Privacy notice.
This notice explains how Chat Compliance handles personal data – both as the controller of our own website and prospect data, and as the processor of customer data flowing through governed WhatsApp channels. We have tried to write it plainly. Where we have to be honest about the limits of what we can govern, we are.
- About this notice
- Who we are
- Our two-hat model: controller and processor
- Data we handle as a controller
- Data we handle as a processor
- Lawful bases under UK GDPR
- Special category data and safeguarding information
- Children's personal data
- The personal-device boundary
- End-to-end encryption: what changes and what does not
- International data transfers
- Retention
- Sub-processors and recipients
- Your rights and how to exercise them
- Cookies and analytics
- Security
- Personal data breaches
- Changes to this notice
- Complaints
- Contact us
About this notice
Chat Compliance provides governed WhatsApp groups to UK charities and care providers, with every message captured to a UK-hosted, tamper-evident archive. Because we operate at the intersection of a public marketing site, a SaaS product, and a regulated communications service, the relationships we have with personal data are not all the same. This notice covers all of them.
We have written this notice to be intelligible to a Data Protection Officer, a trustee, and an ordinary reader. Where we draw distinctions that have legal weight – between controller and processor, between operational data and content, between what we can and cannot reach – we have flagged them in plain language. If anything here is unclear, the contact details in section 20 are real and monitored.
Who we are
Chat Compliance is a service operated by [the Operator], a company registered in England and Wales (company number [number]), with its registered office at [registered office address] (in this notice, "we", "us", "our"). We are registered with the Information Commissioner's Office (ICO) under reference [ICO registration number].
For matters relating to this notice or any data we hold about you, please contact enquiries@chat.org.uk. For escalations specifically about privacy or data protection, please use compliance@chat.org.uk; that mailbox is monitored by the person responsible for data protection at the Operator.
Our two-hat model: controller and processor
Under the UK GDPR, the responsibilities we have for personal data depend on whether we determine the purposes and means of processing (in which case we are a controller) or whether we act on behalf of another organisation that does (in which case we are a processor). In practice, we wear both hats, depending on the data:
- We are the controller for personal data we collect about visitors to chat.org.uk, prospective customers and people who fill in our contact form, our business contacts, and the staff at customer organisations who administer the service on their organisation's behalf (account holders).
- We are the processor for personal data flowing through governed WhatsApp channels and stored in the archive on a customer's behalf. The customer organisation – the charity or care provider running the channel – is the controller of that data. They decide who joins, what is discussed, how long it is kept, and who is told.
This notice describes both roles. Sections 4 to 11 mostly concern data we handle as a controller. Sections 12 onwards apply to both. Where we are acting as a processor, the customer's own privacy notice is the primary one that data subjects should read; ours describes the framework we operate within.
Data we handle as a controller
The categories of personal data we collect and process as a controller are limited and listed below. We do not buy lists, scrape contact details, or enrich data from third-party data brokers.
Website visitors
Our website is hosted on Azure Static Web Apps (Microsoft Azure, UK region). When you visit chat.org.uk, Azure's network logs record your IP address, the time of the request, the resource requested, response status, user agent string and referrer. These logs are kept for short-term operational and security purposes (typically 30 days) and are not used to profile visitors or for any marketing purpose. We do not use third-party analytics, advertising tags, fingerprinting or session replay on this site.
Contact form submissions and demo requests
If you complete the contact form or email us to request a demonstration, you choose what to share. The form asks for your name, work email address, organisation, role (optional), phone (optional), tier of interest (optional) and a message. Your submission is delivered to our staff inbox at enquiries@chat.org.uk via a serverless function and is not retained anywhere else. We use it to respond to you, and (if a sales conversation begins) to keep a minimal record of the discussions we have had, so that we are not asking you the same questions twice.
Prospective and live customers
If you become a paying customer, we record the contact details of the people at your organisation who administer the account, our contractual correspondence with you, and the billing information needed to invoice and collect payment. We do not store full payment card details; card payments are processed by our payment provider (see Sub-processors).
People who write to us
Where you contact us by email, telephone, post or any other channel, we keep a record sufficient to provide a coherent reply and to demonstrate, where necessary, that we handled your enquiry properly.
Data we handle as a processor
When a customer runs a governed WhatsApp channel on our platform, the personal data flowing through it is processed by us strictly on the customer's documented instructions, set out in a Data Processing Agreement (DPA) that forms part of our contract. That data may include:
- Phone numbers and WhatsApp display names of staff, volunteers, family members, residents and other participants in governed groups.
- Message content (text, images, voice notes, documents, location pins and other attachments) sent to or within a governed group.
- Message metadata: timestamps, sender identity, delivery and read receipts, group membership changes, and the device/client information surfaced by the WhatsApp Business API.
- Administrative records: which staff member added or removed which participant, when, and on whose authority.
None of this data is mined, profiled, sold, used to train machine learning models, or used for any purpose beyond providing the service the customer has contracted for. The customer decides what is discussed in the channel, who joins, and what they are told; our role is to capture, retain and make answerable what flows through.
Lawful bases under UK GDPR
Article 6 of the UK GDPR requires us to identify a lawful basis for each category of processing. The table below sets out the basis we rely on as a controller.
| Purpose | Personal data | Lawful basis (Article 6) |
|---|---|---|
| Operating and securing chat.org.uk | Access logs (IP, user agent, request data) | Legitimate interests (running a website securely) |
| Responding to your enquiry or demo request | Form submission and any subsequent correspondence | Legitimate interests, or steps prior to entering a contract at your request |
| Managing the customer relationship | Account administrator contact details, contractual records | Performance of a contract |
| Billing, accounting and tax compliance | Billing contacts, invoice records | Performance of a contract; legal obligation (tax law) |
| Detecting fraud, abuse or security incidents | Access logs, account activity | Legitimate interests (protecting customers and the service) |
| Sending occasional service-related notices | Account administrator email | Legitimate interests, performance of a contract |
Where we rely on legitimate interests, we have carried out a balancing assessment that weighs our interest against your rights and freedoms. You can request a summary of any such assessment by writing to compliance@chat.org.uk.
When we are acting as a processor (for governed channel data), the customer – not us – is responsible for identifying and recording the lawful basis under Article 6 (and, where applicable, Article 9). We provide template wording, notification copy for participants, and a Data Protection Impact Assessment template to help, but the assessment and the decision remain the customer's.
Special category data and safeguarding information
Conversations in a care or charity setting routinely include special category data under Article 9: health information, ethnicity, religious belief, sexual orientation, and information about safeguarding concerns that, while not always a special category in itself, is treated with comparable sensitivity.
As a processor we will inevitably encounter such data – it is the nature of the conversations our customers govern – but we do not single it out, profile it, or use it for any purpose other than storing and making it retrievable for the customer. The customer, as controller, must identify an Article 9 condition (in practice, typically the substantial public interest conditions in Schedule 1 of the Data Protection Act 2018 relating to safeguarding, the provision of health or social care, or the protection of vulnerable adults) and document it in their Article 30 record. Our DPA template includes a section in which the customer formally records that determination.
Our security controls (UK data residency, customer-managed keys, role-based access, audit logging) apply uniformly across all data we hold for a customer; we do not consider Article 9 data to need a stronger baseline because the baseline is already set for it.
Children's personal data
Our service is sold business-to-business. We do not offer it to children and we do not knowingly process children's data as a controller.
Where a customer's governed channel includes participants under the age of 18 (for example, in a youth-focused charity, a young carers' group, or a children's service), the customer remains the controller of that data and is responsible for obtaining the necessary parental consent or alternative lawful basis, providing age-appropriate notices, and applying the additional protections required by the ICO's Children's Code where relevant. The standard contractual terms we make available to customers specifically address this scenario.
The personal-device boundary
This is the most important honest disclosure in this notice, and we will not bury it.
Our service governs conversations that take place in groups created on a charity's WhatsApp Business API number. It does not, and cannot, govern conversations that staff, volunteers or family members hold on their own personal WhatsApp accounts on their own personal phones. The WhatsApp Business API does not expose those conversations; nothing we install would; and any vendor claiming otherwise is either misleading you or operating outside Meta's terms of service.
This matters because the underlying compliance problem – conversations about service users taking place in unaccountable side-channels – cannot be solved by software alone. Our service is a risk-treatment, not a risk-elimination, measure: it provides an attractive, easy, default-supported alternative to personal WhatsApp groups, and gives the organisation the cultural, policy and operational levers to make that alternative the only one in use. Solving the rest is governance work that sits with the customer.
To support that work we provide: template staff and volunteer policies prohibiting work-related discussion of service users on personal channels; template family and resident notices explaining what the governed group is and how to use it; trustee briefings; and guidance on enforcing the policy via mobile device management on charity-issued devices. We also publish, alongside this notice, our standard terms of service, which require customers to deploy and enforce such a policy as a condition of using the platform.
End-to-end encryption: what changes and what does not
WhatsApp's end-to-end encryption (E2EE) protects messages in transit between the participants of a conversation. In a governed group, the customer's WhatsApp Business API endpoint is a legitimate participant – Meta admits it to the group via the official API, the same way any other phone number would be admitted – and messages are therefore delivered to it through that channel. They are not intercepted off any other participant's device.
From the moment the message reaches the Business API endpoint, it is held by the customer's archive. We re-encrypt the content at rest using AES-256, with key material that the customer can elect to manage themselves via Azure Key Vault. Where a customer holds their own keys, revoking the key cryptographically destroys their data, and we cannot read it without it.
We do not claim "zero knowledge", and any vendor that claims both governance and zero knowledge over the same content is misrepresenting how this works. Governance requires the controller (or its processor) to be able to read the content; that is the point of the archive. The right question is not "is this zero-knowledge?" – it cannot be – but "who can read it, under what controls, with what oversight?" The answer, on our platform, is: only the customer's designated administrators, under role-based access, with every access logged.
International data transfers
Customer content (messages, attachments, archive contents) is stored exclusively in UK-region Microsoft Azure data centres (UK South and UK West). It is not transferred outside the United Kingdom in the normal course of providing the service.
There are two narrow exceptions, both named in our Sub-processors list. First, the WhatsApp Business API itself, operated by Meta Platforms Ireland Limited and the wider Meta group, processes message metadata and content as a strict consequence of using WhatsApp at all; transfers undertaken by Meta are subject to the safeguards Meta has put in place (in current practice, the UK Addendum to the EU Standard Contractual Clauses). Second, billing and payment processing is handled by Stripe Payments UK Limited (an FCA-authorised payment institution that contracts with us under UK law); Stripe's underlying processing infrastructure is global, with the UK Addendum to the EU SCCs governing any transfers outside the UK. We do not see or store full payment card details; those are entered directly into Stripe-hosted elements.
Our application telemetry (errors, performance traces, operational logs) is processed in a UK Azure region using Microsoft Application Insights, so no transfer arises in respect of it.
Where we add a sub-processor that would meaningfully change this picture, we will give customers thirty days' prior notice and the opportunity to object.
Retention
As a controller:
- Website access logs: 30 days, then automatically deleted.
- Contact form submissions: retained as long as the conversation is reasonably live, plus the limitation period applicable to any contract that follows. If no contract follows, deleted within 12 months of the last meaningful contact.
- Customer relationship records: for the duration of the contract, plus the limitation period under the Limitation Act 1980 (typically six years).
- Billing and accounting records: as required by HMRC, currently six years.
As a processor: retention is determined by the customer, expressed in their channel configuration and DPA, and enforced by us. The customer can also issue a legal hold that suspends scheduled deletion for specific data subjects, conversations or time ranges.
Sub-processors and recipients
We use a small set of sub-processors to provide the service. Each is bound by a written contract that imposes the same data protection obligations on them as our contract imposes on us, in line with Article 28(4) UK GDPR. The current list is maintained at /sub-processors.html and is updated whenever a sub-processor is added, removed or changes.
Beyond sub-processors, we share personal data only with: our professional advisers (lawyers, accountants, auditors) under a duty of confidentiality; regulators, courts or law enforcement where a valid legal request requires it; and an acquirer if the business is sold (in which case data is transferred subject to confidentiality and continued application of this notice).
Your rights and how to exercise them
Under the UK GDPR you have the right to be informed (this notice), the right of access, the right to rectification, the right to erasure ("right to be forgotten"), the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to solely automated decision-making with legal or similarly significant effects. We do not undertake any such automated decision-making.
To exercise any of these rights in relation to data we hold as a controller, write to compliance@chat.org.uk. We will respond within one month (extendable by two further months for complex requests, with notice to you). We will not charge a fee unless the request is manifestly unfounded or excessive.
To exercise these rights in relation to data we hold as a processor – i.e. data flowing through a governed channel at a particular customer organisation – please direct your request to that organisation (the controller) in the first instance. Where you are unsure who the controller is, write to us and we will tell you. We support our customers in answering subject access requests through our SAR tooling.
Cookies and analytics
The chat.org.uk marketing site does not set any cookies, does not use third-party analytics, and does not load any tracking, advertising or fingerprinting technologies. We do not need a cookie banner because we do not set cookies. If that changes, we will update this notice and seek consent where required under the Privacy and Electronic Communications Regulations 2003.
The product itself (which is delivered behind authentication, not via this public site) uses a small number of strictly necessary first-party cookies to keep you logged in. Those are governed by the in-product privacy notice presented to administrators on first sign-in.
Security
We operate an information security management programme designed to ISO/IEC 27001:2022 and are pursuing certification under that standard and Cyber Essentials. Specific controls include UK-region data residency, encryption in transit (TLS 1.2+) and at rest (AES-256), customer-managed keys via Azure Key Vault on request, role-based access control with least-privilege defaults, comprehensive audit logging, mandatory two-factor authentication for our staff, hardware-key requirements for production access, separation of duties between development and operations, regular vulnerability scanning, independent penetration testing, and an incident response plan with defined RTO and RPO targets that we publish to customers under NDA.
We are not so naive as to claim we cannot be breached. We have written this section so that, if one day we are, the question of "what was in place beforehand" is answerable.
Personal data breaches
If we become aware of a personal data breach affecting data for which we are the controller, we will notify the ICO within 72 hours where the breach is likely to result in a risk to the rights and freedoms of natural persons, and we will inform affected data subjects without undue delay where the risk is high.
If the breach affects data we process on a customer's behalf, we will notify the affected customer without undue delay – in practice, within 24 hours of confirmation – with all the information the customer needs to discharge its own notification obligations under Article 33.
Changes to this notice
We will update this notice when the law, the service or our practices change. Material changes will be announced at the top of this page and (for our customers) by direct notice to the account administrator. The "Effective" date at the top of this notice always reflects the date of the most recent version. Archived versions are kept and can be requested.
Complaints
If you are unhappy with how we have handled your personal data, we would like the chance to put it right. Please write to compliance@chat.org.uk in the first instance.
You also have the right to complain to the Information Commissioner's Office at any time. The ICO can be contacted at ico.org.uk, on 0303 123 1113, or by post at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Contact us
General: enquiries@chat.org.uk
Privacy and data protection: compliance@chat.org.uk
Post: [registered office address]