wordpress blog stats
Connect with us

Hi, what are you looking for?

WhatsApp says Facebook has no access to UPI transaction data

WhatsApp Pay screenshots
Source: WhatsApp

Facebook does not have access to transaction data, which is encrypted and in compliance with data localisation guidelines, said WhatsApp, in a clarification on its data and privacy policy for payment services based on the Unified Payments Interface (UPI). In its blogpost, the Facebook Inc. owned messaging platform said that it will ensure that UPI payments through WhatsApp will be completely secure and in full compliance with the data localisation guidelines issued by Reserve Bank of India (RBI). “The UPI transaction data is encrypted, and Facebook doesn’t have access to this data in clear format,” it said.

While the government has told WhatsApp to roll-back its proposed privacy policy update and the company has delayed its roll-out by three months, the global messaging platform is currently facing legal challenges over its new terms of service and payments facility, given the proposed changes to WhatsApp’s privacy policy. It has been taken to court several times in the last few years over alleged non-compliance with RBI rules and regulations. Further, some of the petitions filed before the courts also alleged that the platform also violates privacy rights of its users.

In November last year, WhatsApp got the green light from regulators to launch its UPI payments service in a graded manner, with user registration restricted to 20 million at present, after two years of beta-testing phase. The blog says that WhatsApp India’s Payments Privacy Policy will solely take care of the privacy concerns with regards to WhatsApp Pay. “WhatsApp India actively monitors necessary compliances and may share UPI transaction data for identified exceptions with affiliates and regulators subject to regulatory approvals to stop illegal use of WhatsApp payments in compliance with applicable laws and regulation,” it said.

Does Facebook have access to WhatsApp Pay?

It is unclear what sort of data Facebook will or may receive from WhatsApp on its users’ UPI payments. The blog is fairly vague when it says that Facebook doesn’t have access to encyrpted UPI transaction data in a clear format, but adds that “When we share information with service providers, we require them to use your information on our behalf in accordance with our instructions, terms, and applicable law.”

What information is collected?

  • Customer details: The company has access to the user’s UPI virtual payment address (VPA) or ID, but it does not store the UPI PIN and does not store customer payment sensitive information such as the one-time password (OTP), full account number, or any debit card details.
  • Payment information: For UPI payments, WhatsApp Pay will require the sender’s VPA, receiver’s VPA, phone number, payment amount, currency, date, time and transaction number. “When the sender makes a payment to a WhatsApp contact, we collect account and transaction information, including the sender’s and receiver’s names and BHIM UPI IDs,” the blog said.
  • Information from service providers: WhatsApp India says it works with service providers like WhatsApp Inc. and other Facebook companies to operate, improve, customize, support, and market payments in a secure manner. “We work with companies to assist with customer support, and we receive information from them that you provide over the phone or email,” it said.
  • Information from banks and NPCI: Payment service provider banks and National Payments Corporation of India  (NPCI) provide information to WhatsApp about the user, their financial acccounts and payment transactions. “For example, we may receive information about you or your transactions from a PSP bank, including information to confirm your registration, the payment sender’s or receiver’s name, account information and status, balance sufficiency, transaction and account identifiers, risk or fraud alerts, and the like,” it said. The information shared between UPI users and the bank is subject to privacy policies of the banks, it added.

How is this data used?

The company says that all the information it receives goes back to improve, customize, support and market its services, which in the payments space usually means protecting users from fraud, abuse and misconduct.

“WhatsApp India works with the other Facebook Companies, including Facebook Inc. (“Facebook”) and WhatsApp Inc., to provide Payments, including to send payment instructions to PSP banks. We also use the information to customize, market and improve Payments, including cross-selling, promotions, providing value-added services and other NPCI approved purposes, and in accordance with applicable law,” it said.

It is important to note that since WhatsApp Pay and its bank partners are subject to regulations set by the RBI and the NPCI, much of the information and data fields collected by WhatsApp is fairly standard across all third-party UPI mobile apps. However, the clear conflict in the case of WhatsApp is the ability for the messaging service to share anonymous aggregated data or meta-data with its “affiliates” and other Facebook-owned platforms.

Advertisement. Scroll to continue reading.

While WhatsApp’s new privacy policy aims to create an inter-operable experience across its app platforms, WhatsApp Pay admits that affiliate businesses either currently support or will be in a position to market its UPI service. At the minimum it can market WhatsApp Pay through other ecosystem apps.

What do the liability clauses say?

WhatsApp India says it will not be liable for any profits or loss occurring through the payment transaction and that its aggregate liability will not exceed ₹1,000. “WhatsApp does not have control over the payment and therefore cannot provide refunds or facilitate chargebacks. WhatsApp is not liable for errors caused by the PSP, your or other banks processing the transactions, or NPCI, or for unauthorized transactions. We assume no responsibility for the underlying transaction of funds, or the actions or identity of any transfer recipient or sender,” according to the WhatsApp India Payments Terms of Service,” it said.

Also read: 

Written By

Reports on banking, payments, fintech and crypto-curencies. Additional reporting on media regulations, data protection and other areas.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ