A lengthy correction published today acknowledges that much of this was untrue or misleading. The newspaper now says that Whisper was working on its new ToS and privacy policies months before any reports were published, and that it doesn't store data on non-US servers.
Critically, the Guardian also clarified that Whisper cannot ascertain either the identity or location of Whisper users unless those users explicitly choose to share that information. Whisper does know users' IP addresses, but the correction notes that this is a "very rough and unreliable indicator of location." This undermines the Guardian's most significant claim: that Whisper tracked the location even of users who have opted out of its location feature, and that the latitude and longitude of such users was both available to technical staff, and shared with Whisper executives. This isn't possible with IP addresses alone.