Skip to content
Wisp

Privacy.

Plain English, no padding. The way Wisp handles your content is the load-bearing part of the product, not a footnote.

The one-paragraph version

Your video is encrypted in your browser before it reaches us. The encrypted blob is stored on Vercel Blob and deleted after the recipient views it once, or after 24 hours, whichever happens first. The decryption key is never stored on our servers — it lives in the URL fragment of the link the recipient receives, which browsers never include in network requests.

What we collect

  • Sender email + recipient email. Stored on the clip row so we can deliver the link and route any reply back.
  • Encrypted ciphertext + IV + ciphertext SHA-256.These are server-blind: we have the bytes, but no way to read them. The hash is the integrity fingerprint we use to verify the upload didn’t corrupt in transit.
  • Truncated IP and a coarse browser/OS hint (chrome/ios, etc.) attached to event records (sent / viewed / replied). Used for spam attribution if a recipient flags abuse. Not surfaced to senders. Truncated to /24 (IPv4) or /48 (IPv6) before storage.
  • Token balance per email. When you buy a token pack via Stripe, we increment your balance. We don’t store card data — Stripe holds it.

What we don’t collect

  • The plaintext video. We can’t see it.
  • The decryption key in any persisted form. (See the next section for the one transient exception.)
  • Browser fingerprints, third-party analytics, ad pixels.
  • Your name. The only identifier is your email.
  • Audio reply content. Same encryption story as the video — we hold the ciphertext, not the key.

The one transient exception about the decryption key

The link we email the recipient looks like wisp.video/v/<id>#k=<key>. The #k=... fragment is the decryption key. To compose that email, our server briefly handles the key in memory during the email-send step. We don’t log it,don’t persist it to the database, and don’t retain it after the email goes out.

If you don’t want the key to pass through our server even transiently, you can copy the link from the composer’s success screen and share it via your own channel — Signal, AirDrop, in-person. Email is the convenience path; it isn’t the only path.

Encryption details (for the curious)

We use the browser’s native Web Crypto API: AES-GCM with a 256-bit key and a 96-bit IV generated fresh per upload. AES-GCM is authenticated encryption (AEAD), so any tampering with the ciphertext or IV during transit will fail decryption rather than silently producing garbage. We don’t use any third-party crypto library — only the browser’s built-in implementation.

Retention

  • Encrypted blobs: deleted on first view, or after 24 hours if not viewed. Either way, gone within a day.
  • Clip metadata rows: kept for up to 180 days after the blob is deleted, so we can keep accurate counts of throughput. PII (sender + recipient emails) is part of this row; the actual content fingerprint is just a hash.
  • Token balance + Stripe records: kept indefinitely while you have tokens, since the alternative is forfeiture. You can request deletion of the balance and we’ll honor it on the next zero-out.
  • Webhook + idempotency logs: kept for 180 days for fraud / chargeback review.

Your rights

Email privacy@wisp.video for any of the following:

  • Delete my data. We’ll purge any remaining clip rows that reference your email and zero out your token balance. Token refunds for unused balance are at our discretion and depend on Stripe payout timing.
  • Tell me what you have. We’ll list the rows we hold for an email address, on request.
  • Fix something inaccurate. Self-explanatory.

Subprocessors

  • Vercel — application hosting and Blob storage. Vercel Blob holds the encrypted ciphertext only.
  • Neon — Postgres hosting for clip metadata and token balances.
  • Stripe — payment processing for token packs. Holds card data; we never see it.
  • Resend — transactional email delivery (the wisp link to recipients, the reply notification to senders).

Children

Wisp is for users 18+. The product involves recording video and voice replies; we’re not the right tool for under-18 users.

Changes

If we change anything material in this policy we’ll update the page and put a notice on the home page for at least two weeks. We’ll never quietly remove a privacy commitment.

Last updated: 2026-04-29. Wisp is operated from Scottsdale, Arizona. Questions? privacy@wisp.video.