing with third parties
- Profiling, targeted advertising, or direct marketing (beyond opt-in newsletters)
- Automated decision-making producing legal effects
- Any purpose not described in this Privacy Policy or in the applicable contractual documents
5. AI Processing and Data Handling
5.1 How AI Processing Works
Whisperit uses large language models (LLMs) to assist with document processing, analysis, drafting, transcription, and research. When you interact with the AI assistant, relevant data (your messages, document context, and conversation history) is sent to an AI provider for processing.
5.2 No Model Training
All AI providers are bound by enterprise-level agreements that contractually prohibit the use of your data for model training, fine-tuning, or algorithm improvement. AI queries and responses are not retained by AI providers beyond the duration of the API call.
5.3 Data Residency Tiers
Whisperit offers three configurable data residency tiers (Swiss Only, EU, and Global), which determine where your data is processed by AI providers. Your tier is specified in your contract. Regardless of your tier, all persistent data (documents, conversations, transcripts) is stored exclusively in Switzerland.
For full details on which providers are involved per tier, see our Sub-processor List.
5.4 Deep Research Feature
The platform includes a Deep Research feature that uses the OpenAI API (United States) for advanced internet-based research. Only your research query is transmitted to OpenAI; no client documents or their contents are sent. OpenAI's data usage policy states that API data is not used for model training.
Deep Research is available on an opt-in basis across all tiers. Use is at your discretion. For users subject to professional secrecy, use of this feature requires acknowledgement that research queries transit through US infrastructure.
6. Data Storage and Security
6.1 Data Storage Location
All persistent client data, including documents, conversations, transcripts, and user records, is stored exclusively in Switzerland, regardless of the data residency tier selected.
Our primary infrastructure providers are:
- Infomaniak Network SA (Geneva, Switzerland): PostgreSQL database and frontend hosting
- Microsoft Azure (Switzerland North, Zurich): Compute, storage, document processing, and AI services
6.2 Security Measures
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit: TLS 1.2 minimum, TLS 1.3 negotiated by default. TLS 1.0 and 1.1 are disabled.
- Encryption at rest: AES-256 for all persistent storage.
- Access control: Role-based access control (RBAC), mandatory multi-factor authentication (MFA) for staff, and the principle of least privilege.
- Tenant isolation: PostgreSQL Row-Level Security (RLS) policies enforce strict data separation between client tenants at the database engine level.
- Network security: Web Application Firewall (WAF), network segmentation, private endpoints, and DDoS protection.
- Monitoring: Error monitoring (Sentry, EU), infrastructure logging (Azure Monitor), and authentication event logging (Zitadel, self-hosted, Switzerland).
- Backups: Daily full backups with incremental backups every 4 hours, geographically replicated within Switzerland. Monthly restoration tests.
- Vulnerability management: Monthly vulnerability scans, annual penetration tests by independent third parties, continuous code review (SAST/DAST).
6.3 Incident Response
We maintain a documented incident response procedure. In the event of a data breach, we notify affected clients within 24 hours for critical violations (data exfiltration, ransomware) or within 48 hours for other violations, and cooperate with any regulatory notification obligations.
7. Data Sharing and Sub-processors
7.1 Sub-processors
We engage third-party sub-processors to provide our Services. These are organised into three categories:
- Data Hosting & Infrastructure: Providers that host or store client data (Microsoft Azure, Infomaniak; both Switzerland-based).
- AI Processing: Providers that process data through AI models on a transient basis, with no retention and no model training (Swisscom, Infomaniak, Requesty, OpenRouter, OpenAI, Azure OpenAI).
- Operational & Monitoring: Providers used for debugging, error monitoring, email delivery, and analytics. These do not process privileged client document content, except for LangSmith (LLM tracing), which processes LLM prompts and responses for debugging purposes and can be disabled upon request.
The complete, up-to-date list of sub-processors is available at: Sub-processor List
7.2 No Sale of Data
We do not sell, rent, or share your personal data with third parties for their own purposes. Sub-processors process data solely on our instructions and under contractual obligations equivalent to this Privacy Policy.
7.3 Legal Disclosure
We may disclose personal data if required by law, court order, or a binding request from a competent authority. In such cases, we limit disclosure to the strict minimum and, where legally permitted, inform you before any disclosure is made.
8. International Data Transfers
8.1 Primary Storage
All persistent client data is stored in Switzerland. Switzerland is recognised by the European Commission as providing an adequate level of data protection.
8.2 Transfers to the EU/EEA
Certain services involve data processing within the EU/EEA (e.g., LLM inference via Requesty, audio transcription via Azure Sweden, error monitoring via Sentry Germany, LLM tracing via LangSmith Germany). Switzerland recognises EU Member States as providing adequate data protection under the FADP. Microsoft Azure operates within the EU Data Boundary for all EU/EFTA regions.
8.3 Transfers to the United States
Certain operational services (Loops, Mixpanel) and opt-in features (Deep Research via OpenAI) involve data processing in the United States. For these transfers, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Implementing Decision 2021/914) and recognised by the FDPIC.
- Data Processing Agreements (DPAs) with each US-based sub-processor.
- Where applicable, the Swiss-U.S. Data Privacy Framework.
Swiss clients subject to professional secrecy may request the deactivation of any operational service involving non-Swiss processing (including LangSmith, Sentry, Loops, and Mixpanel) by written request to privacy@whisperit.ai. In this case, certain technical support and diagnostic capabilities may be reduced.
9. Data Retention
9.1 Platform Data
| Data category | Retention period |
|---|---|
| User accounts, documents, conversations, transcripts | Duration of contract + 90 days (restitution period), then deleted within 30 additional days |
| Connection and access logs | 90 rolling days |
| Authentication logs (Zitadel) | 7 days |
| Infrastructure logs (Azure Monitor) | 30 days |
| LLM traces (LangSmith) | 14 days |
| Error logs (Sentry) | 14 days |
| Billing data | 10 years (Swiss legal retention obligation) |
9.2 Website Data
| Data category | Retention period |
|---|---|
| Server logs | 30 days |
| Contact form submissions | 12 months after the enquiry is resolved |
| Newsletter subscriptions | Until you unsubscribe |
| Analytics data (Mixpanel) | Anonymised; no client content |
9.3 After Contract Termination
Upon contract termination, you have 90 days to request data restitution in standard formats (JSON, CSV, PDF, or original native format). After this restitution period, all data is securely deleted from all systems within 30 additional days. A destruction certificate is available upon request.
10. Cookies and Tracking
10.1 Website Cookies
Our website (whisperit.ai) uses the following categories of cookies:
| Category | Purpose | Examples | Duration |
|---|---|---|---|
| Strictly necessary | Essential for website functionality, authentication, and security | Session cookies, CSRF tokens | Session |
| Analytics | Understanding website usage and improving performance | Mixpanel | Up to 12 months |
10.2 SaaS Platform Cookies
The Whisperit platform (app.whisperit.ai) uses only strictly necessary cookies for authentication, session management, and security. No third-party advertising or marketing cookies are used on the platform.
10.3 Your Choices
You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may affect the functionality of the Services. We do not use third-party advertising cookies on any of our Services.
11. Your Rights
11.1 Under the Swiss Federal Act on Data Protection (FADP)
You have the right to:
- Access: Request information about whether and how we process your personal data, and obtain a copy of that data.
- Rectification: Request the correction of inaccurate personal data.
- Erasure: Request the deletion of your personal data, subject to legal retention obligations.
- Restriction: Request the restriction of processing in certain circumstances.
- Data portability: Receive your personal data in a structured, commonly used, machine-readable format.
- Objection: Object to the processing of your personal data on grounds relating to your particular situation.
11.2 Under the GDPR (for EU/EEA residents)
In addition to the rights above, you have the right to:
- Notification of recipients (Art. 19 GDPR): Be informed of any rectification, erasure, or restriction communicated to recipients of your data.
- Right not to be subject to automated decision-making (Art. 22 GDPR): We do not carry out automated decision-making producing legal effects.
- Lodge a complaint: You may lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
11.3 How to Exercise Your Rights
To exercise any of these rights, contact us at: privacy@whisperit.ai
We will acknowledge your request within 24 hours. Response deadlines depend on the nature of the right exercised, as specified in the applicable Data Processing Agreement (typically 3 to 10 business days). In any event, we will respond within 30 days at most. If we need additional time, we will inform you of the reason and the expected timeline.
You may also contact our Data Protection Officer at: dpo@whisperit.ai
12. Professional Secrecy
Whisperit acknowledges the professional secrecy obligations of Swiss attorneys under Article 321 of the Swiss Criminal Code and Article 13 of the Federal Act on the Free Movement of Lawyers (LLCA/BGFA). In the context of the relationship with clients subject to these obligations, Whisperit occupies the position of auxiliary within the meaning of Art. 321 para. 1 of the Swiss Criminal Code and Art. 13 LLCA/BGFA.
All personnel and sub-processors having potential access to client data receive training on the obligations arising from professional secrecy. Obligations relating to professional secrecy survive the end of the contractual relationship without limitation of time.
For clients subject to professional secrecy, we recommend the Swiss Only data residency tier, which restricts AI processing to Switzerland with no automatic fallback to alternative jurisdictions.
13. Children's Privacy
Our Services are designed for professional use and are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at privacy@whisperit.ai so that we can take appropriate action.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website and, for platform users, by email notification at least 30 days before the changes take effect.
The "Last updated" date at the top of this page indicates when this Privacy Policy was last revised.
15. Contact
| Purpose | Contact |
|---|---|
| Privacy enquiries and rights requests | privacy@whisperit.ai |
| Data Protection Officer | dpo@whisperit.ai |
| EU Representative (Art. 27 GDPR) | eu-representative@whisperit.ai |
| Security incidents | security@whisperit.ai |
| General enquiries | info@whisperit.ai |
Whisperit SA
Unlimitrust Campus
Route des Flumeaux 46
1008 Prilly, Switzerland
| Related document | Link |
|---|---|
| General Terms and Conditions | Terms |
| DPA Switzerland (FADP) | DPA Switzerland |
| DPA European Union (GDPR) | DPA EU |
| Sub-processor List | Sub-processors |
| Technical Data Flow Documentation | Data Flow |