Compliance

Documentation Index

Fetch the complete documentation index at: https://docs.apifycloud.io/llms.txt

Use this file to discover all available pages before exploring further.

WhatsApp is a permission-based channel. Meta polices it tightly and enforces with quality-score penalties, tier drops, and number suspensions. This page covers the rules you need to follow and how ApifyCloud helps you stay within them.

​

Opt-in

Opt-in is the foundation of a healthy WhatsApp channel. While the exact rules depend on your jurisdiction and Meta’s current policies, some common patterns hold up well across audits and keep quality scores healthy.

​

Recommended practice

Ideally, an opt-in has:

• Some affirmative action from the user that shows they want to receive WhatsApp messages from you — a checkbox at signup, a reply keyword, a scanned QR, a signed form, etc.
• A record of what they opted in to (marketing, transactional, or both), roughly when, and through which surface
• Clear up-front communication of what they’ll receive, in the language the opt-in was collected in

Relying on implicit signals alone (e.g., “they bought from us, so they opted in”) is riskier — if Meta or a regulator asks, you may not have enough evidence to defend the send.

​

Documenting opt-in

ApifyCloud doesn’t enforce a specific storage format, but the following tends to make audits and troubleshooting smoother:

• Keep opt-in proof in your source-of-truth system (CRM, billing, signup database) alongside the contact record
• When importing a contact list, consider including an opt_in_source and opt_in_date custom field on each row so it travels with the contact

​

Opt-out

Opt-out is managed at the app level. A phone number added to the app’s opt-out list stops receiving all outbound messages from that app — every campaign, every direct send, every flow-initiated send. You can add opt-outs in two ways:

• One by one — add a single phone number from the Opt-Out list view
• Bulk import — upload a file with many phone numbers at once via Contact lists → Import Opt-Out

Either way, the numbers don’t need to belong to any existing contact list — opt-out is independent from list membership.

​

What counts as a policy violation

The WhatsApp Business Messaging Policy calls out several practices that violate the terms of service and can lead to messaging restrictions or account termination.

​

Prohibited content

Section 4 of the WhatsApp Business Messaging Policy lists categories of products and services that organisations cannot buy, sell, or promote through WhatsApp. Prohibited categories, as listed in Meta’s policy:

• Firearms
• Alcohol and tobacco
• Drugs, whether prescription, recreational, or otherwise
• Medical and healthcare products
• Endangered species (wildlife and plants)
• Live non-endangered animals excluding livestock
• Hazardous goods and materials
• Real, virtual, or fake currency, including ICOs and binary options
• Body parts or fluids
• Business models, goods, items, or services that Meta determines may be or are fraudulent, misleading, offensive, or deceptive, or may be or are exploitative, inappropriate, or exert undue pressure on targeted groups
• Real Money Gambling and Gaming (Online Gambling and Gaming is a subset — see the policy’s Sections 5 and 6 for limited exceptions)
• Adult products and services
• Dating services
• Multi-level marketing
• Payday loans, paycheck advances, peer-to-peer lending, debt collection, and bail bonds

​

Regulated industries with exceptions

Some categories are permitted in specific countries, under licence, with restrictions on messaging features (e.g., no commerce features, age-gating, no promotions to the general public). Examples include Online Gambling and Gaming, over-the-counter pharmaceuticals, and alcoholic beverages. The exact country lists and conditions change over time. Consult Meta’s policy for the current set before launching content in these categories.

​

Data handling

• Encryption: contacts, messages, and template content are encrypted at rest, and all network traffic is over TLS.
• Audit log: every permission-sensitive action (template edits, contact imports, campaign launches, member changes, settings changes) is logged per app with actor, timestamp, and change detail. See the Audit tab of each app.
• Retention: message history follows your organisation’s retention policy. Talk to your account contact if you need shorter retention for a regulated vertical.
• Deletion: removing a contact deletes the record; inbound messages tied to that contact remain in the conversation log unless explicitly purged.

​

Roles and access

Each app has its own members and custom roles (configured in the Members tab). A role is a set of permissions that control which actions a user can perform inside the app — for example, sending messages, launching campaigns, editing settings, managing opt-outs, or publishing flows. Assign the narrowest role each person needs for their work. A support agent who only replies in conversations does not need the same role as an administrator who manages templates and billing.

​

What’s next