Third-Party Services & Sub-processors
Third-Party Services & Sub-processors
Last updated: 2026-07-16
This sub-processor disclosure applies to the website, products and services offered under the brand WAAPI, operated by WAAPI (“we”, “us”, “our”), acting as the business. By accessing or using our services you agree to this sub-processor disclosure. If you do not agree, please discontinue use of the services.
Delivering the service requires sending some data to the platforms below. Every one is named here with what it receives and why — nothing is processed by a party not on this list, other than as described in our Data Sharing & Disclosure Policy. Each is bound by data-processing terms and may use the data only to perform its service for us. We give 30 days’ notice before adding or replacing a sub-processor.
Messaging channel
| Service & entity | Why we use it | Data it receives | Where | Their policies |
|---|---|---|---|---|
| WhatsApp Business Platform (Cloud API) Meta Platforms Ireland Ltd. (EEA/UK) / Meta Platforms, Inc. (rest of world) | Sending and receiving WhatsApp business messages, registering and managing business phone numbers, submitting and managing message templates, and receiving delivery, read and inbound-message webhooks. | Business phone number and WhatsApp Business Account ID, recipient phone numbers, message content and attached media, template content, delivery/read status and error codes. | Ireland, United States and other Meta data centres | WhatsApp Business Terms of Service WhatsApp Business Messaging Policy WhatsApp Business Solution Terms Meta Privacy Policy |
Social platform
| Service & entity | Why we use it | Data it receives | Where | Their policies |
|---|---|---|---|---|
| Facebook Login, Pages & Business Manager Meta Platforms Ireland Ltd. / Meta Platforms, Inc. | Optional social sign-in, WhatsApp Embedded Signup (connecting your WhatsApp Business Account), and reading the Pages and business assets you explicitly grant access to. | Your Facebook user ID, name and email address (only if you choose social sign-in), Business Manager and Page IDs, and the access tokens you grant. We never post to your timeline. | Ireland, United States | Meta Platform Terms Meta Developer Policies Meta Privacy Policy |
| Instagram Professional Platform Meta Platforms Ireland Ltd. / Meta Platforms, Inc. | Reading and replying to Instagram messages and comments on the professional accounts you connect, and publishing content you schedule through the platform. | Instagram professional account ID and username, message and comment content you send or receive, media you publish, and basic engagement metrics. | Ireland, United States | Instagram Platform Policy Instagram Terms of Use Meta Privacy Policy |
Advertising
| Service & entity | Why we use it | Data it receives | Where | Their policies |
|---|---|---|---|---|
| Meta Ads (Marketing API, Pixel & Conversions API) Meta Platforms Ireland Ltd. / Meta Platforms, Inc. | Creating, managing and reporting on advertising campaigns for the ad accounts you connect, and — where you enable it — sending website/conversion events so campaign performance can be measured. | Ad account IDs, campaign, ad set and creative configuration and performance metrics, and (for Pixel/Conversions API) website events with hashed identifiers such as an email address or phone number where you have a lawful basis to send them. | Ireland, United States | Meta Business Tools Terms Meta Advertising Standards Meta Privacy Policy |
| Google Ads API Google LLC / Google Ireland Ltd. | Creating, managing and reporting on Google Ads campaigns for the ad accounts you explicitly link to the platform. | Google Ads customer IDs and OAuth tokens, campaign, ad group, keyword and creative configuration, conversion and performance metrics. | United States and other Google data centres | Google Ads API Terms of Service Google Ads policies Google Privacy Policy |
Business listing
| Service & entity | Why we use it | Data it receives | Where | Their policies |
|---|---|---|---|---|
| Google Business Profile API (Google Business Messages) Google LLC / Google Ireland Ltd. | Managing the Google Business Profile locations you connect: reading and publishing posts and media, reading and replying to reviews, and reading performance insights. | Google account identifier and OAuth tokens for the locations you authorise, business location and listing data, review content and your replies, post and media content you publish, and listing performance metrics. | United States and other Google data centres | Google API Services User Data Policy Google Business Profile API policies Google Privacy Policy |
Authentication
| Service & entity | Why we use it | Data it receives | Where | Their policies |
|---|---|---|---|---|
| Sign in with Google (Google Identity Services) Google LLC / Google Ireland Ltd. | Optional social sign-in to the panel. | Your Google account ID, name, email address and profile picture — only when you choose to sign in with Google. | United States | Google API Services User Data Policy Google Privacy Policy |
Analytics
| Service & entity | Why we use it | Data it receives | Where | Their policies |
|---|---|---|---|---|
| Google Analytics / Google Tag Manager Google LLC / Google Ireland Ltd. | Aggregate measurement of website and panel usage, where the site owner has enabled it. | Pseudonymous device and usage identifiers, page views, IP address (truncated where supported), referrer. | United States, European Union | How Google uses data from partner sites Google Privacy Policy |
Mobile infrastructure
| Service & entity | Why we use it | Data it receives | Where | Their policies |
|---|---|---|---|---|
| Firebase (Cloud Messaging, Crashlytics, Analytics) Google LLC | Delivering push notifications to the mobile apps, crash reporting and aggregate app analytics. | Device push token, device model and OS version, crash stack traces, pseudonymous app-usage events. | United States | Firebase Privacy and Security Google Privacy Policy |
AI provider
| Service & entity | Why we use it | Data it receives | Where | Their policies |
|---|---|---|---|---|
| Google Gemini API Google LLC | Generating AI assistance you explicitly request — drafting replies, composing posts, summarising conversations and answering business questions. | The prompt content you submit, which may include message text, business context and the reply history you choose to include. Paid Gemini API content is not used by Google to train its models. | United States | Gemini API Additional Terms Google Privacy Policy |
| OpenAI API OpenAI, L.L.C. / OpenAI Ireland Ltd. | Generating AI assistance you explicitly request, where the platform routes your request to this provider. | The prompt content you submit. OpenAI does not use data submitted through its API to train its models by default, and retains it only for a limited abuse-monitoring window. | United States | OpenAI API data usage policies OpenAI Privacy Policy |
Payment gateway
| Service & entity | Why we use it | Data it receives | Where | Their policies |
|---|---|---|---|---|
| Razorpay Razorpay Software Private Limited (India) | Collecting subscription, wallet top-up and usage payments, and — where you authorise a mandate — charging recurring subscription renewals. | Your name, email address, phone number, billing address, order amount and reference, and the payment-mandate token. Card numbers and CVV are captured by Razorpay on its own PCI-DSS certified infrastructure and are never received or stored by us. | India | Razorpay Terms of Use Razorpay Privacy Policy |
| PhonePe Payment Gateway PhonePe Private Limited (India) | Collecting UPI and card payments for subscriptions and wallet top-ups. | Your name, contact details, transaction amount and merchant transaction reference. Payment credentials are captured by PhonePe and are never received or stored by us. | India | PhonePe Terms & Conditions PhonePe Privacy Policy |
Hosting & storage
| Service & entity | Why we use it | Data it receives | Where | Their policies |
|---|---|---|---|---|
| MongoDB Atlas MongoDB, Inc. | Managed database hosting for all platform data. | All account and service data stored by the platform, encrypted in transit and at rest. | Contracted cloud region | MongoDB Privacy Policy |
Communications
| Service & entity | Why we use it | Data it receives | Where | Their policies |
|---|---|---|---|---|
| Transactional email (SMTP provider) The SMTP provider configured for the account | Delivering transactional email — sign-up verification, one-time passwords, invoices and service notices. | Recipient email address, message subject and body. | Provider-dependent | — |
Your own integrations
If you connect a service of your own through our API, webhooks or an outbound integration, that provider is your sub-processor, not ours, and its handling of the data you send it is governed by your agreement with it.
Governing law & jurisdiction
This document is governed by the laws of India. For operators in India this includes the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Consumer Protection Act, 2019. Where we serve customers in other jurisdictions we honour applicable local requirements, including the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to the extent they apply. Courts at India have exclusive jurisdiction, subject to any non-waivable consumer rights in your country of residence.
Contact us
WAAPI is operated by WAAPI. For any question about this document, contact us:
- Email: support@thewaapi.com
- Registered address: India