NetRef Safety, Inc. (“NetRef,” “we,” “us,” or “our”) operates the Whistle platform, a purpose-built tool designed to help athletes identify, document, and respond to online abuse directed at them through social media channels.
We take privacy seriously. This Privacy Policy explains what data Whistle collects, how we use and protect it, who we share it with, how long we keep it, and the rights you have over your own information. Please read it carefully.
By connecting your social media account(s) to Whistle and using the platform, you agree to the practices described in this policy.
This policy applies to:
This policy does not apply to third parties whose content may be processed by Whistle (e.g., individuals who have sent abusive comments to an athlete’s account). Processing of that data is governed by applicable law and described in Section 4.
Whistle collects only the data necessary to provide its abuse-detection and moderation services. We collect data in three ways: directly from you, from connected social media platforms with your authorization, and automatically through your use of the platform.
Name and contact information:
Your name, email address, and any other contact details you provide when creating your Whistle account.
Account credentials and authorizations:
OAuth tokens and permissions you grant to allow Whistle to access your social media accounts. We do not store your social media passwords.
When you connect your Instagram account (or other supported platforms) to Whistle, we collect:
Your published content:
Posts, stories, captions, and other content you have published on your account.
Comments and mentions:
Comments posted on your content and posts that mention your account by other users.
Account metadata:
Account identifiers (e.g., username, user ID), follower counts, and other publicly available profile information associated with your account.
We only access content that is publicly visible or that you have explicitly authorized us to access.
Platform usage data:
Log data, IP addresses, browser type, device identifiers, and usage patterns when you access the Whistle web application.
Cookies and similar technologies:
We use cookies and similar tracking technologies to maintain your session and improve the platform. You can control cookies through your browser settings, though some features may not function correctly without them.
We use the data we collect for the following purposes:
Comments, mentions, and other social media content are analyzed using AI-assisted classification to identify potential abuse, harassment, hate speech, and other harmful content. This is the core function of Whistle.
Classification is performed with the assistance of third-party AI providers (see Section 6). Content is sent to these providers for analysis and is not retained by them for their own purposes beyond completing the classification task.
On your instruction, Whistle may take moderation actions on your behalf, including hiding, filtering, flagging, or deleting comments on your connected social media accounts. We take these actions only when you direct us to, either manually or through automated rules you have configured.
When you identify content as abusive or ask us to preserve evidence, Whistle can generate an evidence bundle for that content — a structured record containing the content text, associated metadata, and contextual information drawn from the data we already hold on your behalf. The first time an evidence bundle is downloaded, we record a cryptographic hash and timestamp of its contents to support chain-of-custody integrity, so the bundle can later be shown not to have been altered.
The information underlying an evidence bundle is retained for as long as your account is active, or until you ask us to delete it, subject to the exceptions described in Section 7 and Section 8 (for example, where you have already exported a bundle and submitted it to a platform or law enforcement, or where we are required to retain it to comply with law). Evidence bundles may be used to support reporting to platforms, law enforcement, or other relevant bodies at your request.
With your consent, anonymized or de-identified classification data may be used to improve the accuracy of Whistle’s abuse-detection models. Where we use your data for this purpose, we will take reasonable steps to remove or obscure information that could identify you or the individuals whose content was processed.
You may opt out of your data being used for model improvement at any time by contacting us at the address in Section 10. Opting out will not affect the quality of the service you receive.
We use automatically collected data (Section 3.3) to operate, maintain, secure, and improve the Whistle platform, including for authentication, fraud prevention, and troubleshooting.
Where applicable law requires us to identify a legal basis for processing personal data (including under the EU/UK General Data Protection Regulation), we rely on the following:
Contract:
Processing necessary to provide the Whistle service to you under our Terms of Service.
Consent:
Where we process data for model improvement or other optional purposes, we rely on your consent, which you may withdraw at any time.
Legitimate interests:
Processing necessary for our legitimate interest in improving the platform, preventing fraud, and ensuring security, where those interests are not overridden by your rights.
Legal obligation:
Processing required to comply with applicable law.
We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes. We share data only with the following categories of recipients and only to the extent necessary:
We use the following third-party service providers (data processors) to operate the Whistle platform. Each processor is bound by contractual obligations to process data only on our instructions and to protect it appropriately:
Supabase — Database and storage:
Your data, content, and evidence bundles are stored in Supabase’s managed database infrastructure.
Vercel — Application hosting:
The Whistle web application is hosted and served via Vercel.
OpenAI and/or Anthropic — AI content classification:
Social media content is transmitted to our AI provider(s) for abuse classification. Under our commercial agreements, these providers do not use the content to train their models and do not use it for any purpose other than returning a classification result. Content may be retained transiently by the provider for a limited period (generally up to 30 days) for security and abuse-monitoring purposes before deletion.
When Whistle takes moderation actions on your behalf (e.g., hiding a comment), this necessarily involves communicating with the relevant social media platform’s API. The platform’s own privacy policy governs the data involved in those interactions.
We may disclose data if required to do so by law, court order, or governmental authority, or where we believe in good faith that disclosure is necessary to protect the safety of any person, to address fraud or security issues, or to protect our legal rights.
If NetRef Safety is acquired by or merged with another company, or if we sell substantially all of our assets, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Whistle platform before your data becomes subject to a different privacy policy.
We retain personal data for as long as it is needed to provide the Whistle service to you and for the purposes described in this policy. We delete or irreversibly anonymize it when it is no longer needed for those purposes, or when you ask us to delete it, except where we are required to keep it for longer.
In practice, this means:
When you close your account or ask us to delete your data, we will delete or irreversibly anonymize the personal data we hold about you within 30 days, except where we are required to retain specific information to comply with a legal obligation, or for the establishment, exercise, or defense of legal claims — for example, evidence you have already exported and submitted to a platform or law enforcement. We will tell you if such an exception applies to your request.
Subject to applicable law, you have the following rights regarding your personal data:
To exercise any of these rights, contact our Privacy Owner at the details in Section 10. We will respond to all valid requests within 30 days. We may need to verify your identity before processing your request.
If you are located in the EU, UK, or another jurisdiction with a supervisory authority, you also have the right to lodge a complaint with that authority.
NetRef Safety operates and hosts the Whistle platform in the United States. If you are accessing Whistle from outside the United States, please be aware that your personal data will be transferred to, stored, and processed in the US.
The data protection laws of the United States may differ from those in your home country. Where required by applicable law, we will put in place appropriate safeguards for international transfers of personal data, including Standard Contractual Clauses approved by the European Commission or equivalent mechanisms.
Sarah Husain is the Privacy Owner for Whistle and the designated point of contact for all privacy-related questions and data subject requests.
You can reach us at:
Email:privacy@netrefsafety.com
Location: San Francisco, California, United States
Our full business mailing address is available on request by emailing privacy@netrefsafety.com. We will respond to privacy inquiries and data subject requests at the email address above; see Section 8 for how we handle and verify those requests.
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. We will notify you of material changes by:
The “Effective Date” at the top of this document indicates when this version of the policy was last updated. Your continued use of Whistle after the effective date of a revised policy constitutes your acceptance of the changes.