Privacy Policy

1. Introduction

Welcome to Whispers Within ("we", "our", "us", or the "Platform"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at whispers-within.in and use our anonymous messaging services.

Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Platform. By using Whispers Within, you consent to the data practices described in this policy. We reserve the right to make changes to this Privacy Policy at any time and for any reason, and we will notify you of any significant changes by updating the "Last Updated" date at the top of this page.

2. Information We Collect

We collect information in the following categories to provide, maintain, and improve our services:

2.1 Personal Information You Provide

When you create an account on Whispers Within, we collect the following personal information that you voluntarily provide to us:

• Account Registration Data: Your email address, username, and password (stored in hashed form). If you choose to complete your profile, we also store your display name and gender preference.
• User-Generated Content: Messages you receive through your anonymous link, confessions you post on the Confession Wall, and any optional "hints" or clues you provide with confessions.
• Communication Data: If you contact us for support, we collect the contents of your communication along with your email address.

2.2 Information Collected Automatically

When you access or use our Platform, we may automatically collect the following types of information:

• Device Information: We collect basic device type information (mobile, desktop, tablet) for the optional hint feature on confessions. This information is generalized and cannot be used to identify a specific device.
• Usage Data: We collect aggregated, anonymized data about how our Platform is used, including page views, session duration, and feature usage. This data is used solely for improving the Platform and does not identify individual users.
• Log Data: Our servers automatically record information when you access our Platform, including your browser type, operating system, the pages you visit, the time and date of your visit, and the time spent on those pages.

2.3 Information We Do NOT Collect About Anonymous Senders

This is critically important to understand: we do not collect, store, or track any personally identifiable information about people who send anonymous messages through user profile links. Senders are not required to create an account, and we do not place tracking cookies, log IP addresses, or use any other mechanism to identify message senders. The only optional metadata collected is generalized device type (e.g., "Mobile") and time period (e.g., "Evening") for the hint feature.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To create, maintain, and manage your user account; to facilitate anonymous messaging between users; and to provide the Confession Wall community feature.
• Safety & Moderation: To operate our AI-powered content moderation system that scans messages for harmful content including harassment, hate speech, threats, and abuse.
• Platform Improvement: To analyze aggregated usage patterns and improve the design, functionality, and performance of our Platform.
• Communication: To send you important account-related notifications such as verification emails, security alerts, and service updates.
• Legal Compliance: To comply with our legal obligations, resolve disputes, and enforce our Terms of Service.

4. How We Share Your Information

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following limited circumstances:

• Payment Processors: When you make a payment to reveal confession hints, your payment information is processed directly by our payment partner (Cashfree Payments). We do not store your credit card or bank account details on our servers.
• Service Providers: We use trusted third-party services for hosting (Vercel), database management (MongoDB Atlas), authentication (NextAuth.js), and email services. These providers only access the minimum data necessary to perform their services and are contractually obligated to protect your information.
• Legal Requirements: We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, protect and defend our rights or property, or protect the personal safety of users of the Platform or the public.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our services. If you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal or regulatory purposes. Anonymous messages and confessions are retained as part of the platform's community content and cannot be traced back to any individual sender.

6. Data Security

We implement robust technical and organizational measures to protect your personal information, including:

• All data transmission is encrypted using HTTPS with TLS 1.3 encryption standards.
• Passwords are hashed using industry-standard bcrypt algorithms — we never store plaintext passwords.
• Database connections are encrypted and access is restricted through IP whitelisting and authentication credentials.
• Authentication sessions are managed securely through NextAuth.js with HTTP-only cookies and CSRF protection.
• We conduct regular security reviews and follow OWASP best practices for web application security.

While we take reasonable precautions to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining the highest practical level of protection for your data.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Right of Access: You can request a copy of the personal data we hold about you.
• Right to Rectification: You can update or correct your personal information through your account settings.
• Right to Deletion: You can request that we delete your account and associated personal data by contacting us.
• Right to Data Portability: You can request a copy of your data in a machine-readable format.
• Right to Withdraw Consent: Where we rely on your consent to process your data, you have the right to withdraw that consent at any time.

To exercise any of these rights, please contact us at shivasap27@gmail.com. We will respond to your request within 30 days.

8. Children's Privacy

Whispers Within is not intended for children under the age of 13. We do not knowingly collect, use, or disclose personal information from children under 13. If we become aware that we have collected personal data from a child under 13 without verification of parental consent, we will take steps to remove that information from our servers promptly. If you believe that we might have any information from or about a child under 13, please contact us at shivasap27@gmail.com.

9. Cookies & Tracking Technologies

Whispers Within uses essential cookies to maintain your authentication session. These are strictly necessary cookies that allow you to stay logged in and use the Platform's features. We do not use advertising cookies, analytics tracking cookies, or third-party marketing cookies. Our approach to cookies is minimal — we only use what is technically necessary for the Platform to function properly.

10. Third-Party Services

Our Platform may contain links to third-party websites, services, or content that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of every third-party site you visit. The third-party services we integrate with include:

• Vercel — Hosting and deployment infrastructure
• MongoDB Atlas — Encrypted database hosting and management
• Cashfree Payments — Secure payment processing for the hint reveal feature
• Google — Ad serving through the Google AdSense network (non-personalized contextual ads)

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by updating the "Last Updated" date at the top of this page that is visible on our website. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Platform after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: