# Privacy Policy. Whisper.

> What we collect to run the platform, why we collect it, how long we keep
> it, who we share it with, and the rights you hold over it.

Effective date: 2 July 2026
Controller: viaGraph B.V. (dba Whisper Security), Amsterdam, the Netherlands
Contact: hostmaster@whisper.online
Terms of Service: https://whisper.online/terms

## 1. Who we are

viaGraph B.V., doing business as Whisper Security, is a company established
in Amsterdam, the Netherlands. We operate the Whisper platform: policy-aware
DNS resolution, verifiable network identities for AI agents, and the related
websites at whisper.online and its subdomains (together, the "Service"). For
the personal data described in this policy, viaGraph B.V. is the data
controller within the meaning of the EU General Data Protection Regulation
(GDPR).

You can reach us about anything in this policy at hostmaster@whisper.online.

## 2. What this policy covers

This policy covers personal data we process when you visit our websites,
create an account, or use the Service — directly or through software
(including AI agents) acting on your behalf. It does not cover third-party
sites we link to; those have their own policies.

## 3. The data we collect

### a. Account data

- Contact and account details — your email address, and any organization
  name you provide.
- Credentials — the API keys issued to your account, and metadata about
  their use (creation time, scopes, last use).
- Billing details — if you buy a paid plan: the information needed to
  invoice you.

### b. Service data

Running a DNS and network-identity service means processing traffic
metadata. When you or your agents use the Service, we process:

- DNS query logs — the names queried, query type, timestamp, the answer
  given (including any policy decision), and the source address the query
  came from.
- Agent identity records — the agents registered to your account, the IPv6
  addresses (/128) allocated to them, and any labels or contact fields you
  attach to them.
- Egress connection metadata — for agents that route traffic through the
  Service: connection timestamps, source and destination addresses and
  ports, and volume. We do not inspect or store the content of your agents'
  encrypted traffic.
- TLS fingerprint samples — sampled TLS handshake fingerprints, used for
  abuse detection and service protection.
- Policy configuration — the resolution and access policies you set for
  your agents.

### c. Public registry data — public by design

An allocated agent address is published, on purpose, in public registry
systems: RDAP and WHOIS records for the address (including any label or
contact fields you chose to attach), reverse DNS, and entries in the public
transparency log that records identity issuance and revocation.
Verifiability is the point of the Service: anyone can look these records
up. Do not put personal data in a label or contact field unless you intend
it to be public.

### d. Website data

- Analytics — our websites use Google Tag Manager to load analytics tags,
  only after you consent.
- Cookies — consent is collected and enforced by Cookiebot; non-essential
  cookies are not set without your consent (see section 11).
- Technical data — IP address, browser type, and pages visited, as part of
  ordinary web-server operation.

## 4. Why we process it

- To operate and provide the Service — resolve DNS queries, allocate and
  publish agent identities, route egress traffic, apply the policies you
  configure, and show you your own logs.
- To verify identities — publish the registry, reverse-DNS, and
  transparency records that make an agent identity verifiable by anyone.
- Security and abuse prevention — detect, investigate, and stop abuse of
  the Service or of the internet from our network, and protect the Service
  against attacks.
- Billing — invoice and administer paid accounts.
- Legal compliance — meet obligations we are subject to, including
  responding to lawful requests from competent authorities.
- Product improvement — understand, in aggregate, how the Service is used,
  so we can improve it.

## 5. Legal bases (GDPR)

- Performance of a contract (Art. 6(1)(b)) — account data and service data
  processed to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — security, abuse prevention, network
  operations, and aggregate product improvement. We balance these interests
  against your rights, and you may object (section 10).
- Consent (Art. 6(1)(a)) — non-essential cookies and website analytics. You
  can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — retention and disclosure required by
  law, including tax and accounting rules.

## 6. How long we keep it

- Service logs (DNS queries, egress metadata, TLS fingerprint samples) are
  kept for a defined, limited retention period for the purposes above, and
  then deleted automatically. We keep what we need to run the Service
  honestly and answer an abuse report, and no more.
- Account data is kept for the lifetime of your account, and after closure
  only as long as legal minimums (such as invoice retention rules) require.
- Public registry and transparency-log records are designed to be durable:
  the log is append-only so that issuance history stays verifiable.
  Personal data connected to a log entry is held in a form that lets us
  honour erasure — on a valid erasure request we destroy the key material
  that makes the entry's personal data readable, so the data becomes
  permanently unreadable while the public log stays mathematically
  consistent.

## 7. Who we share it with

We do not sell personal data. We share it only with:

- Infrastructure sub-processors — hosting and network providers that run
  the servers the Service operates on, bound by data-processing agreements.
- Payment and invoicing providers — for paid accounts.
- Competent authorities — when we are legally required to disclose, and
  only to the extent required.

Public registry data (section 3c) is, by design, available to everyone —
that is not "sharing" in the ordinary sense but publication you request
when you register an identity.

## 8. International transfers

The Service is operated from the European Union, and we keep processing in
the EU where we can. Where a sub-processor processes personal data outside
the European Economic Area, we rely on appropriate safeguards under GDPR
Chapter V — an adequacy decision where one exists, or the European
Commission's Standard Contractual Clauses.

## 9. How we protect it

- Encryption in transit — the websites and APIs are served over TLS;
  encrypted DNS (DNS over HTTPS) is available for resolution.
- Signed answers — our authoritative DNS is DNSSEC-signed, so identity
  records cannot be silently altered in transit.
- Access controls — access to personal data is restricted to personnel who
  need it, with authentication and audit trails.

No system is perfectly secure; if a breach affecting your rights occurs, we
will notify you and the supervisory authority as the GDPR requires.

## 10. Your rights

Under the GDPR you have the right to:

- Access the personal data we hold about you (Art. 15);
- Rectify inaccurate data (Art. 16);
- Erase your data (Art. 17) — including the crypto-shred mechanism for
  transparency-log entries described in section 6;
- Restrict processing (Art. 18);
- Receive your data in a portable format (Art. 20);
- Object to processing based on legitimate interests (Art. 21);
- Withdraw consent at any time, without affecting processing before
  withdrawal.

To exercise any of these, email hostmaster@whisper.online. We respond
within one month, as the GDPR requires. You also have the right to lodge
a complaint with the Dutch supervisory authority, the
Autoriteit Persoonsgegevens (https://www.autoriteitpersoonsgegevens.nl/),
or with the supervisory authority where you live.

## 11. Cookies & analytics

Our websites use Cookiebot to ask for and record your cookie consent, and
Google Tag Manager to load analytics tags. No non-essential cookie is set,
and no analytics tag loads, until you consent to it. You can change or
withdraw your consent at any time via the cookie banner. Strictly necessary
items (such as the consent record itself) do not require consent.

## 12. Children

The Service is not directed to children under 16, and we do not knowingly
collect personal data from them. If you believe a child has provided us
personal data, contact us and we will delete it.

## 13. Changes to this policy

When we change this policy, we post the new version here with a new
effective date. For material changes we will additionally notify account
holders by email. The current version is always at
https://whisper.online/privacy (this document:
https://whisper.online/privacy.md).

## 14. Contact

viaGraph B.V. (dba Whisper Security), Amsterdam, the Netherlands.
Email: hostmaster@whisper.online
