Privacy Policy
Whirl
Last updated: 16 June 2026
This Privacy Policy explains how Median Software, a sole trader based in Australia, trading as "Whirl by Median Software" ("Whirl", "we", "us", or "our"), collects, uses, shares, and protects your personal information when you use the Whirl website, applications, and related services (the "Service").
We are the data controller for the personal information described in this Policy. If you have any questions, contact us at support@median.software.
By using the Service, you agree to the practices described here. If you do not agree, please do not use the Service.
1. Information we collect
Account information. When you sign up, our authentication provider Clerk collects and provides us with information such as your email address, name or username, profile image, and a unique account identifier. If you sign in via a third-party provider (for example, Google), we receive basic profile details from that provider.
Content you provide. This includes the messages and prompts you send, the conversations ("threads") you create, files and images you upload, thread titles, and personalisation preferences you save.
Usage and technical information. We automatically collect information about how you use the Service, such as the models you select, message and usage metadata, feature interactions, approximate device and browser information, your time zone and locale, and event and performance data collected through our analytics provider, PostHog.
Billing information. When you subscribe to a paid plan, our billing provider Autumn and payment processor Stripe process your subscription, plan, usage balance, and payment details. We receive billing status and related metadata but do not store your full payment card number.
Cookies and similar technologies. We and our providers use cookies and local storage to keep you signed in, remember your preferences (such as theme), and understand usage. See Section 6.
2. How we use your information
We use personal information to:
- provide, operate, maintain, and secure the Service;
- generate AI responses to your prompts (see Section 4);
- manage your account, authentication, and subscriptions;
- process payments and prevent fraud;
- personalise your experience;
- analyse and improve the Service and develop new features;
- communicate with you about the Service, including support and important notices; and
- comply with legal obligations and enforce our Terms.
Legal bases (GDPR/UK GDPR). Where this law applies, we rely on: performance of a contract (to provide the Service to you); legitimate interests (to secure, analyse, and improve the Service, balanced against your rights); consent (for example, certain analytics or cookies, where required, which you may withdraw at any time); and legal obligation (to comply with applicable law).
3. We do not train models on your content
We do not sell your personal information, and we do not use your conversations to train our own foundation models. We instruct our AI providers through their business/API offerings, which are generally not used to train their models; however, their handling of data is governed by their own terms (see Section 4).
4. AI processing and third parties
To generate responses, your prompts, conversation history, attachments, and certain context (such as your name, time zone, and locale) are sent to OpenRouter, which routes requests to underlying AI model providers (which may include providers such as Anthropic, OpenAI, and Google). When you use live web search, your search queries are sent to Exa. These providers process your data under their own terms and privacy policies.
Please avoid submitting sensitive personal information you would not want processed by these third-party providers.
5. How we share your information
We share personal information only as needed to run the Service, including with the service providers ("sub-processors") below, each of which processes data on our behalf or to provide their service:
| Provider | Purpose |
|---|---|
| Clerk | Authentication and account management |
| Convex | Backend database and file storage |
| OpenRouter | Routing prompts to AI model providers |
| AI providers | Generating AI responses (e.g. Anthropic, OpenAI, Google) |
| Exa | Live web search |
| Autumn | Subscription and billing management |
| Stripe | Payment processing |
| PostHog | Product and usage analytics |
We may also disclose information: (a) to comply with the law or valid legal requests; (b) to protect the rights, safety, and security of Whirl, our users, or others; and (c) in connection with a merger, acquisition, or sale of assets, in which case we will require the recipient to honour this Policy.
We do not sell your personal information, and we do not "share" it for cross-context behavioural advertising as those terms are defined under California law.
6. Cookies and tracking
We use cookies and local storage that are strictly necessary (for example, to keep you signed in and remember your theme) and analytics cookies (via PostHog) to understand how the Service is used. You can control cookies through your browser settings; disabling some cookies may affect how the Service works.
7. Data retention
We retain your personal information for as long as your account is active or as needed to provide the Service. You can delete individual threads at any time, which removes the thread and its messages from our database. If you close your account, we will delete or anonymise your personal information within a reasonable period, except where we need to retain certain information to comply with legal obligations, resolve disputes, or enforce our agreements.
8. Data security
We use reasonable technical and organisational measures to protect your information, including encryption in transit and access controls. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security.
9. International data transfers
We and our providers operate globally, and your information may be processed in countries outside your own, including outside Australia, the EU/EEA, and the UK, which may have different data-protection laws. Where required, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses) for such transfers.
10. Your rights — EU / UK (GDPR)
If you are in the EU, EEA, or UK, you have the right to: access your personal data; correct inaccurate data; delete your data ("right to erasure"); restrict or object to processing; request data portability; and withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local data-protection authority.
11. Your rights — California (CCPA/CPRA)
If you are a California resident, you have the right to: know what personal information we collect and how we use and disclose it; request access to and deletion of your personal information; correct inaccurate information; and not be discriminated against for exercising your rights. As stated above, we do not sell or share your personal information for cross-context behavioural advertising. You may exercise these rights by contacting us at support@median.software.
12. Your rights — Australia
We handle personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth). You may request access to, or correction of, your personal information, and you may make a complaint about how we handle your information. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
13. How to exercise your rights
To exercise any of the rights above, email us at support@median.software. We may need to verify your identity before acting on your request, and we will respond within the timeframes required by applicable law. You can also manage much of your information directly in the app (for example, editing your profile and preferences, deleting threads, or closing your account).
14. Children's privacy
The Service is not directed to children under 13, and we do not knowingly collect personal information from them. If you are under the age of majority in your country, you may only use the Service with the consent and involvement of a parent or guardian. If you believe a child has provided us with personal information, contact us at support@median.software and we will take steps to delete it.
15. Third-party links
The Service and its Output may contain links to third-party websites and resources. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy policies.
16. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to notify you (for example, by posting the updated Policy with a new "Last updated" date or by notifying you in-app). Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.
17. Contact us
For any privacy questions or requests, contact:
Median Software — Whirl by Median Software
Email: support@median.software