Whirlwind

This Privacy Policy describes how Whirlwind (“we,” “us,” or “our”) collects, uses, and protects your information when you visit https://whirlwindai.xyz (the “Site”) and purchase or use the Whirlwind product (the “Service”).

By using the Site or Service, you agree to this Policy. If you do not agree, please do not use the Site or Service.

1. Information We Collect

1.1 Information you provide directly

Email address. Required to purchase, sign in, and receive product communications.
Payment information. Card details, billing address, and tax IDs are collected and processed by Stripe. We never see or store your full card number — Stripe handles all card data ourselves we only retain a customer reference and the email used.
GitHub username. When you accept the GitHub invitation to access the Whirlwind repository, GitHub records your username. We can see which usernames have accepted invitations.

1.2 Information collected automatically

Authentication cookies. Set by Supabase to keep you signed in across visits. These are first-party, essential to the Service, and do not track you across other sites.
Server logs. Standard request logs (IP address, user agent, request path, timestamp) retained briefly for security and debugging.
Analytics (optional). If we enable Plausible Analytics, it counts pageviews and referrers in aggregate. Plausible does not use cookies, does not collect personal data, and is GDPR-friendly.

2. How We Use Your Information

To process your purchase and deliver access to the product
To send you a sign-in link via email (magic-link authentication)
To send you a GitHub repository invitation so you can access the code
To send transactional emails about your account (purchase confirmations, refund confirmations, support replies)
To provide customer support and respond to your inquiries
To detect and prevent fraud, abuse, or violations of our Terms of Service
To comply with legal obligations (e.g., tax reporting, valid legal requests)

We do not use your data for advertising, do not sell your data, and do not share it with third parties for marketing purposes.

3. Service Providers

We use the following third-party processors to operate the Service. Each is bound by its own data-processing terms:

Stripe — payment processing. See Stripe’s Privacy Policy.
Supabase — database and authentication. See Supabase’s Privacy Policy.
Resend — transactional email delivery. See Resend’s Privacy Policy.
GitHub — code repository and invitation delivery. See GitHub’s Privacy Statement.
Vercel — application hosting. See Vercel’s Privacy Policy.

4. Data Retention

Account data (email, purchase records) — retained while your account is active and for a reasonable period after to comply with legal/tax obligations and to resolve disputes.
Payment records — retained by Stripe per their policies and as required for tax/accounting purposes.
Server logs — typically retained for 30 days for security and debugging.
Refunded customers — we retain a record of the refund (anonymized email, timestamp) for fraud prevention and financial reconciliation.

5. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or export your personal data, and to object to or restrict our use of it. To exercise any of these rights, email us at hello@whirlwindai.xyz. We will respond within a reasonable period, typically 30 days.

If you are in the EU/EEA or UK, you have rights under GDPR including the right to lodge a complaint with your local supervisory authority.

6. International Data Transfers

Our service providers may store data in the United States and other countries. By using the Service, you acknowledge that your data may be transferred to and processed in jurisdictions outside your own.

7. Security

We use encryption in transit (HTTPS/TLS) and at rest (via Supabase), row-level security on database tables, server-side secret management, and signature verification on payment webhooks. No system is perfectly secure, but we work to protect your data with current best practices.

8. Children’s Privacy

The Service is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided information to us, contact us and we will delete it.

9. Changes to This Policy

We may update this Policy from time to time. Significant changes will be communicated via email or a prominent notice on the Site. The “Last updated” date at the top reflects the most recent revision.

10. Contact

For questions about this Policy or our data practices, email hello@whirlwindai.xyz.