When people sign up for WhatsApp, they can choose if they want to add their device contacts to WhatsApp. This optional feature allows us to check if their friends, family and other contacts use WhatsApp to make it easier to chat with them. Other Meta Companies provide us with technical services like data hosting and infrastructure services. But we care about your privacy and we don’t share these device contacts with our parent company Meta Platforms Inc. or any other Meta Company for their own use.
This means that if you are listed in the device address book of a user who chooses to add their contacts to WhatsApp, we may still process your phone number even if you are not a user of the service.
When a user who has your number chooses to give WhatsApp access to their device address book, WhatsApp does not store your number in a readable format. Instead, we use it to create a cryptographic hash value to prevent your phone number from being re-identified by WhatsApp. We store each cryptographic hash value in a list linked to the WhatsApp users who uploaded the corresponding phone numbers from which the hash value was created. We do not collect names or any other information from a user's device address book.
In the event you decide to join WhatsApp, the limited information that we store is used to then help other WhatsApp users who have your phone number to connect with you on WhatsApp. This means that once you join WhatsApp they will automatically be able to see you in their WhatsApp contact list. However, WhatsApp will not send them a notification when this happens.
Please see below for more information.
Non-user Data Notice
If you’re not a user of the WhatsApp service (a “Non-user” or “you”), WhatsApp Ireland Limited may process your mobile phone number if a WhatsApp user has your phone number saved in their device address book and chooses to share their contacts with WhatsApp.
If you’re a Non-user living in the United Kingdom (“UK”), WhatsApp LLC is the controller of your information. WhatsApp Ireland Limited is the controller of this information if you’re a Non-user living in the European region. References in this Notice to “we”, “us” or “our” should be interpreted to mean the relevant WhatsApp entity (i.e. WhatsApp LLC or WhatsApp Ireland Limited, as applicable) identified above as the controller of your information.
About contact upload - how it works
Contact upload allows users to choose whether to give WhatsApp permission to discover if contacts in their device address book are WhatsApp users. If so, WhatsApp can add those phone numbers to the user’s WhatsApp contact list and keep the list updated. WhatsApp also updates users’ contact lists when any of their contacts who are Non-users later join WhatsApp.
How do we use a Non-user’s information?
When a user chooses to use contact upload, the phone numbers in the user’s device address book are uploaded to our servers on a regular basis to ensure their information is kept up to date. Uploads are typically daily, but this depends on various factors including how often a user uses WhatsApp. The upload includes phone numbers of both WhatsApp users and other contacts who aren’t currently WhatsApp users (i.e. Non-users). We don’t collect any of the other information that could appear in a user’s device address book, including names, email addresses, etc.
We manage Non-user phone numbers by creating a cryptographic hash value from the Non-users’ phone numbers, in a way that is designed to prevent Non-users from being identified by WhatsApp. We don’t store Non-users’ phone numbers; we only store these cryptographic hash values. Each cryptographic hash value is stored in a list on WhatsApp’s servers, linked to the WhatsApp users who uploaded the corresponding phone numbers before they were hashed.
We use the cryptographic hash values created from Non-users’ phone numbers to enable users to connect more quickly and efficiently with people in their device address book when they join WhatsApp.
Separately, we also use a cryptographic hash representation of the phone numbers from the WhatsApp user’s device address book to detect and combat misuse of contact upload by assessing the hashes to determine whether there have been unusual changes in the device address book. This does not involve tracking or comparing individual phone numbers.
How is this information used if a Non-user becomes a WhatsApp user?
If you are listed in the device address book of a user who uses contact upload, and you subsequently join WhatsApp, this information is used to help us automatically update their WhatsApp contact list to show that you can now be contacted via WhatsApp. We update users' contact lists immediately after you join WhatsApp but sometimes contact lists can take longer to update.
What is our legal basis for this processing?
We rely on our legitimate interests and the legitimate interests of our users to briefly process Non-users’ phone numbers and then store the cryptographic hash values in the manner described above. More specifically, we rely on our legitimate interests in operating and providing the WhatsApp service to our users and keeping WhatsApp safe and secure, and the interests of our users in more efficiently connecting with their contacts who join WhatsApp.
Retaining Non-user information
When we collect Non-users’ phone numbers, we don’t store these phone numbers and we process them for no more than a few seconds to create the cryptographic hash values from them.
The cryptographic hash values are stored in a list on WhatsApp's servers, linked to the WhatsApp users who uploaded the phone numbers from which they were created, for as long as those users use contact upload and keep these phone numbers in their devices’ address books.
How Non-users exercise their data subject rights
Data subjects have the right to access, rectify, port, and erase their information, as well as the right to restrict and object to certain processing of their personal information (“Data Subject Rights”). To exercise those rights, contact us via this form or via the contact address provided below. Given that we do not store Non-users’ phone numbers and we only store cryptographic hash values which are designed to prevent WhatsApp from re-identifying your phone number, our ability to respond to your request and the information we can provide to you may be limited in practice. We hope this information addresses any queries you may have about how we process a Non-user’s personal information. However, if you have unresolved concerns and are living within:
the European region, you also have the right to complain to WhatsApp’s lead supervisory authority under the GDPR, the Irish Data Protection Commission, or any other competent data protection supervisory authority;
the UK, you also have the right to complain to the UK’s data protection authority, the Information Commissioner’s Office or any other competent data protection supervisory authority.
Third parties and transferring information as part of our global operations
We work with other Meta Companies that act as our service providers and provide services like data hosting and infrastructure services. However, Non-user phone numbers and cryptographic hash values are not shared with Meta Platforms Inc. or other Meta Companies for their own use.
This means Non-users’ information will be transferred or transmitted to, or stored and processed in, third countries outside of the EEA for the purposes described in this Notice. When the cryptographic hash values are transferred or transmitted to, or stored and processed, in countries outside of the European Economic Area, we utilise standard contractual clauses approved by the European Commission for these transfers.
When the cryptographic hash values are transferred or transmitted within the United States, or to third countries outside of the United States, WhatsApp LLC utilises standard contractual transfer mechanisms approved by the UK Government (the International Data Transfer Agreement or the International Data Transfer Addendum to the standard contractual clauses approved by the European Commission) for these transfers.
For example, WhatsApp uses Meta’s global infrastructure and data centers, which are located around the world including in the United States, to store the cryptographic hash values.