Privacy Policy for the App “Whyzper”

Introduction

This Privacy Policy of Whyzper UG (haftungsbeschränkt) (“we”, “us”, or “Whyzper”) explains how and why we process personal data – including how we collect, store, use and (where applicable) share such data – when you use our services (“Services”), specifically:

• when you download and use our mobile application “Whyzper”
• when you interact with us in other ways, such as via support requests, marketing campaigns, or participation in events

This Privacy Policy is intended to help you understand your privacy rights and choices. If you do not agree with the practices described herein, please do not use our services. For any questions, you can contact us at: info@whyzper.com

Summary – Key Points at a Glance

This summary provides a quick overview of the most important aspects of this Privacy Policy:

• What data do we collect?
  We collect personal data such as your email address, a self-chosen nickname, optional information about your gender, as well as sensitive data concerning sexual preferences, sexual orientation, and relationship topics, as well as your selection of preferences and wishes within the Adventure Planner (e.g., preferred travel style, budget, activities).
• Do we process sensitive data?
  Yes. With your explicit consent, we may process sensitive data, such as sexual preferences, in accordance with strict data protection regulations.
• Do we share data with third parties?
  Yes – e.g., with Google (AdMob, Firebase, Vertex AI for AI-based plan generation, Places API for location data), Apple/Google (for login, in-app purchases), and OpenAI (for AI-powered story generation). We comply with all applicable data protection laws and sign data processing agreements as required by Art. 28 GDPR. Sensitive data, such as sexual preferences, are transmitted exclusively to the respective AI service provider (OpenAI for FlowSync Stories and DeepTalk, Google Vertex AI for the Adventure Planner) – and always in pseudonymized form. Except for your self-chosen nickname/display name, no data that could identify you personally is transmitted. Additionally, your data is stored on a European server at DigitalOcean, which is also subject to strict security and privacy standards.
• How do we protect your data?
  Through modern security standards such as TLS/SSL encryption, access control, and data minimization. Still, no online data transmission can ever be 100% secure.
• What rights do you have?
  You have the right to access, correct, or delete your data at any time and to revoke your consent. A GDPR-compliant contact form is available in the app.

1. Data Controller

The controller responsible for data processing within the meaning of data protection laws – particularly the General Data Protection Regulation (GDPR) – is:

Whyzper UG (haftungsbeschränkt)
Heisstraße 51
48145 Münster
Germany
📧 Email: info@whyzper.com
👤 Managing Director: Moritz Pilz

Whyzper UG is responsible for the collection, processing, and use of personal data in connection with the “Whyzper” app.

For any questions related to data protection or to exercise your rights (see Section 10), you can contact us at any time.

Representative in the EU:
As the company is based within the European Union, no additional EU representative is required.

1.1. Note for Users from the United Kingdom (UK)

As a company based in Germany, we are primarily subject to the EU General Data Protection Regulation (GDPR). We acknowledge that for users from the United Kingdom, the UK General Data Protection Regulation (UK GDPR) applies.

As we do not currently have a formal representative in the United Kingdom pursuant to Art. 27 UK GDPR, our central contact point in Germany also serves as the direct point of contact for all inquiries from users and supervisory authorities in the United Kingdom:

Whyzper UG (haftungsbeschränkt)
Heisstraße 51, 48145 Münster, Germany
Email: info@whyzper.com

We are committed to handling all inquiries from UK users in accordance with the principles of the UK GDPR and to cooperating fully with the UK’s supervisory authority (the Information Commissioner’s Office, ICO).

2. Purpose and Scope

This Privacy Policy informs you about how Whyzper UG (haftungsbeschränkt), Heisstraße 51, 48145 Münster, Germany (“Whyzper”, “we”, “our”) collects, processes, and protects your personal data when you use our mobile application (“App”) or interact with us in other ways – such as through support requests, feedback, or specific app features.

This Privacy Policy applies globally and is based in particular on the requirements of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and – where applicable – other international data protection laws (e.g., CCPA, UK GDPR, PIPEDA).

It applies to all services offered within the Whyzper app, specifically:

• Registering and using the app (iOS and Android)
• Selecting personal preferences and settings
• Communication with other users through the app
• AI-generated content based on your personal input
• Display of personalized advertisements (if enabled)
• Login via Apple or Google
• Push notifications via Firebase

By using our app, you consent to the data processing described in this Privacy Policy.

3. What Data We Process

We process personal data that you voluntarily provide when using the app, as well as data that is automatically collected during use. This includes, in particular:

3.1. Data Provided by You

These are data you actively enter in the app:

• Email address (mandatory)
• Nickname / display name (mandatory)
• Password (stored in encrypted form)
• Gender (optional)
• Relationship details (e.g. existing partnership, duration, etc.)
• Sexual preferences (selectable from a list; optional)
• Responses to questionnaires (e.g. on relationship topics, communication, emotional closeness)
• Use of gamification elements (e.g., badges, achievements) in the context of shared activities

⚠️ Note: These details may constitute sensitive personal data within the meaning of Art. 9 GDPR (e.g. information about sex life or sexual orientation). Processing takes place only with your explicit consent pursuant to Art. 6 (1)(a) in conjunction with Art. 9 (2)(a) GDPR.

3.2. Data from Third-Party Login

If you log in via Apple or Google, we receive the following:

• A pseudonymized user ID
• Your email address (if you grant permission)
• Your display name (if available)
• No access to your password or other account data

3.3. Automatically Collected Data

When using the app, we automatically collect the following data:

• Device information (device type, operating system, language settings)
• IP address (may be shortened or pseudonymized)
• Unique Device or Installation Identifier: To manage login sessions (e.g., via refresh tokens), ensure account security, and correctly associate devices with your account, we process a unique identifier for your device or app installation.
• Usage data (e.g. timestamps, feature usage, error messages)
• Push ID (for sending push notifications via Firebase)
• Ad interaction data (via Google AdMob, if advertising is enabled)

3.4. Data Processed by AI Features (Story & DeepTalk Generation)

To provide personalized content, Whyzper uses the OpenAI API. Data is processed solely for the purpose of personalized content delivery within the app. The following functions are differentiated:

Erotic Stories (Story Feature)
When generating stories based on your preferences and information, a so-called “prompt” is sent to the OpenAI API. This prompt contains:

• Your selected preferences
• Your display name (nickname)
• Optional: gender, relationship status, or other voluntarily provided information

DeepTalk Analysis
For the DeepTalk feature, an AI analyzes your voluntary responses to relationship-related questions (e.g. about closeness, communication, desires, conflicts, or intimacy). The prompt sent to OpenAI includes:

• Your response(s) to the specific DeepTalk questions
• Your display name (nickname)

➡️ No additional personally identifiable information is shared with OpenAI. Prompts are designed in such a way that no conclusions can be drawn about your real identity. Processing occurs solely for the delivery of the requested content and is based on your voluntary use of these features.

3.5. Data Processed by the Adventure Planner

When using the Adventure Planner, your voluntarily provided information is processed to create a personalized experience plan. For this, we use the Google Vertex AI API (including the Gemini family of models) and the Google Places API.

A “prompt” sent to the AI contains:

• Your and your partner’s matching wishes (e.g., “Vacation,” “relaxing,” “Restaurant”).
• The location you or your partner specified (e.g., “Münster”) to enable real-world suggestions.
• Your nicknames.

To enrich the plan with real-world location suggestions (including photos, addresses, and ratings), our server sends requests to the Google Places API. In this process, it is our server’s IP address, not yours, that is transmitted to Google. The images displayed to you in the app are loaded via our own server as a proxy to protect your data.

Here, too, no directly identifying data such as your email address is transmitted to the AI.

3.5.1. Data When Searching for Locations (Adventure Planner)

When you type a place into the Adventure Planner’s search field, we use the Google Places API (Autocomplete) to provide suggestions in real time. Your inputs and your IP address are transmitted directly to Google in order to deliver the search results. This processing is necessary to provide the search functionality.

3.6. Data Processed by the BucketList

For the shared BucketList, we process the content you enter and related status/system data in order to save, organize, and complete goals.

• Content data: Title, subtitle, personal notes (including author & timestamp), optional image (upload) or Google photo reference.
• Location data (optional): Place ID, name, and address (via Google Places). The BucketList does not use precise device geolocation.
• Status & process data: Current status (proposed, active, doing, done), confirmations by both partners, completion timestamp, creator, individual sorting per user.
• Source attribution: Origin of the item (e.g., ai_inspiration, flowsync_match, deeptalk_suggestion, adventure_planner_location) when suggestions are added from other modules (“Add to BucketList”).
• Gamification/badges: Unlocked badges and their assignment (couple/single badge), unlock timestamps, and an inbox for badge notifications.

BucketList content is, by default, visible only to you and your connected partner. It is not shared with third parties.

3.7. Data Related to Partner Communication and Connection

If you connect with your partner in the app, we store the following data:

• The user IDs of both accounts
• The status of your connection
• Interactions within shared features (e.g. responses to questions, yes/no selections in the FlowSync feature)

4. Processing Purposes & Legal Bases

We process personal data exclusively in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and—where applicable—other international data protection laws. Processing is only carried out where there is a valid legal basis.

4.1. For the Performance of a Contract (Art. 6 (1)(b) GDPR)

We process personal data to provide you with access to the Whyzper app and its functionalities, including:

• Setting up and managing your user account
• In-app communication (e.g., notifications, preference matching, DeepTalk)
• Use of AI-based features such as story or DeepTalk generation
• Use of the messaging system when connected with a partner
• Provision of the BucketList, including status management, mutual confirmations, notes, images, and reminders (“Done” history)
• Technical real-time synchronization (socket connection) to correctly reflect shared changes

➡️ This processing is necessary for fulfilling our contractual obligations to you or to take steps at your request prior to entering into a contract.

4.2. Based on Your Consent (Art. 6 (1)(a) GDPR)

For certain features (e.g. push notifications, transmission of sensitive data for story generation via OpenAI, voluntary information such as gender or relationship status), we ask for your explicit consent. You may withdraw your consent at any time with effect for the future. The lawfulness of any processing carried out before the withdrawal remains unaffected.

4.3. Based on Legitimate Interests (Art. 6 (1)(f) GDPR)

We process some data based on our legitimate interests, especially for:

• Improving and further developing our app and services
• Preventing abuse and fraud
• Exercising or defending legal claims
• Analyzing usage data (e.g., crash reports, technical logs) to ensure system stability and security
• Gamification and in-app notifications (e.g., badges) to increase user motivation – without marketing profiling
• Technical real-time synchronization (socket connection) for accurate, up-to-date shared views

➡️ In doing so, we always ensure that your fundamental rights and freedoms are not overridden.

4.4. To Fulfill Legal Obligations (Art. 6 (1)(c) GDPR)

In certain cases, we are legally required to store or disclose specific data—for example, to comply with tax regulations, respond to legal inquiries from authorities, or meet commercial recordkeeping obligations.

5. Sensitive Data & Special Categories of Personal Data

When using our Whyzper app, certain data may be processed that falls under the special categories of personal data as defined in Art. 9 (1) GDPR. This includes, in particular:

• Information about sexual preferences
• Relationship-related details
• Responses provided through the DeepTalk feature
• Inputs related to AI-generated stories
• Information about sexual orientation, if voluntarily provided or potentially deducible from selected preferences

5.1. Voluntariness and Explicit Consent

We only collect and process this type of sensitive data if you explicitly consent to it (Art. 9 (2)(a) GDPR).
You can generally use the app without providing this sensitive information; however, some features—particularly preference matching and AI-generated content—may only be available to a limited extent or not at all without it.

5.2. Purpose Limitation and Convenience Feature

The indication of sexual orientation is purely optional and used only for an internal filter function to help tailor your preference-based experience. It is designed purely for convenience and does not affect the usability of the app as a whole.
In some cases, a combination of selected preferences may indirectly reveal information about your sexual orientation—however, we do not evaluate or process this data automatically or systematically.

5.3. Pseudonymized Processing for AI Functions

For features such as story generation and DeepTalk analysis, selected user data (e.g., preferences, relationship status, voluntary personal details) may be transmitted to OpenAI, but only in pseudonymized form.
Only your self-chosen nickname is included in the prompt.
We do not transmit any directly identifying personal information that would allow your identity to be determined.

5.4. Protective Measures

All sensitive data is subject to enhanced security standards. We apply technical and organizational safeguards to prevent unauthorized access and misuse. These include, for example:

• Encryption of sensitive information
• Hosting on secure servers located in Germany (DigitalOcean, Frankfurt)
• Access restriction based on strict internal controls

6. Third-Party Services & International Data Transfers

To provide and improve our services, we rely on trusted third-party providers. In accordance with Art. 28 GDPR, we ensure through data processing agreements (DPAs) that these providers process your data solely on our behalf and in compliance with applicable data protection laws.

The following third-party services are currently in use:

6.2. International Data Transfers

Some of the above service providers are located outside the European Union (EU) or European Economic Area (EEA)—particularly in the United States. Therefore, it is possible that personal data may be transferred to countries considered “third countries” under EU data protection law.

To ensure an appropriate level of protection, we implement the following safeguards as required under Art. 44 ff. GDPR:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Technical safeguards such as encryption or pseudonymization
• Data minimization, ensuring that only strictly necessary data is transferred

6.3. Protection Despite U.S.-Based Companies

While some of our providers—such as OpenAI and DigitalOcean—are based in the United States, we take additional precautions:

• Data hosted via DigitalOcean is stored exclusively on servers located in Germany.
• Data sent to OpenAI (for content generation) does not contain real names or directly identifiable personal data.
• Only pseudonymized data, such as your nickname and selected preferences, is used for AI processing.

7. Tracking & Advertising

In the free version of Whyzper, we use Google AdMob to display personalized or contextual ads. AdMob is a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Integration is done via the Google Mobile Ads SDK.

As a result, the following data may be collected and processed by Google:

• Device information (e.g., model, operating system)
• App usage (e.g., impressions, clicks)
• Location data (depending on device settings)
• Advertising ID (e.g., IDFA / GAID)

This data processing is carried out by Google as an independent controller. For more information, please refer to Google’s Privacy Policy and the AdMob data privacy resources.

No Ads for Paying Users

If you have an active subscription (e.g., Whyzper Spark or Whyzper Flame), no advertisements will be shown. In these cases, no advertising-related data processing by AdMob takes place.

Tracking Tools

We use the PostHog analytics service for internal product improvement in accordance with the strict data protection requirements described in section 9. Beyond this, we do not use any other third-party tracking services such as Google Analytics or Facebook SDK.

7.2. Do Not Track Signals

Some web browsers and devices permit you to broadcast a preference that you not be “tracked” online. At this time, we do not modify your experience based on whether such a signal is broadcast or header is sent. However, you may opt out of personalized advertising by upgrading to a paid subscription (Whyzper Spark or Whyzper Flame), which removes all advertisements and associated tracking.

8. Data Deletion & Retention Periods

We store personal data only for as long as it is necessary to fulfill the respective purposes or as required by statutory retention periods.

8.1. Retention Overview

8.2. General Usage Data

General usage data (e.g., email address, nickname, preferences, questionnaire responses) is stored as long as your user account is active.

8.3. Upon Account Deletion

If you delete your account, all personal data will be permanently deleted — including your preferences, questionnaire responses, chat history, BucketList content, and unlocked badges. Deletion takes place without delay, and at the latest within 14 days of your request for deletion.

8.4. Backups

Backups are created regularly and stored in encrypted form. Personal data is also taken into account when processing a deletion request.
Please note: final deletion from encrypted backups may take up to 30 days due to technical constraints.

8.5. Retention Due to Legal Obligations

In some cases, we are legally required to retain certain data for longer periods (e.g., for tax-related documentation or app store payment processing).
In these cases, the data is locked and stored exclusively for the required legal purpose.

9. Analysis of App Usage & Product Improvement

To continuously improve the user experience of our app, identify errors, and understand which features are most valued, we use the analytics service PostHog.

Provider: PostHog, Inc., 220 9th St, San Francisco, CA 94103, USA. For users in the EEA/UK, the service is provided via PostHog Ltd., 7-10 Chandos Street, London, W1G 9DQ, United Kingdom. We have chosen the EU Cloud version of PostHog, which ensures that the processing servers are located within the European Union.

Data Processed:
When you use our app, pseudonymized usage data is transmitted to PostHog. This includes:

• Event Data: Interactions within the app (e.g., features used, buttons clicked, screens visited).

• Device Information: Device type, operating system version, app version.

• Pseudonymous IDs: A random installation ID and—after you log in—your internal user ID. We do not transmit clear names or email addresses as event properties unless it is necessary to identify the user account within the tool.

Purpose of Processing:
The analysis of this data helps us to ensure the stability and user-friendliness of Whyzper and to make data-driven decisions for the further development of our app. We use this data exclusively for internal product analysis and not for advertising purposes.

Legal Basis:
The processing of this data is based on our legitimate interests (Art. 6(1)(f) GDPR) in the analysis, optimization, and secure operation of our services.

Data Protection at PostHog:
We have concluded a Data Processing Agreement (DPA) with PostHog in accordance with Art. 28 GDPR. For more information on PostHog’s privacy practices, please visit: https://posthog.com/privacy

10. Data Security

We implement comprehensive technical and organizational measures to protect your data from loss, misuse, and unauthorized access. The security of your personal data is of utmost priority to us.

Technical Measures

• SSL/TLS Encryption: All communication between the app and the backend is conducted exclusively via encrypted HTTPS connections.
• Server Location: Our servers are hosted in a German data center provided by DigitalOcean. While the company is based in the USA, we have implemented additional data protection measures (see Chapter 6).
• Token-Based Authentication: Communication between the app and server is additionally protected by JWT tokens.
• Two-Factor Authentication (2FA): We offer an optional 2FA login feature to further enhance account security. We strongly recommend that all users activate this feature.
• Access Logging and Monitoring: Access to systems and data is logged and regularly monitored.
• Rate Limiting and Brute Force Protection: We use automated mechanisms to detect and block abuse or suspicious login attempts.

Organizational Measures

• Privacy by Design & Default: We ensure data minimization and privacy safeguards are implemented from the design stage onward.
• Access Restrictions: Only authorized personnel have access to personal data – for example, in the context of support services.
• Training and Awareness: All personnel involved in development and system management receive regular training on data protection and security.

Despite all our security measures, 100% protection cannot be guaranteed for data transmission over the Internet.
However, we do everything possible to minimize risks and keep your data secure.

11. Your Privacy Rights

As a user of the Whyzper app, you are entitled – especially under the provisions of the General Data Protection Regulation (GDPR) – to the following rights:

✅ Right of Access (Art. 15 GDPR)
You have the right to request information about whether we process personal data about you – and if so, which data, for what purpose, and for how long.

✅ Right to Rectification (Art. 16 GDPR)
If the data we have stored about you is inaccurate or incomplete, you have the right to request its correction or completion.

✅ Right to Erasure (“Right to be Forgotten”, Art. 17 GDPR)
You may request the deletion of your personal data – for example, if you delete your account or the processing is unlawful.
Note: When your account is deleted, your data is automatically erased.

✅ Right to Restrict Processing (Art. 18 GDPR)
In certain circumstances, you have the right to restrict the processing of your personal data – e.g., if you contest its accuracy or have filed an objection.

✅ Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, or – if technically feasible – request the transfer of your data directly to another controller.

✅ Right to Object (Art. 21 GDPR)
You may object to the processing of your personal data if we are processing it based on legitimate interests (e.g., personalized advertising).

✅ Right to Withdraw Consent (Art. 7 para. 3 GDPR)
You can withdraw your consent to data processing at any time – for example, for push notifications or the AI-powered story feature.
The withdrawal applies only to future processing and does not affect the legality of data processing carried out prior to the withdrawal.

✅ Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)
If you believe that your data is being processed in violation of applicable data protection laws, you have the right to file a complaint with a supervisory authority.
For example, the responsible authority in our case is the State Commissioner for Data Protection in North Rhine-Westphalia (NRW).

🛠 How to Exercise Your Rights
You can exercise your rights at any time – either directly within the app (e.g., by deleting your account), via our privacy contact form, or by email to info@whyzper.com.

12. Protection of Minors

Protecting children and young people is especially important to us. Whyzper is strictly intended for adult users only.

🚫 No Use by Minors
Our app is intended exclusively for individuals aged 18 and over. Whyzper is labeled as “18+” in both the Apple App Store and Google Play Store and is not accessible to younger individuals through these platforms.
Additionally, an age verification (self-declaration) takes place during the app’s initial launch to confirm that users are of legal age.
Individuals under 18 are not permitted to use Whyzper.

🔍 Actions in Case of Violations
If we become aware that personal data from individuals under the age of 18 has been transmitted to us, we will:

• Immediately deactivate the associated account, and
• Delete all data related to the underage individual.

If you have questions or concerns regarding potential violations of this policy, you can contact us anytime at info@whyzper.com.

13. Jurisdiction-Specific Privacy Rights

Whyzper operates globally, and your data may be processed in countries outside your own. This section outlines the specific rights granted to you if you reside in certain jurisdictions.

13.1. For Users in the European Economic Area (EEA), United Kingdom (UK), and Switzerland

If you are a resident of the EEA, UK, or Switzerland, you have the rights detailed in Section 11 of this Privacy Policy, in accordance with the General Data Protection Regulation (GDPR) or the UK GDPR. The legal bases for our data processing are described in Section 4.

13.2. For Users in the United States

This section supplements the information in our Privacy Policy and applies solely to users who reside in the United States. We adopt this notice to comply with state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and similar laws in Virginia, Colorado, Connecticut, and Utah.

Categories of Personal Information We Collect

We collect information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“personal information”). In the last 12 months, we have collected the following categories of personal information:

Sources of Personal Information

We obtain the categories of personal information listed above from the following categories of sources:

• Directly from you: When you create an account, use app features, provide preferences, or contact us
• Automatically from your device: Through cookies, analytics tools (PostHog), and advertising services (Google AdMob)
• Third-party login providers: Apple and Google (when you use Sign in with Apple/Google)
• Service providers: Google Places API, OpenAI, Google Vertex AI (for AI-generated content)

Business or Commercial Purpose for Collecting Personal Information

We use the personal information we collect for the following business or commercial purposes:

• To provide, maintain, and improve our services
• To process your transactions and manage your account
• To personalize your experience and deliver AI-generated content
• To send you technical notices, updates, and support messages
• To respond to your comments, questions, and requests
• To monitor and analyze trends, usage, and activities
• To detect, prevent, and address technical issues, fraud, and security concerns
• To display relevant advertisements (in the free version)
• To comply with legal obligations and protect our rights

Sharing Personal Information

We may share your personal information with the following categories of third parties:

• Service providers: Google (AdMob, Firebase, Vertex AI, Places API), OpenAI, DigitalOcean, Mailjet, PostHog
• Analytics providers: PostHog (EU Cloud)
• Advertising networks: Google AdMob (free version only)
• Cloud storage providers: DigitalOcean (Germany-based servers)
• Payment processors: Apple and Google (for in-app purchases)
• Law enforcement and regulatory authorities: When required by law

Sale or Sharing of Personal Information:
We do not “sell” your personal information in the traditional sense for monetary consideration. However, the use of Google AdMob in our free version may constitute a “sale” or “sharing” of personal information under the CCPA, as AdMob may use your information for targeted advertising purposes. You can opt out of this by purchasing a subscription (Whyzper Spark or Whyzper Flame) to use the ad-free version of our app.

Your U.S. Privacy Rights

Subject to certain limitations and exceptions, you have the following rights under applicable U.S. state privacy laws:

• Right to Know and Access: You have the right to request that we disclose:
  • The categories of personal information we have collected about you
  • The categories of sources from which the personal information is collected
  • Our business or commercial purpose for collecting or selling personal information
  • The categories of third parties with whom we share personal information
  • The specific pieces of personal information we have collected about you
• Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing: You have the right to opt out of the “sale” or “sharing” of your personal information. You can exercise this right by subscribing to an ad-free version of the app.
• Right to Limit Use of Sensitive Personal Information: You have the right to limit our use and disclosure of sensitive personal information to certain specified purposes. We only process such data based on your explicit consent for the core functionalities of the app (see Section 5). You can limit this by:
  • Not providing sensitive information when prompted
  • Adjusting your preferences in the app settings
  • Deleting your account
• Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising any of your privacy rights. We will not:
  • Deny you goods or services
  • Charge you different prices or rates for goods or services
  • Provide you a different level or quality of goods or services
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services
• Right to Use an Authorized Agent: You may designate an authorized agent to make a request on your behalf. We will require:
  • Written proof of the agent’s authority to act on your behalf
  • Verification of your identity directly with us
  • Confirmation that you provided the authorized agent permission to submit the request

How to Exercise Your Rights

To exercise any of your rights described above, please submit a verifiable request to us by either:

• Emailing us at: info@whyzper.com
• Using the GDPR-compliant contact form available in the app
• For account deletion: Directly through the app settings

Verification Process: To protect your privacy, we will verify your identity before processing your request. We will verify your identity using the email address associated with your account and may request additional information if necessary to prevent fraudulent requests. We will not use information provided in a verifiable request for any purpose other than verification.

Response Timing: We will acknowledge receipt of your request within 10 business days and respond to your request within 45 days. If we require more time (up to an additional 45 days), we will inform you of the reason and extension period in writing.

Additional Information for California Residents

“Shine the Light” Law (Cal. Civ. Code § 1798.83): California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not engage in this practice and therefore do not share your personal information with third parties for their direct marketing purposes.

Children’s Privacy (COPPA): As stated in Section 12, our service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn we have collected personal information from a child under 13, we will delete that information immediately.

13.2.1. Additional Rights for Users in Virginia, Colorado, Connecticut, and Utah

If you reside in Virginia, Colorado, Connecticut, or Utah, you may have additional rights under your state’s privacy laws, including:

• Right to Confirm: Right to confirm whether we process your personal data
• Right to Access and Portability: Right to access your personal data and obtain a copy in a portable format
• Right to Delete: Right to delete personal data you have provided
• Right to Opt-Out: Right to opt out of:
  • Targeted advertising (available by subscribing to ad-free version)
  • Sale of personal data (we do not sell personal data for monetary consideration)
  • Profiling in furtherance of decisions that produce legal or similarly significant effects (not applicable to Whyzper)
• Right to Correct: Right to correct inaccuracies in your personal data

To exercise these rights, contact us at info@whyzper.com or use the in-app contact form. You may appeal a decision regarding your request by contacting us at the same email address.

13.3. For Users in Canada

This section applies to you if you are a resident of Canada. Your personal information is handled in accordance with this Privacy Policy and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or applicable provincial privacy legislation.

Consent

We process your personal information based on your consent, which you provide by:

• Creating an account and using our app
• Agreeing to this Privacy Policy
• Providing explicit consent for sensitive data processing (as described in Section 5)

You may withdraw your consent at any time (subject to legal or contractual restrictions and reasonable notice) by:

• Deleting your account through the app settings
• Contacting us at info@whyzper.com
• Adjusting specific privacy settings within the app

Important for Australian users: When we disclose your personal information to overseas recipients, we take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles. However, where we have your consent or the disclosure is otherwise permitted under the Privacy Act, you agree that we are not required to take such steps and we will not be liable for any breaches by the overseas recipient.

Access and Correction

You have the right to:

• Access the personal information we hold about you
• Request information about how your personal information has been used and disclosed
• Request that we correct any inaccuracies in your personal information

To exercise these rights, contact us at info@whyzper.com. We will respond to your request within 30 days. In some cases, we may extend this period by an additional 30 days if the request is complex or we receive multiple requests.

International Transfers

Your personal information may be transferred, stored, and processed in countries outside of Canada, including:

• Germany: Where our primary servers are located (DigitalOcean, Frankfurt)
• United States: Where some of our service providers are based (OpenAI, Google services)
• Other countries: Where our third-party service providers operate

While outside of Canada, your information is subject to the laws of the country in which it is held, and may be subject to disclosure to the governments, courts, law enforcement, or regulatory agencies of that country, pursuant to the laws of that country.

We take the following steps to protect your information when it is transferred internationally:

• Entering into data processing agreements with service providers (Art. 28 GDPR equivalent)
• Implementing Standard Contractual Clauses where appropriate
• Using encryption and pseudonymization techniques
• Ensuring servers are located in jurisdictions with adequate data protection (e.g., Germany for our primary database)

Accountability

If you have questions about our privacy practices or wish to make a complaint, you can contact us at:

Email: info@whyzper.com
Address: Whyzper UG (haftungsbeschränkt), Heisstraße 51, 48145 Münster, Germany

We will investigate your complaint and respond to you within a reasonable timeframe. If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada:

Website: www.priv.gc.ca
Toll-free: 1-800-282-1060

Marketing and Communications

We do not use your personal information for direct marketing purposes. If this changes in the future, we will:

• Obtain your express consent before sending marketing communications
• Provide you with an easy way to opt out of marketing communications
• Honor opt-out requests promptly

13.4. For Users in Australia and New Zealand

This section applies to you if you are a resident of Australia or New Zealand. Your personal information is handled in accordance with this Privacy Policy, the Australian Privacy Act 1988 (including the Australian Privacy Principles), and the New Zealand Privacy Act 2020 (including the Privacy Principles).

Collection and Use of Personal Information

We collect and use your personal information for the purposes described in this Privacy Policy. We will only collect personal information that is reasonably necessary for our functions and activities, and we will collect it by lawful and fair means.

Access and Correction

You have the right to:

• Access: Request access to the personal information we hold about you
• Correction: Request correction of personal information that is inaccurate, incomplete, out-of-date, or misleading

To exercise these rights, contact us at info@whyzper.com. We will respond to your request:

• Australia: Within 30 days (may be extended by an additional 30 days in certain circumstances)
• New Zealand: As soon as reasonably practicable, and no later than 20 working days

We may charge a reasonable fee for providing access to your information, but we will inform you of any fees before processing your request. We will not charge for making a correction request.

Anonymous and Pseudonymous Dealings

For Australian users: Where it is lawful and practicable, you have the option to deal with us anonymously or by using a pseudonym. However, this may not be practical for most services we provide, as we need certain information to create and maintain your account and provide personalized features.

International Transfers

By using our app, you consent to the transfer of your personal information to countries outside Australia and New Zealand, including:

• Germany: Where our primary servers and database are located
• United States: Where some of our service providers are based
• Other countries: As listed in Section 6 of this Privacy Policy

We take steps to ensure that overseas recipients handle your information in a manner consistent with Australian and New Zealand privacy principles, including:

• Entering into data processing agreements that require compliance with data protection standards
• Implementing Standard Contractual Clauses approved by the European Commission
• Using encryption and security measures to protect data in transit and at rest
• Conducting due diligence on service providers’ data protection practices

Direct Marketing

We do not currently use your personal information for direct marketing purposes. If this changes:

• We will only send you direct marketing if you have consented or would reasonably expect to receive it
• We will provide you with a simple way to opt out of marketing communications
• We will honor opt-out requests promptly

Complaints

If you believe we have breached the applicable privacy principles, please contact us at:

Email: info@whyzper.com
Address: Whyzper UG (haftungsbeschränkt), Heisstraße 51, 48145 Münster, Germany

We will:

• Acknowledge your complaint within 7 days
• Investigate your complaint thoroughly
• Respond to you with our findings and proposed resolution within 30 days

If you are not satisfied with our response, you may contact the relevant privacy regulator:

For Australian residents:
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au

For New Zealand residents:
Office of the Privacy Commissioner
Website: www.privacy.org.nz
Phone: 0800 803 909
Email: enquiries@privacy.org.nz

Data Breach Notification

For Australian users: In the event of an eligible data breach that is likely to result in serious harm to you, we will notify you and the OAIC as required by the Notifiable Data Breaches (NDB) scheme.

For New Zealand users: We will notify you and the Privacy Commissioner if we believe a privacy breach has caused, or is likely to cause, serious harm to you.

14. Contact & Data Controller

The controller responsible under data protection laws – in particular the EU General Data Protection Regulation (GDPR) – is:

Whyzper UG (haftungsbeschränkt)
Heisstraße 51
48145 Münster
Germany

Managing Director: Moritz Pilz
📧 Email: info@whyzper.com

If you have any questions about data protection, wish to exercise your rights, or have concerns about how we handle your personal data, you can contact us at any time using the details above.

15. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy as needed to reflect legal requirements, technical changes, or developments in our app. The version of the policy in effect at the time of your use will apply.

The current version of the Privacy Policy is always available within the app. In the event of significant changes that affect your rights or require renewed consent, we will inform you in advance within the app or by email.

16. Identity Verification for Data Subject Requests

To protect your privacy and prevent fraudulent requests, we have implemented the following verification process for data subject requests (access, correction, deletion, etc.):

16.1. Verification Methods

We will verify your identity using one or more of the following methods:

• Email verification: We will send a verification link or code to the email address associated with your account
• Account credentials: You may be required to log in to your account to verify your identity
• Additional information: We may request additional information that only you would know, such as:
  • Recent activity in your account
  • Specific preferences you have selected
  • Approximate date of account creation

16.2. Authorized Agent Verification

If you are submitting a request through an authorized agent, we will require:

• Written proof of the agent’s authority to act on your behalf (e.g., power of attorney)
• Verification of your identity directly with us
• Confirmation that you provided the authorized agent permission to submit the request

16.3. Information Use

We will not use information provided in a verifiable request for any purpose other than verification and fulfilling the request.

17. Record Keeping for Data Subject Requests

In compliance with various privacy laws (including CCPA, GDPR, and other applicable regulations), we maintain records of data subject requests for the following purposes:

17.1. What We Record

For each data subject request, we record:

• Date and time of request
• Type of request (access, deletion, correction, etc.)
• Method of request (email, in-app form, etc.)
• Date of our response
• Action taken (fulfilled, denied, partially fulfilled)
• Reason for denial (if applicable)
• Time taken to respond

17.2. Retention of Request Records

We retain records of data subject requests for:

• Minimum: 24 months from the date of the request (as required by some U.S. state laws)
• Maximum: As long as necessary to demonstrate compliance with applicable laws

17.3. Use of Records

These records are used solely for:

• Demonstrating compliance with privacy laws
• Responding to regulatory inquiries
• Improving our data subject request processes

18. Automated Decision-Making and Profiling

18.1. Use of AI and Automated Processing

We use artificial intelligence and automated processing in the following features of our app:

AI-Generated Content

• FlowSync Stories: We use OpenAI’s API to generate personalized erotic stories based on your preferences and input
• DeepTalk Analysis: We use OpenAI’s API to analyze your responses to relationship questions and provide insights
• Adventure Planner: We use Google Vertex AI (Gemini models) to create personalized date plans based on your and your partner’s preferences
• BucketList Inspiration: We use OpenAI’s API to generate suggestions for shared goals and experiences

18.2. Nature of Automated Processing

The automated processing we use:

• Does NOT make decisions that produce legal effects concerning you
• Does NOT significantly affect you in a similar way (e.g., credit scoring, insurance eligibility)
• Is limited to generating personalized content and suggestions for your use within the app
• Requires your active input and can be ignored or modified by you at any time

18.3. Your Rights Regarding Automated Processing

You have the right to:

• Choose not to use AI-powered features
• Request human review of AI-generated content if you have concerns
• Understand the logic involved in automated processing (as described above)
• Contest or object to automated processing (though this may limit certain app features)

18.4. No Profiling for Marketing or Discrimination

We do not use automated processing or AI for:

• Marketing profiling or targeted advertising (beyond basic ad delivery in the free version)
• Making decisions about your eligibility for services
• Discriminating against you based on protected characteristics
• Any purpose that would significantly affect your rights or interests

Effective date of this Privacy Policy: February 2026