Privacy Policy
What we collect to run the platform, why we collect it, how long we keep it, who we share it with, and the rights you hold over it — written to be read.
1. Who we are
viaGraph B.V., doing business as Whisper Security, is a company established in Amsterdam, the Netherlands. We operate the Whisper platform: policy-aware DNS resolution, verifiable network identities for AI agents, and the related websites at whisper.online and its subdomains (together, the Service). For the personal data described in this policy, viaGraph B.V. is the data controller within the meaning of the EU General Data Protection Regulation (GDPR).
You can reach us about anything in this policy at hostmaster@whisper.online.
2. What this policy covers
This policy covers personal data we process when you visit our websites, create an account, or use the Service — directly or through software (including AI agents) acting on your behalf. It does not cover third-party sites we link to; those have their own policies.
3. The data we collect
a. Account data
- Contact and account details — your email address, and any organization name you provide.
- Credentials — the API keys issued to your account, and metadata about their use (creation time, scopes, last use).
- Billing details — if you buy a paid plan: the information needed to invoice you.
b. Service data
Running a DNS and network-identity service means processing traffic metadata. When you or your agents use the Service, we process:
- DNS query logs — the names queried, query type, timestamp, the answer given (including any policy decision), and the source address the query came from.
- Agent identity records — the agents registered to your account, the IPv6 addresses (
/128) allocated to them, and any labels or contact fields you attach to them. - Egress connection metadata — for agents that route traffic through the Service: connection timestamps, source and destination addresses and ports, and volume. We do not inspect or store the content of your agents' encrypted traffic.
- TLS fingerprint samples — sampled TLS handshake fingerprints, used for abuse detection and service protection.
- Policy configuration — the resolution and access policies you set for your agents.
c. Public registry data — public by design
An allocated agent address is published, on purpose, in public registry systems: RDAP and WHOIS records for the address (including any label or contact fields you chose to attach), reverse DNS, and entries in the public transparency log that records identity issuance and revocation. Verifiability is the point of the Service: anyone can look these records up. Do not put personal data in a label or contact field unless you intend it to be public.
d. Website data
- Analytics — our websites use Google Tag Manager to load analytics tags, only after you consent.
- Cookies — consent is collected and enforced by Cookiebot; non-essential cookies are not set without your consent (see section 11).
- Technical data — IP address, browser type, and pages visited, as part of ordinary web-server operation.
4. Why we process it
- To operate and provide the Service — resolve DNS queries, allocate and publish agent identities, route egress traffic, apply the policies you configure, and show you your own logs.
- To verify identities — publish the registry, reverse-DNS, and transparency records that make an agent identity verifiable by anyone.
- Security and abuse prevention — detect, investigate, and stop abuse of the Service or of the internet from our network, and protect the Service against attacks.
- Billing — invoice and administer paid accounts.
- Legal compliance — meet obligations we are subject to, including responding to lawful requests from competent authorities.
- Product improvement — understand, in aggregate, how the Service is used, so we can improve it.
5. Legal bases (GDPR)
- Performance of a contract (Art. 6(1)(b)) — account data and service data processed to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — security, abuse prevention, network operations, and aggregate product improvement. We balance these interests against your rights, and you may object (section 10).
- Consent (Art. 6(1)(a)) — non-essential cookies and website analytics. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — retention and disclosure required by law, including tax and accounting rules.
6. How long we keep it
- Service logs (DNS queries, egress metadata, TLS fingerprint samples) are kept for a defined, limited retention period for the purposes above, and then deleted automatically. We keep what we need to run the Service honestly and answer an abuse report, and no more.
- Account data is kept for the lifetime of your account, and after closure only as long as legal minimums (such as invoice retention rules) require.
- Public registry and transparency-log records are designed to be durable: the log is append-only so that issuance history stays verifiable. Personal data connected to a log entry is held in a form that lets us honour erasure — on a valid erasure request we destroy the key material that makes the entry's personal data readable, so the data becomes permanently unreadable while the public log stays mathematically consistent.
7. Who we share it with
We do not sell personal data. We share it only with:
- Infrastructure sub-processors — hosting and network providers that run the servers the Service operates on, bound by data-processing agreements.
- Payment and invoicing providers — for paid accounts.
- Competent authorities — when we are legally required to disclose, and only to the extent required.
Public registry data (section 3c) is, by design, available to everyone — that is not "sharing" in the ordinary sense but publication you request when you register an identity.
8. International transfers
The Service is operated from the European Union, and we keep processing in the EU where we can. Where a sub-processor processes personal data outside the European Economic Area, we rely on appropriate safeguards under GDPR Chapter V — an adequacy decision where one exists, or the European Commission's Standard Contractual Clauses.
9. How we protect it
- Encryption in transit — the websites and APIs are served over TLS; encrypted DNS (DNS over HTTPS) is available for resolution.
- Signed answers — our authoritative DNS is DNSSEC-signed, so identity records cannot be silently altered in transit.
- Access controls — access to personal data is restricted to personnel who need it, with authentication and audit trails.
No system is perfectly secure; if a breach affecting your rights occurs, we will notify you and the supervisory authority as the GDPR requires.
10. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you (Art. 15);
- Rectify inaccurate data (Art. 16);
- Erase your data (Art. 17) — including the crypto-shred mechanism for transparency-log entries described in section 6;
- Restrict processing (Art. 18);
- Receive your data in a portable format (Art. 20);
- Object to processing based on legitimate interests (Art. 21);
- Withdraw consent at any time, without affecting processing before withdrawal.
To exercise any of these, email hostmaster@whisper.online. We respond within one month, as the GDPR requires. You also have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens, or with the supervisory authority where you live.
11. Cookies & analytics
Our websites use Cookiebot to ask for and record your cookie consent, and Google Tag Manager to load analytics tags. No non-essential cookie is set, and no analytics tag loads, until you consent to it. You can change or withdraw your consent at any time via the cookie banner. Strictly necessary items (such as the consent record itself) do not require consent.
12. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact us and we will delete it.
13. Changes to this policy
When we change this policy, we post the new version here with a new effective date. For material changes we will additionally notify account holders by email. The current version is always at whisper.online/privacy (machine-readable: /privacy.md).
14. Contact
viaGraph B.V. (dba Whisper Security), Amsterdam, the Netherlands.
Email: hostmaster@whisper.online