Privacy Policy
Last updated: 26 June 2026
This Privacy Policy explains how KMF Ventures LLC (KMF Ventures, we, us, or our), which operates the Whooshly service (Whooshly or the Service), collects, uses, and shares information. Whooshly is a pay-once campaign link toolkit that lets you create short links, dynamic QR codes, UTM templates, and hosted vCards. Our dashboard lives at app.whooshly.co, and short links and hosted pages are served from whooshly.co (and any custom domain you connect).
By using the Service, you agree to this Privacy Policy. It works alongside our Terms of Service. If you do not agree, please do not use the Service.
Who this policy is for
This policy covers two groups of people: account holders who sign up and use Whooshly to create links and other content, and visitors who click a short link, scan a QR code, or view a hosted vCard that an account holder created. Some sections below apply mainly to one group or the other, and we say so where it matters.
Information we collect
Account information. When you create an account, we collect your email address and a password. We never store your password in plaintext; it is kept only as a secure cryptographic hash. Passwords must be at least 8 characters. You may also provide a display name (if you leave it blank, we default it to your email address), and your account may include an email-verification flag and an optional profile image. If you choose Continue with Google instead of a password, we receive a standard sign-in identity from Google (such as your email, name, and profile image) along with the related authentication tokens; we only do this if you choose Google sign-in.
Content and settings you create. The Service stores the content you create, including destination URLs for your links, your link slugs and settings, QR code styling, UTM templates (source, medium, campaign, term, and content values), and the fields on your hosted vCards (such as first name, last name, organization, job title, phone, email, website, and a free-text note). It also stores any custom domain hostnames you connect. If you protect a Pro link with a password, that link password is stored only as a hash, never in plaintext. Please note that short links redirect publicly and hosted vCards are public web pages, so any content you publish through them can be accessed by anyone who has the link.
Payment information. Our payment processor, Polar, acts as the merchant of record and seller of record for purchases. Polar hosts the checkout, processes all payments, and handles billing and applicable sales tax. You enter your payment-card details directly with Polar. We never receive or store your card number or other payment-card details. We store only what we need to apply your purchases, namely entitlement flags (such as whether your one-time Core purchase is unlocked and whether your Pro subscription is active), your credit-wallet balance, and a credit ledger that records grants, top-ups, and debits for accounting purposes.
Information collected automatically when links are used. When someone clicks one of your short links, or scans or views one of your QR codes or hosted vCards, the Service records an event with coarse, low-detail dimensions: an approximate country (derived by our infrastructure provider), a device-type bucket (such as mobile, tablet, or desktop, derived from the browser's user-agent), the referrer, and any UTM parameters present on the URL. We do not build advertising profiles, and we do not track visitors across other websites.
Visitor IP addresses. A visitor's IP address is processed only transiently at the edge to apply rate limiting and abuse prevention and to derive the approximate country and device signals described above. The visitor's IP address is not stored as part of the click or scan analytics record.
Security and session data. When you sign in, we create a login session and store a session record that includes a session token, an expiry time, and, for security purposes, the IP address and browser user-agent associated with that session. This session data is retained until the session expires or you sign out, and it is removed when you delete your account.
How and why we use information
We use the information above to:
- provide, operate, and maintain the Service, including creating and authenticating your account across all four tools;
- deliver your short-link redirects, hosted vCards, and QR codes, and apply Pro smart-routing rules (such as geo, device, A/B testing, and expiry);
- produce the click and scan analytics shown in your dashboard, including per-day totals and country, device, referrer, and UTM breakdowns;
- process purchases, subscriptions, and credits through our payment processor, and apply the resulting entitlements to your account;
- keep the Service secure and prevent abuse, including rate limiting, enforcing resource limits, and disabling links, vCards, domains, or accounts that violate our Terms of Service; and
- comply with our legal obligations and respond to lawful requests.
Cookies
Whooshly uses essentially one cookie: a first-party authentication cookie that keeps you logged in to your account. There may also be strictly-necessary security cookies set by our infrastructure provider to protect the Service. We do not use advertising cookies, and we do not use third-party cross-site tracking cookies.
How we share information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only in these limited ways:
- Cloud and hosting infrastructure. The Service runs entirely on our cloud and edge infrastructure provider, which hosts our compute, database, cache, analytics, and queues. Because the Service runs on this infrastructure, your data is processed there on our behalf.
- Payment processing. Our payment processor acts as the merchant of record. To enable checkout, we send it your email and an internal account identifier along with the product you selected; it returns billing and subscription status so we can apply your entitlements. Your card details go to it directly and never to us.
- Google sign-in. If, and only if, you choose to sign in with Google, you authenticate with Google and we exchange standard sign-in information with it.
- Legal and safety. We may disclose information if required by law, or where we believe in good faith that disclosure is necessary to comply with legal process, enforce our terms, or protect the rights, safety, or property of our users, the public, or us.
- Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this Privacy Policy.
Data retention
We keep your account information and the content you create for as long as your account is active. When you delete an item, it is removed; when you delete your account, your associated data, including your sessions, sign-in identities, links, vCards, QR configurations, UTM templates, custom domains, credit ledger, and analytics rows, is removed along with it.
For analytics, the dashboard on the Core tier shows roughly the most recent 30 days of activity. The Pro tier extends how long your country and device breakdowns are retained. Exact per-day click and scan totals are kept while the related link and account exist and are removed when you delete the link or your account.
You can ask us to delete your account and associated data at any time by contacting us at the address below.
Data security
We take reasonable measures to protect your information. Account passwords and Pro link passwords are stored only as cryptographic hashes, never in plaintext. Data is transmitted over encrypted connections (HTTPS), and access to systems is controlled. Billing and credit entitlements are written only from signature-verified messages from our payment processor. No method of transmission or storage is completely secure, so while we work to protect your information, we cannot guarantee absolute security.
Your rights and choices
You can access and update much of your account information directly in the dashboard. You may also ask us to access, correct, delete, or provide a portable copy of your personal information, or to object to certain processing, by emailing us at legal@whooshly.co. We will respond consistent with applicable law.
If you are in the European Economic Area or the United Kingdom, you have rights under the GDPR, including the rights to access, correct, delete, restrict, object to, and port your personal data, and to lodge a complaint with your local data protection authority. Our legal bases for processing are: performance of our contract with you (to provide the Service), our legitimate interests (such as securing the Service and preventing abuse), your consent (such as when you choose Google sign-in), and compliance with legal obligations.
If you are a California resident, you have rights under California privacy law, including the rights to know, access, delete, and correct your personal information, and to not be discriminated against for exercising those rights. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
International data transfers
The Service runs on global cloud infrastructure, and your information may be processed and stored in countries other than your own, including the United States. By using the Service, you understand that your information may be transferred to and processed in those locations.
Children
The Service is not directed to, and may not be used by, anyone under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has provided us with personal information, please contact us so we can remove it.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the Last updated date at the top of this page. Your continued use of the Service after an update means you accept the revised policy.
Contact
For any privacy or data questions, or to exercise your rights, contact us at legal@whooshly.co. This Privacy Policy works together with our Terms of Service.