whatsapp.com privacy policy — score 45/100 (high risk)

Last analyzed

Run a new analysis on another policy

WhatsApp LLC · whatsapp.com

Report details

high risk

WhatsApp collects extensive metadata on your usage and device and shares it widely across Meta's family of companies, making it a concerning privacy choice despite its end-to-end encrypted messaging.

While WhatsApp provides end-to-end encryption for message content, the policy reveals massive metadata collection and broad data sharing with Meta companies for purposes including marketing and product improvement. The policy lacks transparency on international transfer safeguards and is entirely silent on AI training practices. For EU users, the reliance on WhatsApp Ireland Limited offers some GDPR coverage, but the global data flows and Meta integration present significant privacy risks.

Last analyzed
SourceURL
Length33,851 chars

Category Assessment

Breakdown of the policy across key compliance areas. Good = strong, fair = mixed, poor = concerning.

Data Minimizationpoor

Collects extensive metadata (battery level, signal strength, online status, interaction frequency) far beyond what is strictly necessary to deliver a messaging service.

Transparencyfair

The policy is clearly written and structured, but obscures the sheer volume of Meta sharing behind broad phrases like 'operate, provide, improve... and market.'

Third-party Sharingpoor

Data is broadly shared across the Meta family of companies for marketing and ad targeting purposes, and with unspecified third-party service providers.

International Transferspoor

Explicitly transfers data to the US and globally but completely omits mentioning the legal safeguards or transfer mechanisms used to protect EU data subjects.

AI/Model Trainingpoor

The policy is entirely silent on whether user data or metadata is used to train AI or machine learning models.

User Rightsfair

Basic rights like access and deletion are mentioned with in-app tools, but the policy lacks a comprehensive, explicit list of GDPR rights (like restriction, objection) and how to exercise them.

Key Findings

Notable clauses, issues, or positive practices discovered (critical first)

Critical

Broad Meta Data Sharing

The policy allows extensive data sharing with other Meta Companies for purposes beyond just providing the service, including marketing and showing relevant ads across Meta products, which raises serious GDPR proportionality concerns.

Critical

Extensive Metadata Collection

Despite end-to-end encryption for message content, WhatsApp collects a vast amount of metadata (device info, usage logs, location, identifiers) which creates a detailed profile of the user's behavior and interactions.

Critical

Vague International Transfer Safeguards

The policy admits to transferring data globally, including to the US, but fails to specify the legal mechanisms (like Standard Contractual Clauses) used to ensure EU-level data protection during these transfers.

Warning

Third-Party Contact Upload

The policy states users can upload their address books, meaning non-users' phone numbers are processed without their direct consent, although WhatsApp claims it manages this so individuals cannot be identified.

Consumer Takeaway

Your messages are private, but everything around them—who you talk to, when, how often, on what device, and where you are—is collected and shared with Meta to profile you and target ads across their platforms.

Compliance Posture

The policy attempts to comply with GDPR by routing EEA users through WhatsApp Ireland Limited, but the broad data sharing with Meta companies and global transfers without explicit mention of safeguards like Standard Contractual Clauses represent substantial compliance gaps under EU law.

EU Transfers

The policy explicitly states data is transferred to the US and globally using Meta's infrastructure, but fails to mention the legal mechanisms (like SCCs) used to legitimize these transfers post-Schrems II, which is a major red flag for EU compliance.

Detected Signals

Specific data points and practices identified in the text

Data Collected
Mobile phone numberProfile nameProfile pictureAbout informationMessages (temporarily up to 30 days if undelivered)Address book contactsStatus informationPayment and transaction dataCustomer support communicationsUsage and log informationDevice and connection informationLocation informationCookie data
Processing Purposes
Providing and improving servicesSafety, security, and integrityMarketing for WhatsApp and Meta CompaniesCommunicating with businessesPersonalizing features and contentShowing relevant offers and ads across Meta Company Products
Third-party Sharing
Other Meta Companies (Facebook, Instagram, etc.)Third-party service providersBusinesses on WhatsAppLaw enforcement and government requests
International Transfers
United StatesCountries where Meta affiliates are locatedCountries where service providers are locatedGlobal transfers for service provision

Evidence Snippets

Direct quotes from the policy supporting these findings

We are one of the Meta Companies. You can learn more further below in this Privacy Policy about the ways in which we share information across this family of companies.

We collect information about your activity on our Services, like service-related, diagnostic, and performance information. This includes information about your activity (including how you use our Services, your Services settings, how you interact with others using our Services...)

Your information may, for example, be transferred or transmitted to, or stored and processed in, the United States; countries or territories where the Meta Companies’ affiliates and partners... are located

You can use the contact upload feature and provide us, if permitted by applicable laws, with the phone numbers in your address book on a regular basis, including those of users of our Services and your other contacts.

Missing or Unclear

  • No mention of whether user data is used for AI or machine learning model training
  • No specific reference to the legal basis for international data transfers (e.g., SCCs or adequacy decisions) required under GDPR
  • No clear explanation of the specific categories of third-party service providers or a link to a subprocessor list
  • No explicit mention of the right to restrict processing or the right to object to profiling beyond the 'delete account' option

Questions to Ask

  • What specific legal mechanism (e.g., Standard Contractual Clauses) does WhatsApp rely on to lawfully transfer EU user data to the United States?
  • How can users explicitly opt out of their metadata being used for marketing or ad targeting across the broader Meta Company Products?
  • Is any user data or metadata used to train AI or machine learning models, and if so, how can users object?
  • What exact data points are shared with other Meta companies when a user simply opens the app, versus when they actively use a feature?
This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.

Share this analysis

Anyone with this link can view the result above.

Built by DentroChat

100% European AI chat for everyone

Chat with AI, work with files, generate images, and search the web. Data stays in Europe.

EU-hosted infrastructureText, files, images & web searchFast, Thinking & Creative modesPrivacy-first by defaultNo data leaves Europe
Try free →