privacy policy

your data is yours.

we collect the minimum possible and store it responsibly. here is the full picture — no legal fog.

effective: 31 may 2026

This Privacy Notice is issued under Article 13 of the EU General Data Protection Regulation (GDPR) (EU) 2016/679 and describes how Dmitry Popelyshko ("we", "the controller") processes personal data of users of whittly.dev.

1. Data controller

Controller · Dmitry Popelyshko (self-employed individual, Russian Federation)
Privacy email · privacy@whittly.dev
DPO · Not required — we do not process special categories of data and do not conduct large-scale systematic monitoring

2. What we collect — at a glance

$ cat privacy.txt
# what we collect
email          · only when you create an account
password       · bcrypt hash only — plaintext is never stored
api keys       · sha-256 hash only — raw key shown once, never stored
analytics      · umami analytics — cookieless, self-hosted, no third parties

# what we never collect
× anything you paste or type into the tools
× cookies, tracking pixels, fingerprints
× ip addresses (not stored or logged by us)
× name, phone, address, payment card details
× third-party ad networks or behavioural analytics

3. Legal basis for processing (Art. 6 GDPR)

Purpose · Legal basis
Account creation and authentication · Art. 6(1)(b) — performance of a contract to which the data subject is party
Providing access to service features · Art. 6(1)(b) — performance of contract
Sending service notifications (plan changes, security) · Art. 6(1)(f) — legitimate interests of the controller in maintaining the contractual relationship
Aggregate traffic analytics · Art. 6(1)(f) — legitimate interests; data is anonymised at collection, no cookies set

4. Data we process

4.1. When you create an account we store your email address and a bcrypt hash of your password. We store your plan status (free / pro). We cannot recover your original password from the hash.

4.2. If you generate API keys, we store a SHA-256 hash of each key. The raw key is displayed to you once and never stored by us.

4.3. When you use Pro cloud features (batch processing, large files), request content is transmitted to our server over HTTPS, processed in memory, and immediately discarded. We do not log, store, or inspect the content of requests.

4.4. Browser-based tools (JSON formatter, JWT decoder, Base64, regex, hash, etc.) run entirely in your browser. No data you enter ever leaves your device.

5. Data retention

5.1. Personal data is retained until you delete your account. Upon deletion, all associated data (email, password hash, API key hashes, operation history, saved presets) is permanently and immediately erased. There is no backup retention period.

5.2. Umami Analytics aggregate data contains no personal data and is not subject to a retention limit.

6. Third-party processors

6.1. We use Umami Analytics — an open-source, self-hosted analytics platform running on our own server (analytics.whittly.dev). Umami collects only aggregate data — page view counts and approximate visitor country. It receives no email addresses, no account data, and no request content. No data is transferred to any third party.

6.3. We do not use Google Analytics, Facebook Pixel, Hotjar, Mixpanel, or any other third-party tracking or advertising service. We do not sell or share personal data with any third party.

7. International data transfers

7.1. API server — Amsterdam, Netherlands (EU/EEA). Request processing takes place on a server located in the EU. No transfer outside the EEA occurs at the processing layer.

7.2. Database — Russian Federation. Account data (email, password hash) is stored in a database located in Russia. Russia does not have an EU adequacy decision under Art. 45 GDPR. The transfer is made on the basis of Art. 49(1)(b) GDPR — the transfer is necessary for the performance of the contract between you and the controller. By creating an account you explicitly acknowledge this transfer.

7.3. Analytics — our own server (EU). Umami Analytics is self-hosted on our own server in the EU. No analytics data is transferred outside the EEA.

8. Your rights under GDPR (Art. 15–22)

You have the following rights. To exercise any of them, email privacy@whittly.dev. We will respond within 30 days (Art. 12(3) GDPR).

Art. 15 · right of access
You may request a copy of the personal data we hold about you, together with information about how we process it, the legal basis, retention period, and any recipients.
Art. 16 · right to rectification
You may correct inaccurate personal data. You can update your email address in your account settings or contact us at privacy@whittly.dev.
Art. 17 · right to erasure ("right to be forgotten")
You may delete your account and all associated data at any time from your account settings. Deletion is immediate and irreversible. We retain no backups containing your data after deletion.
Art. 18 · right to restriction of processing
You may request that we restrict processing of your data (e.g. while the accuracy of data is contested). Contact us at privacy@whittly.dev. During restriction we will only store your data and not use it further.
Art. 20 · right to data portability
You may request your personal data in a structured, commonly used, machine-readable format (JSON). This applies to data you provided to us and which we process on the basis of contract performance. Email privacy@whittly.dev.
Art. 21 · right to object
Where we process data on the basis of legitimate interests (Art. 6(1)(f)), you may object to such processing. This applies to our aggregate traffic analytics. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Art. 77 · right to lodge a complaint
You have the right to lodge a complaint with the supervisory authority in your EU/EEA member state. A list of national supervisory authorities is available at edpb.europa.eu. We ask that you contact us first at privacy@whittly.dev so we can address your concern directly.

9. Cookies

9.1. whittly.dev sets no cookies — not for authentication, not for analytics, not for any other purpose. Authentication tokens are stored exclusively in your browser's localStorage on your own device.

9.2. Umami Analytics operates without cookies or fingerprinting. No cookie consent banner is displayed because there is nothing to consent to.

10. Changes to this notice

10.1. We may update this notice. The current version is always available at https://whittly.dev/privacy/. The effective date at the top of the page reflects the date of the last update.

10.2. For material changes affecting your rights we will notify account holders by email at least 10 days before the change takes effect.

Contact

For any privacy-related questions, data requests, or concerns — email privacy@whittly.dev. We will respond within 30 days as required by Art. 12(3) GDPR.

Effective date: 31 May 2026
