Verdict

EXHIBIT A

WhatsApp.

"end-to-end encrypted. metadata: sold."

Your messages are encrypted — WhatsApp genuinely cannot read them. But everything else — who you talk to, when, how often, your entire contact list, device fingerprint, and location — goes straight to Meta §3 and feeds their ad-targeting machine on Facebook and Instagram. Government requests get your full metadata on good-faith belief alone — no warrant required §6.

Messaging

Analyzed: 2026-05-24

§2 · The short version

TL;DR — 8 answers.

The eight things you actually want to know, at a glance.

TL;DR — 8 answers D

YES Do they sell your data?

NO Are they tracking you on other sites?

~ Can your data train their AI?

~ Who can see what you do?

~ Can you delete everything?

NO Do they honor your opt-out?

~ Special handling for minors?

YES Been fined for this before?

§3 · The details

The questions, answered.

No legalese. Every answer the way your most cynical friend would put it.

YES

§3

Do they sell your data?

Not in name. But your contact list, social graph, and usage patterns go to Meta — and Meta uses them for targeted ads on Facebook and Instagram. Same outcome, different word.

§3

Are they tracking you on other sites?

WhatsApp itself doesn't run cross-site trackers. But your data feeds Meta's cross-platform ad graph, which does. The laundry gets done — just one building over.

COND.

§5

Can your data train their AI?

Using AI at Meta features? Your data goes to Meta for AI. The policy says "to support AI features" — whether that includes model training is deliberately vague. No opt-out described.

COND.

§3

Who can see what you do?

Message content: no one but you and the recipient. Message metadata (who, when, how often): Meta always · governments on good-faith request · businesses you message: everything.

COND.

§8

Can you delete everything?

Deleting the app does not delete your data. You must use the in-app 'delete my account' flow. After that, metadata and logs are retained for an undefined "necessary" period.

§8

Do they honor your opt-out?

No GPC support. No opt-out from Meta data sharing (it's framed as operational, not optional). CCPA rights exist but are buried in a separate document most users never see.

COND.

§7

Special handling for minors?

Minimum age is 13 (16 in EU) — but that's in the Terms, not the privacy policy. The policy mentions under-18s only in the context of "legitimate interests" legal basis, not enhanced protection.

YES

§9

Been fined for this before?

€225M GDPR fine (2021) — second largest in GDPR history — for opacity about exactly this: data shared with Meta. Italy, UK, Germany, Turkey, and Brazil also investigated or fined.

§3 · The privacy card

At a glance, honestly.

Eight signals, color-coded. Like a model card for a machine — except the machine is reading your data.

Privacy Card · WhatsApp · Analyzed 2026-05-24

Data sold / shared YES MIXED

Cross-site tracking UNKNOWN MIXED

AI training YES opt-out: unavailable

Deletion right AVAIL. GOOD

GPC honored NO BAD

Keeps forever? YES BAD

Child protections COND. MIXED

Automated decisions YES human review: no

Collects

Identifiers, Contact Info, Location, Usage Data, Device Info +3 more

Shares with

Meta Companies, Third-party businesses, Government, Acquirers

§5 · The label they should have shown you

The Privacy Label, honestly.

An Apple-style label for what's collected and a Cranor-style back-of-pack for what they do with it. Every cell links to the exact line in their policy.

WHATSAPP — DATA COLLECTED

PER APPLE PRIVACY-LABEL TAXONOMY ↗

● USED TO TRACK YOU

Data shared with third parties for cross-property tracking.

Identifiers §2

Phone number · Device ID · Advertising ID · IP address

Usage Data §2

Who you message · When · How often · Call duration · Online status · Last seen

◐ LINKED TO YOU

Tied to your identity and stored against your account.

Contact Info §2

Your full contact list (uploaded) · Profile name · About info

Location §2

Precise location (optional) · Coarse location via IP

Device Info §2

Hardware model · OS · Battery level · Signal strength · App version

User Content §2

Status updates · Profile photos · Group names

Financial §2

Payment method · Transaction amount · Shipping details

○ NOT LINKED TO YOU

Aggregated, supposedly anonymous.

Messages §1

Content: end-to-end encrypted (not readable by WhatsApp)

↓ BACK OF LABEL · WHAT THEY DO WITH IT (CRANOR FRAMEWORK)

Purposes

Advertising (via Meta), Analytics, Safety / CSAM detection, Product improvement. §3

4+ stated purposes. The interesting ones are buried in §7.

Sold or shared?

Yes. Meta Companies, Third-party businesses, Government, Acquirers. §3

"We don't sell data" is technically true and substantively false.

Retention

Indefinite, with caveats. §8

Messages: deleted on delivery or after 30 days if undelivered. Metadata: "as long as necessary" — undefined maximum.

User controls

Deletion: Available · Opt-out: Unavailable §8

Delete works. Opting out of inference does not exist.

Honors GPC?

No. §8

Global Privacy Control browser signal: ignored.

Automated decisions

Yes. No human review. §5

Content ranking in Status/Channels · Account suspension. All algorithmic.

AI training on your data

Yes. No opt-out. §5

Your public posts/photos train commercial models.

Children's data

Under 13 blocked · 13–17 limited §8

Ad targeting paused for teens, but content profile still kept.

Breach disclosure

"As required by law." §15.3

Translation: the bare minimum legal window in your jurisdiction.

§5 · The receipts

The receipts, translated.

Five of the worst clauses, lifted verbatim. Strikethroughs are theirs. Marginalia is ours.

WHATSAPP PRIVACY POLICY · "HOW WE WORK WITH OTHER META COMPANIES" §3

improving their services and your experiences using them, such as making suggestions for you (for example, of friends or group connections, or of interesting content), personalizing features and content, helping you complete purchases and transactions, and showing relevant offers and ads across the Meta Company Products ↑ there it is. your WhatsApp data serves you ads on Facebook.

ADS. ALWAYS.

WHATSAPP PRIVACY POLICY · "LAW, OUR RIGHTS, AND PROTECTION" §6

We access, preserve, and share your information described in the 'Information We Collect' section of this Privacy Policy above if we have a good-faith belief ↑ self-assessed. no court order required. that it is necessary to: (a) respond pursuant to applicable law or regulations, legal process, or government requests "government requests" — not "lawful orders"

NO WARRANT NEEDED

WHATSAPP PRIVACY POLICY · "INFORMATION YOU AND WE SHARE" §4

Users, including businesses, with whom you communicate can store or reshare your information (including your messages) ↑ E2E encryption does NOT protect business chats with others on and off our Services.

BUSINESS CHATS: EXPOSED

WHATSAPP PRIVACY POLICY · "MANAGING AND RETAINING YOUR INFORMATION" §8

We store information for as long as necessary "necessary" = whatever we decide for the purposes identified in this Privacy Policy. purposes = everything. indefinitely. Be mindful that if you only delete WhatsApp from your device without using our in-app delete my account feature, your information will be stored with us for a longer period. "longer period" = undefined

DELETE ≠ DELETE

WHATSAPP PRIVACY POLICY · "ASSIGNMENT, CHANGE OF CONTROL, AND TRANSFER" §10

In the event that we are involved in a merger, acquisition, restructuring, bankruptcy, or sale of all or some of our assets, "some of our assets" = your data is an asset we will share your information with the successor entities or new owners in connection with the transaction in accordance with applicable data protection laws. new owner could be a data broker or foreign state-controlled entity

YOUR DATA = ASSET

§6 · The deceptive design

Dark patterns spotted.

Tricks the policy and surrounding UX use to make you "consent" without really consenting.

"No ads" misdirection

§3

WhatsApp prominently states "We do not allow third-party banner ads" — a straw man. Ads appear in Status/Channels, and more critically, your data feeds Meta's ad-targeting engine for Facebook and Instagram.

"We still do not allow third-party banner ads on our Services. We have no intention to introduce them.

Buried ad-graph integration

§3

The admission that WhatsApp data powers Meta ads is buried as a subordinate clause in a benefits list. There is no section titled "How Your Data Is Used For Advertising."

"…showing relevant offers and ads across the Meta Company Products

Silent data persistence on app delete

§8

Deleting the app from your phone does not delete your data — you must use a specific in-app flow. This critical fact is mentioned once, in passing, with no disclosure of how much longer data is retained.

"if you only delete WhatsApp from your device without using our in-app delete my account feature, your information will be stored with us for a longer period.

No opt-out from Meta data sharing

§3

Data sharing with Meta Companies is framed as operational infrastructure, not a consent choice. There is no toggle, no granular opt-out, no way to use WhatsApp without feeding Meta's systems.

"As part of the Meta Companies, WhatsApp receives information from, and shares information with, the other Meta Companies.

E2E encryption as privacy shield

§1

End-to-end encryption is real and significant — but it only covers message content. WhatsApp leads with this fact to deflect scrutiny from the extensive metadata, contact, and behavioral data collection that is not encrypted and flows freely to Meta.

"End-to-end encryption means that your messages are encrypted to protect against us and third parties from reading them.

CCPA rights hidden in separate document

§9

Consumer rights under California law (including the right to opt out of data sale) are segregated into a separate US Regional Privacy Notice linked at the bottom. The main policy gives no hint these rights exist.

"For more information about your privacy rights under US state privacy laws, please see our US Regional Privacy Notice.

§7 · What you can actually do

Your rights, by where you live.

Same company, wildly different rights depending on your jurisdiction. Direct links to the specific opt-out / delete / access flows.

EU / EEA (GDPR)

DIFFICULTY: MEDIUM

✓ Right of access
✓ Right to rectification
✓ Right to erasure
✓ Right to data portability
✓ Right to object to legitimate interests processing
✓ Right to withdraw consent

REQUEST →

Source: §7

California (CCPA / CPRA)

DIFFICULTY: HARD

✓ Right to know what is collected
✓ Right to delete
✓ Right to opt-out of sale / sharing
✓ Right to correct
✓ Right to limit use of sensitive info

REQUEST →

Source: §9

Default (rest of world)

DIFFICULTY: NIGHTMARE

✓ Account deletion via in-app flow
✓ Data portability via 'Request Account Info'
✓ No statutory rights enforceable
✓ No opt-out from Meta data sharing

REQUEST →

Source: §8

§8 · Receipts

The actual sources.

Every claim above is anchored to a line in the policy we analyzed. Click any section ID to view it in context.

ANALYZED BY: claude-sonnet-4-6 · PROMPT VERSION: honest-policy-v1.3 · ANALYZED AT: 2026-05-24T18:00Z
SOURCE: https://www.whatsapp.com/legal/privacy-policy/ · POLICY VERSION: 2024-01-04 · SNAPSHOT HASH:

§1

End-to-end encryption

"End-to-end encryption means that your messages are encrypted to protect against us and third parties from reading them."

Original → Snapshot →
§2

Information We Collect

"We collect device and connection-specific information when you install, access, or use our Services."

Original → Snapshot →
§3

How We Work With Other Meta Companies

"…showing relevant offers and ads across the Meta Company Products"

Original → Snapshot →
§4

Information You And We Share

"Users, including businesses, with whom you communicate can store or reshare your information (including your messages) with others on and off our Services."

Original → Snapshot →
§5

AI at Meta features

"If you choose to use AI at Meta through WhatsApp, Meta receives…device and connection information…to support the provision of AI at Meta features."

Original → Snapshot →
§6

Law, Our Rights, And Protection

"We access, preserve, and share your information…if we have a good-faith belief that it is necessary to: (a) respond pursuant to applicable law or regulations, legal process, or government requests"

Original → Snapshot →
§7

EEA user rights (GDPR)

"If you are located in the European Economic Area…you have the right to access, rectify, port and erase your information and the right to restrict and object to certain processing of your information."

Original → Snapshot →
§8

Managing And Retaining Your Information

"We store information for as long as necessary for the purposes identified in this Privacy Policy."

Original → Snapshot →
§9

US Regional Privacy Notice / regulatory history

"For more information about your privacy rights under US state privacy laws, please see our US Regional Privacy Notice."

Original → Snapshot →
§10

Assignment, Change of Control, and Transfer

"In the event that we are involved in a merger, acquisition, restructuring, bankruptcy, or sale of all or some of our assets, we will share your information with the successor entities or new owners."

Original → Snapshot →