If you’re not a user of the WhatsApp service (a “Non-user” or “you”), WhatsApp may process your mobile phone number if a WhatsApp user has your phone number saved in their device address book and chooses to share their contacts with WhatsApp.
If you’re a Non-user living in the United Kingdom (“UK”) WhatsApp LLC is the controller of your information. WhatsApp Ireland Limited is the controller of this information if you're a Non-user living in the European region. References in this Notice to "we", "us" or "our", should be interpreted to mean the relevant WhatsApp entity (i.e. WhatsApp LLC or WhatsApp Ireland Limited, as applicable) identified above as the controller of your information.
About contact upload - how it works
Contact upload allows users to choose whether to give WhatsApp permission to discover if contacts in their device address book are WhatsApp users. If so, WhatsApp can add those phone numbers to the user’s WhatsApp contact list and keep the list updated. WhatsApp also updates users’ contact list once any of their contacts who are Non-users join WhatsApp later.
How do we use a Non-user’s information?
When a user chooses to use contact upload, the phone numbers in the user’s device address book are uploaded on a regular basis to our servers, typically daily, but this depends on various factors including how often a user uses WhatsApp, to ensure their information is kept up to date. This includes phone numbers of both WhatsApp users and other contacts who aren’t currently WhatsApp users (i.e. Non-users). We don’t collect any of the other information that could appear in a user’s device address book including names, email addresses, etc.
We manage Non-user phone numbers in a way that is designed to prevent Non-users from being identified by WhatsApp through creating a cryptographic hash value from the Non-users’ phone numbers. We don’t store Non-users’ phone numbers, we only store these cryptographic hash values. Each cryptographic hash value is stored in a list on WhatsApp's servers, linked to the WhatsApp users who uploaded the corresponding phone numbers before they were hashed.
We use the cryptographic hash values created from Non-users’ phone numbers to enable users to connect more quickly and efficiently with people in their device address book when they join WhatsApp.
Separately, we also use a cryptographic hash representation of the phone numbers from the WhatsApp user’s device address book to detect and combat misuse of contact upload by assessing the hashes to determine whether there have been unusual changes in the device address book. This does not involve tracking or comparing individual phone numbers.
How is this information used if a Non-user becomes a WhatsApp user?
If you are listed in the device address book of a user who uses contact upload, and you subsequently join WhatsApp, this information is used to help us automatically update their WhatsApp contact list to show that you can now be contacted via WhatsApp. We update users' contact lists immediately after you join WhatsApp but sometimes contact lists can take longer to update.
What is our legal basis for this processing?
We rely on our legitimate interests and the legitimate interests of our users to briefly process Non-users’ phone numbers and then store the cryptographic hash values in the manner described above. More specifically, we rely on our legitimate interests in operating and providing the WhatsApp service to our users and keeping WhatsApp safe and secure, and the interests of our users in more efficiently connecting with their contacts who join WhatsApp.
Retaining Non-user information
When we collect Non-users’ phone numbers, we don’t store these phone numbers and we process them for no more than a few seconds to create the cryptographic hash values from them.
The cryptographic hash values are stored in a list on WhatsApp's servers, linked to the WhatsApp users who uploaded the phone numbers from which they were created, for as long as those users use contact upload and keep these phone numbers in their devices’ address books.
How Non-users exercise their data subject rights
Data subjects have the right to access, rectify, port, and erase their information, as well as the right to restrict and object to certain processing of their personal information (“Data Subject Rights”). To exercise those rights, contact us via this form or via the contact address provided below. Given that we do not store Non-users’ phone numbers and we only store cryptographic hash values which are designed to prevent WhatsApp from re-identifying your phone number, our ability to respond to your request and the information we can provide to you may be limited in practice. We hope this information addresses any queries you may have about how we process a Non-user’s personal information. However, if you have unresolved concerns and are living within:
- the European region, you also have the right to complain to WhatsApp’s lead supervisory authority under the GDPR, the Irish Data Protection Commission, or any other competent data protection supervisory authority;
- the UK, you also have the right to complain to the UK’s data protection authority, the Information Commissioner’s Office.
Third parties and transferring information as part of our global operations
We work with other Meta Companies that act as our service providers and provide services like data hosting and infrastructure services. However, Non-user phone numbers and cryptographic hash values are not shared with Meta Platforms, Inc. or other Meta Companies for their own use.
This means Non-users’ information will be transferred or transmitted to, or stored and processed in, third countries outside of the EEA for the purposes described in this Notice.
When the cryptographic hash values are transferred or transmitted to, or stored and processed, outside of the European Economic Area, WhatsApp Ireland Limited relies on:
- decisions from the European Commission where they recognise that certain countries and territories outside of the European Economic Area ensure an adequate level of protection for personal information.
- EU-U.S. Data Privacy Framework: WhatsApp LLC and Meta Platforms, Inc. have certified their participation in the EU-U.S. Data Privacy Framework. We rely on the EU-U.S. Data Privacy Framework, and the European Commission's related adequacy decision, for transfers of the cryptographic hash values to WhatsApp LLC and Meta Platforms, Inc. in the U.S. for the services specified in the certification of WhatsApp LLC and Meta Platforms, Inc. For more information, see the WhatsApp LLC’s Data Privacy Framework Disclosure and Meta Platforms, Inc.’s Data Privacy Framework Disclosure.
- Standard contractual clauses approved by the European Commission for these transfers.
When the cryptographic hash values are transferred or transmitted within the United States, or to third countries outside of the United States, WhatsApp LLC utilises standard contractual transfer mechanisms approved by the UK Government (the International Data Transfer Agreement or the International Data Transfer Addendum to the standard contractual clauses approved by the European Commission) for these transfers.
For example, WhatsApp uses Meta’s global infrastructure and data centers, which are located around the world including in the United States, to store the cryptographic hash values.
For a copy of these documents, please see our SCC Help Centre article.
Contact Us
If you have questions about this Data Notice or if you wish to contact the Data Protection Officer for WhatsApp, please use this form.
You can also write to us at the following address:
For WhatsApp Ireland Limited
Attn: Privacy Policy
Meta Platforms Ireland Ltd
Merrion Road
Dublin 4
D04 X2K5
Ireland
For WhatsApp LLC
Attn: Privacy Policy
1601 Willow Road Menlo Park
California 94025, USA
