WhatsApp Data Handling

Last updated: May 2026

Effective 11 May 2026. This page describes how Perfect Design Enterprise (trading as Cyrus) ("Cyrus", "we", "us") processes, stores, and protects data from WhatsApp Business API conversations on behalf of our customers.

1. Data We Receive from WhatsApp

When an end user messages your business via WhatsApp, the WhatsApp Business Cloud API sends us the following data:

  • Phone number — The sender's phone number in international format (e.g., +60123456789)
  • Display name — As set by the user in their WhatsApp profile
  • Message content — Text messages, captions, and interactive message responses
  • Media attachments — Audio/voice notes, images, and documents (up to 25 MB per file as permitted by WhatsApp)
  • Timestamps — Sent and received timestamps for each message
  • Message IDs — WhatsApp-assigned identifiers used for delivery tracking and read receipts
  • Delivery status updates — Real-time status transitions: sent, delivered, read, and failed
  • CTWA referral data — Click-to-WhatsApp ad attribution data when a conversation originates from a Facebook or Instagram advertisement, including source URL, campaign information, and referral text

We do not receive or store WhatsApp profile photos, status updates, contact lists, group membership information, or end-to-end encryption keys.

2. Media Processing

When an end user sends media files via WhatsApp, we process them as follows:

  • Audio and voice notes — Downloaded from WhatsApp servers and transcribed to text using OpenAI Whisper. The transcription is used as message content for the AI agent to respond to. Original audio files are not stored long-term after transcription.
  • Images — Downloaded from WhatsApp servers and analysed using GPT-4o vision to generate a text description. The description is used as conversation context. Original image files are not stored long-term after analysis.
  • Documents — Downloaded and processed through text extraction (PDF, HTML, TXT supported). Extracted text is used as conversation context. Original document files are not stored long-term after extraction.

Transcriptions, image descriptions, and extracted document text are retained as part of the conversation record and are subject to the same storage and retention policies as text messages.

3. How We Use This Data

WhatsApp conversation data is used exclusively to provide the Cyrus service on your behalf:

  • Power the AI agent — Message content (including media transcriptions and descriptions) is sent to the configured LLM provider (e.g., xAI Grok, OpenAI GPT, Anthropic Claude, Google Gemini) to generate contextual responses.
  • Build conversation memory — Every 3 conversation turns, a rolling summary is generated and stored so the agent maintains context across sessions. Summaries preserve exact numbers, prices, dates, names, and SKUs.
  • Extract user profiles — Structured profile data (name, role, company, location, budget, preferences, past interests, open questions) is extracted from conversations and accumulated on the contact record to personalise future interactions.
  • Contact identity resolution — Phone numbers serve as the primary identifier for linking conversations across sessions. The external_user_id format is wa:{phone_number}.
  • Dashboard display — Conversations are visible to you in your Cyrus dashboard for review, human takeover, and quality monitoring.
  • Analytics — Aggregated metrics (conversation volume, resolution rate, response time, knowledge gaps) are shown in the analytics dashboard. Individual query embeddings are generated for semantic analysis.
  • Action execution — If enabled, conversation data may be used by action plugins (lead capture, booking, escalation) to perform actions you have configured.

We do not use WhatsApp data for advertising, sell it to third parties, or use it to train our own AI models.

4. Message Aggregation

End users often send several short messages in quick succession (e.g., "Hi" followed by "I want to book" followed by "for tomorrow"). To provide coherent responses and reduce unnecessary API costs:

  • Incoming messages are buffered within a configurable aggregation window (default: 3 seconds).
  • Multiple messages received within the window are concatenated and processed as a single query.
  • The AI agent responds once to the combined message rather than to each fragment individually.

5. Outbound Message Handling

  • Message splitting — Long AI responses are automatically split into 2-3 natural segments to mimic human conversation patterns on WhatsApp, with typing indicators sent between segments.
  • Delivery status tracking — Each outbound message is tracked through its lifecycle: sent, delivered, read, or failed. Status updates are recorded in real-time.
  • Mark-as-read — Incoming messages are marked as read immediately upon receipt to set user expectations.

6. 24-Hour Service Window

In compliance with WhatsApp Business API rules:

  • Your bot may send unlimited free-form messages within 24 hours of the end user's last message.
  • The 24-hour window resets each time the end user sends a new message.
  • Outside the 24-hour window, only pre-approved message templates may be sent.
  • Cyrus does not currently send template messages outside the service window. All interactions are reactive (user-initiated).

7. CTWA Referral Attribution

When a conversation originates from a Click-to-WhatsApp advertisement on Facebook or Instagram, Meta includes referral data in the webhook payload. This data is captured and stored with the conversation record for campaign attribution purposes. It may include the source URL, headline text, and media URL from the originating ad.

8. Data Storage and Retention

| Data type | Storage location | Retention |
|---|---|---|
| Message content and media transcriptions | PostgreSQL (row-level tenant isolation) | Lifetime of account; deleted within 90 days of account closure |
| Conversation summaries | PostgreSQL (on conversation record) | Permanent while account is active |
| User profiles | PostgreSQL (JSONB on conversation record) | Accumulated over time; deleted with account |
| Session memory (raw turns) | Redis | 7-day TTL, automatically expires |
| Phone numbers | PostgreSQL (as external_user_id) | Lifetime of account; used for cross-session linking |
| Lead information | PostgreSQL (leads table) | Lifetime of account; deleted with account |
| Booking records | PostgreSQL (bookings table) | Lifetime of account; deleted with account |
| Original media files | Not stored long-term | Processed and discarded; only transcriptions/descriptions retained |

9. Sub-Processors

WhatsApp conversation data is processed by the following third-party services:

| Service | Location | Purpose | Data shared |
|---|---|---|---|
| Meta (WhatsApp Cloud API) | United States | Message delivery and receipt | Messages, phone numbers, media, delivery status |
| OpenAI | United States | Chat completions, audio transcription (Whisper), image analysis (GPT-4o vision), text embeddings | Message content, audio files, images, document text (no phone numbers) |
| xAI (Grok) | United States | Chat completions (default LLM provider) | Message content and conversation context (no phone numbers) |
| Anthropic (Claude) | United States | Chat completions (when configured) | Message content and conversation context (no phone numbers) |
| Google (Gemini) | United States | Chat completions (fallback provider) | Message content and conversation context (no phone numbers) |
| Hetzner Online GmbH | Germany (EU) | Infrastructure hosting | All data (encrypted at rest) |
| Redis (self-hosted on Hetzner) | Germany (EU) | Session memory and rate limiting | Conversation context with 7-day TTL |

Phone numbers and other direct identifiers are not sent to LLM providers. Only message content and conversation context are shared for response generation.

10. Security Measures

  • Webhook verification — All WhatsApp webhook payloads are verified using HMAC-SHA256 signature validation against the X-Hub-Signature-256 header. Invalid signatures are rejected.
  • Per-channel verify tokens — Each WhatsApp channel has a unique verify token for webhook registration, preventing unauthorised webhook subscriptions.
  • TLS encryption — All API communications use TLS 1.2 or higher. Caddy reverse proxy provides automatic certificate management.
  • Fernet encryption — WhatsApp Business API credentials (access tokens, phone number IDs, verify tokens) are encrypted using Fernet symmetric encryption before storage in the database.
  • Row-level tenant isolation — Every database query is filtered by tenant_id. Your WhatsApp conversations are never accessible to other Cyrus customers.
  • Rate limiting — Redis sliding-window rate limiting is applied per plan, per tenant, and per IP address to prevent abuse.
  • Duplicate message debounce — A 5-second Redis-based deduplication window prevents processing of duplicate webhook deliveries.
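
The webhook verification and duplicate debounce items above, sketched as an added example (not Cyrus's own code). It assumes the signing key is the Meta app secret; the function names, the in-memory `Deduplicator` standing in for Redis, and the simplified `message_id` payload are hypothetical.

```python
import hashlib
import hmac
import json

DEDUP_WINDOW_SECONDS = 5  # window length stated in the list above


def signature_is_valid(app_secret: bytes, raw_body: bytes, header) -> bool:
    """Check an X-Hub-Signature-256 value ("sha256=<hex>") against the raw bytes."""
    if not header or not header.startswith("sha256="):
        return False
    supplied = header[len("sha256="):]
    # The MAC covers the bytes as received; re-serialised JSON will not match.
    expected = hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())


class Deduplicator:
    """In-memory stand-in for the Redis deduplication window (hypothetical)."""
    def __init__(self, window: float = DEDUP_WINDOW_SECONDS):
        self.window = window
        self._seen = {}  # message id -> time it was first accepted

    def first_delivery(self, message_id: str, now: float) -> bool:
        # Expire old ids, then record this one only if it is new.
        self._seen = {m: t for m, t in self._seen.items() if now - t < self.window}
        if message_id in self._seen:
            return False
        self._seen[message_id] = now
        return True


def handle_webhook(app_secret, raw_body, header, dedup, now):
    """Return "rejected", "duplicate" or "accepted" for one delivery."""
    # Verify first: unauthenticated input must not reach the parser or dedup store.
    if not signature_is_valid(app_secret, raw_body, header):
        return "rejected"
    message_id = json.loads(raw_body)["message_id"]  # simplified payload shape
    if not dedup.first_delivery(message_id, now):
        return "duplicate"
    return "accepted"


# Constructed sample values (not real credentials or traffic).
SAMPLE_SECRET = b"example-app-secret"
SAMPLE_BODY = b'{"message_id":"wamid.EXAMPLE1","text":"Hi"}'
SAMPLE_HEADER = "sha256=" + hmac.new(SAMPLE_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()
```

The handler must be given the request body exactly as it arrived on the wire; many web frameworks parse JSON before handlers run, so the raw bytes have to be captured explicitly.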

11. User Rights and Data Deletion

Business owners (you) can:

  • View all WhatsApp conversations in the Cyrus dashboard
  • Export conversation data, leads, and bookings via the API (JSON format)
  • Delete individual conversations, including all associated messages and extracted profiles
  • Request full account deletion — all data is removed within 90 calendar days

End users (WhatsApp customers) can:

  • Request to view their conversation data by contacting your business directly
  • Request deletion of their conversation data by contacting your business or by emailing [email protected]
  • Request a copy of their data in a portable format (JSON) through your business or via [email protected]

Important limitation: Data that has been sent to LLM providers for processing cannot be retroactively deleted by Cyrus from those providers' systems. Deletion requests apply to data stored in Cyrus infrastructure only.

12. WhatsApp Business Policy Compliance

Cyrus complies with the WhatsApp Business Policy and the WhatsApp Business Solution Terms:

  • 24-hour service window — We only send free-form messages within the 24-hour customer service window. Template messages are used outside this window where applicable.
  • No spam — We do not send bulk unsolicited messages or prohibited content categories through WhatsApp.
  • Opt-out mechanism — End users can request to stop receiving messages. Businesses are responsible for honouring opt-out requests promptly.
  • No cross-account data sharing — WhatsApp conversation data from one business account is never shared with or accessible to another business account. Row-level tenant isolation enforces this at the database level.
  • Data minimisation — We only collect and process data necessary to provide the conversational AI service. Original media files are discarded after processing.

13. Contact

Questions about WhatsApp data handling can be directed to:

Perfect Design Enterprise (trading as Cyrus)
Privacy: [email protected]
Security: [email protected]
General: [email protected]
Website: meetcyrus.ai

We respond within 48 hours.