← Back to Home

Privacy Policy

Version 1.0 · Last updated April 14, 2026

1. Overview

This Privacy Policy explains what personal information WhaleFlow.io (“WhaleFlow”, “we”, “us”) collects, why we collect it, how we use it, and the choices you have over it. This policy applies to the WhaleFlow web dashboard, Telegram bots, and any related interfaces operated by us.

This policy is designed to align with the principles of the European Union General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law (KVKK — Law No. 6698). This alignment statement does not constitute a legal certification of compliance in any specific jurisdiction.

2. Data We Collect

We collect only the data we need to operate the service. The categories are:

  • Account data: email address, display name, hashed password, account role, creation timestamp, last-login timestamp, preferred timezone.
  • Consent records: the timestamp at which you accepted these terms, the version of the documents you accepted, and the timestamp at which you confirmed you are at least 18 years old.
  • Service preferences:alert rules you create, alert-delivery settings, referral code redeemed at registration (if any), and any Pro-tier expiry date.
  • Telegram linkage: the Telegram chat identifier you associate with your account when you use the Telegram link flow. We do not read your Telegram profile, contacts, or message history.
  • Operational logs: request metadata such as IP address and timestamps used for rate limiting, abuse prevention, and troubleshooting. These are kept only for as long as needed for those purposes.
  • Feedback: the content of any message you send through the in-app feedback form.

We do not ask for, collect, or store payment card details directly. Any paid subscription is processed through a third-party payment provider that handles card data under its own terms and policies.

We do not collect wallet addresses, exchange API keys, seed phrases, private keys, trading history, or any data from your exchange accounts. WhaleFlow analyzes public market data only.

3. How We Use Your Data

We use personal data only for the following purposes:

  • Creating and authenticating your account.
  • Storing and evaluating the alert rules you configure and delivering the resulting notifications.
  • Sending account-related messages (such as password resets).
  • Enforcing subscription tiers, referral rewards, and rate limits.
  • Detecting and preventing abuse, fraud, and unauthorized access.
  • Debugging issues you report and improving the service based on aggregate usage signals.
  • Complying with applicable legal obligations and responding to lawful requests.

4. Legal Bases

Where GDPR or KVKK applies, we rely on the following legal bases:

  • Contract: processing necessary to create your account and deliver the service you requested.
  • Legitimate interests:operating, securing, and improving the service, preventing abuse, and protecting our users.
  • Consent: the acceptance of these terms and the age confirmation captured at registration, and any optional features you opt into later.
  • Legal obligation: where processing is required to comply with applicable law.

5. Sharing and Disclosure

We do not sell your personal data. We do not share personal data with third parties for their independent marketing use. We share data only in the following narrow cases:

  • Service providers:infrastructure, hosting, email-delivery, and payment-processing vendors acting under our instructions and bound by confidentiality and data-protection obligations.
  • Telegram: when you link a Telegram chat, we transmit alert content to the chat identifier you supplied. Telegram is an independent data controller for that channel.
  • PostHog (analytics):we use PostHog for product analytics to understand feature usage and improve the service. We send your user ID, account role, and product events (e.g. “alert created”). We do not send your email address, password, Telegram chat ID, or any trading data. PostHog processes data under its privacy policy. Analytics are only active for logged-in users; anonymous visitors are not tracked.
  • Legal and safety: where required by law, to enforce our Terms, or to protect the rights, property, or safety of WhaleFlow, its users, or others.

6. International Transfers

Personal data may be processed by cloud providers whose infrastructure is operated in multiple regions. Where data is transferred across borders, we take reasonable steps so that an appropriate level of protection is maintained, including through contractual safeguards offered by our processors. We do not publicly disclose the specific data centres or regions used for operational and security reasons.

7. Retention

We retain account data for as long as your account is active. If you delete your account, we delete or anonymize the associated personal data within a reasonable period, subject to any limited retention required for legal compliance, dispute resolution, or fraud prevention. Operational logs are retained only for as long as needed for the purposes in Section 3.

8. Security

We apply reasonable technical and organizational measures designed to protect personal data, including encryption in transit, one-way password hashing with industry-standard algorithms, access controls, rate limiting, and audit logging. No online service can guarantee absolute security, and you use the service at your own risk.

9. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of data that is inaccurate or outdated.
  • Request deletion of your account and associated personal data (“right to be forgotten”).
  • Request a copy of your data in a portable format.
  • Object to or restrict certain processing based on legitimate interests.
  • Withdraw a previously given consent at any time.
  • Lodge a complaint with a competent data protection authority, including the Turkish Personal Data Protection Authority (KVKK Kurumu) if you are located in Türkiye.

To exercise these rights, contact us through the in-app feedback channel or the contact address published on the service. We will respond within the period required by applicable law.

10. Children

WhaleFlow is intended for users who are at least 18 years old. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected data from a user under 18, we will delete that data and terminate the account.

11. Cookies

We use a single strictly-necessary session cookie to keep you signed in. This cookie is httpOnly, is scoped to the WhaleFlow origin, and cannot be read by third-party scripts. PostHog (product analytics) may also set cookies for logged-in users; anonymous visitors are not tracked. We do not use advertising or cross-site-tracking cookies. For full details, see our Cookie Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the service. The version and date at the top of this page identify the edition in force. Your continued use of WhaleFlow after an update constitutes acceptance of the updated policy.

13. Contact

Questions about this Privacy Policy, or requests to exercise the rights listed in Section 9, can be directed to the WhaleFlow operator through the in-app feedback channel or by email at legal@whaleflow.io.