Privacy Policy

Last updated: April 2026

1. Data Controller (Art. 4 No. 7 GDPR)

WhatGhost.ai — a SaaS project by
QLIQ Marketing L.L.C.
Dubai Branch Building, Office 1-141-278
Mankhool, 00000 Dubai — UAE
Email: what@qliq.digital

Although our company is based in Dubai (UAE), we also offer our services to users in the European Economic Area (EEA). Accordingly, the EU General Data Protection Regulation (GDPR) applies pursuant to Art. 3(2) GDPR to the processing of personal data of users located in the EEA.

2. What Data We Collect and Why

2.1 Registration & Authentication

Data | Purpose | Legal Basis | Retention Period
Email address | Sign-in via magic link | Art. 6(1)(b) GDPR (performance of contract) | Until account deletion
User ID (UUID) | Account identification | Art. 6(1)(b) GDPR | Until account deletion
Email address | Sending product updates, new feature announcements, and service information via email | Art. 6(1)(f) GDPR (legitimate interest) in conjunction with § 7(3) UWG (existing customer privilege) | Until opt-out (unsubscribe) or account deletion

As a registered user, you may occasionally receive emails about new features, product updates, and service information related to WhatGhost. This is based on the existing customer privilege (§ 7(3) UWG), as the communications relate to products and services similar to those you already use. You may opt out at any time by clicking the unsubscribe link in any email or by contacting what@qliq.digital.

2.2 WhatsApp Connection

Data | Purpose | Legal Basis | Retention Period
WhatsApp session data | Maintaining the WhatsApp connection | Art. 6(1)(b) GDPR | Stored encrypted (AES-256-GCM); deleted upon disconnection or account deletion

2.3 Voice Message Transcription

Data | Purpose | Legal Basis | Retention Period
Audio data (voice message) | AI transcription (OpenAI Whisper API) | Art. 6(1)(b) GDPR | No persistent storage. Audio is processed in memory only and discarded immediately after transcription. Neither audio nor transcript is stored on our servers.
Transcript & summary | Delivery to the user in the WhatsApp chat | Art. 6(1)(b) GDPR | Stored locally in the user's browser only (localStorage). No message content is stored on our servers.

2.4 Payment Processing

Data | Purpose | Legal Basis | Retention Period
Stripe session ID, amount, purchased minutes | Payment processing and record-keeping | Art. 6(1)(b) GDPR (performance of contract), Art. 6(1)(c) GDPR (legal obligation for bookkeeping) | 10 years (statutory retention period)

Payment details (credit card numbers, etc.) are processed exclusively by Stripe and are never accessible to us.

2.5 Referral Program

Data | Purpose | Legal Basis | Retention Period
Referral code, referrer/referee (user IDs) | Crediting bonus minutes | Art. 6(1)(b) GDPR | Until account deletion

3. Data Processors and Third Parties

We use the following data processors pursuant to Art. 28 GDPR. A data processing agreement (DPA) has been concluded with each:

Provider | Purpose | Server Location | Third-Country Transfer Safeguards
Supabase, Inc. | Authentication, database, user management | USA | EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR
OpenAI, Inc. | Transcription (Whisper API) and summarization (GPT-4o-mini) | USA | EU Standard Contractual Clauses (SCC); OpenAI Data Processing Addendum (DPA). When using the API, data is not used for training and is deleted after 30 days.
Stripe, Inc. | Payment processing | USA / EU | EU Standard Contractual Clauses (SCC); Stripe partially acts as an independent controller (to fulfill regulatory obligations).
Railway, Inc. | Web application hosting | USA | EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR

4. Transfer to Third Countries

Some of our data processors are based in the USA. The transfer of personal data to the USA is carried out on the basis of EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR. In addition, we have implemented technical and organizational measures (e.g., encryption, pseudonymization, data minimization) to ensure an adequate level of protection.

5. Technical and Organizational Measures (Art. 32 GDPR)

  • Encryption: All connections are TLS-encrypted (HTTPS). WhatsApp session data is stored on the server encrypted with AES-256-GCM.
  • No persistent content storage: Audio data and transcripts are processed exclusively in memory and discarded immediately after delivery. Our servers only store metadata (chat name, duration, timestamp) — no message content.
  • Local storage: The transcription history is stored exclusively in the user’s local browser (localStorage) and can be deleted by the user at any time.
  • Rate Limiting: API endpoints are protected by rate limiting to prevent abuse.
  • Security headers: X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), restrictive Permissions-Policy.
  • Row Level Security: Database access is secured by Row Level Security (RLS) at the database level. Each user can only access their own data.

6. Use of Artificial Intelligence

WhatGhost uses AI services from OpenAI to process voice messages:

  • OpenAI Whisper API: Converts audio data into text (speech-to-text). The audio data is transmitted to OpenAI via their API, processed there, and the result is returned. OpenAI retains API data for up to 30 days for abuse detection and deletes it thereafter. API data is not used for training AI models.
  • OpenAI GPT-4o-mini: Generates a brief summary for voice messages longer than 60 seconds. Only the already transcribed text (no audio) is transmitted for this purpose.

No automated decision-making within the meaning of Art. 22 GDPR takes place. AI is used exclusively for transcription and summarization — no profiling or scoring is performed.

7. Cookies and Tracking

WhatGhost does not use any cookies for marketing or tracking purposes. We only use technically necessary cookies required for the application to function (e.g., session cookies for authentication). These cookies are set on the basis of Art. 6(1)(f) GDPR (legitimate interest). No analytics, advertising, or social media trackers are used.

8. Your Rights as a Data Subject

Under the GDPR, you have the following rights, which you may exercise at any time by emailing what@qliq.digital:

  • Right of access (Art. 15): You may request information about the personal data we process about you.
  • Right to rectification (Art. 16): You may request the correction of inaccurate data.
  • Right to erasure (Art. 17): You may request the deletion of your data, provided no statutory retention obligations apply.
  • Right to restriction of processing (Art. 18): You may request the restriction of processing of your data.
  • Right to data portability (Art. 20): You may receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): You may object to processing based on legitimate interests.
  • Right to lodge a complaint (Art. 77): You have the right to lodge a complaint with a data protection supervisory authority — in particular in the EU member state where you habitually reside.

9. Account Deletion

You may request the deletion of your account at any time by sending an email to what@qliq.digital. Upon account deletion, the following data will be permanently deleted:

  • Email address and user profile
  • WhatsApp session data (encrypted)
  • Transcription metadata
  • Referral associations

Payment data held by Stripe is subject to statutory retention periods and will be deleted upon their expiry. Local browser data (localStorage) can be removed at any time via the dashboard’s “Clear history” function.

10. Changes to This Privacy Policy

We reserve the right to update this privacy policy to reflect changes in the legal landscape or modifications to our service. The current version is always available at whatghost.ai/datenschutz. In the event of material changes, we will notify registered users by email.

11. Contact

For questions regarding data protection, please contact us at:
what@qliq.digital