I sent a WhatsApp GDPR Request

WhatsApp isn’t really recommended as a privacy tool as it’s owned by the zucc and isn’t FOSS, but is basically a necessity in the civilised world because everyone uses it by default for communication (I’m the only person my friends use Signal to talk to and that’s simply not a good position to be in when you need something from someone else). However, I sent a WhatsApp GDPR request, and they responded. This should have everything WA collects (or claims to collect). I don’t know if I am naive by trusting the response, but it does give some insight into what they store and what they can read:

  • Your profile info (all of it)
  • Your WA settings
  • Your profile photo
  • Your phone number
  • Your groups
  • Your contacts (WA stores them)

I still believe that messages on the platform are actually encrypted, but metadata combined with all of this makes it fairly easy to spy on someone as the content of a message could be guessed. I’m assuming more data is collected through interaction with other zucc services.

Consider using it in a work profile with a custom contact list.


Would you please elaborate? What do you mean by work profile?

On many Android phones you have the option to create a “work profile”. This is basically a sandbox meant for “work” apps with separate directories and contacts. Work applications can also be disabled entirely with one click, so you can stop them running in the background if you need to.

I usually configure my work profile using Shelter.

Contacts are just of the device which allowed contacts permission, as if you change device you won’t have saved contacts.

WA can hand over the entire contact address book of a user when issued with a search warrant.

A search warrant issued under the procedures described in the Federal Rules of Criminal Procedure or equivalent state warrant procedures upon a showing of probable cause is required to compel the disclosure of the stored contents of any account, which may include “about” information, profile photos, group information and address book, if available. In the ordinary course of providing our service, WhatsApp does not store messages once they are delivered or transaction logs of such delivered messages, and undelivered messages are deleted from our servers after 30 days. WhatsApp offers end-to-end encryption for our services, which is always activated.


Big oopsie from me then

