Legal · Document 02 · Terms

Terms of service.

Effective25 May 2026

Version1.0

Governing lawEngland & Wales

These terms are the contract between us and your organisation. They are written in plain English, but they are still a contract. Read them. If something is unclear, ask – before you sign.

Parties and definitions

These terms (the "Terms") are entered into between [the Operator] (the "Provider", "we", "us") and the organisation identified on the order form or signing the subscription (the "Customer", "you").

Capitalised terms used in these Terms have the following meanings:

Service – the Chat Compliance platform and the related onboarding, archive, search, retention, SAR and legal-hold tooling made available under your subscription.
Governed Channel – a WhatsApp group created on the WhatsApp Business API number you have configured for use with the Service.
Customer Data – any data submitted to or processed through the Service on your behalf, including the contents and metadata of Governed Channels.
Order Form – the document or online sign-up record that identifies the tier, term and pricing of your subscription.
DPA – the Data Processing Agreement we make available to Customers, which forms part of these Terms.
WhatsApp Terms – the WhatsApp Business Solution Terms, WhatsApp Business Messaging Policy and other documents Meta publishes from time to time governing use of the WhatsApp Business API.

Acceptance and ordering

You accept these Terms when you sign an Order Form or otherwise confirm acceptance. The person who accepts on behalf of the Customer warrants that they have authority to bind the Customer. Each Order Form, together with these Terms and the DPA, forms the entire agreement for the subscription it describes.

If there is a conflict between an Order Form, these Terms and the DPA, the order of precedence is: (1) the Order Form for commercial matters (tier, term, price, named contacts); (2) the DPA for matters relating to personal data; (3) these Terms for everything else.

The Service

The Service provides governed WhatsApp groups on a WhatsApp Business API number that you own and control, with messages captured to a UK-hosted, tamper-evident archive and tooling to search, retain, hold and respond to Subject Access Requests. The exact entitlements (number of staff seats, Governed Channels, SARs included, etc.) are set out in your Order Form and reflect the tier you have chosen.

We will provide the Service with reasonable skill and care and in accordance with the description on chat.org.uk as it stood on the date of your Order Form. We may improve and evolve the Service, but we will not make changes during your subscription term that materially reduce the functionality or security on which you relied at the time of ordering.

Your responsibilities as Customer

You are the controller of the personal data flowing through your Governed Channels. The decisions that go with that role – who joins, what is discussed, what is captured, what is kept and for how long, what notices are given to participants, what lawful basis is relied on – are yours. We provide tools, templates and guidance, but we do not, and could not, make those decisions for you.

In particular, you will:

Identify and document a lawful basis under Article 6 UK GDPR and, where applicable, an Article 9 condition, for each category of processing carried out via the Service.
Provide a privacy notice to every participant of a Governed Channel, on or before they join, in line with Articles 13 and 14 UK GDPR. Our template wording is a starting point; you are responsible for ensuring it reflects your specific processing.
Maintain an Article 30 record of processing activities for the use of the Service, and update it when material changes occur.
Manage the membership of your Governed Channels (including removing leavers promptly) using the administrative tools we provide.
Configure retention rules appropriate to your sector, regulator and policies.
Respond, as controller, to data subjects' requests, using our SAR tooling to assist.
Notify us promptly of any actual or suspected security incident or personal data breach affecting Customer Data, and of any complaint or regulatory enquiry that touches the Service.

Personal-device obligations.

The Service governs Governed Channels created on your WhatsApp Business API number. It cannot reach, and we cannot read, conversations that your staff, volunteers or other personnel may hold on their own personal WhatsApp accounts. This is a structural limit of the WhatsApp Business API and is true of any compliant offering in this category.

Why this matters and what you must do

If your personnel continue to discuss service users, residents, beneficiaries or operational matters on personal WhatsApp in parallel with Governed Channels, those conversations remain ungoverned. The Service reduces, but does not eliminate, that risk. Reducing it the rest of the way is governance work that sits with you.

By accepting these Terms, you undertake to:

(a) Adopt a written staff and volunteer policy prohibiting the use of personal WhatsApp (and other unsanctioned personal messaging accounts) for work-related discussion of service users or other operational matters. We make a template available; you may adapt it.

(b) Communicate and re-affirm that policy at least annually and at induction, and record acknowledgement.

(d) Where work is conducted on devices you issue or manage, use mobile device management (or equivalent) to make Governed Channels the obvious default and to block or visibly discourage personal messaging apps where consistent with your wider policies on personal use.

(e) Treat the Service as part of, not a replacement for, a wider information governance framework that includes safeguarding, records management and incident response.

If you cannot or will not undertake this work, the Service is unlikely to deliver the assurance you are looking for, and we would rather you knew before you bought.

Acceptable use

You will not, and will not permit any user of the Service to:

Use the Service to engage in unlawful activity, including processing of personal data in breach of UK GDPR or the Data Protection Act 2018;
Use the Service in a way that breaches the WhatsApp Terms;
Add a person to a Governed Channel without first providing the notice required by Articles 13/14 UK GDPR (and obtaining consent where consent is the lawful basis);
Attempt to intercept, decrypt or otherwise access content from any WhatsApp conversation that is not a Governed Channel on your own Business API number;
Misrepresent the Service or this organisation to participants of a Governed Channel;
Reverse engineer, decompile or otherwise attempt to derive the source code of the Service, except to the extent that such restriction is prohibited by applicable law;
Use the Service for bulk marketing communications or anything that would breach the Privacy and Electronic Communications Regulations 2003.

WhatsApp and Meta flow-down

Use of the Service involves use of the WhatsApp Business API, operated by Meta. Your use of the Service is therefore also subject to the WhatsApp Terms, which take precedence over these Terms to the extent of any conflict. You authorise us (and our chosen Business Solution Provider, where applicable) to act on your behalf in the onboarding and operation of your Business API account, but you remain the account-holder of record.

Where Meta changes the WhatsApp Terms in a way that materially affects the Service, we will give you notice and, if necessary, propose an amendment to these Terms.

Fees, billing and founding-partner terms

Subscription fees are as set out on your Order Form and reflect the tier you have chosen. Fees are payable annually in advance unless the Order Form provides otherwise. The fees on chat.org.uk are the fees you pay; we do not levy hidden platform fees, per-message fees or per-participant fees. Adding volunteers, families and residents to a Governed Channel does not increase your fee.

Fees are exclusive of VAT, which will be added at the prevailing rate where applicable. Late payment of an undisputed invoice may attract statutory interest under the Late Payment of Commercial Debts (Interest) Act 1998.

If you joined under our founding-partner programme, you receive: 50% off the published list price for two years from the date of your first Order Form; your price locked at the founding-partner level for life thereafter (subject only to inflation-linked annual review capped at CPI); and onboarding and migration included at no extra charge, in exchange for participating as a named reference and contributing to a published case study.

Intellectual property

As between us, we own all intellectual property rights in the Service, including the software, branding, documentation and templates. You receive a non-exclusive, non-transferable, revocable licence to use the Service for the term of your subscription and for your internal organisational purposes.

You own Customer Data. We claim no licence in it beyond what is necessary to provide the Service to you, comply with the law, and produce aggregated, fully anonymised statistics that cannot be used to identify you or any individual.

If you give us feedback about the Service, you grant us a non-exclusive, perpetual, royalty-free licence to use that feedback to improve the Service. We will not identify you as the source of feedback without your consent.

Confidentiality

Each party will keep the other's confidential information confidential, use it only to perform under these Terms, and protect it with at least the standard of care it applies to its own confidential information (and never less than a reasonable standard). This obligation continues for three years after termination, except in respect of trade secrets and personal data, which remain protected indefinitely.

Data protection

Each party will comply with its respective obligations under the UK GDPR, the Data Protection Act 2018 and other applicable data protection laws. The DPA governs the processing of personal data we carry out on your behalf and, by accepting these Terms, you also accept the DPA.

If you have not received a copy of the DPA, request one at compliance@chat.org.uk. Our privacy practices as a controller (for example, in respect of your account administrators and prospect data) are described in our Privacy notice.

Security and customer-managed keys

We will operate the Service in accordance with the security commitments described in the security section of chat.org.uk and the DPA, including UK-region data residency, encryption in transit and at rest, role-based access, audit logging and our incident response programme.

On request, we will configure the Service to use encryption keys you manage in Azure Key Vault under your own Azure tenant. You acknowledge that, where you elect customer-managed keys, revocation or loss of access to the key will render the corresponding Customer Data permanently unreadable, including by us; we cannot recover it on your behalf in that scenario, and you bear sole responsibility for the consequences. We will support you with operational procedures designed to make such revocation a deliberate, rather than accidental, act.

Availability and support

We target 99.9% monthly availability for the Service, measured at the platform's public endpoints, excluding (a) scheduled maintenance announced at least 48 hours in advance, (b) emergency maintenance, (c) downstream outages of the WhatsApp Business API or Microsoft Azure that we cannot reasonably mitigate, and (d) force majeure events.

Support response times are tier-dependent and stated on chat.org.uk and in your Order Form. Where you have purchased Enterprise support, the service level agreement (with credits) attached to your Order Form prevails over the general targets in this clause.

Suspension

We may suspend your access to the Service, in whole or in part, where we reasonably believe that (a) your use breaches the acceptable use clause and you have not cured the breach within a reasonable time of being asked to, (b) your use poses a security risk to the Service or to other Customers, (c) you have failed to pay an undisputed invoice within 30 days of its due date, or (d) we are required to do so by law. We will give you notice in advance where it is practicable and proportionate to do so. Suspension does not relieve you of the obligation to pay fees that have accrued.

Termination and return of data

Either party may terminate these Terms (and the affected Order Form): (a) for material breach, if the breach is not cured within 30 days of written notice; (b) if the other party becomes insolvent or enters an analogous process; or (c) where these Terms expressly so provide. You may also terminate at the end of the then-current subscription term by giving notice no later than 30 days before renewal; failing such notice, the subscription renews for a further period equal to the previous term.

On termination, your right to use the Service ends. For 60 days afterwards, we will make Customer Data available to you in a structured export format. We will then delete it from our active systems within a further 30 days, and from backups within the standard backup-retention cycle (typically not exceeding 90 further days), except where we are required to retain it by law.

Warranties and disclaimers

We warrant that the Service will be provided with reasonable skill and care, materially in accordance with its description, and that it will not knowingly infringe the intellectual property rights of any third party.

To the maximum extent permitted by law, and except as expressly set out in these Terms, the Service is provided "as is", and we exclude all other warranties, conditions and representations, whether express or implied (including any implied warranty of satisfactory quality, fitness for purpose or non-infringement).

Nothing in these Terms excludes or limits liability for fraud, fraudulent misrepresentation, death or personal injury caused by negligence, or any other liability that cannot be excluded under English law.

Limitation of liability

Subject to the immediately preceding paragraph, each party's total aggregate liability arising out of or in connection with these Terms, whether in contract, tort (including negligence), under statute or otherwise, is limited per twelve-month period to 125% of the fees paid or payable by you in the twelve months preceding the event giving rise to liability.

Neither party is liable for any indirect or consequential loss, loss of profit, loss of revenue, loss of business, loss of anticipated savings, or loss of or corruption of data (except to the extent that loss or corruption of Customer Data results from our breach of these Terms).

The cap above does not apply to a party's liability for: (a) payment of fees lawfully due; (b) breach of the confidentiality obligations; or (c) breach of the data protection obligations and the DPA, in respect of which a higher, separately negotiated cap may be set out on the Order Form.

Indemnity

We will indemnify you against third-party claims that your authorised use of the Service infringes that third party's UK intellectual property rights, provided you (a) notify us promptly, (b) let us conduct the defence, and (c) cooperate reasonably. If the Service is held to infringe, we may, at our option, procure a right to continue using it, modify it to avoid infringement, replace it with non-infringing functionality, or refund the fees paid for the affected period and terminate the affected Order Form.

You will indemnify us against third-party claims arising from (a) your breach of the acceptable use clause, (b) Customer Data in breach of law or third-party rights, or (c) your failure to provide notices to participants as required by data protection law.

Force majeure

Neither party is liable for failure or delay caused by events beyond its reasonable control, including acts of God, war, terrorism, cyber-attack on third-party infrastructure, failure of public communications networks or utilities, or pandemic. The affected party will notify the other promptly and use reasonable endeavours to mitigate. If the event continues for more than 60 days, either party may terminate the affected Order Form by notice.

Changes to these Terms

We may update these Terms from time to time. We will not make a change that is materially adverse to you during a subscription term without giving you at least 30 days' notice and a right to terminate the affected Order Form without penalty. Other changes take effect on renewal. The current version is always available at this URL; archived versions can be requested.

Notices

Notices to us must be sent to enquiries@chat.org.uk (with a copy to compliance@chat.org.uk for data protection or compliance matters) and, for matters with legal effect, also to our registered office. Notices to you will be sent to the administrator email address on the Order Form.

General

Assignment. Neither party may assign these Terms without the other's prior written consent, except that either party may assign to a successor in connection with a merger, acquisition, corporate reorganisation or sale of substantially all of its business.

Subcontracting. We may engage sub-processors as described in the DPA and listed at /sub-processors.html.

Entire agreement. The Order Form, these Terms and the DPA together constitute the entire agreement and supersede all prior agreements and representations on the same subject matter.

Severance. If any provision is held invalid or unenforceable, it is severed and the remainder remains in force.

Third parties. A person who is not a party to these Terms has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce them.

No waiver. Failure to enforce any provision is not a waiver of the right to enforce it later.

Governing law and jurisdiction

These Terms and any non-contractual obligations arising in connection with them are governed by the law of England and Wales. The courts of England and Wales have exclusive jurisdiction to settle any dispute (including non-contractual disputes) arising out of or in connection with these Terms.