Data Storage and Security

Whereby is built in Norway by a team that values privacy, transparency, and user control. We take the protection of your data seriously. We don’t sell or mine your information, and your data is securely stored in the EU in compliance with the General Data Protection Regulation (GDPR). All content is encrypted during transmission, and we strive to collect as little personal data as necessary to provide our service.

As part of our GDPR compliance, Meetings users can access, export, or delete their data directly from their profile. Below you’ll find answers to common questions about how we handle data and protect your privacy in Meetings. If your question isn't answered here, feel free to reach out at legal@whereby.com.

How is communication secured?

Room Access and Locking 

Video and audio in a Whereby Meetings room are only visible to participants inside the room. No one can listen in unless they are physically in the room – meaning they are visible to other participants.

However, since room URLs are public by default, it's possible for someone to guess or stumble upon a room name. To prevent uninvited access, we recommend locking your room using the Lock button in the room menu. When a room is locked, new participants must request access using the Knock feature, and only the room owner can admit them.

Chat

Chat messages are not stored permanently. They are relayed through our servers temporarily during a session to deliver messages to participants and only saved locally, in each participant's browser. When a participant leaves the room, the chat messages stored locally on their device are also removed.

Encryption and security

All communication between your browser and Whereby is encrypted using HTTPS (TLS). Real-time messaging is secured using encrypted WebSockets or HTTPS polling.

Large Room Size is only default for paid Meetings users. Free Meetings users have only an option to use Small Room Size.

Large Room Size

In Large Room Size, streams are encrypted in transit using DTLS-SRTP and relayed through Whereby’s dedicated video routers. While the streams are decrypted and re-encrypted during routing, they are never stored.

Small Room Size

For Small Room Size meetings, Meetings users enable peer-to-peer mode, which prioritizes end-to-end encryption. In this mode, video and audio streams are encrypted in transit using DTLS-SRTP and relayed through Whereby’s dedicated video routers. If a strict network (e.g. corporate firewall) blocks direct connections, traffic is relayed through a TURN server, but encryption is still maintained.

Whereby does not store any audio or video from your calls, regardless of the room size.

How we process media (audio/video) in Meetings

We do not store or access any audio or video content shared during meetings.

If you use the Local Recording feature (available on Meetings Pro and Meetings Business plans), recordings are created client-side and never uploaded to our servers. The person initiating the recording (must be a host) is responsible for obtaining participant consent and for handling the recorded file in accordance with data protection laws once it is downloaded.

As a reminder:

  • Large Room Size: Uses server infrastructure for reliability, with encrypted routing.
  • Small Room Size: Prioritizes peer-to-peer, end-to-end encrypted communication when networks allow.

Server Locations

Whereby operates a global infrastructure of video routers, ensuring users are connected to the closest available server. For example, users physically located in Europe will be routed to servers within the EEA.

These servers:

  • Are secured to prevent interception or unauthorized access
  • Do not store any media content
  • Cannot access or modify data streams
  • Only transmit data initiated and controlled by users

In accordance with GDPR Article 2(4), hosting providers do not determine the purpose or content of the data transmission. All user account data is stored in Ireland.

You can view more details about the types of data we process and the legal basis for each in our Privacy Policy or Data Processing Agreement.

Privacy 

We in Whereby are committed to safeguarding the privacy of our users. Our business model is to provide a paid service to users who need additional features on top of the Free version, and does not rely on widespread collection of general user data. We will only collect and process information that we need to deliver the service to you, and to continue to maintain and develop the service.

Whereby may collect, store and process various kinds of data, with different legal grounds, as listed in our Privacy Policy. For the categories of data that require your consent, we will actively ask you for consent before collecting any data. You can give and revoke your consents at any time in your Profile page in your account. Here you can also download a JSON file with the information we have stored about you, and delete your user account with all data. 

You can reference more of our security and privacy standards in our Terms of Service.

Privacy and GDPR

Whereby is committed to user privacy. Our Meetings business model is based on offering paid plans with additional features – not advertising. Whereby may collect, store, and process various kinds of data, with different legal grounds, as listed in our Privacy Policy. We collect only the data necessary to provide and improve our service.

You can reference more of our security and privacy standards in our Terms of Service.

Data Access and Consent

You can:

  • Review or change your data permissions from your Profile page
  • Export your stored data in JSON format
  • Delete your user account and all associated data

We will only request consent where legally required and allow you to manage your preferences at any time.

You can find more details in our Privacy Policy.

Is Whereby a Data Processor?

For customers on our Free plan, we decide what data we collect from users, and the purpose of processing. This, according to the definitions in GDPR, defines us as a Data Controller, and not a Data Processor with regards to our Free users. It is, therefore, not relevant for us to offer a Data Processing Agreement to individual customers. 

This is clearly defined in GDPR Article 1 "Definitions"

Point 7:  ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Point 8:   'processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;


Since our Free plan is only offered to individuals, and we do not enter into a corporate commercial agreement where your company instructs us to process personal information for you, every individual user of Whereby will be the data subject in the case where they sign up for an account with us, the Data Controller. A Data Processor is someone who only processes data on the Data Controller's requests and instructions, and within strictly defined purposes, e.g. a hosting provider. 

Our Privacy Policy states the following: 

"This policy applies where we are acting as a Data Controller with respect to the personal data of users of our Services; in other words, where we determine the purposes and means of the processing of that personal data. For content and data that you upload to or make available through the Service (“User Content”), you are responsible for ensuring this content is in accordance with our Terms of Service, and that the content is not violating other users’ privacy."

Regarding information that you choose to upload or share through Whereby, our Terms of Service state: 

"You are responsible for your use of the Whereby, including the lawfulness of any content displayed, shared, uploaded, or otherwise made available by you in the Service (“the User Content”). User Content includes room names, and you are responsible for ensuring room names do not include Prohibited User Content (as listed below). Your room names are used to construct the URLs identifying your rooms, and guests you invite, and other third parties can (request to) enter your rooms based on these URLs. As these guests do not need to authenticate to Whereby in order to do this, please be aware that room names must be considered public information. Do not include information that you do not want to make public in room names."

Data Processing Agreement (DPA)

For our paying customers, we offer a Data Processing Agreement. These plans allow companies and organizations to set up team accounts, and thus, have the ability that an admin user can import emails of other employees when inviting them (which constitutes Personal Identifiable Information). We have a Data Processing Agreement (DPA) as part of our Terms of Service for all our paying customers.

You can find the latest version of the Privacy Policy below. For transparency reasons, we have decided to keep the older versions available for our customers:

Data Processing Agreement 2022

DPA Spring 2021

Old DPA


How We Handle Payments

We use Stripe to securely process and store all payment information. Stripe is a globally trusted payment provider, certified as a PCI Service Provider Level 1, the highest level of certification available for payment processors. Your full credit card details are never stored on our servers, and Stripe is fully GDPR compliant.

We are PCI DSS SAQ-A compliant, and we are performing external vulnerability scans every quarter with an external approved scanning vendor (ASV).

Learn more about their security practices: