My Events
Login
New Poll

Privacy Policy

Last updated: 29 May 2026

Whocan is a scheduling and polling tool, run by a two-person team based in Zurich. We know that privacy and trust go hand in hand, which is why we keep this policy short and honest. If anything is unclear, drop us a line: hello@whocan.org.

1. Controller

The controller responsible for processing under the GDPR and the Swiss Federal Act on Data Protection (FADP) is:

Petersen Software
Goldbacherstrasse 38
8700 Küsnacht, Switzerland
Email: hello@whocan.org
Website: whocan.org

2. What data we process and when

2.1 When you visit the website

When you access whocan.org, we process the technical information your browser sends automatically: IP address, date and time, browser type, operating system, the page you requested, and the referring URL. We need this data to deliver the site, defend against attacks, and diagnose errors. Legal basis: our legitimate interest (Art. 6(1)(f) GDPR). Server logs are automatically deleted after 30 days.

2.2 When you create a poll

You can create polls without an account. We then process the data you enter yourself: title, description, options (e.g. dates), optional settings, and — if you enable it — an email address we send the admin link to. Legal basis: performance of the service you requested (Art. 6(1)(b) GDPR).

2.3 When you respond to a poll

When you participate in a poll, we see the name you enter, your selection or answers, optionally a comment, optionally an email address (if the organizer requires it), and technical metadata (see 2.1). This data is visible to the poll's organizer. Retention: as long as the poll exists. You or the organizer can delete individual responses at any time.

2.4 When you create an account

An account is optional. If you create one, we store, depending on your sign-up method: email address and password hash (email registration), or the basic data passed by the sign-in provider, such as name and email (sign-in with Google, Apple, Facebook, Microsoft, Twitter, GitHub, or Yahoo). Passwords are stored only as salted hashes; we cannot see them in plaintext.

2.5 When you write to us

If you contact us by email (for support or feedback), we keep the conversation so we can reply, and delete it after no more than 24 months — unless legal retention obligations require otherwise.

3. Where your data is processed — and why we use US infrastructure despite our Swiss base

We are a Swiss team, but technically we run Whocan on Google Firebase (hosting, authentication, realtime database, cloud functions). Firebase is a service provided by Google LLC (USA), operated through Google Cloud EMEA Limited (Ireland). In practical terms: your poll and account data sits primarily in Google data centers within the EU, but access by US authorities under the US CLOUD Act cannot be legally ruled out.

We use Firebase because, as a small team, it lets us run a reliable, scalable service without operating our own server infrastructure. A fully Swiss or European alternative is currently not economically viable for us — we'd rather say that openly than hide behind a "Swiss Made" label and suggest a level of data sovereignty that doesn't actually exist. We're keeping an eye on alternatives like Hetzner, Exoscale, and Infomaniak, and will reassess in the future whether a migration is sensible and feasible.

The legal basis for the transfer to the US or to US affiliates is the EU Standard Contractual Clauses under Art. 46(2)(c) GDPR (see Google Cloud Data Processing Addendum) and the EU-US Data Privacy Framework.

4. Third-party services

4.1 Google Analytics 4

We use Google Analytics 4 (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin, Ireland) to understand which content on our site is in demand and which isn't. We anonymize IP addresses, use neither Google Signals nor User-IDs, and run no ads through GA4. The cookies GA4 sets are functional cookies. Retention: 14 months. You can object to tracking via the Google Analytics opt-out add-on or your browser settings. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

4.2 Google Search Console

We use Google Search Console to analyze the visibility of our site in Google Search. Search Console processes aggregated, anonymous query data — no personal data about our visitors.

4.3 Sign-in providers (OAuth)

If you choose to sign in to Whocan via Google, Apple, Facebook, Microsoft, Twitter, GitHub, or Yahoo, the provider in question passes the basic data needed for sign-in to us (typically: email and name). At the same time, the provider learns that you signed in to Whocan. This data flow only happens once you actively click the corresponding sign-in button — as long as you don't use these buttons, no data flows to these providers. Respective privacy policies:

5. What we don't do

To leave no room for misunderstanding, here's what we don't do:

  • We do not pass any data to Doodle. Whocan is a standalone alternative to Doodle. There is no technical connection, no API call, no data-sharing between Whocan and Doodle.
  • We do not run a Facebook Pixel, Meta Conversion Tracking, or LinkedIn Insight Tag. Facebook is integrated exclusively as an optional sign-in provider (see 4.3).
  • We do not sell your data — neither poll data, nor email addresses, nor behavioral profiles.
  • We do not build advertising profiles based on your use of Whocan.

6. Cookies and local storage

We use the following categories of cookies and similar storage technologies:

  • Necessary cookies / local storage: to keep you signed in and to make Whocan work technically. These cannot be turned off — without them the service does not function.
  • Analytics cookies (Google Analytics 4): see 4.1. Can be blocked via your browser.

7. Your rights (EU, EEA, Switzerland, UK)

If you reside in the EU, EEA, Switzerland, or the UK, you have the following rights vis-à-vis us under the GDPR or FADP:

  • Access to the personal data we hold about you (Art. 15 GDPR);
  • Rectification of inaccurate data (Art. 16 GDPR);
  • Erasure of your data ("right to be forgotten", Art. 17 GDPR);
  • Restriction of processing (Art. 18 GDPR);
  • Data portability (Art. 20 GDPR);
  • Objection to processing based on legitimate interest (Art. 21 GDPR);
  • Withdrawal of consent with effect for the future (Art. 7(3) GDPR);
  • Complaint to a supervisory authority (Art. 77 GDPR). UK: ICO. Switzerland: FDPIC.

Simply email us at hello@whocan.org — we respond within 30 days.

8. Your rights (US residents)

If you are a resident of a US state with a comprehensive consumer-privacy law — including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana, Delaware, Iowa, Tennessee, and others — you have, broadly, the following rights regarding personal information we have collected about you in the previous 12 months:

  • Right to know / access: request the categories and specific pieces of personal information we have collected.
  • Right to delete: request that we delete the personal information we have collected from you, subject to legal exceptions.
  • Right to correct: request that we correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information for cross-context behavioral advertising as those terms are defined under US state laws. No opt-out is required because there is nothing to opt out of.
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for the purpose of inferring characteristics about you.
  • Right to non-discrimination: we will not discriminate against you for exercising any of these rights.
  • California "Shine the Light" (Cal. Civ. Code § 1798.83): we do not disclose personal information to third parties for their direct marketing purposes.

To exercise any of these rights, email hello@whocan.org. We may need to verify your identity (typically by asking you to confirm the email address tied to your account or poll). You may also designate an authorized agent to make a request on your behalf.

We do not have actual knowledge of selling or sharing the personal information of consumers under 16 years of age.

9. Retention

We retain personal data only for as long as necessary for the purposes stated above or as required by law. Specifically:

  • Server logs: 30 days
  • Poll data: as long as the poll exists, or until deleted by you or the organizer
  • Account data: as long as you have an account, or up to 30 days after account deletion
  • Support conversations: max. 24 months
  • Google Analytics: 14 months

10. Data security

Whocan is served exclusively over HTTPS. Passwords are stored as hashes. Database access is restricted via Firebase Security Rules so that each poll can only be read and edited by authorized parties. Despite technical and organizational safeguards, no internet-based service can guarantee 100% security.

11. Changes to this policy

If our services or the legal landscape change, we update this policy. The date of the most recent update is shown at the top.

12. Contact

Privacy questions? Email us: hello@whocan.org.