Privacy Policy
How Whenish collects, uses, stores, and protects personal data across accounts, events, invitations, and organiser workflows.
Current version
Effective date: 22 May 2026
Questions about personal data, access requests, or corrections can be sent to [email protected].
1. Introduction
Whenish ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use the Whenish scheduling platform (the "Service").
We act as the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you have any questions about how we handle your personal data, please contact us at [email protected].
2. Information We Collect
2.1 Information You Provide
- Account information: Your name and email address when you register.
- Credentials: Your password, which is stored as a one-way cryptographic hash — we never store your plain-text password.
- Event content: Titles, descriptions, dates, times, locations, and invitee information for events you create or join.
- Service database records: Account, event, invitation, comment, and related service records stored in our database may appear in restricted operational backups created for recovery and business continuity.
- Communications: Any messages or enquiries you send to us directly.
- Payment information: Subscription payments are handled directly by Paddle, our payment processor. We do not store your card or banking details.
2.2 Information Collected Automatically
- Log data: IP address, browser type and version, device information, pages visited, and access timestamps.
- Usage data: Features you use, events you create or join, and actions you take within the Service.
- Cookies and similar technologies: See Section 7 for full details.
3. Legal Basis and How We Use Your Information
We only process your personal data where we have a lawful basis to do so. The table below sets out our processing activities and the corresponding legal bases under the UK GDPR.
| Purpose | Legal Basis |
|---|---|
| Creating and managing your account | Contract |
| Processing subscription payments | Contract |
| Sending transactional emails (event invitations, confirmations, password resets) | Contract |
| Creating operational backups and restoring the Service after incidents | Legitimate interests |
| Security monitoring and fraud prevention | Legitimate interests |
| Improving and developing the Service | Legitimate interests |
| Sending marketing communications | Consent |
| Complying with legal obligations | Legal obligation |
4. Information Sharing
We do not sell, rent, or trade your personal data to third parties. We may share your information with trusted third-party service providers solely to operate and improve the Service:
- Paddle: Our payment processor, for handling subscription billing. Paddle processes your payment data under their own privacy policy.
- Email service providers: To send transactional emails and, where required for service recovery, administrative backup notifications or backup files to authorised recipients.
- Analytics providers: Aggregated, anonymised usage data to help us understand how the Service is used and where it can be improved.
- Infrastructure providers: Cloud hosting and storage providers required to run the Service and maintain access-restricted operational backups.
- Law enforcement and regulatory bodies: Where we are legally required to do so, or where disclosure is necessary to protect our legal rights or the safety of others.
All third-party processors are bound by appropriate data processing agreements and are prohibited from using your personal data for their own independent purposes.
5. Data Retention
- Account data: Retained while your account is active, plus 30 days after account deletion to allow for recovery requests.
- Event data: Retained for the duration of your account plus 30 days after deletion.
- Payment records: Retained for 7 years to comply with UK financial and tax reporting obligations.
- Log and usage data: Retained for up to 12 months, after which it is deleted or fully anonymised.
- Database backup archives: Retained on a rolling business continuity schedule. We keep all backups for 7 days, daily backups for a further 16 days, weekly backups for 8 weeks, monthly backups for 4 months, and yearly backups for up to 2 years, subject to earlier deletion if storage limits require cleanup.
6. Your Rights Under UK GDPR
As a data subject, you have the following rights regarding your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within one month of receiving your request.
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request that we correct any inaccurate or incomplete data.
- Right to erasure: Request that we delete your personal data ("right to be forgotten"), subject to certain exceptions.
- Right to restriction: Request that we limit the way we process your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format for transfer to another service.
- Right to object: Object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent: Where processing is based on your consent, withdraw it at any time without affecting prior processing.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
7. Cookies
We use cookies and similar browser technologies to operate and improve the Service. The categories of cookies we use are:
- Strictly necessary cookies: Essential for the Service to function, including session management, authentication, and security features. These cannot be disabled.
- Preference cookies: Remember your settings, such as your chosen colour theme (light or dark mode).
- Analytics cookies: Collect aggregated information about how users interact with the Service to help us improve it.
You can control or disable non-essential cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Service.
8. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:
- Encrypted data transmission using TLS/HTTPS across the entire Service.
- Passwords stored exclusively as one-way cryptographic hashes using industry-standard algorithms.
- Database backup archives stored on access-restricted internal systems, with administrator-only access, monitored retention limits, and additional archive-level protection where configured.
- Regular security assessments and vulnerability monitoring.
- Access controls ensuring staff can only access data necessary for their role.
Where a backup file is generated for an authorised administrative recipient, it should be treated as confidential and stored securely, and any transient email or downloaded copy should be deleted once it has been archived into controlled records.
While we take all reasonable precautions, no system is entirely secure. We recommend you use a strong, unique password for your account and enable any additional security features available to you.
9. Children's Privacy
The Service is not directed at or intended for children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at [email protected] and we will take steps to delete that information.
10. International Data Transfers
In some cases, your personal data may be transferred to and processed in countries outside the United Kingdom or European Economic Area. Where such transfers occur, we ensure that appropriate safeguards are in place — such as Standard Contractual Clauses or adequacy decisions — to provide a level of data protection equivalent to that in the UK, in accordance with UK GDPR requirements.
11. Links to Third-Party Websites
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those third parties. We encourage you to read the privacy policies of any third-party sites you visit.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. We will notify you of any material changes by email and/or by posting a notice within the Service. The "Effective date" at the top of this page indicates when the current version was last updated. Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or the personal data we hold about you, please contact us:
- Data controller: Whenish
- Email: [email protected]
- General enquiries: [email protected]