RippleCom processes (Art. 4(8) GDPR) on behalf of its client, named in the Collaboration Agreement, the personal data (Art. 4(1) GDPR) required to use the RippleCom platform, the WhatsApp Team Inbox.
Processing takes place exclusively for:
RippleCom does not process data for its own purposes or for third parties.
Processing via the RippleCom platform is limited to functional service and transactional messages directly related to an existing relationship or service agreement (such as appointment confirmations and practical information).
Marketing and bulk messaging are only permitted if (i) the client demonstrates compliance with Telecommunications law and GDPR, (ii) parties agree in writing, and (iii) RippleCom has explicitly activated this functionality.
Processing may involve personal data including, but not limited to, phone numbers, names, gender, region (location), job title, and age.
Data subjects consist of prospects, interactions, conversations, and relations of the client.
Processing takes place within the European Union, with development in the Netherlands and hosting in Germany (Frankfurt am Main) and sub-processor Meta Platforms Ireland Ltd. (Ireland).
RippleCom retains data processed via the platform for a standard period of 12 to 24 months, unless otherwise agreed:
Data is automatically deleted or anonymised after these periods.
If the client demonstrates that different periods are necessary based on statutory obligations, legitimate interest for evidence, or contractual obligations, a deviating period may be agreed in writing.
The client, as Data Controller, bears full responsibility for determining the necessity of retention and informing data subjects via their privacy policy.
The 30-day Meta retention is a fixed condition of the WhatsApp Cloud API and cannot be altered.
RippleCom uses Speakup BV (Enschede, NL) for telephony infrastructure and Meta Platforms Ireland Ltd. for WhatsApp traffic. No other sub-processors are used without prior written consent.
RippleCom has implemented appropriate technical and organisational measures, including encryption (in-transit and at-rest), TLS 1.2+ connections, and role-based access.
The client is responsible for handling Art. 15-22 GDPR requests. RippleCom will process referred requests within five working days.
RippleCom implements "STOP" message blocks for marketing within 15 minutes of receipt.
RippleCom will notify the client of any potential breach within 24 hours of discovery.
Initial notification within 4 hours, followed by a comprehensive report within 24 hours.
The client acknowledges that using Meta involves inherent risks. RippleCom is not liable for breaches occurring within Meta's infrastructure not caused by RippleCom's negligence.
The client is responsible for adhering to Meta’s Business and Commerce policies. RippleCom is indemnified against claims arising from client violations.
All data is treated as strictly confidential.
Data will be deleted or anonymised within 30 days of the agreement ending.
Liability is limited to the fees paid for the relevant month, capped at three months' fees, except in cases of wilful misconduct.
The client shall include RippleCom in its register as Processor.
Governed by Dutch law; disputes handled by the court in Overijssel.
