Privacy Policy
Last updated: June 20, 2026
1. Overview
Whirl ("we," "us," "our") is an AI agent that connects to your team's tools to autonomously handle requests, research context, and draft actions. This policy explains what data we collect, why, and how we handle it.
We designed Whirl to be privacy-conscious: we don't serve ads, and we don't sell your data.
When a business customer connects its workspace and tools to Whirl, that customer is usually the controller of the personal data in those tools and Whirl acts as its processor. Whirl is the controller for our own account, billing, website, security, analytics, and support data.
2. Data We Collect
Account information
When you sign up, we collect your name and email address through Clerk, our authentication provider. If you sign up via Google OAuth, Clerk handles that flow — we receive your basic profile information.
Organization information
You may create or join an organization in Whirl. We store the organization name, industry, and website URL if provided. Integrations connected by any organization member are accessible to all members of that organization, so the agent can act on shared work; this is the same trust model as a shared inbox or shared drive folder.
Integration data
When you connect third-party tools, we collect and process data from those services to provide Whirl's functionality:
- Communication tools (Slack, Gmail, Aircall, WhatsApp): message content, sender/recipient information, timestamps, attachments
- Productivity tools (Google Drive, Google Docs, Google Sheets, Notion, GitHub, Linear, Basecamp): document content, page titles, issue details, project information
- Calendar (Google Calendar): event titles, descriptions, attendees, times
- Contacts (Google Contacts via Gmail): name and email of contacts you have interacted with, used only to resolve recipients when drafting emails
- Specialized tools (Breezeway, Smily, Granola): property data, booking information, meeting notes
- Commerce tools (Shopify): store profile information, orders, refunds, fulfillments, draft orders, products, inventory, locations, customer names, contact details, addresses, tags, notes, and related webhook events needed to power agent research and actions
- Browser tools: websites and base URLs you configure, browser-tool instructions, agent-provided inputs, run status and history, live browser URLs, screenshots, recordings where enabled, extracted outputs, and cost/usage metadata
Tokens, secrets, and browser profiles
We store encrypted OAuth access and refresh tokens to maintain your integration connections. These are encrypted using AES-256-GCM at rest and are only used to access your connected services on your behalf. When you disconnect an integration, we delete the stored tokens and, where the provider supports it, revoke the OAuth grant or remove provider-side subscriptions.
If you configure Browser tools, you may choose to store named secrets (for example, a login email or password) for that tool. Secret values are encrypted at rest and are not shown again after saving. Browser tools may also use an organization-level browser profile, which can include cookies, localStorage, saved login state, and similar browser state needed to keep the browser signed in across sessions. You can reset the browser profile from the Browser integration settings.
Usage data
We track AI token usage (input/output tokens and estimated cost) per task for our own operational monitoring. We also use PostHog analytics to understand product and website usage. On public marketing pages, PostHog runs in cookieless mode and we only send pageviews, referrers, and allowlisted campaign parameters. In the signed-in product, we may send limited product events such as integration setup, onboarding progress, billing actions, and approval actions. We do not use advertising pixels or sell analytics data.
3. How We Use Your Data
We process your data for these purposes:
- Monitoring channels: Reading messages from connected communication tools to identify actionable requests
- Context research: Searching across your connected tools to gather relevant information for tasks
- AI processing: Sending content to AI model providers (see Section 5) to understand requests and generate responses
- Action drafting: Preparing email drafts, messages, and task updates for your approval
- Action execution: Carrying out approved actions (sending emails, posting messages) through your connected tools
- Browser automation: Opening websites in a managed browser, using configured browser profiles and secrets, showing live previews, recording runs where enabled, and returning extracted results or action outcomes to the agent
- Operating and securing Whirl: Authentication, billing, abuse prevention, debugging, security monitoring, and customer support
We do not use customer content from connected tools to train generalized AI models, build cross-customer datasets, or create benchmarks unless you expressly instruct or opt into that use.
4. Google Workspace data (Limited Use disclosure)
Whirl's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, with respect to data accessed through Gmail, Google Drive (including Google Docs and Google Sheets), Google Calendar, and Google Contacts:
- We only use this data to provide and improve the user-facing features that you have explicitly opted into — namely, monitoring inbound messages for actionable requests, researching context to answer those requests, drafting replies and documents for your approval, and executing actions you authorize.
- We do not transfer this data to any third party except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use this data, or allow our AI model subprocessors, routing providers, or browser automation subprocessors to use this data, to develop, improve, or train generalized or non-personalized AI/ML models. We access these providers via paid API tiers and processing terms or settings intended to prohibit such training, including Vercel AI Gateway's prompt-training opt-out setting where requests are routed through AI Gateway.
- We do not use this data to serve advertising, and we do not sell this data.
- We do not allow humans to read this data, except (a) with your explicit consent for specific messages or documents, (b) for security purposes (e.g., to investigate abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations.
You can revoke Whirl's access to your Google account at any time by disconnecting the integration in Whirl, or via your Google Account permissions page.
5. Data Storage and Security
Your primary Whirl application data is stored in Convex, our backend database provider. Convex hosts data in the United States. Browser automation data may also be processed or stored by Browser Use as described in Section 6, including browser profile state and run artifacts needed to provide Browser tools.
- OAuth tokens are encrypted at rest using AES-256-GCM with keys managed in our hosting environment
- All connections use HTTPS/TLS in transit
- Authentication is handled by Clerk with industry-standard security practices
- File attachments (e.g., MMS images) are stored in Convex file storage with time-limited access URLs
- Access to production data by Whirl personnel is restricted to a small number of administrators and used only for the limited-use purposes described in Section 4
Where personal data is transferred outside the UK or EEA, we rely on applicable data processing terms and transfer mechanisms such as adequacy regulations, Standard Contractual Clauses, the UK Addendum, or the UK International Data Transfer Agreement.
6. Third-Party Services
Whirl relies on several third-party services to function. Your data may be processed by:
- Anthropic (Claude) — AI model provider for understanding messages and generating responses. Accessed via paid API tier; Anthropic does not train on API-tier data.
- OpenAI — AI model provider for certain processing tasks. Accessed via paid API tier; OpenAI does not train on API-tier data.
- Google AI — AI model provider for certain processing tasks. Accessed via paid API tier under terms prohibiting training on customer data.
- OpenRouter — AI request routing and model provider access for certain processing tasks.
- Vercel AI Gateway— AI request routing, provider access, observability, and cost reporting. Vercel states that AI Gateway has a zero-data-retention policy for prompts, outputs, and sensitive data. We also set AI Gateway's prompt-training opt-out on routed requests so the gateway avoids providers that train on prompt data.
- Browser Use — Managed browser automation for Browser tools, including browser sessions, live previews, run recordings, screenshots, extracted outputs, and persistent browser profiles. Browser Use states that profiles can persist browser state such as cookies, localStorage, and saved passwords, and that sensitive data can be injected into web pages without showing the raw secret to the language model.
- Clerk — Authentication and user management
- Convex — Backend database and serverless functions
- Resend — Transactional email delivery (for emails sent on your behalf and notifications)
- Vercel — Application hosting
- PostHog — Product analytics and cookieless website analytics
Each of these services has its own privacy policy. We select providers that offer appropriate data protection practices and bind them by data-processing agreements consistent with the Limited Use requirements in Section 4. Our current sub-processor list is available at /subprocessors.
7. Data Retention
We retain your data for as long as your account is active. This includes:
- Tasks created by Whirl and their associated context, messages, and research
- Integration message data used for conversation threading
- Automation configurations and execution history
- Browser tool configurations, run history, browser profiles, and encrypted browser secrets
You can disconnect integrations at any time, which removes Whirl's stored access tokens and, where supported by the provider, revokes provider-side access or subscriptions. To request deletion of your account and the data we hold about you, contact us at hello@whirl.sh. We will action deletion requests within 30 days.
8. Cookies
Whirl uses essential cookies required for authentication (session management via Clerk). Public marketing analytics run in cookieless mode and do not use cookies, localStorage, or sessionStorage. We do not use advertising cookies.
9. Your Rights
You can:
- Access your data through the Whirl app
- Disconnectany integration at any time to revoke Whirl's access to that service
- Delete your account and request deletion of your data by contacting us
- Review and approve or reject all write actions before they are executed
If you are located in the EU/EEA, you may have additional rights under GDPR including data portability, restriction of processing, and the right to lodge a complaint with a supervisory authority.
10. Children
Whirl is not intended for use by anyone under the age of 18. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this policy as our practices evolve. We'll notify you of material changes via email or through the app. The "Last updated" date at the top reflects the most recent revision.
12. Contact
Questions about your data or this policy? Reach us at hello@whirl.sh.