1. Introduction
Welcome to WhalePrep (“we,” “our,” or “us”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the WhalePrep mobile application (the “App”) and our website at whaleprep.com (the “Website”). The App and the Website are referred to together as the “Services.”
By using the Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, do not use the Services.
2. Information We Collect
2.1 Account Information
Accounts exist only in the App. When you create an account, we collect:
- Email address
- Full name
- Password (stored only as a secure hash; we never store or have access to your plaintext password)
- Authentication method (email, Google, or Apple sign-in)
If you sign in via Google or Apple, we receive your name and a unique identifier from the respective service. We do not receive your Google or Apple password.
2.2 Profile Information
During onboarding and App usage, you may provide:
- Professional role (e.g., Data Analyst, QA Engineer, Product Manager)
- Proficiency level (e.g., Junior, Middle, Senior)
- Profile photo (optional)
2.3 Resume / CV Data
You may optionally upload your resume or CV (PDF or DOCX format) to enable personalized interview practice. We extract the text content from your file and store it on our servers. The original binary file is not retained. The extracted text is sent to OpenAI’s API for analysis to generate a structured summary of your skills, experience, and achievements. This summary is then used to create personalized interview questions tailored to your background. You may store up to 5 resumes per account.
2.4 Audio Recordings and Transcripts
During interview practice sessions, the App records your voice responses using your device’s microphone. This audio is:
- Stored locally on your device in the app’s private storage
- Transcribed to text (using on-device Apple Speech Recognition when available, or server-side transcription via OpenAI Whisper API)
- Uploaded to our servers for AI-powered analysis of your answers
Audio recordings are not stored on our servers. The uploaded audio is processed through OpenAI Whisper for transcription and then immediately discarded. Only the resulting text transcripts and analysis scores are stored on our servers linked to your account.
Recordings on your device are automatically deleted after 30 days of not being accessed (e.g., played back). If you listen to a recording, its retention period resets. All recordings and associated metadata are deleted when you log out or delete your account.
2.5 Interview Performance Data
For each practice session, we collect and store:
- Questions asked
- Your transcribed answers
- Performance scores (overall and per dimension: fluency, grammar, vocabulary, coherence, pronunciation)
- AI-generated feedback and improvement tips
- Session timestamps
2.6 Job Vacancy Data
If you use the custom interview feature, you may provide:
- Job posting links (URLs) or job description text
We analyze this content using AI to generate relevant interview questions. The extracted job details (title, company, key focus areas) are stored linked to your account.
2.7 Subscription and Purchase Information
We use Apple’s StoreKit for in-app purchases. We do not collect or store your payment card information. Apple handles all payment processing. We only receive:
- Subscription status (active, trial, expired)
- Plan type (monthly, quarterly, yearly)
- Transaction confirmation
2.8 Device and Technical Information
We collect limited device information for technical support purposes:
- Device model
- iOS version
- App version and build number
This information is collected only when you submit a support ticket.
2.9 Usage and Analytics Data
We use Mixpanel, a third-party analytics service, to understand how users interact with both the App and the Website. We track:
- Screen and page views and navigation patterns
- Feature usage (interviews started, completed, abandoned)
- Onboarding progress
- Subscription-related events (paywall views, purchases)
- Permission grant/denial (microphone, speech recognition, notifications) — App only
- Marketing engagement events on the Website (page views, clicks on calls to action, blog and guide reads)
Analytics events from the App are linked to your user ID to provide aggregated insights. Events from the Website are linked to an anonymous device identifier (set via cookie / local storage) unless you are signed in. We do not sell analytics data to third parties.
2.10 Support Information
When you submit a support ticket, we collect:
- Your message topic and description
- Device and app version information
- Optionally, recent error information to help diagnose issues
2.11 Push Notification Data
If you grant notification permissions in the App, we store locally:
- Notification preferences
- Last app open date (to schedule relevant reminders)
We use local notifications only. We do not use third-party push notification services.
2.12 Website Data
The Website does not require an account and does not ask you to submit personal information. The following data is collected automatically when you visit:
- Server access logs. Our hosting provider (Railway) automatically logs your IP address, user agent, requested URL, referrer, and timestamp for every request. These logs are used for security, abuse prevention, and debugging, and are retained for a short rolling window.
- Cookies and local storage. The Website uses a small number of cookies and local-storage entries, primarily set by Mixpanel to recognise return visitors anonymously. We do not use advertising cookies and we do not embed third-party advertising trackers.
- Analytics events. Page views and interactions on the Website are captured by Mixpanel as described in Section 2.9.
The Website is statically generated — there is no database, no contact form, no newsletter signup, and no account login at this time. If we add any of these features later, we will update this Privacy Policy before launching them.
3. How We Use Your Information
We use the collected information for the following purposes:
| Purpose | Data Used |
|---|---|
| Provide interview practice sessions | Audio recordings, transcripts, profile data |
| Generate personalized questions | Resume/CV data, role, level, job vacancy data |
| Analyze and score your answers | Transcripts, audio files |
| Display your progress and statistics | Interview scores, history, timestamps |
| Manage your account | Email, name, authentication tokens |
| Process subscriptions | Subscription status from Apple |
| Send practice reminders | Notification preferences, last open date |
| Operate and secure the Website | Server access logs, cookies, anonymous device identifier |
| Improve the Services | Aggregated analytics data from App and Website |
| Provide technical support | Device info, support ticket content |
| Prevent fraud and abuse | Authentication tokens, account activity, server logs |
4. Third-Party Services
We share data with the following third-party service providers, solely for the purposes described:
4.1 OpenAI
- Data shared: Your audio recordings (for transcription only — not retained by our servers), transcribed answers, interview questions, extracted resume/CV text, and job vacancy descriptions
- Purpose: Speech-to-text transcription (Whisper API); AI-powered answer analysis, scoring, and feedback generation; resume analysis and personalized question generation; job posting analysis for custom interview preparation
- Privacy Policy: https://openai.com/privacy
4.2 ElevenLabs
- Data shared: Interview question text
- Purpose: Text-to-speech generation for interview questions
- Privacy Policy: https://elevenlabs.io/privacy-policy
4.3 Microsoft Azure Speech Services
- Data shared: Audio recordings of your answers and transcribed text
- Purpose: Pronunciation assessment and scoring (accuracy, fluency, prosody)
- Privacy Policy: https://privacy.microsoft.com/privacystatement
4.4 SendGrid (Twilio)
- Data shared: Your email address
- Purpose: Sending transactional emails (password reset codes)
- Privacy Policy: https://www.twilio.com/legal/privacy
4.5 Mixpanel
- Data shared: User ID (App only) or anonymous device identifier (Website), user properties (name, email, role, level — App only), usage events
- Purpose: Product analytics and usage insights across the App and the Website
- Privacy Policy: https://mixpanel.com/legal/privacy-policy
4.6 Google Sign-In
- Data shared: Authentication tokens during sign-in
- Purpose: Account authentication
- Privacy Policy: https://policies.google.com/privacy
4.7 Apple
- Data shared: Authentication tokens (Sign in with Apple), purchase transactions (StoreKit)
- Purpose: Account authentication, subscription management
- Privacy Policy: https://www.apple.com/legal/privacy
4.8 Railway
- Data shared: Standard HTTP request data when you visit the Website (IP address, user agent, requested URL, timestamp)
- Purpose: Hosting the Website and storing short-lived server access logs for security and debugging
- Privacy Policy: https://railway.com/legal/privacy
We do not sell your personal information to any third party.
5. Data Storage and Security
5.1 Where Your Data Is Stored
- On your device: Audio recordings (auto-deleted after 30 days of inactivity), personal information and authentication tokens (encrypted in iOS Keychain), profile photo (encrypted with iOS Data Protection), app preferences
- On our servers (App): Account information, interview attempts, transcripts, scores, extracted resume text, job vacancies, support tickets
- On our hosting provider (Website): The Website is served as static content from Railway. Railway retains short-lived server access logs.
5.2 Security Measures
We implement appropriate technical and organizational measures to protect your data:
- Passwords are hashed using bcrypt before storage
- Personal information (name, email) and authentication tokens are stored in the iOS Keychain (hardware-encrypted)
- Profile photos are stored with iOS Data Protection encryption
- All data transmission uses HTTPS/TLS encryption
- Refresh tokens are stored as SHA-256 hashes on our servers
- Access tokens expire after a short period and are automatically refreshed
- All API endpoints that access personal data require user authentication via Bearer token
- Rate limiting is applied to prevent abuse (see Section 5.4)
5.3 Data Retention
We retain your data for as long as your account is active. Audio recordings on your device are automatically deleted after 30 days of inactivity. Password reset codes expire after 10 minutes. Website server access logs are retained for a short rolling window for security and debugging only.
When you delete your account:
- Your personal information (name, email, profile) is permanently deleted
- Your interview history, transcripts, and scores are permanently deleted
- Your uploaded resumes and extracted text are permanently deleted
- Your job vacancies and associated questions are permanently deleted
- Audio recordings and tracking metadata are deleted from your device
- Support tickets are retained in anonymized form for analytics — your email is replaced with an anonymous identifier and your user ID is removed. Ticket content (topic, message) is preserved but can no longer be linked to your identity.
- Account deletion feedback (if provided) is retained in anonymized form for product improvement
5.4 Rate Limiting
To protect our service and prevent abuse, we apply rate limits to API requests. Limits are applied per authenticated user. If you exceed a rate limit, you will receive a temporary error and can retry after a short wait. Rate limits do not result in account suspension or data loss.
6. Your Rights and Choices
6.1 Access and Control
You can:
- View your profile information and interview history within the App
- Update your profile, role, and level at any time
- Delete individual interview attempts from your history
- Delete your account entirely from the Profile settings
6.2 Account Deletion
You can delete your account at any time through the App (Profile > Delete Account). This will permanently remove your personal data from our servers as described in Section 5.3.
6.3 Permissions
You can revoke the following permissions at any time through your device’s Settings:
- Microphone access — required for interview practice
- Speech recognition — required for real-time transcription
- Notifications — optional practice reminders
6.4 Analytics Opt-Out
Mixpanel respects the “Limit Ad Tracking” setting on your device. You may also clear Website cookies and local storage from your browser settings to reset your anonymous identifier, or contact us to request removal of your analytics data.
7. Rights for Users in the European Economic Area (GDPR)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Right of access — request a copy of your personal data
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data
- Right to restriction — request limitation of processing
- Right to data portability — receive your data in a structured format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — withdraw consent at any time
Legal basis for processing:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Performance of contract |
| Interview practice and analysis | Performance of contract |
| Subscription management | Performance of contract |
| Analytics and product improvement (App and Website) | Legitimate interest |
| Website server logs (security and debugging) | Legitimate interest |
| Push notifications | Consent |
| Resume processing | Consent |
To exercise any of these rights, contact us at the email address provided in Section 11.
8. Rights for California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Non-discrimination for exercising your privacy rights
To exercise these rights, contact us at the email address provided in Section 11.
9. Children’s Privacy
The Services are not intended for children under the age of 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The current version is always available at whaleprep.com/legal/privacy. We will notify you of material changes by:
- Posting the updated policy on the Website and within the App
- Updating the “Last Updated” date at the top of this document
Your continued use of the Services after changes are posted constitutes your acceptance of the revised Privacy Policy.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: whaleprep.app@proton.me
12. Apple App Store Disclosure
In accordance with Apple’s App Store requirements, the following data types are collected by the App:
Data Linked to You:
- Contact Info (email address, name)
- User Content (audio recordings, transcripts, interview responses, resumes)
- Usage Data (product interaction, analytics events)
- Identifiers (user ID)
Data Not Linked to You:
- Diagnostics (device info in support tickets)
Data Used for Tracking:
We use Mixpanel for analytics. No data is shared with third-party advertisers or data brokers.