GoSendAPI GoSendAPI Cloud

Privacy Policy

Last updated: June 9, 2026

Related documents: Terms of Service · Acceptable Use Policy · Data Processing Agreement · Service Level Agreement · Data Deletion

1. Operator

GoSendAPI Cloud is operated by Gestic OR SA, a company incorporated in the Argentine Republic ("we", "the Operator"). This policy describes how we collect, use, store, and protect personal information in connection with our messaging service over the WhatsApp Business Cloud API of Meta Platforms, Inc.

2. Our role under data protection law

Under data protection regulations including Argentine Personal Data Protection Law 25.326, the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), the Brazilian LGPD, and equivalent regulations, GoSendAPI Cloud acts in two distinct roles:

  • As Data Controller: with respect to personal data of our integrating customers (account owners, billing contacts) that we collect directly to provide our service.
  • As Data Processor: with respect to personal data of end users (message recipients) that we process on behalf of our integrating customers. The integrating customer acts as the Data Controller of that end user data and decides which messages to send, for what purpose, and on what legal basis. We process such data only following the customer's documented instructions.

This distinction defines the responsibilities of each party regarding lawful basis, consent collection, data subject requests, retention, and incident response. For customers requiring a formal contractual document, see our Data Processing Agreement.

3. Data we collect

Depending on the user's role, we may process:

  • From integrating customers (businesses): company name, contact details, WhatsApp Business Account identifiers (WABA ID, Phone Number ID), API credentials, and encrypted tokens.
  • From end users (message recipients): phone number, content and metadata of exchanged messages (timestamp, delivery status), name if shared by the platform.
  • Technical data: API activity logs, IP addresses, session identifiers, errors, and operational metrics required to deliver the service.

4. Purposes of processing

  • Provision of message sending and receiving services through the WhatsApp Cloud API.
  • Maintaining traceability and operational auditing required by our integrating customers.
  • Compliance with Meta's policies and applicable law.
  • Service improvement, abuse prevention, and technical support.

5. End user opt-in (customer obligation)

Our integrating customers are obligated to obtain explicit opt-in from each end user before any message is sent. Opt-in must be collected through the customer's own channels — website forms, checkout flows, in-store collection, mobile app prompts — and must comply with applicable law and Meta's WhatsApp Business Messaging Policy. We do not collect opt-in on the customer's behalf, do not message individuals who have not opted in, and rely on the customer's representation that valid, current opt-in exists for every recipient. Customers must retain records of such opt-in and make them available to us or to Meta upon reasonable request. This obligation is also reflected in Section 8 of the Terms of Service and in the Acceptable Use Policy.

6. Sharing with third parties

We do not sell personal data. We may share information with:

  • Meta Platforms, Inc.: as intermediaries of the WhatsApp Cloud API, messages transit through Meta's infrastructure. The WhatsApp Privacy Policy applies.
  • Our integrating customers: messages and associated data are returned to the customer that originated the operation (for example, a healthcare provider using the platform).
  • Infrastructure providers: hosting, monitoring, and database services, under confidentiality agreements.
  • Authorities: when required by court order or legal demand.

7. Data retention

Messages and metadata are kept while the integrating customer's account is active, plus a period of up to 12 months for auditing and dispute resolution purposes. Technical logs rotate every 90 days. Customer account data is deleted 30 days after service cancellation, except where retention is legally required.

8. Security

We apply reasonable technical measures including encryption in transit (TLS), encryption at rest of sensitive credentials (AES-256-GCM), role-based access control, and anomalous activity monitoring. However, no system is 100% inviolable. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will notify the affected integrating customers and, where applicable, the competent supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR and equivalent provisions of other jurisdictions. Service availability commitments (uptime, incident response timing) are documented in our Service Level Agreement.

9. Data subject rights

Under Argentine Personal Data Protection Law 25.326, the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), the Brazilian LGPD, and equivalent regulations, data subjects have the right to:

  • Access: request a copy of the data we hold about the subject.
  • Rectification: correct inaccurate or incomplete data.
  • Deletion / erasure: request data deletion. See Data Deletion.
  • Restriction of processing: limit how we use the data.
  • Data portability: receive data in a machine-readable format (where applicable).
  • Objection: object to processing on legitimate grounds.
  • Withdraw consent: where processing is based on consent.

When we act as Data Processor on behalf of an integrating customer, requests from end users should first be directed to that customer; we will assist the customer in responding to such requests as required. Requests directed to us must be sent to contacto@gosendapi.com. We respond within a maximum of 30 days.

10. Cookies and similar technologies

This site (gosendapi.com) does not use tracking cookies. The operational platform may use strictly necessary technical cookies to maintain integrating customer sessions.

11. International transfers

Data may be processed on servers located outside Argentina, including Meta Platforms, Inc.'s infrastructure, in jurisdictions with data protection regulations deemed adequate. Where required by GDPR, transfers outside the EU are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards.

12. Minors

The service is directed to businesses and professionals. We do not knowingly collect data from individuals under 18.

13. Changes to this policy

We may update this policy. Changes will be published on this page with the last-updated date. Substantial changes will be notified by email to active customers.

14. Contact

For any inquiry about this policy or about personal data processing:
Gestic OR SA
Email: contacto@gosendapi.com
Argentine Republic