DOC-04 / WHATSAPP-API

WhatsApp Business API Compliance

Cathalyst's compliance framework for operating the WhatsApp Business Platform (API).

01

Scope and Purpose

This document describes Cathalyst's compliance framework for using the WhatsApp Business Platform (API), as required by Meta Platforms Inc. and applicable data protection law. It applies to all automated and agent-assisted messaging sent through the API on behalf of Cathalyst or its clients. Cathalyst operates as both an API user for its own business communications and, where applicable, as a technology implementer for clients integrating the API into their own systems.

02

Opt-In Requirements

  • All recipients of API-initiated messages must have given explicit, documented opt-in consent before the first message is sent.
  • Opt-in must clearly identify Cathalyst (or the applicable client business) as the sender and describe the types of messages to be received.
  • Opt-in is obtained through one or more of the following: web forms with an explicit WhatsApp consent checkbox, in-app consent flows, verbal consent recorded and documented in CRM, or prior established business relationship with clear channel disclosure.
  • Double opt-in (confirmation message requiring user acknowledgment) is used for marketing-category messages.
  • Opt-in records are retained for a minimum of 2 years or the duration of the business relationship, whichever is longer.

03

Message Templates and Categories

  • All outbound API messages use pre-approved Meta message templates, organized into the following categories: Utility (transactional, service-related), Authentication (one-time codes), and Marketing (promotional content).
  • Templates are submitted for Meta review before use and are not modified after approval.
  • Marketing-category templates are only sent to contacts who have provided explicit marketing consent in addition to general WhatsApp consent.
  • Template content is truthful, clearly identifies the sender, and does not contain prohibited content as defined by Meta's Commerce and Business Policies.

04

Prohibited Content and Conduct

  • Cathalyst does not use the WhatsApp Business API to send spam, bulk unsolicited messages, or content that violates Meta's Acceptable Use Policy.
  • We do not send messages related to prohibited industries or content categories as defined by Meta (e.g., illegal products, adult content, weapons, gambling where restricted).
  • We do not use deceptive practices, impersonation, or misleading sender identification.
  • We do not attempt to circumvent Meta's message quality ratings or opt-out enforcement mechanisms.

05

Opt-Out Enforcement

  • All outbound messages include instructions for opting out (e.g., reply STOP or SAIR).
  • Opt-out requests are processed automatically within the messaging platform and confirmed within 24 hours.
  • Opted-out contacts are immediately added to suppression lists and will not receive further outbound API messages.
  • Suppression lists are maintained and synchronized across all systems using the API.
  • Users may also submit opt-out requests via email to hello@cathalyst.com.br.

06

Data Protection and LGPD Compliance

  • All personal data processed through the WhatsApp Business API — including phone numbers, message content, and interaction metadata — is treated in compliance with the LGPD (Lei nº 13.709/2018).
  • Processing is based on the legal bases of consent (Art. 7, I) and legitimate interest (Art. 7, IX) as applicable to each message category.
  • Data subjects can exercise their LGPD rights (access, correction, deletion, portability, objection) by contacting hello@cathalyst.com.br.
  • Personal data is not used for profiling or automated decision-making with significant effects without appropriate safeguards.

07

Data Retention

Message content and metadata are retained for the minimum period necessary to fulfill service obligations, resolve disputes, and comply with legal requirements. By default, conversation data is retained for 24 months. Data associated with concluded contracts is anonymized or deleted within 90 days following the retention period, unless required for legal or audit purposes.

08

Infrastructure and Business Solution Provider (BSP)

Cathalyst accesses the WhatsApp Business API through a Meta-authorized Business Solution Provider (BSP). The BSP is responsible for API infrastructure, uptime, and tier-1 compliance. Cathalyst remains responsible for message content, consent management, and compliance with these policies at the application layer. The identity of the BSP is available upon request.

09

Message Quality and Tier Management

  • Cathalyst actively monitors message quality ratings in the WhatsApp Business Manager dashboard.
  • We maintain a target Quality Rating of 'High' and take corrective action if ratings degrade.
  • Messaging limits are managed proactively to avoid throttling or account restrictions.
  • Feedback from recipients (blocks, reports) is reviewed regularly and used to improve messaging practices.

10

Incident Response

In the event of a data breach, unauthorized access, or significant compliance incident involving the WhatsApp Business API, Cathalyst will notify affected parties and relevant authorities in accordance with LGPD Article 48 timelines (72 hours for authority notification where required) and Meta's incident reporting requirements.

11

User Rights and Contact

To exercise your data rights, request information about how your data is processed through the WhatsApp Business API, or report a compliance concern, contact us at hello@cathalyst.com.br — Cathalyst Consultoria em Tecnologia Ltda., Porto Alegre, RS, Brasil. We aim to respond to all compliance inquiries within 5 business days.

CATHALYST — DOC-04 / WHATSAPP-API · Porto Alegre, BR