Whisper

Whisper

Built to Disappear.

Privacy Policy

Last updated: February 19, 2026

What Whisper Does

Whisper is an encrypted secret sharing service. It allows users to share passwords, API keys, and other sensitive text via encrypted, time-limited, optionally self-destructing links.

Data We Collect

Whisper is designed to collect as little data as possible:

  • Secret content — encrypted at rest with AES-256-GCM. We cannot read your secrets. They are automatically deleted when they expire or after the first retrieval if self-destruct is enabled.
  • Slack metadata — when using the /whisper slash command, Slack sends us your user ID, username, team ID, and channel ID. We use this only to process the command and do not store it.

Analytics — We use Google Analytics 4 and Mixpanel to collect anonymous usage data (page views, feature usage). No personal information is tied to these events. Session recordings may be collected by Mixpanel to improve the user experience.

We do not collect:

  • Email addresses or personal information
  • Cookies (only a theme preference stored in your browser's localStorage)
  • IP addresses or access logs beyond standard server operation

How We Use Your Data

  • Secret content is encrypted, stored temporarily, and deleted after expiration or first retrieval.
  • Slack command metadata is used only to process your request and return a response. It is not stored.

Data Retention

  • Secrets with self-destruct enabled are permanently deleted after the first retrieval.
  • All secrets are permanently deleted when their expiration time is reached.
  • A cleanup job runs every minute to remove expired secrets.

Data Security

  • All secrets are encrypted with AES-256-GCM before storage.
  • Each secret uses a unique random nonce.
  • The encryption key is stored on the server, separate from the database.
  • All connections use HTTPS with HSTS enabled.
  • Slack requests are verified using HMAC-SHA256 signature verification.

Third Parties

Whisper uses the following third-party services:

  • Google Analytics 4 — anonymous usage analytics
  • Mixpanel — product analytics and session recording
  • Slack API — to process /whisper slash commands (integration only)

No secret content is ever shared with third parties.

Your Rights

Since secrets are encrypted and automatically deleted, there is typically no personal data to manage. If you have questions or concerns, contact us at the support email provided in the Slack App Directory listing.

Changes

We may update this policy. Changes will be reflected on this page with an updated date.