WhirlWhirlBack to home

Privacy Policy

Last updated: February 25, 2026

1. Overview

Whirl ("we," "us," "our") is an AI agent that connects to your team's tools to autonomously handle requests, research context, and draft actions. This policy explains what data we collect, why, and how we handle it.

We designed Whirl to be privacy-conscious: we don't use analytics trackers, we don't serve ads, and we don't sell your data.

2. Data We Collect

Account information

When you sign up, we collect your name and email address through Clerk, our authentication provider. If you sign up via Google OAuth, Clerk handles that flow — we receive your basic profile information.

Organization information

You may create or join an organization in Whirl. We store the organization name, industry, and website URL if provided.

Integration data

When you connect third-party tools, we collect and process data from those services to provide Whirl's functionality:

  • Communication tools (Slack, Gmail, Aircall, WhatsApp): message content, sender/recipient information, timestamps, attachments
  • Productivity tools (Google Drive, Notion, GitHub, Linear, Basecamp): document content, page titles, issue details, project information
  • Calendar (Google Calendar): event titles, descriptions, attendees, times
  • Specialized tools (Breezeway, Smily, Granola): property data, booking information, meeting notes

OAuth tokens

We store encrypted OAuth access and refresh tokens to maintain your integration connections. These are encrypted using AES-256-GCM at rest and are only used to access your connected services on your behalf.

Usage data

We track AI token usage (input/output tokens and estimated cost) per task for our own operational monitoring. We do not use third-party analytics services, cookies for tracking, or any advertising pixels.

3. How We Use Your Data

We process your data for these purposes:

  • Monitoring channels: Reading messages from connected communication tools to identify actionable requests
  • Context research: Searching across your connected tools to gather relevant information for tasks
  • AI processing: Sending content to AI model providers (see Section 5) to understand requests and generate responses
  • Action drafting: Preparing email drafts, messages, and task updates for your approval
  • Action execution: Carrying out approved actions (sending emails, posting messages) through your connected tools

4. Data Storage and Security

Your data is stored in Convex, our backend database provider. Convex hosts data in the United States.

  • OAuth tokens are encrypted at rest using AES-256-GCM
  • All connections use HTTPS/TLS in transit
  • Authentication is handled by Clerk with industry-standard security practices
  • File attachments (e.g., MMS images) are stored in Convex file storage with time-limited access URLs

5. Third-Party Services

Whirl relies on several third-party services to function. Your data may be processed by:

  • Anthropic (Claude) — AI model provider for understanding messages and generating responses
  • OpenAI — AI model provider, used for certain processing tasks
  • Google AI — AI model provider, used for certain processing tasks
  • Clerk — Authentication and user management
  • Convex — Backend database and serverless functions
  • Resend — Transactional email delivery (for emails sent on your behalf and notifications)
  • Vercel — Application hosting

Each of these services has its own privacy policy. We select providers that offer appropriate data protection practices.

Content from your connected tools is sent to AI model providers for processing. These providers may have their own data retention policies. We use API access (not consumer-tier), which typically means your data is not used to train their models, but we encourage you to review their policies directly.

6. Data Retention

We retain your data for as long as your account is active. This includes:

  • Tasks created by Whirl and their associated context, messages, and research
  • Integration message data used for conversation threading
  • Automation configurations and execution history

You can disconnect integrations at any time, which revokes Whirl's access to that service. To request deletion of your data, contact us at hello@whirl.sh.

7. Cookies

Whirl uses only essential cookies required for authentication (session management via Clerk). We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

8. Your Rights

You can:

  • Access your data through the Whirl app
  • Disconnect any integration at any time to revoke Whirl's access to that service
  • Delete your account and request deletion of your data by contacting us
  • Review and approve or reject all write actions before they are executed

If you are located in the EU/EEA, you may have additional rights under GDPR including data portability, restriction of processing, and the right to lodge a complaint with a supervisory authority.

9. Children

Whirl is not intended for use by anyone under the age of 18. We do not knowingly collect data from children.

10. Changes to This Policy

We may update this policy as our practices evolve. We'll notify you of material changes via email or through the app. The "Last updated" date at the top reflects the most recent revision.

11. Contact

Questions about your data or this policy? Reach us at hello@whirl.sh.