WHAM Privacy Policy

1. Entity Definition & Scope

WHAM is a Bangladeshi WhatsApp-based CRM and mass communication platform operated under the laws of Bangladesh, serving three tiers of users:

  • Tier 1 (Individual Consumers): Private citizens who opt-in to receive communications from verified businesses or government entities through WhatsApp.
  • Tier 2 (Business Entities): All commercial entities ranging from multinational to SMEs and micro-enterprises (e.g., home-based sellers), registered with the Bangladesh Registrar of Joint Stock Companies (RJSC) or equivalent authorities.
  • Tier 3 (Government & Public Entities): Ministries, departments, and affiliated agencies of the Government of Bangladesh (e.g., DGHS, City Corporations), as well as registered NGOs (e.g., BRAC) collaborating on public welfare initiatives.

3. Data Utilization & Cross-Tier Interactions

Tier   | Primary Use Case                                                        | Cross-Tier Data Flow
Tier 1 | Receiving personalized offers or public alerts (e.g., flood warnings).  | Data shared with Tier 2/3 only via WHAM’s encrypted relay – no direct access.
Tier 2 | Running targeted campaigns.                                             | Receives aggregated consumer trends (e.g., "20% of Tier 1 users in Dhaka prefer evening promotions").
Tier 3 | Disseminating critical updates (e.g., cyclone alerts by BMD).           | Zero access to Tier 1/2 databases; messages routed via government-dedicated API channels.

5. User Rights & Enforcement

Tier 1 Rights:

  • Withdrawal of Consent: Send "STOP" to +880XXXXXXX; full data purging within 72 hours.
  • Grievance Redressal: Complaints escalated to Bangladesh Cyber Tribunal within 30 days.

Tier 2 Obligations:

  • Data Portability: Download customer engagement reports in CSV format (GDPR Article 20 alignment).
  • Breach Notification: Mandatory disclosure to WHAM’s DPO within 48 hours of detecting a leak.

Tier 3 Protocols:

  • National Security Overrides: Bypass standard retention policies for counter-terrorism investigations (DSA 2018, Section 43).

Tier 2 (Business) Messaging Policy

5.1 Message Sending Permissions & Liabilities

  1. Permitted Recipients
    Tier 2 businesses may only message:
    • Existing customers: Users who have:
      • Previously transacted with the business (via invoice/order records).
      • Voluntarily shared their number (e.g., at point-of-sale with written consent).
    • Service subscribers: Users who actively opted in (e.g., checked "Receive Offers" during checkout).
  2. Prohibited Messaging
    • Purchased/third-party contact lists (violates Bangladesh’s Personal Data Protection Act 2023, Section 8).
    • Non-customer numbers scraped from social media/public directories.
  3. Business Responsibilities
    • Consent Proof: Must retain verifiable opt-in records (e.g., SMS logs, signed forms) for 3 years.
    • Compliance Audits: WHAM may request evidence of recipient consent; failure to provide results in account suspension.

5.2 WHAM’s Limited Liability

  1. No Enforcement Role
    • WHAM does not:
      • Verify individual recipient consent for Tier 2 messages.
      • Mediate disputes over unsolicited messages (e.g., "STOP" ignored by business).
    • Businesses alone bear legal responsibility for violations (e.g., BTRC fines under Telecom Act 2001, Section 71).
  2. Rejection of Liability
    • WHAM is not liable for:
      • Businesses messaging unverified contacts.
      • Recipient complaints to regulatory bodies (e.g., Bangladesh Cyber Tribunal).
    • Tier 2 must indemnify WHAM against penalties arising from their misuse (Terms of Service, Clause 12.4).

5.3 User Protections

  • Mandatory Opt-Out:
    • All Tier 2 messages include:
      "Reply STOP to unsubscribe. Msg & data rates may apply."
    • Businesses must process opt-outs within 24 hours.
  • WHAM’s Blacklisting:
    • Repeat violators (≥3 complaints) are permanently banned and reported to BTRC.

Compliance Addendum

  • Tier 2 Onboarding:
    Businesses must sign an Acknowledgment Form confirming:
    ✅ Understanding of consent requirements.
    ✅ Acceptance of full legal liability.
  • Regulatory Alignment:
    • Bangladesh ICT Policy 2018: Prohibits commercial spam.
    • Meta’s WhatsApp Business Policy: Bans unauthorized messaging.


7. Policy Updates & Compliance Calendar

  • Version Control:
    • Tier 1/2: Notified via WhatsApp broadcast 14 days pre-implementation.
    • Tier 3: Requires Gazette Notification + stakeholder consultations.
  • Annual Audits: Conducted by PwC Bangladesh against ISO 27001:2022 standards.

Contact Framework

  • Tier 1/2:
    +880XXX-XXXXXX (9AM–10PM) | legal@getwham.net
  • Tier 3 (Priority Channel):
    +880XXX-XXXXXX (24/7) | Secure portal: gov.getwham.net

Compliance Addendum

  • Transparency Logs:
    • All Tier 3 message deliveries are logged in a BTRC-auditable system with:
      • Timestamp, sender ID, message type (critical/non-critical).
      • Consumer opt-out status (where applicable).
  • Redressal Mechanism:
    • False flagging of messages as "critical" may be reported to gov.compliance@getwham.net (24-hour response window).

2. Data Collection Protocols by Tier

Tier 1 (Consumer Data):

  • Collected Data:
    • Mobile number (verified via WhatsApp’s OTP authentication).
    • Opt-in timestamp and campaign interaction metadata (e.g., message open rates, response patterns).
    • Explicitly Excluded:
      • Contact lists, private chats, or any off-platform data.
      • Location data (unless voluntarily shared for hyper-local campaigns like emergency alerts).

Tier 2 (Business Data):

  • Collected Data:
    • Business registration details (Trade License, TIN, BIN).
    • Campaign performance metrics (delivery receipts, conversion rates).
    • Payment records (for WHAM Pro subscriptions, processed via SSL-encrypted Bangladeshi gateways like bKash/SSLCommerz).
  • Data Retention:
    • 3 years post-account closure (per Bangladesh Income Tax Act 2023).

Tier 3 (Government Data):

  • Collected Data:
    • Official entity credentials (e.g., Ministry of Health approval for COVID-19 alerts).
    • Public service datasets (vaccination schedules, disaster warnings) – stored in isolated, FIPS 140-2 compliant servers.
  • Audit Requirements:
    • Quarterly third-party audits (as per Digital Security Act 2018, Section 42).

4. Data Sharing & Third-Party Compliance

  • Domestic Partners:
    • Shared with Bangladesh Bank-approved payment processors (for Tier 2 subscriptions).
    • BTRC-regulated telecom providers (for SMS fallback during outages).
  • International Vendors:
    • AWS Singapore (with data localization clauses per Bangladesh ICT Policy 2018).
  • Government Requests:
    • Tier 3 data may be disclosed to Cabinet Division-approved bodies under Official Secrets Act 1923.

Government (Tier 3) Communications Policy

4.1 Message Delivery from Government Entities

  1. Unsubscription Exemption for Critical Alerts
    • Tier 1 (Consumers) and Tier 2 (Businesses) cannot opt out of messages sent by verified Tier 3 (Government/NGO) entities when classified as:
      • National emergency alerts (e.g., natural disasters, pandemics under DGHS guidelines).
      • Public service mandates (e.g., tax notices by NBR, election updates by EC).
    • All other non-critical Tier 3 messages (e.g., awareness campaigns) follow standard opt-out rules.
  2. Number Sourcing & Verification
    • Tier 3 entities must use government-issued number pools (e.g., +88015XX-XXXXXX for BMD weather alerts).
    • WHAM validates all Tier 3 sender IDs through:
      • MOU with a2i (Access to Information Programme).
      • BTRC’s National Numbering Plan cross-checks.
  3. Strict Data Isolation
    • Government-supplied numbers are never:
      • Added to commercial (Tier 2) contact databases.
      • Used for profiling or analytics by non-government tiers.
      • Retained beyond the campaign period unless legally required (e.g., DSA 2018 archives).

4.2 Prohibited Data Sharing

  • With Other Tiers:
    • Tier 1 numbers receiving Tier 3 messages are masked (e.g., shown as +8801XXX**4567 in Tier 2 dashboards).
    • Tier 2 businesses cannot target users based on Tier 3 interaction history.
  • With External Parties:
    • Violations incur penalties under:
      • Digital Security Act 2018, Section 32 (5-year imprisonment for unauthorized sharing).
      • WHAM’s Government MOU termination.

6. Security Measures

  • Encryption:
    • End-to-end AES-256 for all WhatsApp messages.
    • Hardware Security Modules (HSMs) for Tier 3 data.
  • Access Controls:
    • Tier 2: Role-based dashboards (e.g., "Admin", "Analyst").
    • Tier 3: Biometric authentication + two-person rule for sensitive operations.