Whistl Privacy & Security: How We Protect Your Data

Your financial data is deeply personal. Whistl is built with privacy-first principles: on-device processing, bank-level encryption, and transparent data practices. Here's exactly how we protect your data.

Our Privacy Philosophy

Privacy isn't a feature—it's a foundation. Our principles:

  • Minimal data collection: We only collect what's necessary
  • On-device processing: Your data stays on your device
  • No data selling: We never sell your data, period
  • Transparency: Clear about what we collect and why
  • User control: You control your data

On-Device Processing

What It Means

Most finance apps send your transaction data to their servers for processing. Whistl doesn't. Our AI runs entirely on your device.

Why It Matters

  • No server breaches: Your data isn't on servers that can be hacked
  • No third-party access: No employees, contractors, or partners see your data
  • No data mining: We can't mine your data because we don't have it
  • Works offline: Core features work without internet

What Stays On Your Device

  • All transaction data
  • Spending patterns and analysis
  • AI risk assessments
  • Accountability partner settings
  • Protected Floor configuration

Bank-Level Encryption

Data at Rest

All data stored on your device is encrypted:

  • AES-256 encryption (same as banks)
  • Keys stored in Secure Enclave (iOS)
  • Data unreadable without your device passcode

Data in Transit

When data must leave your device (e.g., bank connections):

  • TLS 1.3 encryption (latest standard)
  • Certificate pinning (prevents man-in-the-middle attacks)
  • Perfect forward secrecy (each session uses unique keys)

Open Banking Security

Whistl uses Australian Open Banking (Consumer Data Right):

  • OAuth 2.0 authentication
  • You explicitly authorise each connection
  • You can revoke access anytime
  • Banks verify Whistl's identity

What Data We Collect

Transparency is key. Here's exactly what we collect:

Account Data (On-Device Only)

  • Transaction history (for analysis)
  • Account balances
  • Savings goals
  • Protected Floor settings

Where stored: On your device only

Who can access: Only you

Accountability Partner Data (Minimal)

  • Partner email/phone (for invitations)
  • Notification preferences
  • Threshold settings

Where stored: Encrypted on our servers

Who can access: You and your partner only

Usage Analytics (Optional)

  • Feature usage (which features you use)
  • Crash reports (if the app crashes)
  • Performance data (app speed)

Where stored: Encrypted analytics servers

Who can access: Whistl engineering team only

Opt-out: Settings → Privacy → Disable Analytics

What We DON'T Collect

  • ✗ Transaction details sent to our servers
  • ✗ Spending patterns for advertising
  • ✗ Data sold to third parties
  • ✗ Location data (except for venue detection, which is on-device)
  • ✗ Contact list access
  • ✗ Microphone or camera access

Accountability Partner Privacy

What Your Partner Can See

You control exactly what they see:

  • Purchase notifications (threshold you set)
  • Spending summaries (if enabled)
  • Goal progress (if enabled)
  • Full transaction history (only if you enable)

What Your Partner CAN'T See

  • Your total balance (unless you share)
  • Transactions below your threshold
  • Protected Floor settings
  • Other partners you have

Data Retention

Active Accounts

Data is retained as long as your account is active.

Deleted Accounts

When you delete your account:

  • On-device data: Deleted immediately
  • Server data: Deleted within 30 days
  • Backups: Deleted within 90 days

Export Your Data

You can export all your data anytime:

  1. Settings → Privacy → Export Data
  2. Receive a CSV file via email
  3. Includes all transactions, goals, settings

Security Practices

Internal Security

  • Employee background checks
  • Least-privilege access (employees only access what they need)
  • Two-factor authentication for all internal systems
  • Regular security training

Infrastructure Security

  • AWS hosting (SOC 2 certified)
  • Regular penetration testing
  • Vulnerability bounty program
  • 24/7 security monitoring

Compliance

  • Australian Privacy Principles (APP)
  • GDPR compliant (for EU users)
  • Open Banking CDR compliant
  • Regular third-party audits

Privacy by Design

Privacy isn't added after the fact—it's built in from the start:

  • Privacy impact assessments for all new features
  • Data minimisation (collect only what's needed)
  • Purpose limitation (use data only for stated purposes)
  • Storage limitation (retain only as long as needed)

Your Privacy Rights

Under Australian law, you have the right to:

  • Access your data
  • Correct inaccurate data
  • Delete your data
  • Export your data
  • Opt out of analytics
  • Lodge a complaint

Contact Our Privacy Team

Privacy questions or concerns?

  • Email: privacy@whistl.app
  • In-app: Settings → Privacy → Contact Privacy Team
  • Response time: Within 72 hours

Conclusion: Your Trust Is Everything

We know you're trusting us with sensitive data. We take that trust seriously. Privacy-first design, on-device processing, bank-level encryption—these aren't buzzwords. They're our commitment to you.

Privacy-First Financial Tools

Whistl protects your data with on-device processing, encryption, and transparent practices. Your financial data stays yours. Free forever.
