WhatSMS

GDPR — Data Protection

Last updated: April 22, 2026

WhatSMS was built with GDPR compliance as a core requirement, not an afterthought. Your customers' data stays on servers in the European Union and is never shared for commercial purposes.

1. Controller and processor

When using WhatSMS to communicate with your customers, your company acts as the Data Controller of your customers' personal data. Evidente Despertar, Lda. acts as the Data Processor, processing that data exclusively to provide the contracted service.

This distinction is important: your customers' data belongs to you. We are just the technical intermediary.

2. Data Processing Agreement (DPA)

Under Article 28 of the GDPR, we provide a Data Processing Agreement to formalize the relationship between Controller and Processor.

To request the DPA, send an email to with the subject "DPA Request — [company name]".

3. Data location and security

  • Servers in the EU: All infrastructure is hosted on servers located in the European Union (Germany/Hetzner). There are no data transfers to third countries.
  • Encryption in transit: All communications use TLS 1.3. HTTP connections are redirected to HTTPS.
  • Encryption at rest: Databases and backups are encrypted at rest.
  • Multi-tenant isolation: Each company has its data completely isolated. There is no data sharing between tenants.
  • Backups: Automatic daily backups with 30-day retention, stored in the EU.

4. Data subject rights

The GDPR grants data subjects (your customers) a set of rights that your company, as the Controller, has an obligation to respect. WhatSMS provides tools to facilitate compliance with these rights:

  • Right of access (Art. 15): You can export the full chat history of a contact.
  • Right to rectification (Art. 16): Contact data is editable directly on the platform.
  • Right to erasure (Art. 17): Permanent deletion of a contact and all their history.
  • Right to data portability (Art. 20): Export data in JSON or CSV format.
  • Right to object (Art. 21): Block a contact to prevent future communications.

5. Data retention

  • Active account data: kept during the term of the subscription
  • After cancellation: deleted within 30 days (export available during this period)
  • Billing data: retained for 10 years by legal obligation (Portuguese tax law)
  • Security logs: 90 days

6. Processors (sub-processors)

WhatSMS uses the following processors to provide the service:

Entity | Purpose | Location
Hetzner Online GmbH | Server hosting | Germany and Austria (EU)
Stripe, Inc. | Payment processing | Ireland (EU)

7. Data breach notification

In case of a personal data breach, Evidente Despertar, Lda. commits to notify affected customers within 72 hours of becoming aware of the occurrence, under the terms of Article 33 of the GDPR.

8. Supervisory authority

The competent supervisory authority in Portugal is the National Data Protection Commission (CNPD).

  • Website:
  • Email: geral@cnpd.pt
  • Phone: +351 213 928 400

9. Contact for privacy issues

For questions related to data protection, DPA, or exercising rights:

  • Email:
  • Evidente Despertar, Lda. — VAT PT514785691 — Portugal