Security
How we protect your account, your links, and your data.
Whooshly is built on Cloudflare's global edge, and security is a default, not a paid tier. This page describes the practices we actually run.
Data in transit and at rest
- All traffic — the app, your short links, hosted vCards, and QR redirects — is served over HTTPS/TLS.
- Account passwords and Pro link passwords are stored only as cryptographic hashes, never in plaintext.
- We record only coarse, low-detail analytics on a click or scan (an approximate country, a device-type bucket, the referrer, and any UTM parameters). We do not build advertising profiles or track visitors across other sites.
Payments
Payments are processed by Polar, our merchant of record. You enter card details directly with Polar's hosted checkout — we never receive or store your card number. We keep only entitlement flags (whether your one-time purchase is unlocked, whether Pro is active) and a credit ledger.
Abuse prevention
We rate-limit sensitive endpoints, use a challenge (Turnstile) on the anonymous tools, and disable links, vCards, domains, or accounts that violate our Terms of Service.
Responsible disclosure
If you believe you've found a security vulnerability, please email contact@whooshly.co with the details and steps to reproduce. We'll acknowledge your report, investigate promptly, and we won't pursue action against good-faith research that avoids privacy violations, service disruption, or data destruction. Please give us a reasonable window to fix an issue before disclosing it publicly.
For how we collect and handle information, see our Privacy Policy.