Legal
Onlywhales AI operates a B2B API platform that enables businesses ("Customers") to integrate AI-powered companion and conversational experiences into their own products. This Privacy Policy describes how Onlywhales AI collects, uses, processes, and protects information in connection with our Services.
If you are an End User of a Customer's product, your primary privacy rights should be exercised with that Customer, who controls how your data is collected and used in their product.
Onlywhales AI, Inc. is the data controller for information collected from Customers (businesses and developers) using the platform.
Registered address: Wilmington, Delaware, USA
Privacy inquiries: contact@onlywhales.ai
Data Protection Officer (DPO): contact@onlywhales.ai
The privacy practices of our Customers with respect to their own End Users. Each Customer operates its own product and is independently responsible for its privacy disclosures to End Users. When a Customer submits End User data to our API, the Customer is the data controller of that data, and Onlywhales AI processes it solely on the Customer's behalf as a data processor.
| Data | Our Role | Governed By |
|---|---|---|
| Customer Account Data (email, name, billing) | Data Controller | This Privacy Policy |
| API usage logs and telemetry | Data Controller | This Privacy Policy |
| Customer Data (End User conversations via API) | Data Processor | Customer's Privacy Policy + our DPA |
When you register, we collect: full name, business email address, company name, country, phone number, and payment/billing information (processed by our payment provider; we do not store raw card numbers).
We automatically collect technical metadata related to your API interactions, including: API key identifiers (hashed), request timestamps, endpoint called, token counts (input/output), latency metrics, HTTP status codes, and IP addresses.
We do not log the content of API Inputs or Outputs by default.
When you visit our website or developer portal, we collect: IP address, browser type and version, operating system, pages visited, time on page, referrer URL, and cookie identifiers.
By default, we do not retain the content of Inputs or Outputs beyond the time needed to process and return the API response. Customers who opt into features such as persistent memory or conversation history may have session data stored as configured. Any such storage is governed by the Customer's subscription plan and our Data Processing Agreement.
If you contact us via email, support tickets, or feedback forms, we collect the content of those communications and associated metadata.
We do not intentionally collect sensitive categories of personal data (health data, biometric data, political opinions, religious beliefs, etc.) from our Customers or End Users. Customers bear responsibility for ensuring lawful processing of any sensitive data submitted through the API as part of conversation content.
| Purpose | Data Used | Basis |
|---|---|---|
| Provide and operate the Services | Account, API usage | Contract |
| Billing and payment processing | Account, usage | Contract |
| Security and fraud prevention | IP, usage anomaly | Legitimate interest |
| Service improvement & analytics | Aggregated / anonymized | Legitimate interest |
| Customer support | Account, communications | Contract |
| Legal compliance | As required by law | Legal obligation |
| Marketing communications | Business email | Consent / Legit. interest |
| Processing API Inputs/Outputs | Customer Data | Processor |
We do not use Customer Data (conversation content submitted via the API) to train or fine-tune our general AI models without your explicit written consent. Opt-in model training programs are available for Enterprise customers.
For individuals in the EEA, United Kingdom, and Switzerland, we process personal data under the following legal bases:
Processing necessary to provide the Services you have contracted for, including account management and API delivery.
Security monitoring, fraud prevention, service improvement, and direct marketing to existing customers — balanced against your fundamental rights.
Compliance with applicable laws, regulatory requests, and court orders.
Marketing to prospective customers; optional model training programs. Consent may be withdrawn at any time without affecting prior lawful processing.
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. We may share data in the following limited circumstances:
We engage trusted third-party vendors bound by data processing agreements:
We may disclose data when required by law, court order, or governmental authority, or to protect our rights, property, or safety, or that of others.
In the event of a merger, acquisition, or sale of assets, Customer data may be transferred to the acquiring entity subject to equivalent privacy protections. We will provide advance notice.
We may share data with third parties when you have explicitly consented to such sharing.
Onlywhales AI is based in the United States. If you access our Services from outside the United States, your data will be transferred to, stored, and processed in the United States and other countries where our service providers operate.
For transfers of personal data from the EEA, UK, or Switzerland to countries not recognized as providing adequate protection, we rely on:
| Data Category | Retention Period |
|---|---|
| Account Data | Account duration + 3 years |
| Billing Records | 7 years from transaction date |
| API Usage Logs (metadata only) | 90 days rolling |
| API Content — Default | Not retained (ephemeral) |
| API Content — Memory feature | Per Customer config, max 2 yrs |
| Support Communications | 3 years from resolution |
| Security & Audit Logs | 1 year |
When retention periods expire, data is securely deleted or anonymized. Customers may request earlier deletion through the developer dashboard or at contact@onlywhales.ai.
We implement technical and organizational measures including:
No method of electronic storage or transmission is 100% secure. Please report suspected security vulnerabilities promptly to contact@onlywhales.ai.
In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify affected Customers without undue delay and no later than 72 hours after we become aware of the breach.
Depending on your jurisdiction, you may have the following rights:
Submit a request to contact@onlywhales.ai with subject line "Privacy Rights Request." We will respond within 30 days (extendable to 90 days for complex requests, with notice). We will verify your identity before processing requests. Requests are free of charge unless manifestly unfounded or excessive.
If you are in the EEA or UK and believe we have not complied with applicable data protection law, you have the right to lodge a complaint with your local supervisory authority.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
| Category | Collected |
|---|---|
| Identifiers (name, email, IP) | Yes |
| Commercial information (billing, transactions) | Yes |
| Internet / network activity (usage logs) | Yes |
| Geolocation data (country level) | Limited |
| Professional / employment info (company, title) | Yes |
| Sensitive personal info (via payment processor) | No (processor only) |
| Biometric data | No |
Our Services are intended solely for use by businesses and professionals aged 18 and over. We do not knowingly collect personal information from children under the age of 13 (or the applicable age of digital consent in relevant jurisdictions).
We do not permit the use of our API to create products directed at children without appropriate parental consent mechanisms as required by COPPA and similar laws. Customers deploying applications that may be accessed by minors are solely responsible for compliance with COPPA, GDPR provisions for children's data, and all other applicable laws.
If we become aware that we have inadvertently collected personal information from a child under the relevant age of consent, we will take immediate steps to delete that information. Please contact contact@onlywhales.ai if you have concerns.
We use cookies and similar technologies on our website and developer portal:
The API itself does not use cookies.
Our website and documentation may contain links to third-party websites. We are not responsible for the privacy practices or content of such third parties. We encourage you to review their privacy policies independently.
Our Services may integrate with third-party tools (e.g., authentication providers, monitoring services). These are subject to their respective privacy policies. We select vendors who provide appropriate data protection guarantees.
We may update this Privacy Policy from time to time. We will notify you of material changes by:
Material changes will be communicated at least 30 days before they take effect. Your continued use of the Services after the effective date constitutes acceptance of the changes.
To request a prior version of this Privacy Policy, contact contact@onlywhales.ai.
General Privacy Inquiries: contact@onlywhales.ai
Data Protection Officer: contact@onlywhales.ai
DPA / Legal Requests: contact@onlywhales.ai
Security / Vulnerabilities: contact@onlywhales.ai
EU/EEA Representative (GDPR Art. 27): contact@onlywhales.ai
UK Representative (UK GDPR): contact@onlywhales.ai
Mailing Address: Attn: Privacy Team, Wilmington, Delaware, USA