WhatsApp compliance.

01Our BSP relationship

Depra is a Meta-onboarded ISV (Independent Software Vendor) for the WhatsApp Business Platform. We provision and manage WhatsApp Business Accounts on behalf of customers via the official Cloud API.

Customers retain ownership of their WhatsApp Business Account (WABA) and phone number assets. If you off-board from Depra, your WABA and phone numbers transfer with you - we do not lock them.

We do not resell WhatsApp messages or take a cut of conversation pricing. Conversation costs flow through at Meta's published rates, billed to the payment method on the WABA.

02Opt-in handling

Meta requires an opt-in for any business-initiated message sent over WhatsApp. We support three opt-in patterns: a Shopify checkbox at checkout, an opt-in flow inside an existing WhatsApp conversation, and a manual import where you certify written opt-in evidence (we keep the import receipt for audit).

Opt-ins are stored per-customer with timestamp, source, and the exact disclosure shown. We can produce a per-customer opt-in record if Meta requests evidence during a quality review.

Contacts who haven't opted in are blocked at the API layer for outbound business-initiated sends. The block is enforced by Depra; it is not a configuration the operator can disable.

Customer-initiated conversations (the customer messages your number first) do not require a prior opt-in - Meta treats them as implicit consent for the 24-hour service window.

03Template approval and policy

Outbound business-initiated messages outside the 24-hour service window must use a Meta-approved template. Depra ships with a set of pre-approved templates for each playbook (cart recovery, COD confirmation, NDR recovery, etc.) and you can author your own custom templates inside the dashboard.

Submitted templates go through Meta's review queue, which typically returns a verdict in minutes to hours. We surface the status (pending, approved, rejected, paused) on every template card.

Templates that get rejected most commonly fail on category mismatch (sending a marketing message under a utility category, for example) or for prohibited content. We suggest the likely cause and a fix when this happens.

We do not send promotional messages under utility or authentication categories. The category sent on the wire matches the category Meta approved for the template.

04The 24-hour customer-service window

Once a customer messages you, you have a 24-hour window during which you (or our AI) can send free-form replies - text, media, interactive buttons. After 24 hours of no inbound message, the window closes and only approved templates can be sent.

Depra computes window expiry per conversation (sessionExpiresAt) and disables the free-form reply box in the inbox when the window has closed. Operators see a banner explaining what's allowed.

The AI follows the same rule: if a playbook's outbound action would land outside the window, the playbook either uses an approved template or holds the action and waits for the next inbound message.

05Quality rating and pacing

Meta assigns each phone number a quality rating (Green/Yellow/Red) based on how recipients respond. Sustained Yellow or Red ratings can throttle or pause your messaging tier.

Depra surfaces the quality rating in the WhatsApp dashboard and pauses outbound campaigns automatically when a number drops to Red. We also alert the account owner and recommend remediation steps.

We rate-limit outbound broadcast fan-outs to stay under Meta's per-24h tier limits. New numbers start at the lowest tier (1,000 unique recipients/24h) and grow as quality stays Green; we honour that progression.

We do not bulk-import contacts of unknown provenance. Import flows ask for opt-in evidence and the flag is propagated downstream.

06Prohibited content and use

We follow Meta's Commerce Policy, Business Policy, and the country-specific carrier rules. The most commonly relevant prohibitions for our customers: no alcohol, tobacco, weapons, adult content, financial scams, multi-level marketing, or unapproved healthcare claims.

We do not facilitate sending to recipients in jurisdictions where the customer's product or message would violate local law.

Repeated policy violations can result in account suspension. We notify you before suspending and we provide a 7-day window to remediate where Meta's process allows.

07Customer responsibilities

You are responsible for the lawful basis (consent / contract / legitimate interest, depending on jurisdiction) under which you contact your customers. Depra enforces opt-in at the platform layer; you are responsible for the legal layer.

You are responsible for honouring opt-out requests. We surface STOP / unsubscribe replies and disable outbound messaging to that number until you re-establish consent.

You are responsible for the accuracy of business profile information (display name, address, category) on your WABA. Depra surfaces these fields in the dashboard but cannot validate truthfulness.

08Data flow and retention

WhatsApp message content (inbound and outbound) is stored in the AWS Mumbai region for as long as you retain it in the inbox, capped at the retention period in your subscription tier. Default retention is 12 months on Scale, configurable on Enterprise.

Phone numbers, names, and message content are processed under the DPA and the security controls listed at https://depra.ai/security.

We do not share WhatsApp message content with sub-processors outside the list at https://depra.ai/subprocessors. AI providers see only the conversation context the agent needs to formulate a reply, not the full inbox.

09Reporting and cooperation

If Meta opens a quality review on your number we cooperate fully and provide opt-in records, message logs, and template usage data on request.

If you suspect your account has been used in violation of WhatsApp policy by a third party (compromised credentials, shared workspace), email team@depra.ai and we will help investigate and lock the account.