Legal
Privacy Policy
Last updated: June 2026
The short version
We built WHIG so that even we cannot see what is in your home. Your video walkthrough is processed to extract an inventory, then deleted from our servers. Your inventory is encrypted on your device and delivered to your chosen storage. Beyond basic account details, we hold only cryptographic fingerprints that prove your record is genuine. We can never reconstruct what you own from what we store.
What we collect
- Email address for account creation and communications.
- Country and property type (e.g. house, apartment, 3 bedrooms) for valuation calibration.
- Room labels (e.g. “Kitchen”, “Garage”). Names only, never contents.
- Processing job metadata (status, timestamps, step completion). No inventory content.
- Sealed record fingerprints: cryptographic hashes and digital signatures that prove the authenticity and date of your record. These contain no item names, values, or content of any kind. See What is a sealed record? below.
What we never collect or store
- Item names, brands, or model numbers
- Individual item values
- Inventory content of any kind
- Transcript text
- Video or audio files after processing (deleted, not archived)
- Insurance policy documents
- Anything that could reconstruct what you own
If WHIG were breached, an attacker would find email addresses, country and property type, room labels, processing job metadata, device identifiers, and cryptographic hashes and signatures. Nothing about what anyone owns. By design.
How your data is processed: two separate paths
Every walkthrough produces two completely separate outputs, generated by separate systems with no shared state. They never meet again.
Path A: Your personal inventory
Your full inventory (items, values, photos, transcript) is encrypted on your device and delivered to your chosen storage destination (Google Drive, iCloud, your device, or S3-compatible storage). WHIG does not retain a copy. After delivery is confirmed, all processing files are deleted from our servers.
Path B: Anonymised aggregates
With your consent, anonymised category-level aggregates are contributed to improve estimates for all users. This data contains:
- Country and region band
- Property type and bedroom count (rounded to a band in sparse regions, see below)
- Category (e.g. “Electronics”), aggregate value, and item count
It does not contain: user identifiers, item names, brands, individual values, timestamps, or anything that could identify you or reconstruct your inventory.
Aggregates for a profile are published only once at least 50 households of a similar profile in a region have contributed; smaller groups are suppressed entirely. In sparse regions (fewer than 200 contributions), bedroom count is rounded to bands (1-2 / 3-4 / 5+) and household size is dropped entirely, so that fewer, larger groups reach the threshold.
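The two thresholds above (50 households per profile, coarser profiles below 200 contributions in a region) are a small-cell suppression rule. The following is an added example of how such a rule can be applied, written for this page and not WHIG's own code; the input field names, the sample households, and the treatment of household size as part of the profile key are assumptions.

```python
from collections import Counter, defaultdict

# Thresholds as stated in the policy.
MIN_HOUSEHOLDS = 50        # a profile is published only with >= 50 contributing households
SPARSE_REGION_LIMIT = 200  # regions with fewer contributions get coarser profiles


def bedroom_band(bedrooms: int) -> str:
    """Round a bedroom count to the 1-2 / 3-4 / 5+ bands used in sparse regions."""
    if bedrooms <= 2:
        return "1-2"
    if bedrooms <= 4:
        return "3-4"
    return "5+"


def profile_key(c: dict, sparse: bool) -> tuple:
    """Grouping key for one contribution. In a sparse region the bedroom count is
    banded and household size dropped, so fewer, larger groups exist."""
    if sparse:
        return (c["country"], c["region"], c["property_type"], bedroom_band(c["bedrooms"]), None)
    return (c["country"], c["region"], c["property_type"], str(c["bedrooms"]), c["household_size"])


def aggregate(contributions: list[dict]) -> list[dict]:
    """Turn per-household contributions into publishable category-level rows.

    Each contribution (assumed shape) has country, region, property_type, bedrooms,
    household_size and categories: {category: (total_value, item_count)}.
    user_id and recorded_at are never read, so they cannot reach the output."""
    per_region = Counter((c["country"], c["region"]) for c in contributions)
    groups: dict[tuple, list[dict]] = defaultdict(list)
    for c in contributions:
        sparse = per_region[(c["country"], c["region"])] < SPARSE_REGION_LIMIT
        groups[profile_key(c, sparse)].append(c)

    rows = []
    for (country, region, ptype, bedrooms, hh_size), members in sorted(groups.items(), key=str):
        if len(members) < MIN_HOUSEHOLDS:
            continue  # small cell: suppressed entirely, not published
        totals: dict[str, list] = defaultdict(lambda: [0.0, 0])
        for m in members:
            for category, (value, count) in m["categories"].items():
                totals[category][0] += value
                totals[category][1] += count
        for category, (value, count) in sorted(totals.items()):
            rows.append({
                "country": country, "region": region, "property_type": ptype,
                "bedrooms": bedrooms, "household_size": hh_size,
                "category": category, "households": len(members),
                "aggregate_value": value, "item_count": count,
            })
    return rows


def constructed_contributions() -> list[dict]:
    """Constructed sample data (not real households)."""
    def household(region, bedrooms, hh_size, uid):
        return {"user_id": uid, "recorded_at": "2026-03-01T09:00:00Z",  # in input, never in output
                "country": "AU", "region": region, "property_type": "house",
                "bedrooms": bedrooms, "household_size": hh_size,
                "categories": {"Electronics": (5000.0, 12), "Furniture": (8000.0, 20)}}
    data = []
    # Dense region: 250 identical profiles, so exact bedroom count and household size are kept.
    data += [household("NSW-metro", 3, 4, f"u{i}") for i in range(250)]
    # Sparse region: 60 households split 30/30 between 3 and 4 bedrooms. Without banding
    # each would be a 30-household cell (suppressed); banded to "3-4" it publishes.
    data += [household("NSW-rural", 3 + (i % 2), 2 + (i % 3), f"r{i}") for i in range(60)]
    # Tiny region: 20 households, below MIN_HOUSEHOLDS even after banding, so suppressed.
    data += [household("NT-remote", 3, 3, f"t{i}") for i in range(20)]
    return data


if __name__ == "__main__":
    for row in aggregate(constructed_contributions()):
        print(row)
```

Running it publishes four rows (two profiles, two categories each) and silently drops the 20-household region; the rural region only reaches the threshold because banding merged its two 30-household cells.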
How we use aggregate data
The anonymised aggregate dataset has commercial value. We may licence it in aggregate form to third parties in the insurance, actuarial, and property industries. This is part of how WHIG is funded and improved.
This data cannot be traced back to you: it contains no user identifiers, item names, or individual values, and the publication thresholds above exist so that no single household can be distinguished within a group.
You can opt out at any time from Settings in the app. Past contributions cannot be individually extracted (they are aggregated at generation with no individual record retained). Opting out means future walkthroughs will not contribute aggregates.
Users who opt in receive more accurate estimates (calibrated against real households in their area). Users who opt out receive estimates based on industry baselines only.
Encryption
A 256-bit encryption key is generated on your device and protected by the iOS Secure Enclave or Android Keystore (hardware-backed on devices that support it). The key is biometric-gated: it can be unlocked only with your Face ID or fingerprint. We never have access to this key, and your inventory is encrypted before it leaves your device.
Data deletion
Processing files (video, audio, temporary data)
Deleted from our servers as soon as delivery to your chosen storage is confirmed. Target: under one hour. A hard-limit lifecycle policy on our storage infrastructure ensures deletion within 24 hours regardless of delivery confirmation status. This is a safety net, not the normal timeline.
Receipt matching data
If you use the receipt matching feature, extracted receipt fields (retailer, item, amount, date) are held temporarily for on-device matching. Full email content, headers, and attachments are discarded immediately after field extraction. Unmatched receipt data is automatically deleted after 7 days.
Account deletion
You can delete your account at any time from Settings. This deletes all personal data (recording metadata, account information, processing history). Sealed record fingerprints (hashes and signatures only, no content) are retained for verification purposes. Previously contributed anonymised aggregates cannot be individually extracted or deleted, as they contain no user identifier.
What is a sealed record?
A sealed record is a set of cryptographic fingerprints (SHA-256 hashes and AWS KMS digital signatures) that prove your walkthrough was recorded on a specific date and has not been altered since. It is approximately 2-5 KB per walkthrough.
A sealed record contains:
- Session identifier and timestamps
- Hashes of audio, video, transcript, inventory, and PDF documents
- Digital signatures from AWS Key Management Service
A sealed record does not contain:
- Item names, values, or descriptions
- Transcript content
- Images or video frames
- Anything that reveals what you own
Sealed records are stored permanently in our database for verification purposes. They allow us (or a third party) to confirm that a document is genuine and unaltered without accessing its contents: the verifier recomputes the document's SHA-256 hash and checks it against the signed record, and a single changed byte produces a different hash.
Device information
A device identifier is stored in your sealed record to support authenticity verification. This identifier is excluded from any share packages sent to third parties, as it is personally identifiable information. Access to the device identifier in the sealed record is available only through legal process.
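The sealed record and device identifier sections above describe a hash manifest signed by AWS KMS, from which a third party can check a document without seeing it and from which the device identifier can be withheld. The following is an added example of that flow, written for this page and not WHIG's own code. Assumptions: the field names; FakeKms, an offline stand-in that mirrors the boto3 kms.sign and kms.verify argument and response shapes but uses HMAC instead of an asymmetric KMS key; and the salted device commitment, which is one way to keep the identifier out of share packages without breaking the signature (the page does not say how WHIG does this).

```python
import hashlib
import hmac
import json
import secrets


class FakeKms:
    """Offline test double for AWS KMS sign/verify (assumed interface mirroring
    boto3's kms.sign / kms.verify). Real KMS signs with an asymmetric key; this
    uses HMAC-SHA256 so the example runs without AWS. Never use it for real sealing."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}

    def create_key(self) -> str:
        key_id = "arn:aws:kms:example:key/" + secrets.token_hex(8)  # constructed id
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def sign(self, KeyId, Message, MessageType="DIGEST", SigningAlgorithm="ECDSA_SHA_256"):
        tag = hmac.new(self._keys[KeyId], Message, "sha256").digest()
        return {"KeyId": KeyId, "Signature": tag, "SigningAlgorithm": SigningAlgorithm}

    def verify(self, KeyId, Message, Signature, MessageType="DIGEST", SigningAlgorithm="ECDSA_SHA_256"):
        expected = hmac.new(self._keys[KeyId], Message, "sha256").digest()
        return {"KeyId": KeyId, "SignatureValid": hmac.compare_digest(expected, Signature)}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_digest(payload: dict) -> bytes:
    """SHA-256 over canonical JSON (sorted keys, no whitespace) so signer and
    verifier hash byte-identical input regardless of dict ordering."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()).digest()


def build_sealed_record(session_id, device_id, artifacts, recorded_at, kms, key_id) -> dict:
    """Hash each artifact, commit to the device identifier via a salted hash
    (assumed design), then sign the digest of the canonical payload."""
    salt = secrets.token_hex(16)
    payload = {
        "session_id": session_id,
        "recorded_at": recorded_at,  # ISO 8601 timestamp from the processing job
        "artifact_hashes": {name: sha256_hex(data) for name, data in artifacts.items()},
        "device_commitment": sha256_hex((salt + device_id).encode()),
    }
    resp = kms.sign(KeyId=key_id, Message=canonical_digest(payload),
                    MessageType="DIGEST", SigningAlgorithm="ECDSA_SHA_256")
    return {
        "payload": payload,
        "signature": {"key_id": key_id, "algorithm": resp["SigningAlgorithm"],
                      "value": resp["Signature"].hex()},
        # Restricted section: kept in the database, never placed in a share package.
        "device": {"identifier": device_id, "salt": salt},
    }


def verify_signature(record: dict, kms) -> bool:
    """Confirm the payload (hashes, timestamps, commitment) is exactly what was signed."""
    sig = record["signature"]
    resp = kms.verify(KeyId=sig["key_id"], Message=canonical_digest(record["payload"]),
                      Signature=bytes.fromhex(sig["value"]), MessageType="DIGEST",
                      SigningAlgorithm=sig["algorithm"])
    return bool(resp["SignatureValid"])


def verify_artifact(record: dict, name: str, data: bytes) -> bool:
    """Whoever holds the real document proves it matches the record; the record
    alone cannot yield the document (it holds only a hash)."""
    expected = record["payload"]["artifact_hashes"].get(name, "")
    return hmac.compare_digest(expected, sha256_hex(data))


def verify_device(record: dict, device_id: str) -> bool:
    """Needs the restricted section (salt), i.e. only possible through legal process."""
    salt = record.get("device", {}).get("salt", "")
    return hmac.compare_digest(record["payload"]["device_commitment"],
                               sha256_hex((salt + device_id).encode()))


def share_package(record: dict) -> dict:
    """What a third party receives: signed payload and signature, no device identifier."""
    return {"payload": record["payload"], "signature": record["signature"]}


if __name__ == "__main__":
    kms, key_id = FakeKms(), None
    key_id = kms.create_key()
    artifacts = {  # constructed stand-ins for the real files
        "video.mp4": b"\x00\x00\x00\x1cftypisom constructed video bytes",
        "transcript.txt": b"Kitchen: one espresso machine, one blender",
        "inventory.json": b'{"items":[{"name":"Espresso machine","value":900}]}',
    }
    record = build_sealed_record("sess-0001", "device-1234", artifacts, "2026-06-01T10:15:00Z", kms, key_id)
    pkg = share_package(record)
    print("signature valid:", verify_signature(pkg, kms))
    print("inventory matches:", verify_artifact(pkg, "inventory.json", artifacts["inventory.json"]))
    print("edited inventory rejected:", not verify_artifact(pkg, "inventory.json", b'{"items":[]}'))
    print("record size (bytes):", len(json.dumps(record)))
```

Two points the code makes concrete: the share package verifies on its own because the device identifier is never part of the signed bytes (only its salted commitment is), and any change to an artifact or to a payload field such as recorded_at fails verification without the verifier ever seeing item names or values.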
Your rights
- Access: Your inventory data is in your chosen storage. You have direct access at all times.
- Deletion: Delete your account from Settings. All personal data is removed; only sealed record fingerprints (hashes and signatures, no content) are retained, as described under Account deletion above.
- Opt out: Stop contributing anonymised aggregates at any time from Settings.
- Portability: Your Evidence Package includes JSON structured data that can be imported into any system that accepts JSON.
Applicable law
WHIG is designed to comply with privacy legislation across all markets we operate in, including the Australian Privacy Act 1988, UK GDPR, US state privacy laws (CCPA and equivalents), Canadian PIPEDA, and New Zealand Privacy Act 2020. Truly anonymised aggregate data is generally outside the scope of these frameworks; our opt-in consent model provides additional protection.
Contact
Questions about this policy? Get in touch.