Privacy Policy

Whistle Technologies ("Whistle," "we," "us," or "our") operates an enterprise communications platform that provides voice calling, messaging, web chat, and AI-powered communication tools to businesses ("Customers"). This Privacy Policy describes how we collect, use, disclose, and protect personal information when you:

• Visit our websites, including getwhistle.ai and getwhistle.app;
• Use our platform, applications, and services (collectively, the "Services");
• Communicate with us through any channel.

Whistle Technologies is a Canadian company. This policy is designed to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and is aligned with the General Data Protection Regulation (GDPR) for individuals in the European Economic Area (EEA) and United Kingdom (UK).

When we act as a service provider processing data on behalf of our Customers (for example, when handling call recordings or messages sent by a Customer's end users), the Customer is the controller of that data and their own privacy policy governs. This policy applies to the data we collect and control directly.

2.1 Information you provide directly

• Account information: name, email address, phone number, company name, job title, and billing address when you create an account or contact us.
• Payment information: credit card details, billing address, and tax identifiers processed through our third-party payment processor. We do not store full payment card numbers on our systems.
• Communications: information you provide when you contact our support team, submit forms, or respond to surveys.
• Identity verification: business name, registration details, and authorized representative information submitted for regulatory compliance (e.g., STIR/SHAKEN caller identity verification, Know Your Business requirements).

2.2 Information collected through your use of the Services

• Call detail records (CDRs): metadata about calls made and received, including date, time, duration, source number, destination number, and call disposition.
• Message metadata: sender, recipient, timestamp, channel (SMS, MMS, WhatsApp, web chat), and delivery status for messages processed through the platform.
• Call recordings and transcriptions: audio recordings and text transcriptions of calls, when enabled by the Customer.
• AI-generated outputs: call summaries, sentiment analysis results, and other outputs produced by our AI features when enabled.
• Device and access information: IP address, browser type, operating system, device identifiers, and access timestamps.
• Usage data: features accessed, configuration changes, and platform interaction patterns.

2.3 Information from other sources

• Single sign-on providers: if you authenticate via a third-party identity provider (SAML, OAuth), we receive the attributes you authorize for sharing.
• Integrated services: data from CRM systems, helpdesk tools, or collaboration platforms that you connect to your Whistle account.
• Telecommunications data: caller name (CNAM) information, number reputation data, and carrier routing details obtained from telecommunications network sources in the course of delivering voice and messaging services.

We process personal information for the following purposes:

• Providing the Services: routing calls and messages, maintaining user accounts, processing payments, and delivering platform features you have enabled.
• Platform operations: monitoring service performance, detecting and preventing fraud or abuse, enforcing acceptable use policies, and maintaining platform security and availability.
• AI-powered features: generating call summaries, transcriptions, sentiment analysis, and intelligent call routing when these features are enabled by the Customer (see Section 4 for details).
• Compliance and legal obligations: meeting telecommunications regulatory requirements, responding to lawful requests from authorities, enforcing our terms of service, and maintaining records required by law.
• Billing and account management: invoicing, payment processing, usage metering, and subscription management.
• Customer support: responding to inquiries, troubleshooting issues, and providing technical assistance.
• Product improvement: analyzing aggregate usage patterns to improve our Services, develop new features, and enhance reliability. We use de-identified or aggregated data for this purpose whenever possible.
• Communications: sending service-related notices, security alerts, and administrative messages. Marketing communications are sent only with your consent and include opt-out mechanisms.

Under PIPEDA, we process personal information with consent (express or implied, depending on the sensitivity of the information) and for purposes that a reasonable person would consider appropriate in the circumstances. Under GDPR, our legal bases include performance of a contract, legitimate interests, legal obligations, and consent where required.

Whistle's mobile application and web platform support authentication via Google Sign-In (OAuth 2.0). This section specifically describes how we handle Google user data in compliance with Google's API Services User Data Policy.

Data Accessed

When you choose to sign in with Google, we request access to the following Google account data through the OAuth 2.0 protocol:

• Basic profile information: your full name and profile picture URL as stored in your Google account.
• Email address: the primary email address associated with your Google account, used as your account identifier.
• Google account identifier: a unique, non-personal subject ID used to link your Google account to your Whistle account.

We do not request access to Google Drive, Gmail, Calendar, Contacts, or any other Google service data. We request only the minimum scopes necessary for authentication (openid, email, profile).

Data Usage

Google user data is used exclusively to:

• Verify your identity and authenticate you to the Whistle platform.
• Create or link your Whistle account using your Google email address as your identifier.
• Pre-populate your display name and profile picture within the platform for your convenience.

We do not use Google user data for advertising, analytics profiling, or any purpose unrelated to authentication and account management. Google user data is never used to train AI models.

Data Sharing

Google user data is not sold, rented, or shared with any third party for their independent use. It may be disclosed only to:

• Infrastructure and hosting providers who process data solely on our behalf under confidentiality obligations.
• Law enforcement or government authorities when required by applicable law.
• A successor entity in the event of a merger or acquisition, with prior notice to affected users.

Whistle's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Data Storage and Protection

Google user data is stored in our secure, encrypted database infrastructure and subject to the same security measures applied to all user data (see Section 8 — Data Security):

• Encryption at rest using AES-256 and in transit using TLS 1.2 or higher.
• Role-based access controls limiting access to authorized personnel only.
• Immutable audit logging of all access to user account data.
• Multi-factor authentication enforced for all administrative access.

Data Retention and Deletion

Google user data (name, email address, profile picture, and account identifier) is retained for the duration of your active Whistle account and is deleted when your account is closed.

To request deletion of your Google user data or your entire Whistle account:

• By email: send a deletion request to privacy@getwhistle.ai from the email address associated with your account.
• Data deletion page: getwhistle.ai/delete-account

All associated Google user data will be deleted within 30 days of receiving a valid deletion request, except where retention is required by applicable law.

Whistle offers AI-powered features including call transcription, call summarization, sentiment analysis, and intelligent call routing. This section explains how these features handle data.

4.1 AI infrastructure

AI processing is performed on infrastructure operated and controlled by Whistle. Customer data — including call recordings, transcripts, and conversation content — is processed within our controlled environment and is not used to train models shared with other customers or third parties.

4.2 What AI features process

• Call transcription: converts audio recordings to text. The audio and resulting transcript are stored within the Customer's isolated data environment.
• Call summaries: generates concise summaries of calls from transcripts. Summaries are stored alongside the associated call record.
• Sentiment analysis: evaluates the tone and sentiment of conversations to provide quality insights. Results are associated with the specific call record.
• Intelligent routing: uses call patterns and trunk performance data to optimize call routing decisions. Routing decisions are logged for auditability.

4.3 Customer control

AI features are enabled and configured by the Customer administrator. Customers can enable or disable individual AI features at any time. AI-generated outputs (summaries, transcripts, sentiment scores) are subject to the same data retention and deletion policies as other Customer data.

4.4 PII redaction

Our AI pipeline includes automatic redaction of personally identifiable information (such as credit card numbers and government identification numbers) from transcripts before storage. This redaction is applied by default and is designed to reduce the risk of sensitive information persisting in text-based records.

Call recording and transcription are optional features that Customers enable at their discretion. When enabled:

• Recordings are encrypted at rest using strong encryption standards with per-tenant encryption keys.
• Recordings are stored in tenant-isolated storage paths. No other Customer can access another Customer's recordings.
• Access to recordings is logged in the immutable audit trail.
• Recordings are retained according to the Customer's configured retention policy (default 90 days; configurable from 30 days to 7 years for compliance-regulated industries).

Important: It is the Customer's responsibility to comply with applicable call recording consent laws in their jurisdiction, including but not limited to one-party and two-party consent requirements. Whistle provides the technology; Customers are responsible for obtaining any required consent from call participants.

We retain personal information only for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

When a Customer account is deleted, we initiate an asynchronous data purge process that removes all tenant data from our systems. Completion of the purge is logged for verification purposes.

We do not sell personal information. We share personal information only in the following circumstances:

7.1 Service providers

We engage third-party service providers to assist with payment processing, email delivery, infrastructure hosting, and other operational functions. These providers are contractually bound to use personal information only as necessary to perform services on our behalf and are subject to confidentiality obligations.

7.2 Telecommunications providers

Delivering voice calling, SMS, MMS, and WhatsApp messaging services requires the involvement of underlying telecommunications carriers and messaging platforms. When calls are placed or messages are sent through Whistle, certain information (such as phone numbers, caller identification data, and message routing metadata) is necessarily shared with these providers to complete the communication. These providers operate under their own privacy policies and regulatory obligations, and their handling of data may be subject to additional terms. The specific providers involved may vary depending on your service configuration, geographic region, and the communication channels in use.

7.3 Customer-configured integrations

When Customers enable integrations with third-party services (such as CRM platforms, helpdesk tools, collaboration platforms, or webhook endpoints), data is shared with those services as configured by the Customer. The Customer is responsible for reviewing the privacy practices of any third-party service they integrate.

7.4 Legal and compliance

We may disclose personal information when required by law, regulation, legal process, or governmental request. We may also disclose information to protect the rights, property, or safety of Whistle, our Customers, or others, and to enforce our terms of service.

7.5 Business transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice before personal information becomes subject to a different privacy policy.

7.6 AI data handling

As described in Section 4, AI processing is performed on infrastructure controlled by Whistle. Customer data is not shared with external parties for AI processing, model training, or any purpose beyond delivering the requested feature.

We implement administrative, technical, and organizational security measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Key measures include:

• Encryption in transit and at rest: all data transmitted between clients and our platform is encrypted using TLS. Sensitive data at rest, including call recordings, credentials, and authentication secrets, is encrypted using strong encryption standards.
• Per-tenant data isolation: each Customer's data is logically separated at every layer of the platform, including database queries, caching, file storage, and API access. No Customer can access another Customer's data.
• Access controls: role-based access control with least-privilege principles. Multi-factor authentication is enforced for administrative roles. All administrative access to customer data is logged.
• Audit logging: every significant action on the platform is recorded in an immutable, append-only audit trail with actor identification, timestamps, and change history.
• Encrypted media: voice communications use encrypted signaling and encrypted media streams.
• Vulnerability management: dependencies are pinned and monitored for known vulnerabilities. Production deployments require review.

While we strive to protect personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to implementing and maintaining safeguards appropriate to the sensitivity of the information.

9.1 Rights under PIPEDA (Canada)

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

• Access: request a copy of the personal information we hold about you.
• Correction: request correction of inaccurate or incomplete personal information.
• Withdraw consent: withdraw your consent to our processing of your personal information, subject to legal or contractual restrictions.
• Complaint: file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.

9.2 Rights under GDPR (EEA and UK)

If you are located in the European Economic Area or the United Kingdom, you have the following additional rights under the GDPR:

• Right of access: obtain confirmation of whether your personal data is being processed and receive a copy of that data.
• Right to rectification: request correction of inaccurate personal data.
• Right to erasure: request deletion of your personal data, subject to legal retention requirements.
• Right to restriction: request that we restrict processing of your personal data in certain circumstances.
• Right to data portability: receive your personal data in a structured, commonly used, machine-readable format.
• Right to object: object to processing of your personal data based on legitimate interests or for direct marketing purposes.
• Rights related to automated decision-making: not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects on you.
• Right to lodge a complaint: file a complaint with your local data protection supervisory authority.

9.3 Exercising your rights

To exercise any of these rights, contact us at privacy@getwhistle.ai. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

If you are an end user of a Customer's Whistle deployment (for example, a person who called or messaged a business that uses Whistle), your data is controlled by that Customer. Please direct your privacy requests to the business you communicated with. We will cooperate with our Customers to fulfill such requests.

Our Services are designed for business use and are not directed at individuals under the age of 16 (or 13 in jurisdictions where that is the applicable threshold). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@getwhistle.ai.

Whistle Technologies is headquartered in Canada. Your personal information may be processed and stored in Canada and, where necessary for service delivery, in other jurisdictions.

Canada has been recognized by the European Commission as providing an adequate level of data protection. Where personal information is transferred to jurisdictions that have not received an adequacy decision, we implement appropriate safeguards, including standard contractual clauses approved by the European Commission, to ensure that your personal information receives a level of protection consistent with the GDPR.

Certain aspects of our Services involve underlying telecommunications carriers that may process call and message routing data in the jurisdiction where the communication originates or terminates. This is inherent to the operation of telecommunications networks and is necessary to deliver the Services.

Our websites use cookies and similar technologies for the following purposes:

• Strictly necessary cookies: required for the operation of our websites, including authentication and security functions. These cannot be disabled.
• Functional cookies: remember your preferences (such as language and region) to provide a personalized experience.
• Analytics cookies: help us understand how visitors interact with our websites so we can improve their design and content. We use analytics data in aggregate form.
• Marketing cookies: used to deliver relevant advertising and measure the effectiveness of marketing campaigns. These are only set with your consent.

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Note that disabling certain cookies may affect the functionality of our websites.

We honor Do Not Track (DNT) and Global Privacy Control (GPC) signals sent by your browser.

Whistle delivers voice calling and messaging services through a combination of our own infrastructure and underlying telecommunications carriers and messaging platforms. The specific providers used may vary based on your geographic location, service plan, and configuration.

These underlying providers are independent entities with their own privacy policies and data handling practices. While we select providers that maintain appropriate privacy and security standards, certain data (such as phone numbers, call routing metadata, and message delivery information) is necessarily processed by these providers as part of delivering the communication service.

Where Customers use their own telecommunications provider accounts ("Bring Your Own Trunk" configurations available on certain plans), the Customer's direct relationship with that provider and the provider's own terms govern the handling of data processed through that provider's network.

If you have questions about which providers are involved in processing your communications, please contact us at privacy@getwhistle.ai.

We comply with Canada's Anti-Spam Legislation (CASL) regarding commercial electronic messages. We will only send you marketing or promotional communications with your express or implied consent, as defined by CASL. Every marketing communication includes a clear and functioning unsubscribe mechanism. Unsubscribe requests are processed within 10 business days.

Service-related communications (such as security alerts, billing notices, and platform status updates) are transactional in nature and do not require CASL consent, but you may manage your notification preferences in your account settings.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on our website with a revised "Last updated" date and, where appropriate, by email or through the platform.

We encourage you to review this policy periodically. Your continued use of the Services after the effective date of a revised policy constitutes your acceptance of the changes.

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how your personal information is handled, please contact us: