Introduction
Welcome to Whispr, a real-time voice communication app that turns standard TWS (True Wireless Stereo) earbuds into a walkie-talkie system between two phones. This Privacy Policy explains how we collect, use, and protect your information when you use our app.
1. Who We Are
Whispr is developed and maintained by MERAF Digital Solutions.
2. Information We Collect
We collect only the minimal information necessary to provide our service:
Account Information:
- Email address for account creation
- Optional social media login metadata (Google, Apple, or Facebook)
- Display name for account identification
Session Data:
- Pairing session codes and connection history
- Device information (platform, model, OS version) for compatibility
- Connection mode used (Wi-Fi Direct, Bluetooth, or WebRTC)
Automatically Collected Data:
- Device IDs (FCM tokens) for push notifications — optional, can be disabled in settings
- User IDs (Firebase Authentication identifiers) — required for app functionality
- Crash logs and error reports — automatically collected for debugging and stability
- App performance metrics — load times, feature usage, error tracking
We do NOT collect:
- Voice audio data — all voice communication is peer-to-peer and never passes through our servers
- Location data — location permission is used solely for Wi-Fi Direct peer discovery as required by Android
- Device contacts or call logs
- Behavioral advertising data
- Biometric data
Voice communication in Whispr is transmitted directly between devices (peer-to-peer via Wi-Fi Direct, Bluetooth, or WebRTC). Audio data is never stored, recorded, or routed through Whispr's servers.
2.a Voice and Audio Data
Whispr is designed with privacy-first voice communication:
Free Tier (Direct Mode):
- Voice data travels directly between phones via Wi-Fi Direct or Bluetooth
- No internet connection is used — audio never leaves the local network
- No audio data is stored or recorded
Premium Tier (Cloud Mode):
- Voice data is transmitted peer-to-peer via WebRTC with end-to-end encryption (DTLS/SRTP)
- Firebase is used only for the initial signaling handshake — audio never passes through Firebase
- Even when relayed through a TURN server, the audio remains encrypted and cannot be decrypted by the relay
2.b In-App Purchase Data
If you subscribe to Whispr+ (premium tier), we collect the following purchase-related data:
- Purchase transaction IDs and timestamps
- Subscription status, plan type, and renewal dates
- Product IDs and pricing information
- Purchase verification receipts (provided by Apple/Google)
All payment processing is handled securely by Apple App Store or Google Play Store. Whispr never has access to your payment card details, billing address, or financial information. We only receive confirmation of successful purchases and subscription status.
Purchase data is used solely for billing management, customer support, subscription status tracking, and revenue analytics. It is never sold to third parties or used for advertising.
3. Permissions We Request
Whispr requests only the permissions necessary for voice communication:
- Microphone — required to capture voice audio from your TWS earbud
- Bluetooth — required for Bluetooth pairing and audio routing to earbuds
- Location (Android only) — required by Android OS for Wi-Fi Direct peer discovery; Whispr does not track or store your location
- Nearby Wi-Fi Devices (Android 13+) — required for Wi-Fi Direct connections
- Camera (optional) — only used if you choose to scan a QR code to join a session
- Internet — used only by premium tier for WebRTC connections and push notifications
4. How We Use Information
- To create and manage your account
- To facilitate pairing between two devices via session codes or QR codes
- To send push notifications about session events (partner connected, disconnected)
- To manage premium subscriptions and billing
- To improve app functionality, fix bugs, and optimize performance
- To provide customer support
We never sell or share your data with third-party advertisers.
5. Storage & Security
All data is securely stored using Google Firebase infrastructure with industry-standard encryption and access controls.
We use the following Google Firebase services:
- Firebase Authentication — user login and account management
- Cloud Firestore — secure database for session and user data
- Firebase Cloud Messaging — push notifications for session events
- Firebase Crashlytics — crash reporting for app stability
- Firebase Cloud Functions — server-side subscription validation and session management
We use encryption (HTTPS/TLS in transit, automatic encryption at rest), role-based access controls, and Firestore security rules to protect your data.
5.a Third-Party Services
Whispr uses Google Firebase as our backend service provider. Firebase is owned by Google and complies with industry-standard security and privacy practices.
Data is only shared with:
- Google Firebase (for backend infrastructure and services)
- Apple/Google payment processors (for in-app purchase verification only)
- No other third parties
We never sell, rent, or share your data with third parties for advertising, marketing, or commercial purposes.
6. Data Retention and Deletion
How long we keep your data:
Active Accounts:
- Account data retained while your account is active
- Session data (pairing history) retained for 30 days, then auto-deleted
Account Deletion:
- Firebase Authentication credentials deleted 30 days after the deletion request
- All Firestore data (sessions, profile, subscriptions) deleted or anonymized after 90 days
You can request complete data deletion through Settings > Account > Delete Account. This process is irreversible.
7. Your Rights
You have the right to:
- Access your personal data stored in the app
- Request correction of inaccurate data
- Request deletion of your account and all associated data
- Opt out of push notifications at any time
- Export your account data upon request
8. Contact Us
If you have any questions or concerns:
- Email: hello@whisprtalk.com
- Website: https://whisprtalk.com/
We respond to all privacy requests within 24-48 hours and complete data deletion requests within 30 days as required by law.