Whisperstream Website Privacy Policy

Version 1.0

Effective 2026-04-26

This Website Privacy Policy explains how Lanreal Technologies Inc. ("Lanreal," "we," "us," or "our") collects, uses, shares, and retains personal information when you visit the Whisperstream marketing website at whisperstream.io (the "Website"). It also describes the rights you have with respect to that personal information and how to exercise them.

This Website Privacy Policy covers only the Whisperstream marketing website at whisperstream.io. It does not cover the Whisperstream desktop application for Microsoft Windows, which is governed by a separate Privacy Policy bundled with the application installer and published at https://whisperstream.io/privacy-app. If you are looking for information about how the desktop application handles your data, please refer to that document instead.

This Website Privacy Policy also does not cover your relationship with Polar Software Inc. ("Polar"), the Merchant of Record that processes your purchase when you buy a Whisperstream license. When you complete a purchase through the embedded checkout on the Website, Polar separately collects your name, email address, payment information, and billing address through its own checkout flow. That information is governed by your relationship with Polar and by Polar's privacy policy at https://polar.sh/legal/privacy. Lanreal does not directly collect your payment information.

The data controller responsible for the personal information described in this Website Privacy Policy is:

Lanreal Technologies Inc. 18 King Street East, Suite 1400 Toronto, Ontario M5C 1C4 Canada

Lanreal is a corporation incorporated under the Business Corporations Act (Ontario). Our registered office is in the Province of Ontario, and our operations are governed by Canadian federal and provincial law applicable therein.

Privacy Officer designation. In accordance with Canadian federal privacy law (the Personal Information Protection and Electronic Documents Act), Lanreal Technologies Inc. has designated a Privacy Officer responsible for compliance with this Website Privacy Policy. The Privacy Officer can be contacted at support@whisperstream.io. Throughout the remainder of this document, "Canadian federal privacy law" refers to the statute named above.

Under the European Union General Data Protection Regulation (GDPR), Lanreal is the "controller" of the personal information described in this Website Privacy Policy. Under the California Consumer Privacy Act (CCPA), Lanreal is a "business" that collects personal information about California residents through the Website.

All privacy-related communication, including data subject rights requests, complaints, and general questions about this Website Privacy Policy, should be directed to support@whisperstream.io. This is Lanreal's single privacy contact channel for the Website.

The Website is a static marketing site that promotes the Whisperstream desktop application and facilitates checkout. This section describes every category of information associated with your visit to the Website.

3.1 PostHog Cloud analytics data

The Website uses PostHog Cloud (the posthog-js SDK, EU instance at eu.i.posthog.com) to understand how visitors use the site. The SDK is configured in cookieless mode (cookieless_mode: 'always', persistence: 'memory') with Web Vitals performance reporting enabled (capture_performance: { web_vitals: true }), and operates as follows:

• The SDK does not set any cookies, and does not use localStorage, sessionStorage, or any other persistent browser storage. Nothing is written to or read from your terminal equipment beyond the ordinary loading and execution of JavaScript on the page.
• Each event you generate is associated with a server-side identifier derived by PostHog from a one-way hash of the project identifier, a daily-rotated random salt, your IP address, your user-agent string, and the website hostname. PostHog deletes the daily salt at the end of each calendar day, which makes the identifier non-reversible and rotates your effective identity every 24 hours.
• PostHog does not retain raw IP addresses against events captured in cookieless mode; the IP address is used only as input to the hash described above and to derive approximate geolocation (country, region, city) for aggregated analytics.

PostHog Cloud collects the following data points with each page view or custom event:

• event timestamp,
• page URL (including hostname, path, and dynamic route pattern),
• referrer URL and referring domain,
• a filtered subset of query parameters, including standard UTM campaign-attribution parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) when present in the page URL,
• geolocation (country, region, city, derived from your IP address),
• device operating system and version,
• browser name, browser version, and browser language preference,
• device type (desktop, mobile, or tablet),
• viewport dimensions and screen dimensions,
• timezone, and
• the version of the PostHog client library.

The SDK also reports Web Vitals performance metrics (Largest Contentful Paint, Interaction to Next Paint, Cumulative Layout Shift, and First Contentful Paint) for each page view. Web Vitals data is technical performance telemetry (rendering and responsiveness measurements sampled by the browser) and contains no information that identifies or profiles individual visitors.

This data is used by Lanreal in aggregated form to understand website traffic patterns. The cookieless server-side identifier described above does not track visitors across different applications or websites and rotates each day, so it cannot be used by Lanreal to build a long-term profile of an individual visitor.

In addition to automatic page view tracking, the Website sends the following custom events through the PostHog SDK to measure user engagement:

• download_clicked (with CTA label and page location),
• watch_demo_clicked,
• buy_clicked (with page location),
• checkout_session_created (with page location),
• purchase_completed (with product name and total amount),
• license_key_ready (with the number of polling attempts), and
• license_key_copied.

These custom events contain no personally identifying information. They record which buttons were clicked and in what context, not who clicked them.

3.2 Cloudflare DNS and CDN data

The Website uses Cloudflare for DNS resolution and is hosted on Cloudflare Pages. When you visit the Website, your request is resolved and served by Cloudflare's network. As part of standard CDN, DNS, and hosting operation, Cloudflare may:

• process your IP address to route your request,
• set a security cookie (__cf_bm or similar) to distinguish legitimate visitors from automated traffic and to mitigate abuse, and
• collect standard access logs for security and performance monitoring.

Cloudflare's processing of this data is governed by Cloudflare's privacy policy at https://www.cloudflare.com/privacypolicy/. Lanreal does not have access to Cloudflare's raw CDN or DNS access logs (a separate Cloudflare Logpush product that Lanreal does not enable). Worker invocation logs that Lanreal does access through Cloudflare Workers Observability are described separately in Section 3.4 below.

3.3 Polar embedded checkout data

When you click a purchase button on the Website, the Website creates a checkout session through Polar's API and opens an embedded Polar checkout modal (an iframe served by Polar). Inside that checkout modal, Polar collects:

• your name,
• your email address,
• your payment card information (processed by Stripe, Inc., Polar's payment processor), and
• your billing address, phone number, business name, and tax number (if you provide them).

This information is collected directly by Polar inside its own iframe. Lanreal does not see, handle, or store your payment card details. Lanreal receives from Polar, through its server-side API, the following data after a successful purchase:

• the checkout identifier (a Polar-generated UUID),
• the customer email address associated with the purchase,
• the product name and purchase total, and
• the license key generated for your purchase.

This data is used to render the post-purchase confirmation page on the Website (showing your email, product name, total, and license key). It is not stored in any Lanreal-operated database. The Website retrieves it from Polar's API at page load time and displays it in the browser. When you navigate away from the confirmation page, the data exists only in Polar's systems.

3.4 Server-side request logs and Cloudflare Workers Observability

The Website is served by Cloudflare's Workers platform (via Cloudflare Pages and the @opennextjs/cloudflare adapter). Two distinct categories of server-side log data exist for the Website:

• Cloudflare's own platform-level logs. Cloudflare's hosting infrastructure logs standard HTTP request metadata (including your IP address, request path, user agent, and timestamp) as part of its normal platform operation. These logs are controlled by Cloudflare and are governed by Cloudflare's privacy policy at https://www.cloudflare.com/privacypolicy/. Lanreal does not have access to or control over these platform-level logs.

• Worker invocation logs that Lanreal accesses through Cloudflare Workers Observability. Lanreal has enabled the Cloudflare Workers Observability product (Workers Logs and Traces) for the Website's server-side route handlers. Through this product, Lanreal can view individual Worker invocation records in the Cloudflare dashboard. Each record contains: HTTP method, request URL (excluding the request body), response status, request duration, IP address, user agent, and any exception messages or stack traces emitted by Lanreal's server-side code. Lanreal does not enable Cloudflare Logpush exports, Tail Workers, sampling, or any third-party log shipper, so this data does not leave Cloudflare's platform. Workers Observability data is retained on Cloudflare's platform for a short operational window equal to Cloudflare's default for Workers Logs on Lanreal's account (currently approximately three days at the time of writing), after which it is deleted. Lanreal uses this data only for operational observability, debugging, and security; it is not used for marketing analytics or visitor profiling. Lanreal's contemporaneous accountability record for this processing is at legal/operational-logs-basis.md in the Whisperstream repository.

Server-side request logs and the Cloudflare DNS and CDN data described in Section 3.2 are processed by the same provider under the same Cloudflare Customer Data Processing Addendum and the same privacy policy.

3.5 Information the Website does not collect

The Website does not collect the following:

• No user accounts. The Website does not have a registration or login system. There is no Lanreal-operated user database for the Website.
• No first-party cookies. The Website does not set any first-party cookies. The PostHog Cloud analytics SDK is configured in cookieless mode and does not set cookies on your browser.
• No contact form submissions. The Website does not have a contact form. Support requests are handled via email at support@whisperstream.io, and any personal information in those emails is governed by the email interaction itself, not by this Website Privacy Policy.
• No localStorage or sessionStorage. The Website does not use browser storage mechanisms to store personal information.
• No advertising identifiers or tracking pixels. The Website does not integrate Google Analytics, Meta Pixel, Google Tag Manager, or any comparable advertising or tracking service.

This section explains, for each category of information described in Section 3, the purpose for which Lanreal processes that information and the corresponding lawful basis under GDPR Article 6.

• PostHog Cloud analytics data (Section 3.1). The purpose is to understand how visitors use the Website so that Lanreal can improve its content, layout, and user experience. The lawful basis under GDPR Article 6 is Article 6(1)(f), Lanreal's legitimate interest in understanding aggregate website usage patterns, balanced against your interests and fundamental rights. Because the PostHog SDK is configured in cookieless mode (no cookies, no localStorage, no sessionStorage), does not track visitors across sites, derives a daily-rotating server-side identifier from a one-way hash with a daily-deleted salt, stores all data on PostHog's EU instance in Frankfurt, Germany, and produces only aggregated statistics, Lanreal considers the impact on your privacy to be minimal. Regarding the European Union ePrivacy Directive (Directive 2002/58/EC) Article 5(3) consent regime, Lanreal's position is that the processing qualifies for the strictly-functional "audience measurement" exemption as articulated by the French Commission Nationale de l'Informatique et des Libertes (CNIL) and comparable national-regulator guidance, because (i) PostHog acts only as Lanreal's processor for this Website, (ii) the cookieless daily-rotating identifier is not combined with data from other websites or applications, (iii) the processing is limited to aggregated audience-measurement purposes and not used for advertising or cross-context profiling, and (iv) raw IP addresses are not retained against events and are used only as input to the irreversible daily hash and to derive approximate geolocation. To the extent a national regulator considers Article 5(3) engaged notwithstanding the points above, Lanreal relies on the same audience-measurement basis as the qualifying lawful exemption.

• Cloudflare DNS and CDN data (Section 3.2). The purpose is to deliver the Website to your browser reliably and to protect the Website against malicious traffic. The lawful basis is Article 6(1)(f), Lanreal's legitimate interest in operating and securing the Website. Cloudflare's security cookies, if set, serve the strictly necessary function of distinguishing legitimate visitors from bots and are not used for advertising or analytics.

• Polar embedded checkout data (Section 3.3). The purpose of creating the checkout session and displaying order confirmation details is to complete the purchase you initiated. The lawful basis is Article 6(1)(b), performance of a contract, because the checkout flow is how you enter into the Whisperstream license agreement. Polar's own collection of your payment information inside its checkout iframe is governed by Polar's privacy policy, and Polar acts as Merchant of Record for the transaction.

• Cloudflare's own platform-level logs (Section 3.4). Standard HTTP request logs generated by Cloudflare's hosting platform serve Cloudflare's purpose of platform operation, security monitoring, and abuse prevention. The lawful basis is Article 6(1)(f), Lanreal's legitimate interest in maintaining the availability and security of the Website. These logs are controlled by Cloudflare; Lanreal does not access them.

• Cloudflare Workers Observability data (Section 3.4). The Worker invocation records that Lanreal accesses through Cloudflare Workers Observability serve Lanreal's purposes of operational observability, debugging, and security of Lanreal's server-side route handlers. The lawful basis is Article 6(1)(f), Lanreal's legitimate interest in operating a reliable and secure marketing website. This processing is distinct from the Cloudflare-controlled platform-level logs described in the preceding bullet because Lanreal is the controller for the read-side and uses the data for Lanreal's own purposes. Lanreal does not use Workers Observability data for marketing analytics, visitor profiling, retargeting, or any purpose beyond the three named here. The Article 6(1)(f) accountability record for this processing is at legal/operational-logs-basis.md in the Whisperstream repository.

Lanreal does not rely on your consent (GDPR Article 6(1)(a)) as the lawful basis for any of the processing described in this Website Privacy Policy. Lanreal does not engage in automated decision-making that produces legal or similarly significant effects within the meaning of GDPR Article 22.

The Website itself does not set any first-party cookies or use localStorage or sessionStorage for tracking purposes.

The PostHog Cloud analytics SDK described in Section 3.1 is configured in cookieless mode and does not set cookies, write to localStorage or sessionStorage, or otherwise store information on your terminal equipment.

The following third parties may set cookies or use similar technologies when you visit the Website:

• Cloudflare may set a security cookie (such as __cf_bm) to identify and mitigate malicious bot traffic. This is a strictly necessary cookie that serves a security function. It is not used for advertising, analytics, or cross-site tracking.

• Polar may set cookies inside its embedded checkout iframe when you initiate a purchase. These cookies operate within Polar's own domain and are governed by Polar's privacy policy.

Because the Website does not set analytics or advertising cookies, there is no cookie consent banner. The Cloudflare security cookie, if present, falls under the "strictly necessary" exemption recognized by the ePrivacy Directive (Directive 2002/58/EC, Article 5(3)) and by most national implementations of that directive, and does not require prior consent. The PostHog analytics processing is configured to qualify for the strictly-functional audience-measurement exemption described in Section 4, which Lanreal relies on as its alternative to consent under Article 5(3).

The Website relies on the following third-party services. The list below is exhaustive for the Website as it exists at the time of this policy's effective date.

1. PostHog Inc. (San Francisco, California, USA), website analytics. PostHog provides the PostHog Cloud analytics service described in Section 3.1. PostHog receives the analytics data points and custom events enumerated in Section 3.1. PostHog stores Lanreal's analytics data on its EU instance in Frankfurt, Germany. PostHog's processing is governed by PostHog's privacy policy at https://posthog.com/privacy and PostHog's Data Processing Addendum at https://posthog.com/dpa. PostHog's GDPR transfer mechanism includes both the European Commission's Standard Contractual Clauses and PostHog's certification under the EU-U.S. Data Privacy Framework.

2. Polar Software Inc. (Dover, Delaware, USA), Merchant of Record and checkout provider. Polar provides the embedded checkout modal described in Section 3.3 and processes your purchase. Polar receives the data enumerated in Section 3.3 directly from you within its checkout iframe. Polar's processing is governed by Polar's privacy policy at https://polar.sh/legal/privacy. Polar's GDPR transfer mechanism is the European Commission's Standard Contractual Clauses, as stated in Polar's privacy policy.

3. Stripe, Inc. (South San Francisco, California, USA), payment processor for Polar. Stripe processes your payment card information on behalf of Polar. Lanreal does not have a direct contractual relationship with Stripe for the Website's checkout flow. Stripe's involvement is governed by Polar's relationship with Stripe and by Stripe's privacy policy at https://stripe.com/privacy.

4. Cloudflare, Inc. (San Francisco, California, USA), DNS, CDN, website hosting (via Cloudflare Pages and Cloudflare Workers), and Workers Observability. Cloudflare provides DNS resolution, content delivery, the hosting platform that serves the Website, and the Workers Observability product through which Lanreal views Worker invocation logs (Section 3.4). Cloudflare receives the data described in Section 3.2, the platform-level hosting logs described in Section 3.4, and the Worker invocation data Lanreal accesses through Workers Observability. All of these processing activities are covered by the same Cloudflare Customer Data Processing Addendum (version 6.4, effective 2026-04-03), whose Annex I.B expressly contemplates "Personal Data processed in Customer Logs, such as IP addresses." No additional sub-processor is engaged for the storage of Workers Observability data; it is stored on Cloudflare's own infrastructure. Cloudflare's processing is governed by Cloudflare's privacy policy at https://www.cloudflare.com/privacypolicy/. Cloudflare's GDPR transfer mechanism includes both the European Commission's Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.

Lanreal does not share personal information with any other recipients. Lanreal does not disclose personal information to advertisers, data brokers, or social media platforms.

Lanreal is incorporated in Ontario, Canada. All four third-party services listed in Section 6 are incorporated in the United States. Personal information collected through the Website may therefore be transferred from your location to the United States and Canada.

This section summarizes the transfer mechanism for each service under Chapter V of the GDPR:

• PostHog Inc. (United States; EU data instance in Frankfurt, Germany). PostHog stores Lanreal's analytics events on its EU instance, which is physically located in Frankfurt, Germany. The Frankfurt storage location reduces transfer risk for data at rest but does not eliminate the Chapter V transfer, because PostHog Inc. (United States) remains the contracting processor with potential support and operational access rights under United States law. PostHog's GDPR transfer mechanisms include both the European Commission's Standard Contractual Clauses and PostHog's certification under the EU-U.S. Data Privacy Framework, which are intended to address that residual access risk, as described in PostHog's privacy policy and Data Processing Addendum.

• Polar Software Inc. (United States). Polar cites the European Commission's Standard Contractual Clauses as the transfer mechanism for personal information from the European Economic Area, as stated in Polar's privacy policy.

• Stripe, Inc. (United States). Stripe is Polar's payment processor. Stripe's transfers are governed by Stripe's privacy policy and by Polar's contractual relationship with Stripe. Lanreal does not implement a separate transfer mechanism for Stripe because Lanreal's relationship with Stripe is indirect (through Polar as Merchant of Record).

• Cloudflare, Inc. (United States). Cloudflare's GDPR transfer mechanisms include both the European Commission's Standard Contractual Clauses and the EU-U.S. Data Privacy Framework, as described in Cloudflare's privacy policy and Trust Hub.

If you are located in the European Economic Area, the United Kingdom, or Switzerland and wish to receive further information about these transfer mechanisms, please contact Lanreal at support@whisperstream.io.

Lanreal's retention posture for Website data is minimal because the Website does not operate its own database or user account system.

• PostHog Cloud analytics data. Analytics data is retained by PostHog on its EU instance for the duration of Lanreal's PostHog account, in accordance with PostHog's retention schedule. The daily-rotated server-side identifier described in Section 3.1 cannot be tied to a returning visitor because the salt used to derive it is deleted at the end of each calendar day. Aggregated analytics data (page view counts, referrer distributions, device breakdowns) is retained by PostHog for as long as Lanreal's PostHog account remains active. PostHog does not retain raw IP addresses against events captured in cookieless mode.

• Cloudflare DNS and CDN logs. Cloudflare retains access logs in accordance with its own retention schedule, as described in Cloudflare's privacy policy. Lanreal does not have access to these logs.

• Polar checkout data. Polar retains your purchase information (name, email, billing address, payment card details via Stripe) for the duration of your customer relationship with Polar and in accordance with Polar's own retention schedule and applicable financial record-keeping obligations. Lanreal does not store checkout data in any Lanreal-operated database. The confirmation page data described in Section 3.3 is retrieved from Polar's API at page load and exists only in your browser's memory during your session.

• Cloudflare's own platform-level logs. Cloudflare retains platform-level request logs in accordance with its own retention schedule, as described in Cloudflare's privacy policy. Lanreal does not control or have access to these platform-level logs.

• Cloudflare Workers Observability data. Lanreal accesses Worker invocation records through Cloudflare Workers Observability (see Section 3.4). This data is retained on Cloudflare's platform for a short operational window equal to Cloudflare's default for Workers Logs on Lanreal's account (currently approximately three days at the time of writing), after which Cloudflare deletes it. The data is not exported off Cloudflare's platform.

• Support emails. If you contact Lanreal at support@whisperstream.io, Lanreal retains the content of your email for the duration of the support interaction and deletes or anonymizes it once the matter is resolved.

Depending on where you live, you may have one or more of the rights listed in this section. Lanreal extends all of these rights to every Website visitor, regardless of jurisdiction, so that you do not have to prove residency to exercise a right.

Rights under the European Union General Data Protection Regulation (GDPR Articles 15 to 22):

• Right of access (Article 15): you may ask Lanreal to confirm whether we process personal information about you and, if so, to provide a copy of that information.
• Right to rectification (Article 16): you may ask Lanreal to correct any inaccurate personal information we hold about you.
• Right to erasure (Article 17): you may ask Lanreal to delete personal information we hold about you, subject to the statutory exceptions in Article 17(3).
• Right to restriction of processing (Article 18): you may ask Lanreal to restrict the processing of your personal information in the circumstances set out in Article 18(1).
• Right to data portability (Article 20): you may ask Lanreal to provide your personal information in a structured, commonly used, machine-readable format where the processing is based on consent or contract and is carried out by automated means.
• Right to object (Article 21): you may object at any time, on grounds relating to your particular situation, to processing of your personal information that is based on Article 6(1)(f) (our legitimate interests). This right applies to the PostHog Cloud analytics processing described in Section 3.1, the Cloudflare processing described in Section 3.2, the Cloudflare-controlled platform-level logs described in Section 3.4, and the Cloudflare Workers Observability data described in Section 3.4. If you exercise this right, Lanreal will cease the processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
• Rights in relation to automated decision-making (Article 22): not applicable. Lanreal does not engage in automated decision-making that produces legal or similarly significant effects within the meaning of Article 22.

Rights under the California Consumer Privacy Act (CCPA):

• Right to know what categories of personal information we have collected about you, the sources from which we collected it, the business or commercial purposes for collecting it, and the categories of third parties with whom we shared it.
• Right to delete personal information we collected from you, subject to the statutory exceptions in Cal. Civ. Code Section 1798.105(d).
• Right to correct inaccurate personal information we maintain about you.
• Right to limit use of sensitive personal information: not applicable. Lanreal does not collect sensitive personal information within the meaning of Cal. Civ. Code Section 1798.140(ae) through the Website.
• Right to opt out of the sale or sharing of personal information: not applicable. Lanreal does not sell or share personal information for cross-context behavioural advertising, as described in Section 11 below.
• Right to non-discrimination for exercising any CCPA right. Lanreal will not deny you access to the Website, charge you a different price, or provide a different level of service because you exercised a right under the CCPA.

Rights under Canadian federal privacy law:

• Right of access to personal information Lanreal holds about you.
• Right to correction of inaccurate personal information.
• Right to challenge compliance with this Website Privacy Policy and with Canadian federal privacy law generally. Challenges are directed to the Privacy Officer in the first instance (see Section 14).

How to exercise your rights. To exercise any of the rights above, email Lanreal's Privacy Officer at support@whisperstream.io with a description of your request and enough information for us to locate your personal information. Because the Website does not have user accounts and PostHog Cloud analytics data is aggregated under a daily-rotating, irreversible server-side identifier, Lanreal may not hold identifiable personal information about your Website visit. In that case, Lanreal will inform you that no identifiable personal information is held.

Verification. Because the Website does not maintain user accounts, identity verification for rights requests related to the Website will depend on the nature of the request. For purchase-related requests, Lanreal may verify your identity by confirming the email address associated with your Polar checkout.

Response timeline. Lanreal will acknowledge your request within a reasonable period and will respond substantively within 30 days of receipt. Under GDPR Article 12(3), Lanreal may extend this period by up to an additional 60 days where necessary, taking into account the complexity and the number of requests; if we need to do so, we will inform you of the extension and the reasons for it within the original 30-day window.

Authorized agents. California residents may use an authorized agent to submit a rights request on their behalf. If you do so, we may require the agent to provide written authorization from you and to verify their own identity.

The Website is not directed to children. Lanreal does not knowingly collect personal information from children under the age of 13 in the United States (consistent with the Children's Online Privacy Protection Act, or COPPA), or from children under the age of 16 in the European Economic Area (consistent with GDPR Article 8). If you are a parent or guardian and you believe your child has provided personal information to Lanreal through the Website, please contact us at support@whisperstream.io and we will take reasonable steps to delete that information.

This section supplements the rest of this Website Privacy Policy for California residents whose personal information is collected by Lanreal through the Website, and is provided in accordance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the "CCPA").

Categories of personal information collected. In the preceding twelve months, Lanreal has collected the following categories of personal information from or about California residents through the Website, as those categories are defined by Cal. Civ. Code Section 1798.140(o):

• A. Identifiers (such as real name, unique personal identifier, online identifier, IP address, email address, or similar identifiers): IP address is processed transiently by Cloudflare for DNS, CDN, and hosting routing and by PostHog as a hash input from which the daily-rotating server-side identifier and approximate geolocation shown in analytics are derived. PostHog does not retain raw IP addresses against events captured in cookieless mode and does not make them accessible to Lanreal. Cloudflare's CDN and DNS access logs are not accessible to Lanreal either. Lanreal does access per-request IP addresses through Cloudflare Workers Observability for Lanreal's server-side route handlers (see Section 3.4); this data is retained for a short operational window (Cloudflare's default, currently approximately three days) and is used only for operational observability, debugging, and security. No other identifier sub-categories are collected by the Website itself. Purchase-related identifiers (name, email) are collected by Polar and governed by Polar's privacy policy.
• B. Personal information categories listed in Cal. Civ. Code Section 1798.80(e): None collected by the Website itself. Name, address, and payment information are collected by Polar as Merchant of Record.
• C. Characteristics of protected classifications: None.
• D. Commercial information: None collected by the Website itself. Purchase records are maintained by Polar.
• E. Biometric information: None.
• F. Internet or other electronic network activity information: aggregated page view data, referrer URL and referring domain, filtered query parameters (including UTM campaign-attribution parameters), browser type and language, operating-system type, device type, viewport and screen dimensions, timezone, and Web Vitals performance metrics, as collected by PostHog Cloud (Section 3.1). This PostHog data is aggregated under a daily-rotating cookieless identifier and cannot identify individual visitors. In addition, Lanreal accesses per-request HTTP method, request URL (excluding request body), response status, request duration, and user-agent strings for Lanreal's server-side route handlers through Cloudflare Workers Observability (Section 3.4); this data is retained for a short operational window and is used only for operational observability, debugging, and security.
• G. Geolocation data: approximate geolocation (country, region, city) derived from IP address by PostHog Cloud, provided only in aggregated form.
• H. Audio, electronic, visual, thermal, olfactory, or similar information: None.
• I. Professional or employment-related information: None.
• J. Education information: None.
• K. Inferences: None.
• L. Sensitive personal information: None.

Sources of personal information. PostHog Cloud analytics data is derived from your browser's HTTP requests to the Website. Cloudflare data is derived from your DNS and HTTP requests as they pass through Cloudflare's network and the Cloudflare Pages hosting platform.

Business or commercial purposes for collecting personal information. Analytics data is collected for the business purpose of understanding aggregate website traffic patterns and improving the Website. Cloudflare data is collected for the business purpose of delivering the Website securely and mitigating abuse.

Categories of third parties with whom we share personal information. PostHog Inc. (analytics), Cloudflare Inc. (DNS, CDN, and Cloudflare Pages hosting), and Polar Software Inc. (checkout and payment processing), as described in Section 6.

Sale or sharing of personal information ("Do Not Sell or Share My Personal Information"). Lanreal does not sell your personal information to third parties in exchange for money or other valuable consideration, and Lanreal does not share your personal information for cross-context behavioural advertising. Lanreal has not sold or shared personal information about California residents in the preceding twelve months, and does not intend to do so. Because there is no sale or sharing, there is no "Do Not Sell or Share My Personal Information" link; this Website Privacy Policy, which discloses that the right is not applicable to Lanreal's practices, serves as the required disclosure under Cal. Civ. Code Section 1798.135.

Use of sensitive personal information. Not applicable. Lanreal does not collect sensitive personal information as defined by Cal. Civ. Code Section 1798.140(ae) through the Website.

How to submit CCPA requests. California residents may submit a right-to-know, right-to-delete, right-to-correct, or non-discrimination request by emailing support@whisperstream.io.

Lanreal implements security safeguards proportional to the sensitivity of the personal information the Website processes. Because the Website does not operate its own user database, does not store payment information, and does not collect individually identifying data, the attack surface is narrow by design. In particular:

• The Website is served over HTTPS. All connections between your browser and the Website are encrypted in transit.
• Cloudflare provides DDoS protection and bot mitigation at the DNS and CDN layer.
• The Polar checkout iframe is served from Polar's own domain over HTTPS. Payment card data is handled by Stripe within the checkout iframe and never passes through the Website's frontend or backend.
• The Website's server-side API routes (checkout session creation and license key retrieval) communicate with Polar's API over HTTPS using a server-side access token that is stored as an environment variable in Cloudflare Pages and is not exposed to the browser.
• PostHog Cloud analytics data is transmitted from the browser to PostHog's EU ingestion endpoint at eu.i.posthog.com over HTTPS.

No security program can guarantee absolute protection against all threats. If you become aware of a security issue affecting the Website, please contact Lanreal at support@whisperstream.io.

Lanreal may revise this Website Privacy Policy from time to time. When we revise it, we will change the version number at the top of this document. Minor clarifications that do not materially change how we collect, use, or share personal information will increment the minor version (for example, from 1.0 to 1.1). Material changes will increment the major version (for example, from 1.0 to 2.0).

How you learn about changes. The current version of this Website Privacy Policy is always available at the URL where it is published on the Website. When a material change is made, Lanreal will update the effective date at the top of the document and publish the revised version at the same URL. Lanreal does not currently operate a separate notification mechanism for Website Privacy Policy changes (such as email notification or a changelog page), because the Website does not maintain user accounts or an email list. This may change in a future version.

Third-party service changes. If Lanreal adds, removes, or replaces a third-party service listed in Section 6, that change will be reflected in a new version of this Website Privacy Policy.

If you believe that Lanreal has processed your personal information in a way that is inconsistent with this Website Privacy Policy or with applicable privacy law, please contact Lanreal first at support@whisperstream.io so that we have the opportunity to address your concern. Lanreal's Privacy Officer will review your complaint and respond within the timeline described in Section 9.

If you are not satisfied with Lanreal's response, you may also have the right to lodge a complaint with a supervisory authority:

• European Economic Area, the United Kingdom, and Switzerland: you have the right under GDPR Article 77 to lodge a complaint with the data protection supervisory authority of the Member State of your habitual residence, place of work, or the place of the alleged infringement.
• California: you may contact the California Privacy Protection Agency or the California Attorney General's Office for information about your rights under the CCPA.
• Canada (federal): you may file a complaint with the Office of the Privacy Commissioner of Canada (the "OPC") at https://www.priv.gc.ca/en/report-a-concern/, toll-free 1-800-282-1376. The OPC has the authority to investigate your complaint under section 11 of the Personal Information Protection and Electronic Documents Act, issue a Report of Findings, and make formal recommendations. If the matter remains unresolved after the OPC's investigation, section 14 of the Act grants you the right to apply to the Federal Court of Canada for a hearing.
• Canada (provincial): if you are a resident of Quebec, British Columbia, or Alberta, your provincial regulator may have parallel jurisdiction. You may contact Quebec's Commission d'accès à l'information at https://www.cai.gouv.qc.ca, the Office of the Information and Privacy Commissioner for British Columbia at https://www.oipc.bc.ca, or the Office of the Information and Privacy Commissioner of Alberta at https://www.oipc.ab.ca.

Nothing in this section limits any other right or remedy available to you under applicable law.

Questions, requests, and complaints about this Website Privacy Policy and about Lanreal's handling of personal information collected through the Website should be directed to Lanreal's Privacy Officer:

Privacy Officer Lanreal Technologies Inc. 18 King Street East, Suite 1400 Toronto, Ontario M5C 1C4 Canada

Email: support@whisperstream.io

Lanreal Technologies Inc. is the data controller for the personal information described in this Website Privacy Policy. The Privacy Officer is the designated contact for Canadian federal privacy law, for GDPR Articles 13 and 14, and for CCPA consumer requests.

Copyright (c) Lanreal Technologies Inc. All rights reserved.