Privacy
Privacy at Whisp3r
Identity lives at Whisp3r Auth. Your content lives at your anchor. We store the minimum we need to render your social profile and the references that point at your stuff. When you revoke access, you choose what happens next: delete everything for good, or archive so you can step away and pick up exactly where you left off.
Principles
Three commitments shape every decision in this app:
- Identity stays at the authority. Your name, picture, language, pronouns, age verification — those are owned by Whisp3r Auth, not by this app. We resolve them when we need to render them and cache them for performance, but the canonical source is your identity provider.
- Content lives at your anchor. Today this app hosts your posts on a corporate anchor. Tomorrow you can move to a self-hosted anchor without re-binding your identity — see "Self-hosted mode" below.
- You choose what happens on revoke. Disconnecting this app at Whisp3r Auth is not a single default — the revoke screen offers you Delete (we wipe everything) or Archive (we hide everything publicly and preserve it so you can come back to exactly where you left off). We do not "retain for analytics" and we do not "keep for legal" — both options are user-driven. See "Revoking access: Delete or Archive" below.
What we store
For each user who has connected this app, we store:
- A directory pointer — your pairwise identifier from Whisp3r Auth, your chosen handle, and where your content lives. We do not store your display name, picture, language, pronouns, or any other identity field; we resolve those from Whisp3r Auth at render time.
- Your posts, comments, reposts, and reactions — the content you create on this app, addressed by human-readable aliases like post@yourhandle/01HZX...
- References — when someone replies to your post or follows you, we store the reference (alias + signature) but never copies of their identity data.
- Mutation history — an append-only log of edits to your containers, so that consumers can verify continuity and replay state.
- Media you upload — addressed by cryptographic hash. The same image uploaded by many users is stored once.
What we do not store
We deliberately do not store:
- Your email address. We never receive it from Whisp3r Auth.
- Your legal name, full name parts, birthday, or pronouns. Those live at Whisp3r Auth and we resolve them at render time using the identity directory.
- A separate password for this app. Authentication is delegated to Whisp3r Auth — we never see credentials.
- Cross-app correlation identifiers. Your identifier with us is opaque and different from your identifier with every other app connected to your Whisp3r Auth account.
- Tracking pixels, analytics fingerprints, or marketing cookies on this app's surfaces.
Revoking access: Delete or Archive
This app is registered with Whisp3r Auth under both the delete and archive data-retention commitments. When you disconnect this app from Whisp3r Auth, the revoke screen asks you which one you want. Either way, your sign-in session is ended immediately.
Delete
"Delete my data" is the privacy-maximum option. When you choose Delete, we:
- Clear your sign-in session.
- Delete every post, comment, repost, and reaction you authored on this app.
- Delete every follow / subscription involving you (the ones you started and the ones pointed at you).
- Delete every inbox reference authored by you sitting in other users' inboxes.
- Delete the mutation history of containers you owned.
- Delete the directory pointer row that made you addressable as @yourhandle on this app.
Media you uploaded that's referenced by other users' content remains in the content-addressed pool until no remaining reference points to it; the same hash is stored once regardless of how many users uploaded it, so removing your reference does not affect anyone else who happens to have uploaded the same bytes.
Archive
"Archive my data" is the take-a-break option. When you choose Archive, your data is fully preserved on our side but every public-facing surface treats you as if you are not on the platform. Specifically:
- Your /@yourhandle profile page returns 404 Not Found to anyone who visits it.
- Your posts, comments, reposts, and reactions are hidden from every feed, search result, thread view, and direct alias lookup. To other users it looks as though they were never there.
- Your follow / subscription relationships stop being visible; you do not appear in anyone's followers list, and nobody you follow sees you in their followers.
- Inbox entries pointing at your authored content are filtered out when other users read their inboxes.
Nothing is deleted. Your user_mirror row, your containers, your mutation history, and your media references stay exactly where they were, with an archived_at timestamp on your row marking you as away.
To come back, sign in again through Whisp3r Auth — that fresh consent IS the unarchive signal. The archived_at stamp is cleared atomically with your sign-in, and every surface returns to exactly where it was the moment before you archived. There is no separate "restore" affordance; signing in is restoration.
There is no time limit on the archive period. You can be away for a day, a year, or a decade and reconnect to find your profile and content unchanged.
Account deletion at the identity layer
If you delete your Whisp3r Auth account, that wipes our copy too — there is no separate "delete my Whisp3r social account" flow because your sign-in is the gateway to everything we store. An account deletion at the identity layer is equivalent to a Delete revocation here.
How we identify you (and what stays stable)
Whisp3r Auth identifies you to this app with a pairwise opaque identifier — different from your identifier with every other Whisp3r-connected app, and opaque so it can't be looked up against any external service. That identifier is deterministic: if you disconnect this app and reconnect later, you come back under the same identifier on our side.
What that stability does for you depends on which revoke option you picked:
- After Delete: a return visit sees a user with no prior content — a clean slate, indistinguishable from a brand-new account. The stable identifier exists so an accidental disconnect doesn't lock you out of returning to the same handle; the deletion makes the privacy guarantee real.
- After Archive: the stable identifier is what makes Archive's restore-on-sign-in promise possible. We index your archived data by your pairwise identifier; when you reconnect under the same identifier, we clear the archive marker and your profile, posts, follows, and inbox references are visible again in their original form.
If you want a truly fresh account — a new identifier, no possible continuity even theoretically — create a new account at Whisp3r Auth.
Self-hosted mode
The protocol this app implements lets you host your own content on your own server. When self-hosted mode ships:
- You point your Whisp3r Auth directory entry at your own anchor URL. Your content moves with you.
- This corporate app becomes a follower of your anchor — same as a friend's app following you. It caches the references it needs to render your posts in your followers' feeds, but the canonical data lives on your server.
- Disconnecting from this app no longer needs to "delete your data," because the data was never canonically here. The cache expires and that's it.
Until self-hosted mode ships, the revocation-is-deletion guarantee above stands in for the equivalent property a self-hosted user would have natively.
Changes to this document
This document is versioned. Changes are listed in chronological order so you can audit what shifted and when. Material changes (those that expand what we collect, shorten retention, or change deletion guarantees) require a fresh consent screen at Whisp3r Auth before the change takes effect for your account.
v1.1-draft (2026-06-04): Documents the Archive option on the revoke screen alongside Delete. Archive is additive — it does not weaken any prior commitment; it gives you a reversible exit so you can step away without losing your profile and content. The identifier-stability section is updated to explain how the same pairwise identifier supports both clean restarts (after Delete) and continuity (after Archive). Wire-level: this app now registers both accepts_delete and accepts_archive with Whisp3r Auth's retention model.
v1.0-draft (2026-06-04): Initial publication. Documents the directory-pivot architecture: identity at auth, content at the anchor, revocation triggers deletion, self-hosted mode coming.