WhatsApp has updated its payments privacy policy and has ensured that parent company Facebook will not store any data pertaining to payments, it has also confirmed that its payments feature is built on parent Facebook’s payments infrastructure.

In an update to its terms of service and privacy policy on payments, WhatsApp has made several clarifications with regard to information that is collected when one agrees to use its payments feature. The company said that it has limited visibility on the Indian consumer’s banking details. The company also allayed fears by clearly stating that it does not have access to the user’s UPI PIN, which is used to authenticate transactions, as the PIN is encrypted by software provided by the National Payment Corporation of India (NPCI). It has said that it only collects the UPI PIN to enable payments.

We do not retain Customer Payment Sensitive Data (partial debit card number, expiry date, PIN, OTP, or BHIM UPI PIN). WhatsApp does not have access to the BHIM UPI PIN because it is encrypted by Common Library (CL) software provided by National Payment Corporation of India.

With regard to data collection by Facebook, WhatsApp said that it “works with service providers including Facebook” to send payment instructions, maintain transaction history, provide customer support, and “keep our services safe and secure.” It again clarifies that Facebook has no access to the UPI PIN as it is encrypted.

In conformance with our relationship with PSPs, WhatsApp works with service providers including Facebook. To send payment instructions to PSPs; maintain your transaction history; provide customer support; improve, understand, customize, support, and market Payments; and keep our Services safe and secure, including to detect, prevent, or otherwise address fraud, safety, security, abuse, or other misconduct, we share information we collect under this Payments Privacy Policy with service providers including Facebook. Facebook will have no access to encrypted BHIM UPI transaction information in clear format.Facebook will have no access to encrypted BHIM UPI transaction information in clear format.

An earlier version of the company’s own payments privacy policy stated “we share information we collect under this Payments Privacy Policy with third-party service providers including Facebook,” and “To provide Payments to you, we share information with third-party services including PSPs, such as your mobile phone number, registration information, device identifiers, VPAs (virtual payments addresses), the sender’s UPI PIN, and payment amount.” After this was reported, WhatsApp almost immediately had issued a statement stating that it does not “does not use WhatsApp payment information for commercial purposes, it simply helps pass the necessary payment information to the bank partner and NPCI.” (Read more about this development here.) Notice that the older privacy policy mentioned exactly what PSPs and third-parties collect (such as mobile number, registration number, VPAs, the sender’s UPI PIN, and payment amount.) The new policy update simply says that Facebook does not collect the UPI PIN. It is unclear if/how exactly the other info is collected or retained. We will have to wait for more clarity as WhatsApp has specifically mentioned that the terms of service and privacy policy for WhatsApp payments will be updated.

Remember that in the beginning of June, the company delayed the full rollout of the payments service for 200 million Indian users due to concerns over how Facebook stores users’ data as well as over RBI’s norms on data storage. The beta test began in months ago, in February. Now, the company has said in a press release that it “look[s] forward to expanding WhatsApp payments soon”

24-hour customer support

The payments service will provide 24-hour customer support after a full launch is made. Support will be provided through e-mail as well as a toll-free number, a WhatsApp spokesperson told reporters. Customer support will be available in English as well as three Indian languages — Hindi, Marathi and Gujarati. However, the official declined to comment on the launch dates and other details.

The spokesperson added that while users can connect with WhatsApp for queries related to the payments offering, they would have to reach out to their banks for any dispute resolution. The new policy also states that all payments are final and non-refundable. Additionally, it states, “WhatsApp is not liable for unauthorized transactions. We assume no responsibility for the underlying transaction of funds, or the actions or identity of any transfer recipient or sender.”

WhatsApp Payments’ saga with UPI, privacy, and Facebook

  • The launch of WhatsApp Payments has reportedly been delayed in June as parent company Facebook battles concerns over privacy with regard to how users data will be stored and shared. The RBI was concerned about data localisation and storage, and there were doubts about the privacy of users, as WhatsApp is owned by Facebook, which was rocked by the unforgettable Cambridge Analytica scandal.
  • In May, the chief executive and co-founder of WhatsApp, Jan Koum quit the company over disagreements (with parent Facebook) about privacy and encryption. A Washington Post report noted that the founders “clashed with Facebook over building a mobile payments system on WhatsApp in India.” MediaNama speculated that the concerns of the WhatsApp founders may have stemmed from the fact that while all messaging on WhatsApp is end-to-end encrypted the payments service is not, by design. This meant that third parties and government agencies may have access to data regarding all payments made via the chat platform. Soon after, it was reported that WhatsApp shares crucial payments information such as VPAs and UPI PINs with third-parties, including Facebook. WhatsApp had responded to this revelation by saying that Facebook does not use WhatsApp payment information for commercial purposes. Read more here.
  • In March, Whatsapp tweaked its payments interface to make the ‘send to UPI ID’ option more visible and accessible. However, that did not really seem to work. Read our full report here.