Does Facebook have access to WhatsApp Pay?
It is unclear what sort of data Facebook will or may receive from WhatsApp on its users’ UPI payments. The blog is fairly vague when it says that Facebook doesn’t have access to encyrpted UPI transaction data in a clear format, but adds that “When we share information with service providers, we require them to use your information on our behalf in accordance with our instructions, terms, and applicable law.”
What information is collected?
- Customer details: The company has access to the user’s UPI virtual payment address (VPA) or ID, but it does not store the UPI PIN and does not store customer payment sensitive information such as the one-time password (OTP), full account number, or any debit card details.
- Payment information: For UPI payments, WhatsApp Pay will require the sender’s VPA, receiver’s VPA, phone number, payment amount, currency, date, time and transaction number. “When the sender makes a payment to a WhatsApp contact, we collect account and transaction information, including the sender’s and receiver’s names and BHIM UPI IDs,” the blog said.
- Information from service providers: WhatsApp India says it works with service providers like WhatsApp Inc. and other Facebook companies to operate, improve, customize, support, and market payments in a secure manner. “We work with companies to assist with customer support, and we receive information from them that you provide over the phone or email,” it said.
- Information from banks and NPCI: Payment service provider banks and National Payments Corporation of India (NPCI) provide information to WhatsApp about the user, their financial acccounts and payment transactions. “For example, we may receive information about you or your transactions from a PSP bank, including information to confirm your registration, the payment sender’s or receiver’s name, account information and status, balance sufficiency, transaction and account identifiers, risk or fraud alerts, and the like,” it said. The information shared between UPI users and the bank is subject to privacy policies of the banks, it added.
How is this data used?
The company says that all the information it receives goes back to improve, customize, support and market its services, which in the payments space usually means protecting users from fraud, abuse and misconduct.
“WhatsApp India works with the other Facebook Companies, including Facebook Inc. (“Facebook”) and WhatsApp Inc., to provide Payments, including to send payment instructions to PSP banks. We also use the information to customize, market and improve Payments, including cross-selling, promotions, providing value-added services and other NPCI approved purposes, and in accordance with applicable law,” it said.
It is important to note that since WhatsApp Pay and its bank partners are subject to regulations set by the RBI and the NPCI, much of the information and data fields collected by WhatsApp is fairly standard across all third-party UPI mobile apps. However, the clear conflict in the case of WhatsApp is the ability for the messaging service to share anonymous aggregated data or meta-data with its “affiliates” and other Facebook-owned platforms.
What do the liability clauses say?
WhatsApp India says it will not be liable for any profits or loss occurring through the payment transaction and that its aggregate liability will not exceed ₹1,000. “WhatsApp does not have control over the payment and therefore cannot provide refunds or facilitate chargebacks. WhatsApp is not liable for errors caused by the PSP, your or other banks processing the transactions, or NPCI, or for unauthorized transactions. We assume no responsibility for the underlying transaction of funds, or the actions or identity of any transfer recipient or sender,” according to the WhatsApp India Payments Terms of Service,” it said.
- ‘Govt should ban WhatsApp Pay for privacy violations’, says Atmanirbhar Digital India Foundation: Report
- WhatsApp Users Get Prompt To Accept New Terms Of Service, Privacy Policies