100% GDPR-Compliant WhatsApp Marketing
Chatarmin uses exclusively the official WhatsApp Business API. Servers in Frankfurt. ISO 27001 certified. Double opt-in from the very first contact. This is what legally compliant WhatsApp marketing looks like.

Privacy you can rely on.
6 building blocks that legally protect your WhatsApp marketing.
100% GDPR-compliant
EU servers in Frankfurt
ISO 27001 certified
Double opt-in documented
DPA available from day one
Official Meta Business API
This is how GDPR-compliant WhatsApp marketing works in practice.
From the first opt-in to the opt-out. Every step documented, every contact protected.
Collect contacts
Your customers sign up with you. You don't cold-message anyone. Via link or QR code they land directly in the WhatsApp app, in a chat with your brand. The contact comes to you. WhatsApp opt-in rates are 60% higher than email opt-in rates.

Double opt-in in the chat
The customer is asked whether they really want to receive messages. They confirm directly in the app via button. No app switching, no email link, no extra tab. The opt-in is saved with IP address, timestamp and source.

Cleanly documented
In the Chatarmin dashboard you can see for each contact when and how they signed up. You can also see which category they consented to: marketing opt-in for newsletters or transactional only for shipping updates. Your DPO can review this at any time.

Send newsletters
Your contact has signed up, actively confirmed, everything is documented. Now you can send WhatsApp newsletters, activate flows and launch campaigns. 85–95% open rate, directly on the lock screen.

Opt-out with a single tap
If a contact no longer wants to receive messages, they simply type "STOP" in the chat. Done. They are immediately removed from your list. Chatarmin has a safety mechanism: you simply cannot accidentally message this contact again afterwards. Opt-out rate at the right frequency is below 0.2%.

The 10 most common GDPR questions from over 2,100 customer conversations.
Click on a question. You get the answer that your data protection officer will accept too.
Yes. GDPR-compliant marketing is possible via the official WhatsApp Business API. The API was developed specifically for this purpose in 2018. The key distinction: the WhatsApp Business App is problematic from a data protection standpoint because it accesses your address book and stores metadata on US servers. The API does neither. Chatarmin uses exclusively the API.
No. You need a separate, channel-specific double opt-in for WhatsApp. An email opt-in or a phone number from your shop system is not sufficient. However, you can invite your existing customers via email to sign up for WhatsApp. This way you can build your list quickly. Typical result: 1,000+ new subscribers in 2–3 months.
The app accesses your address book, stores backups unencrypted in the cloud and does not provide an adequate DPA. The API has no address book access, requires no physical device, runs via a BSP (Business Solution Provider) with its own DPA and EU hosting. For professional marketing in the DACH region, the API is the only legally compliant option.
On servers in Frankfurt. Chatarmin is a German Business Solution Provider headquartered in Vienna. All customer data is stored in the EU. Chatarmin acts as a technical buffer between your company and Meta. Primary data storage takes place on EU servers.
The transfer is based on the EU-US Data Privacy Framework (DPF), the successor to Privacy Shield. Meta is DPF-certified. Additional protection comes from EU hosting via Chatarmin as a BSP. Through the API, Meta does not use your end customers' data for its own advertising purposes. The WhatsApp Business Data Processing Terms govern this clearly.
A complete DPA in accordance with Art. 28 GDPR is available from day one. It covers processing purpose, duration, scope, sub-processors (WhatsApp Ireland Limited and their sub-processors), as well as technical and organisational measures. Your DPO can review the DPA prior to signing the contract. We will send it within 24 hours.
Then you are not allowed to send them a message. Chatarmin also prevents this technically. Without a documented double opt-in, no newsletter can be sent to that contact. The system simply does not allow it.
Via the API: No. The WhatsApp Business Terms of Use stipulate that business data is used exclusively for the operation and improvement of business services. Metadata is used in pseudonymised form for statistical purposes, as permitted under Art. 89 GDPR. Those using the private WhatsApp app give Meta significantly more access. The API is the secure option. And that is only possible through Chatarmin.
With a clean double opt-in, documented timestamp and API usage: practically zero. The Munich Court of Appeal awarded damages of €250 to €750 per affected contact in late 2025. This concerned cases where companies had linked data without a sufficient legal basis. Those working via the API with a documented opt-in have exactly this legal basis.
Since January 2026, Meta only allows task-specific bots on the API. Generic AI chatbots (e.g. a free ChatGPT clone) are prohibited. Art. 50 of the EU AI Act requires transparency: users must know they are interacting with AI. Chatarmin bots are built accordingly: clear AI labelling, defined task areas, responses exclusively from stored knowledge sources. Customers with their own OpenAI key retain full data sovereignty.
You're in good company
From fashion to food to supplements. Every setup goes through the same GDPR-compliant onboarding.

WhatsApp marketing at a glance
From newsletters to flows to GDPR. Everything you need to know before you get started.


450+ brands do GDPR-compliant WhatsApp marketing with Chatarmin.
The biggest e-commerce brands use Chatarmin. When will you join them?
