Skip to main content
Whim is designed to keep your code and data secure. Here’s how we handle isolation, storage, and third-party data sharing.

Container isolation

Every task runs in its own isolated container on Fly.io. This means:
  • Your code is cloned into a fresh, ephemeral environment for each task
  • Containers are isolated from other users’ workloads — there’s no shared filesystem or process space
  • When a task completes or is archived, the container is destroyed along with its local data
Task containers are full Linux environments with their own filesystem, network stack, and process space. No other user can access your running container.

Workspace isolation

Whim enforces strict workspace-level isolation at the database layer using Row-Level Security (RLS):
  • All user-facing database tables enforce RLS policies
  • You can only read and write data belonging to workspaces you’re a member of
  • API requests from the frontend use a restricted key that enforces RLS automatically
  • Backend services use elevated access only when necessary for system operations
This ensures that even at the data layer, your tasks, files, comments, and settings are invisible to users outside your workspace.

Data storage

Data typeWhere it’s storedRetention
Task metadataSupabase (PostgreSQL)Retained while workspace is active
File attachmentsSupabase StorageRetained while associated task exists
Terminal outputContainer filesystemDestroyed with container
Git changesYour GitHub repositoryGoverned by your GitHub settings
User profilesSupabase (PostgreSQL)Retained while account is active

AI provider data policies

When you run a task, your code and prompts are sent to the AI provider you’ve selected (e.g., Anthropic for Claude, OpenAI for Codex, or models via OpenRouter). Each provider has its own data handling policies:
  • Anthropic (Claude) — does not train on your data when accessed via API
  • OpenAI (Codex) — does not train on API inputs by default
  • OpenRouter — routes to various model providers; each has its own policy
Whim does not control how third-party AI providers process your data. Review each provider’s data policy to understand how your code and prompts are handled.
Whim sends only the minimum context necessary for each task — your prompt, relevant file contents, and attachments.

Your rights

You can request access to or deletion of your personal data at any time. For data requests, visit whim.run/data-request.