1. Who We Are
HACKASTRA INFOSEC L.L.C-FZ ("Company", "we", "us") operates whomi.bio. We are registered in a UAE Free Zone and act as the data controller for personal data collected through the Service. For EU/EEA users, we comply with the General Data Protection Regulation (GDPR) in addition to UAE data protection law.
2. What Data We Collect
2.1 Data you provide directly
- Email address (during sign-up)
- Username and chosen display name
- Password — stored only as a salted, irreversible hash; we never see your plain password
- Profile content: bio text, links, theme settings, uploaded avatar
- Payment details: handled by Stripe; we store only the Stripe customer ID and transaction metadata, never your card number or CVV
- Messages: content of messages you send or receive in the inbox feature
2.2 Data pulled from third-party APIs
When you connect your GitHub, Stack Overflow, or LeetCode profile, we fetch and store public, statistical data:
- GitHub: contribution graph, top repositories, follower count, public account metadata
- Stack Overflow: reputation score, top tags, top answers
- LeetCode: solved problem count, contest rating, public profile metadata
whomi.bio does NOT store:
- Your GitHub / Stack Overflow / LeetCode passwords
- Any private repositories, private answers, or private data
- Long-lived OAuth tokens beyond what is needed to refresh public statistics (we store only short-lived refresh tokens, encrypted at rest)
2.3 Data we collect automatically
- Cookies (see Cookie Policy)
- IP address and basic device info for security and abuse prevention
- Usage data: page views, link clicks, city-level geographic region, aggregate analytics
3. Legal Basis for Processing (GDPR)
For EU/EEA users, our legal basis for each category of processing:
- Account creation — Contract
- Profile content — Contract
- Third-party API data — Consent (given when you connect the integration)
- Payment processing — Contract
- Marketing emails — Consent (withdrawable anytime)
- Security logs — Legitimate interest
- Analytics — Consent for non-essential analytics; legitimate interest for first-party aggregate analytics
4. How We Share Your Data
We do not sell your personal data. We share it only with:
- Stripe — process payments (USA / EU)
- Resend — send transactional and marketing emails (USA / EU)
- GitHub / Stack Overflow / LeetCode APIs — fetch your public stats, only when you initiate the connection (USA)
- Cloud hosting providers — host the Service infrastructure (EU / UAE)
- Greenhouse / Lever / Ashby — only when you explicitly push your own profile / data to a connected ATS (USA / EU)
All third-party processors are bound by data processing agreements requiring at least equivalent protection to GDPR.
5. Data Retention
- Active accounts: retained as long as your account is active
- Deleted accounts: profile data removed within 30 days; backups purged within 90 days
- Payment records: retained for 7 years to meet UAE accounting requirements
- Security logs: 90 days
6. Your Rights
For EU/EEA users (and in practice for all users), you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Delete your data ("right to be forgotten")
- Restrict processing while a dispute is being resolved
- Port your data to another service in a machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time, where consent is the legal basis
- Lodge a complaint with a supervisory authority
To exercise any right, email legal@whomi.bio. We respond within 30 days.
7. International Data Transfers
Your data may be processed outside the UAE or EU/EEA. When we transfer data internationally we rely on Standard Contractual Clauses approved by the European Commission, or adequacy decisions where applicable.
8. Data Security
We use industry-standard security measures:
- TLS 1.2+ for all data in transit
- Encryption at rest for sensitive fields (refresh tokens, ATS credentials)
- Salted bcrypt password hashing
- Regular security reviews and least-privilege access controls
If we become aware of a breach affecting your personal data, we will notify you and the relevant authority within 72 hours.
9. Children
The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has signed up, please email legal@whomi.bio.
10. Changes to this Policy
Material changes will be communicated by email or a prominent banner on the Service.
11. Contact
Privacy questions, data requests, or complaints: legal@whomi.bio.