Vol. 01 · No. 02
Summer 2026
The Founding Ten · now open · Half price for two years
For UK charities & care providers

WhatsApp, on the record.

Your teams already run on WhatsApp. We move those conversations onto a number your organisation owns – same app, nothing to install, nothing to learn – and capture every message into your own Microsoft 365 tenant, where it is answerable the day a regulator, a relative or a tribunal asks.

30-minute call · No pitch deck · We'll say if we're not the fit
Official WhatsApp Business API · Archive in your own tenant · Disclosed, never covert · Capturing in 14 days
PART 01 · THE EXPOSURE
The conversation we keep avoiding

Your charity is already having the conversations. None of them are governed.

WhatsApp lives in your care homes, your frontline teams, your fundraising threads, your trustee chat. Your DPO knows. Your IT director has tried to stop it. The conversations happen anyway – just outside everything you bought to keep the organisation safe.

Then one morning it surfaces. A solicitor's letter asks for "all WhatsApp messages concerning my mother". A safeguarding review needs a thread that lives on the personal phone of someone who left in March. An inspector asks how handover decisions are recorded, and the only honest answer is "on people's own phones".

You can spend another year fighting the culture. Or you can govern the channel your people refuse to give up.

1 month
The statutory clock on a Subject Access Request. It starts the day the letter lands, whether or not you can search WhatsApp.
UK GDPR · Art. 12(3)
Reg 17
The CQC's good-governance rule: accurate, complete and contemporaneous records. Group chats about care are records.
Health & Social Care Act regs · care providers
Zero
Messages you can reliably produce from a leaver's personal phone once they walk out the door.
Ask your last three leavers
PART 02 · THE CHOICE
The usual three options

Three doors everyone tries. None of them hold.

Door 01 · Ban it

Write the policy. Send the memo.

The chats don't stop; they go quiet. Risk you could at least see becomes risk you can't, and the next incident arrives with "and they knew" attached to it.

Verdict · The risk goes dark
Door 02 · Replace it

Roll out the approved app.

Teams, Slack, a "secure messenger". Adoption lasts a fortnight, the night shift never moves, the families never join. Now you run two channels: one official and empty, one real and invisible.

Verdict · Two channels, one dark
Door 03 · Ignore it

Hope the letter never comes.

The cheapest option, right up until the morning it isn't. This strategy ends with a Subject Access Request, a tribunal order or an inspection finding – and it picks the date, not you.

Verdict · Works until it doesn't
The fourth door

Don't fight WhatsApp. Govern it.

Keep the app every member of staff, every volunteer and every family already uses. Move the conversations onto a number the charity owns. Capture everything, disclose everything, and be able to answer anything. Same habit, new ownership.

The principle behind every feature we ship
PART 03 · THE MECHANISM
How it works

Four steps. Then it just runs.

STEP 01 · DAY ONE

Stand up a governed channel

A WhatsApp Business number your organisation owns, in your own Meta Business portfolio. Staff and families message it like any other contact – same app, nothing to install.

STEP 02 · WEEK TWO

Bring your people across

We set up your conversations, relay groups and invites, and supply the staff and family comms. Membership is controlled centrally: one click in, instant removal when someone leaves.

STEP 03 · ALWAYS ON

Every message captured

Each message flows through the official API into your own Microsoft 365 tenant, where your Purview retention, legal hold and eDiscovery govern it like any other record. Disclosed to members, never covert.

STEP 04 · THE DAY IT MATTERS

Search, hold, answer

Subject Access Requests, safeguarding evidence, retention and litigation holds – answered from the compliance tooling your organisation already runs, in hours not weeks.

Contract to first captured conversation: fourteen days.
We do the heavy lifting · Your staff change nothing
PART 04 · WHAT'S IN THE BOX
What's in the box

Built for the people who have to answer for it.

001 · Channel

A number the charity owns

Conversations run on your organisation's WhatsApp Business number, not a volunteer's personal phone. The channel survives staff churn, phone upgrades and awkward exits.

002 · Membership

Joiners in, leavers out, instantly

Add and remove members by API. When someone leaves, they're out of every governed group before they reach the car park. No more "who still has access to that chat".

003 · Archive

Every message, in your own tenant

Captured through the official API into your Microsoft 365 tenant – not ours. Your Purview retention, legal hold and eDiscovery govern WhatsApp like any other record, from day one.

004 · Respond

SARs answered in an afternoon

Search by data subject across every governed channel. Redact, package, deliver inside the statutory month. A workflow built around ICO guidance, for charity DPOs.

005 · Preserve

Holds that survive deletion

Messages are archived the instant they are sent – the API offers no delete-for-everyone takeback – and Microsoft 365 litigation hold preserves them through any purge attempt. A trustee-ready evidence trail.

006 · Protect

Your tenant, not ours

The archive never lives with us. Leave, and there is nothing to hand back – the records were always yours, in your tenant, under your keys and your access controls.

PART 05 · THE FOUNDING OFFER
Ten places · opened June 2026

We're building this with ten organisations. Be one of them.

We're a young company with a strong opinion and a working product. We won't show you logos we don't have. What we need now is ten organisations who live this problem every day – and we're paying properly for the privilege.

Founding partners get the product at half price, the founders on a first-name basis, and a real say in what gets built next. In return we ask for the one thing money can't buy at this stage: your honest, public word that it works.

Every founding place includes
  • Half price for two years, then today's list price locked for life
  • White-glove setup: Business API onboarding and migration of every group, done for you
  • The trustee pack on day one: DPIA template, privacy notices, staff and family comms, board briefing
  • A named line to the founders and a vote on the roadmap
  • In exchange: a reference call and a case study, once we've earned them
Guarantee · In the contract

The Answerable Guarantee

If a Subject Access Request touches your governed channels and you can't produce the WhatsApp side within one working day, our team does it with you, free. If we still can't, we refund your year. The product has one job; this is us betting on it.

Exit · In the contract

The no-hostage clause

Leave whenever you like. Full export in open formats within fourteen days, a certificate of deletion, no exit fees. If we're not earning the renewal, we shouldn't have it.

"A named line to the founders" is not a metaphor. I'm Terry Sullivan, I built this, and I read everything sent to enquiries@chat.org.uk myself. If you'd rather take our measure before booking anything, write to me directly.

Terry Sullivan · Founder, Chat Compliance · CISSP
PART 06 · THE NUMBERS
Pricing

Pricing built for charities and care providers. No mystery line items.

Every number here is the number you pay. No platform fees, no inflated seat counts, no setup hidden in the small print. You pay for staff seats; everyone you serve joins free. Annual billing saves around two months on Foundation and Governance, onboarding is on us, and founding places take half off both – Enterprise founding terms are agreed in conversation.

The fair bit
You only ever pay for staff seats. Volunteers, families and the people you support join governed groups free, always.
No per-message fees from us. No per-participant creep. Seats count the staff in governed groups, not your whole payroll.
Tier 01 · Foundation
A single care home, centre or small charity
Founding rate · The Founding Ten
£99 / month · List £199
Founding £990 / yr · List £1,990
Works out around 57p per staff member per week
  • Up to 40 staff seats
  • Unlimited volunteers, families & residents
  • Up to 15 governed groups – relay or native
  • Archive in your own Microsoft 365 tenant, audit logs included
  • Unlimited self-serve search & export · 2 managed SAR responses / year
  • Onboarding & group migration included (annual plans)
  • Email support, 48-hour response
Tier 03 · Enterprise
Large, multi-site care providers
Founding terms · By conversation
From £1,250 / month
From £15,000 / yr · custom
  • Unlimited staff seats & groups
  • Unlimited volunteers, families & residents
  • Unlimited managed SAR responses
  • Purview retention & hold configuration across every site
  • Multi-site numbers & per-site archives
  • Bespoke integrations (care management, HR, M365)
  • Named success lead & SLA with credits
  • Onboarding & migration across every site included
The safety net
Every tier carries both contract clauses from the founding offer: the Answerable Guarantee – the WhatsApp side of a SAR produced within a working day, or we work it with you free and refund your year if we still can't – and the no-hostage clause. The risk of trying this sits with us.
Setup & onboarding
Included on every annual plan. We run the WhatsApp Business API setup and migrate your existing groups across. No separate fee, ever.
If you need more
Searching and exporting your own archive is never metered. If you'd rather our team run a SAR response end to end, your allowance covers it – beyond that it's £150 each (Enterprise includes unlimited). The Answerable Guarantee applies to every SAR either way. Optional extra training is £500 per half-day.
The honest anchor
A single contested SAR or tribunal disclosure exercise routinely eats more staff time than a year of Governance costs. Price this against one bad month, not against zero.
PART 07 · READ BEFORE BUYING ANYTHING
Read this before buying anything in this category

What we won't promise. And nobody honest can.

We won't · 01

Read personal phones.

Nobody can, lawfully. A vendor who says otherwise is selling you a data breach with a dashboard. Governance starts where ownership starts: on a number the charity controls.

We won't · 02

Absorb your existing groups.

The official API can't join groups it didn't create. We migrate you forward instead, with the rollout plan, invites and policy templates to make the switch stick.

We won't · 03

Monitor anyone covertly.

Every governed group is disclosed to its members, with the wording supplied by us. Disclosure is what makes the archive usable as evidence and your position defensible.

We won't · 04

Claim "zero knowledge".

Governance and zero knowledge are mutually exclusive. Your archive lives in your own tenant, readable by your authorised administrators – and we say out loud what that does and doesn't mean.

If another vendor promises any of the above, ask them to put it in the contract. We put ours in writing two sections up.
PART 08 · SECURITY
Security & data protection

Built the way a charity DPO would design it.

We operate to the standards your trustees expect, and a few they don't yet ask about. Every claim on this page is independently auditable, and where we're still earning a certificate, we say so.

01 · Standards

Designed to ISO 27001

Information security mapped to ISO 27001:2022 controls from day one. Independent certification on the roadmap.

02 · Government

Cyber Essentials path

Targeting certification under the UK NCSC scheme. Increasingly expected by funders and public sector partners.

03 · Residency

UK data residency

Your archive lives in your own UK-region Microsoft 365 tenant; capture runs in UK-region Azure. Every third party – Azure for transient capture, Meta's WhatsApp API, Stripe billing – is disclosed in our sub-processor list.

04 · Custody

Your archive, your tenant

The record sits in your Microsoft 365 tenant under your access controls, your retention and any Customer Key encryption you run. We hold no copy to lose.

05 · Privacy

GDPR by design

DPIA templates, Article 30 records, lawful basis register. Built in, not bolted on.

06 · Transparency

Disclosed capture only

No covert monitoring. Members are in a charity-owned group and told it is governed. Lawful and ethical by default.

PART 09 · QUESTIONS
Frequently asked

Questions worth asking.

Yes. Governed conversations and groups run on the official WhatsApp Business Platform – Meta's Cloud API – on a number and WhatsApp Business Account your organisation owns in its own Meta Business portfolio. Members know the channel is governed and are told so in wording we supply. That is fully within WhatsApp's terms and meets GDPR transparency requirements. We do not tap, scrape or covertly join anyone's existing personal groups, which is neither possible through the API nor permitted.
In a governed conversation, your organisation's Business API endpoint is a legitimate participant, so messages are delivered to it through Meta's official API rather than intercepted off anyone's device. From there each message is archived into your own Microsoft 365 tenant, under your retention, legal holds and access controls. We do not run a modified WhatsApp client and we do not claim "zero knowledge", because governance and zero knowledge are mutually exclusive. Any vendor promising both is misrepresenting how this works.
Fourteen days is typical from signed order to first captured conversation: number live, relay groups running, every message archived into your tenant. One thing takes longer, and we say so: native WhatsApp groups need Meta's Official Business badge on your account, which has its own waiting period – it typically clears around week five, and we run the application for you. Your side of the work is approving the wording and turning up to one 45-minute session.
You talk, mostly. Bring the scenario that worries you – the group nobody admits to, the leaver with two years of messages on their phone, the SAR you'd dread. We map your exposure against the rules that apply to you, show you the product only where it's relevant, and send you a one-page summary written for trustees. There is nothing to prepare and nothing to pass, and if we're not the fit we'll say so on the call.
There are two kinds, and we are straight about the difference. Native WhatsApp groups created through the official API are capped by Meta at eight members plus your organisation's number, and they need Meta's Official Business badge on your account – an application we run with you during onboarding. Relay groups have no size cap and work from day one: members message your organisation's number, and every message is passed on to everyone else, labelled with the sender's name. A board of fifteen runs as a relay group; a committee of six fits a native group. Anyone promising native fifty-person WhatsApp groups through the official API is describing something Meta does not offer.
Yes, and we provide the templates. Transparency is a GDPR requirement and an ethical one. We supply notification copy for staff, for relatives joining governed groups, and for your trustee board. In practice, almost everyone is reassured rather than alarmed.
No, and any tool that claims to is either misleading you or breaking WhatsApp's terms. The API can only govern groups created on your business number, so the model is to migrate activity into governed groups going forward and make that the way your charity uses WhatsApp. We give you the rollout plan, the member invites, and the staff and trustee policy templates to make the switch stick.
That is a policy and culture problem, and we treat it as one. Governed groups become the only approved channel, backed by a safeguarding-grounded policy your trustees can stand behind. On charity-issued devices, mobile device management can enforce it. The lever is making the governed channel the easy, expected default, not pretending we can secretly read private phones.
We onboard you directly to Meta's WhatsApp Business Platform: your own Meta Business portfolio, your own WhatsApp Business Account, your own verified number. You hold all of it – we automate around it. We run the onboarding for you, included on every annual plan. Because the traffic is conversation rather than marketing, most messages are free at Meta's end; the occasional re-opening template costs pennies and is itemised, never marked up.
Yes. Anywhere WhatsApp has become operationally important, governance becomes operationally important. Fundraising teams, volunteer coordinators, safeguarding leads and trustee chats are all in scope. Pricing is by staff seat and participants are always free, so widening the use case never widens the bill.
You take everything with you – and the archive itself already lives in your own Microsoft 365 tenant, so the records were never ours to withhold. Anything operational we do hold is exported in open formats within fourteen days, deletion is confirmed in writing, and there are no exit fees. Founding terms are exactly as the offer states: half price for two years, then today's list price locked for life – never the price we charge new customers later. On Governance that's £2,990 a year for two years, £5,990 a year from year three, while the list price for everyone else moves on without you. We intend to earn the renewal, not enforce it.
The Founding Ten · places open

Find out where you stand before someone asks.

A 30-minute risk audit with our team. Bring your messiest scenario. You leave with a one-page, board-ready summary of your WhatsApp exposure and a straight answer on whether we're the fit – even if that answer is no.

Not ready for a call? Ask for the trustee briefing instead – one page on WhatsApp exposure, written for boards, no follow-up unless you ask for one.