> ## Documentation Index
> Fetch the complete documentation index at: https://docs.apifycloud.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance

> Opt-in, opt-out, and what Meta considers a policy violation

WhatsApp is a permission-based channel. Meta polices it tightly and enforces
with quality-score penalties, tier drops, and number suspensions. This page
covers the rules you need to follow and how ApifyCloud helps you stay
within them.

<Warning>
  This page is operational guidance, not legal advice. Meta's Business and
  Commerce policies are the source of truth and change over time. Review
  them for your jurisdiction and use case.
</Warning>

## Opt-in

Opt-in is the foundation of a healthy WhatsApp channel. While the exact
rules depend on your jurisdiction and Meta's current policies, some
common patterns hold up well across audits and keep quality scores
healthy.

### Recommended practice

Ideally, an opt-in has:

* Some **affirmative action** from the user that shows they want to
  receive WhatsApp messages from you — a checkbox at signup, a reply
  keyword, a scanned QR, a signed form, etc.
* A **record** of what they opted in to (marketing, transactional, or
  both), roughly when, and through which surface
* Clear **up-front communication** of what they'll receive, in the
  language the opt-in was collected in

Relying on implicit signals alone (e.g., "they bought from us, so they
opted in") is riskier — if Meta or a regulator asks, you may not have
enough evidence to defend the send.

### Documenting opt-in

ApifyCloud doesn't enforce a specific storage format, but the following
tends to make audits and troubleshooting smoother:

* Keep opt-in proof in your source-of-truth system (CRM, billing,
  signup database) alongside the contact record
* When importing a contact list, consider including an `opt_in_source`
  and `opt_in_date` custom field on each row so it travels with the
  contact

## Opt-out

Opt-out is managed at the **app level**. A phone number added to the
app's opt-out list stops receiving **all** outbound messages from
that app — every campaign, every direct send, every flow-initiated
send.

You can add opt-outs in two ways:

* **One by one** — add a single phone number from the Opt-Out list view
* **Bulk import** — upload a file with many phone numbers at once via
  **Contact lists → Import Opt-Out**

Either way, the numbers don't need to belong to any existing contact
list — opt-out is independent from list membership.

## What counts as a policy violation

The WhatsApp Business Messaging Policy calls out several practices
that violate the terms of service and can lead to messaging
restrictions or account termination.

<Note>
  Authoritative source: [WhatsApp Business Messaging Policy](https://business.whatsapp.com/policy).
  This page paraphrases Meta's policy; the link above is the source of
  truth.
</Note>

<AccordionGroup>
  <Accordion title="Unsolicited contact without consent">
    Meta requires that you obtain the recipient's **explicit consent**
    and phone number before messaging them on WhatsApp. Contacting
    people who did not agree to receive your messages is a violation.
  </Accordion>

  <Accordion title="Ignoring block, stop, or cancel requests">
    You must respect all requests to block, interrupt, or cancel
    communications — whether the request is made on WhatsApp or
    through any other channel. Users must be removed from your
    contact lists without confusion or deception.
  </Accordion>

  <Accordion title="Impersonation or deceptive identity">
    You cannot use WhatsApp Business to impersonate another business
    or mislead users about your company's nature or affiliation.
  </Accordion>

  <Accordion title="Spam or deceptive messaging">
    You cannot confuse, deceive, defraud, or spam users with
    communications.
  </Accordion>

  <Accordion title="Unauthorized messaging at scale">
    Sending messages without the appropriate authorisation — for
    example, via an unsanctioned third-party list — violates the
    terms.
  </Accordion>

  <Accordion title="Template category mismatch">
    Separate from the Messaging Policy but worth noting: submitting a
    promotional offer as a Utility template (or vice versa) will be
    rejected or reclassified during template review. See
    [Template categories](/guides/whatsapp/template-categories).
  </Accordion>
</AccordionGroup>

## Prohibited content

Section 4 of the WhatsApp Business Messaging Policy lists categories
of products and services that organisations **cannot** buy, sell, or
promote through WhatsApp.

<Note>
  Authoritative source: [WhatsApp Business Messaging Policy — Prohibited Businesses](https://business.whatsapp.com/policy).
  Jurisdiction-specific rules may add further restrictions — always
  review Meta's current list and your local regulator.
</Note>

Prohibited categories, as listed in Meta's policy:

* Firearms
* Alcohol and tobacco
* Drugs, whether prescription, recreational, or otherwise
* Medical and healthcare products
* Endangered species (wildlife and plants)
* Live non-endangered animals excluding livestock
* Hazardous goods and materials
* Real, virtual, or fake currency, including ICOs and binary options
* Body parts or fluids
* Business models, goods, items, or services that Meta determines
  may be or are fraudulent, misleading, offensive, or deceptive, or
  may be or are exploitative, inappropriate, or exert undue pressure
  on targeted groups
* Real Money Gambling and Gaming (Online Gambling and Gaming is a
  subset — see the policy's Sections 5 and 6 for limited exceptions)
* Adult products and services
* Dating services
* Multi-level marketing
* Payday loans, paycheck advances, peer-to-peer lending, debt
  collection, and bail bonds

### Regulated industries with exceptions

Some categories are permitted in specific countries, under licence,
with restrictions on messaging features (e.g., no commerce features,
age-gating, no promotions to the general public). Examples include
Online Gambling and Gaming, over-the-counter pharmaceuticals, and
alcoholic beverages.

The exact country lists and conditions change over time. Consult
Meta's policy for the current set before launching content in these
categories.

## Data handling

* **Encryption**: contacts, messages, and template content are encrypted
  at rest, and all network traffic is over TLS.
* **Audit log**: every permission-sensitive action (template edits,
  contact imports, campaign launches, member changes, settings changes)
  is logged per app with actor, timestamp, and change detail. See the
  **Audit** tab of each app.
* **Retention**: message history follows your organisation's retention
  policy. Talk to your account contact if you need shorter retention for
  a regulated vertical.
* **Deletion**: removing a contact deletes the record; inbound messages
  tied to that contact remain in the conversation log unless explicitly
  purged.

## Roles and access

Each app has its own members and **custom roles** (configured in the
**Members** tab). A role is a set of permissions that control which
actions a user can perform inside the app — for example, sending
messages, launching campaigns, editing settings, managing opt-outs,
or publishing flows.

Assign the narrowest role each person needs for their work. A
support agent who only replies in conversations does not need the
same role as an administrator who manages templates and billing.

## What's next

<CardGroup cols={2}>
  <Card title="Quality and limits" href="/guides/whatsapp/quality-and-limits">
    How Meta enforces policy through quality and tier mechanics.
  </Card>

  <Card title="Per-user marketing limits" href="/guides/whatsapp/per-user-marketing-limits">
    The dynamic cap Meta applies per user on Marketing templates.
  </Card>
</CardGroup>
