GDPR & consent
WhatsApp marketing under GDPR comes down to one discipline: only message people who agreed to hear from you, be able to prove it, and stop the moment they say stop. Nybero is built around that discipline — this page shows you where each piece lives in the product and what remains your responsibility as the business owner.
Why opt-in matters twice
Two separate rulebooks require consent before you send marketing on WhatsApp:
- GDPR (and national anti-spam law): marketing messages need a legal basis — for WhatsApp, that is in practice explicit opt-in consent you can prove.
- WhatsApp’s own Business Messaging Policy: Meta requires opt-in too. Contacts who report or block you damage your quality rating, and a bad rating can throttle or shut down your number — the channel itself is on the line.
Nybero enforces the baseline for you: campaigns only ever go to contacts whose status is “Opted in” — contacts with No consent, Pending, or Opted out are excluded automatically. Automations and the send pipeline additionally hard-skip anyone who is opted out.
How Nybero records consent
Every contact carries a consent state you can see and filter by in Contacts:
- Opted in — valid consent recorded; the contact can receive campaigns.
- Pending — captured (e.g. from a funnel) but not yet confirmed.
- No consent — in your CRM, but not messageable with marketing.
- Opted out — withdrew consent; hard-blocked from automated sends.
On each contact’s page you’ll find:
- Opt-in at — the timestamp of the consent.
- Source — where the contact came from (an opt-in link, an import, a webhook, …).
- Consent history — an append-only log of every Opt-in and Opt-out event with its channel, timestamp, and proof text (for example the exact keyword the contact sent, or the wording of the consent checkbox they ticked). This is your audit trail if you ever need to demonstrate consent.
Building your list compliantly
Use collection methods where consent is explicit and gets recorded automatically:
- Opt-in links (the Opt-in links page in the app): create a link with a consent-worded, prefilled WhatsApp message. Each opt-in link gives you a shareable link, a website button, and a QR code for flyers, packaging, or your storefront. When a contact sends that message, Nybero records the opt-in — with proof — in the consent history. See Opt-in.
- Forms (in-chat WhatsApp forms): enable the consent option to show a required consent checkbox with your exact permission wording and an optional privacy policy link. Ticking it sets the contact to Opted in and writes the proof entry.
- Imports — when importing contacts you already have, the checkbox “These contacts have given opt-in consent” controls their status. Only tick it if you genuinely collected consent elsewhere (e.g. a signed form or your shop checkout) and keep that original proof yourself.
- Integrations — contacts arriving via ActiveCampaign opt-in elements or an inbound webhook can be marked as opted-in at the source; the consent event is logged with its origin.
Honoring opt-outs
- Automatic: if a contact replies with STOP, STOPP, STOP ALL, UNSUBSCRIBE, or ABMELDEN, Nybero immediately sets them to Opted out and logs the event with the exact keyword as proof. From that moment, campaigns and automations skip them — nothing to configure.
- Manual: you can click Opt out on any contact’s page, e.g. when someone asks you in person or by email. This is logged as well.
- Re-opt-in: an opted-out contact who later replies START, UNSTOP, or SUBSCRIBE is set back to Opted in (with a new consent log entry). An everyday “start” from a subscribed contact never touches their consent state.
Right to erasure (deleting a contact)
When someone exercises their right to be forgotten:
- Open the contact in Contacts.
- Click delete and confirm — the prompt reads “Delete this contact and its consent history?”.
This permanently removes the contact’s profile (name, phone number, attributes), their entire consent history, notes, and tag assignments. Message log entries are detached from the deleted person. You can also delete multiple contacts at once from the contact list.
Remember that erasure requests usually extend beyond Nybero: also delete the person from your other systems (CRM, email tool, spreadsheets) where you stored their data.
Data processing agreement (DPA)
For your contacts’ data, you are the controller and Nybero is your processor under Art. 28 GDPR. Nybero enters into a data processing agreement (DPA) with its customers, and hosting runs on servers in the EU. Sub-processors (such as Meta/WhatsApp as the messaging channel and Stripe for payments) are disclosed in Nybero’s privacy policy on the website.
What to put in your own privacy policy
As the controller, you inform your contacts. Practical checklist for your privacy policy and opt-in wording:
- That you use WhatsApp for the communication they signed up for, and that messages are transmitted via Meta’s WhatsApp Business Platform.
- Nybero as your processor for managing contacts and conversations.
- Purpose of the messages (e.g. “webinar reminders and related offers”) — and stick to it.
- How to opt out: reply STOP anytime.
- Retention and deletion: how long you keep the data and how to request erasure.
Link that privacy policy right where you collect consent — Forms support a privacy policy URL next to the consent checkbox for exactly this.
Worked example: a yoga studio builds a list the right way
- Mia runs a yoga studio. She creates an opt-in link named Studio newsletter with the prefilled message “I’d like to receive class updates from Studio Mia on WhatsApp” and prints the QR code at the front desk; the website button goes on her site next to a link to her privacy policy.
- A client scans the code and sends the message. Nybero creates the contact as Opted in, with the timestamp, the source, and the message text as proof in the Consent history.
- Months later the client replies STOP to a schedule campaign. Nybero sets them to Opted out on the spot — the next campaign automatically excludes them, even though they’re still in Mia’s segment.
- The client later emails asking for full deletion. Mia opens the contact, deletes it (confirming “Delete this contact and its consent history?”), and removes the person from her booking system too. Done — and every step in between was documented without Mia maintaining a single spreadsheet.