Privacy Policy

WHYUSER, INC ("WhyUser," "we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (whyuser.com) or use our Go-To-Market Simulation Platform (the "Service").

If you are using the Service on behalf of an organization (our "Customer"), our processing of your data is also governed by our Cloud Service Agreement and Data Processing Agreement (DPA). In the event of a conflict between this Privacy Policy and the DPA, the DPA will govern.

1. Information We Collect

We collect information that identifies, relates to, describes, or could reasonably be linked to you ("Personal Data") in the following categories:

• Account Data: Name, email address, phone number, and professional title when you register for an account.
• Billing Data: Payment details and billing addresses processed securely by our third-party payment processors.
• Customer Content: Drafts, PDFs, URLs, and sales transcripts you upload to the Service for simulation.
• Usage Data: Information about your interactions with the Service, including IP addresses, log data, and performance metrics.

2. How We Use Your Information

We use your information for the following business purposes:

• To provide, operate, and maintain the Service.
• To process transactions and send related information, including invoices and confirmations.
• To monitor and analyze usage and trends to improve our products and services.
• To communicate with you regarding support, technical notices, and security alerts.

3. Our "Privacy-First" Data Architecture (How We Protect Content)

As a simulation platform processing sensitive GTM assets and sales intelligence, we employ a strict "Privacy-First" ingestion architecture:

• Ingestion-Layer Redaction: All unstructured data (such as Gong or Chorus transcripts) is programmatically redacted for Personally Identifiable Information (PII) immediately upon receipt at the ingestion layer (in volatile memory) before simulation processing occurs.
• No Raw Storage: We do not store raw sales transcript audio or full text files on disk. These are processed in volatile memory and immediately purged following signal extraction.
• Data Minimization: Our ingestion engine surgically isolates only structural market signals (Industry, Role, Pain Points, and Objections) to calibrate our Context Graph. Technical market signals are decoupled from individual identities.
• Per-Tenant Isolation: Each Customer is assigned a unique tenant identifier; all per-Customer data resides exclusively under that Customer's dedicated storage prefix and is never co-mingled with other Customers' data.

4. Artificial Intelligence & Third-Party Subprocessors

WhyUser utilizes secure third-party subprocessors to provide cloud infrastructure and foundational Large Language Model (LLM) capabilities. We strictly govern how these partners interact with your data:

• Approved LLM Providers: We route queries through enterprise APIs provided by OpenAI, L.L.C., Google LLC (Gemini), and Anthropic PBC (Claude).
• Zero-Day Retention & No Base Model Training: Data processed via these third-party LLM APIs is subject to zero-day retention and is strictly prohibited from being used to train their foundational base models.
• Infrastructure: We utilize AWS for secure, encrypted cloud infrastructure and data storage, in US regions only.

For a full list of our subprocessors and compliance mechanisms, please review our Data Processing Agreement.

5. Data Retention

We retain Personal Data only for as long as necessary to provide the Service and for the periods set forth in our Data Processing Agreement and internal Data Retention Policy:

• Raw Customer Content (e.g., transcripts) is never persisted to disk; it is purged from volatile memory immediately after signal extraction.
• Anonymized behavioral signals and simulation outputs are retained for the duration of the customer's Agreement plus up to 30 days, after which they are deleted.
• Account metadata (name, email, workspace configuration) is retained for the duration of the Agreement plus 90 days, to support re-activation and contractual obligations.
• System logs (infrastructure and access logs) are retained for up to 12 months to support security monitoring and audit.

We may retain specific records beyond these periods where required by applicable law, regulatory obligation, or valid legal process.

6. Data Sharing and Disclosure

We do not sell or share your Personal Data with third parties for their direct marketing purposes. We may disclose your information only in the following situations:

• Service Providers: To approved subprocessors who perform services on our behalf, bound by strict confidentiality obligations.
• Legal Obligations: If required to do so by Applicable Laws, court orders, or governmental regulations.
• Business Transfers: In connection with a merger, sale of company assets, financing, or acquisition of all or a portion of our business.

7. Your Rights & How to Exercise Them

If you are a resident of California or the European Economic Area (EEA)/United Kingdom, you have specific rights regarding your Personal Data, including:

• Access: Request a copy of the Personal Data we hold about you.
• Deletion: Request deletion of your Personal Data, subject to legal retention obligations.
• Correction: Request correction of inaccurate Personal Data.
• Opt-Out: Opt out of certain processing activities.
• Data Portability: Receive your Personal Data in a structured, machine-readable format.

To exercise any of these rights, email us at privacy@whyuser.com. We will acknowledge your request within 5 business days and respond in full within 30 days.

When providing the Service, WhyUser acts as a "Service Provider" under the CCPA and a "Processor" under the GDPR. We process Customer Personal Data solely upon the documented instructions of our Customers (the "Controllers"). If you are an end-user of one of our Customers, please direct your privacy inquiries to them directly; we will support our Customer in responding to your request.

8. Security

We maintain commercially reasonable administrative, technical, and physical safeguards designed to protect Personal Data. For a detailed description of our security practices, see our Security Policy.

In the event of a Personal Data Breach affecting your data, we commit to notifying affected Customers without undue delay and in any event within 72 hours of confirming the breach. Our full incident-response process is documented and available on request.

9. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

WHYUSER, INC
California, USA
Privacy Inquiries: privacy@whyuser.com
Security Inquiries: security@whyuser.com
Legal Notices: notices@whyuser.com