whomi.bio ("whomi.bio", "we", "us") provides a link-in-bio service for engineers. This policy explains what data we collect, why we collect it, and how you stay in control of it. We try to keep this short and human-readable.
1. The data we collect
Account data
When you claim a handle we store your email, a bcrypt hash of your password, your chosen username, display name, avatar, location, tagline, bio, skills, and the social/GitHub/Stack Overflow/LeetCode identifiers you choose to connect.
Inbox & chat data
When a visitor sends you a message through your bio, we store the message content, the visitor's chosen name & email (if provided), the intent label they picked, timestamp, and the conversation labels you apply later.
Usage data
We log basic request metadata (IP, user-agent, page viewed) to operate the service and detect abuse. We use PostHog for product analytics — this includes pseudonymous events such as page views and feature interactions.
Payment data
If you subscribe to Pro, all payment information (card details, billing address) is collected and stored by Stripe. We never see or store your card number. We retain only the Stripe session/customer ID and your subscription status (is_pro).
2. What we do with your data
- Render your public bio at whomi.bio/<username>.
- Fetch public statistics from GitHub, Stack Overflow, and LeetCode using only the identifiers you provide.
- Deliver messages from visitors to your inbox in real-time via WebSockets.
- Send transactional emails (account, billing receipts, offline-chat notifications) only when relevant.
- Improve the product through aggregate analytics. We never sell your personal data.
3. Third-party services we use
- Stripe — payments. (Their privacy policy.)
- PostHog — product analytics.
- GitHub, Stack Exchange, LeetCode — we call their public APIs with the identifiers you provide.
- OpenStreetMap Nominatim — powers the location autocomplete.
- Anthropic (Claude) — only when you invoke the AI brief summarizer; the pasted text is sent for processing and cached on our side for 30 days.
- Resend — transactional email delivery (when enabled).
4. Your rights & controls
You have the right to access, correct, export, or delete your data at any time. Specifically you can:
- Edit any profile field from your dashboard.
- Toggle yourself out of the public /discover directory.
- Disable the chat widget on your bio.
- Request full data export or account deletion by emailing hi@whomi.bio. We'll action it within 14 days.
If you're in the EU/UK/California, you have additional rights under GDPR/CCPA — the same email gets you the same outcome.
5. Data retention
We retain account data for as long as your account is active. Chat messages are retained until you delete the conversation (or 24 months, whichever is sooner). Deleted accounts are purged from our primary database within 30 days; backups age out within 90 days.
6. Security
Passwords are hashed with bcrypt. Auth uses JWT. All traffic is TLS-encrypted. We follow industry standards but no system is bulletproof — if you spot a vulnerability, please email security@whomi.bio.
7. Children
whomi.bio is not directed to anyone under 16. If you believe a child has provided us data, contact us and we'll delete it.
8. Changes
We'll update this page when our practices change and post the new effective date at the top. Material changes will also be announced via email.
9. Contact
Questions? hi@whomi.bio.