
WhatsApp use case

Last updated: 25 April 2026

This page documents how the Zatio platform uses the WhatsApp Business Platform on behalf of its Operators. It is the reference Meta App Review uses when assessing the whatsapp_business_messaging permission and the reference Operators use when explaining the integration to their compliance teams.

On this page
  1. Summary
  2. Actors
  3. What we send
  4. What we never send
  5. How opt-in is collected
  6. AI disclosure
  7. Honouring opt-out
  8. Template policy
  9. Platform safeguards
  10. Expected frequency

§ 01 Summary

Zatio is a reply-only AI conversational agent for SMB sales teams in Europe and the UK. Each Operator (a connected business — solar installer, dental clinic, etc.) plugs their own WhatsApp Business number into Zatio via Meta Embedded Signup. When a customer messages that number, our AI replies on the Operator’s behalf inside Meta’s 24-hour customer service window, qualifies the lead, and hands off to the Operator’s human team for booking or complex cases.

We do not originate marketing campaigns. We do not mass-message lists. The platform exists to respond fast, not to push.

§ 02 Actors

  • End user (customer) — a person who initiates a conversation by messaging an Operator’s WhatsApp number. They are the data subject under UK GDPR / EU GDPR.
  • Operator — the business whose WhatsApp number receives the message. They are the Data Controller for end-user data and own their own WABA in Meta Business Manager.
  • Zatio (Almor Ventures SL) — the Data Processor and the technical provider operating the AI agent and webhook.

§ 03 What we send

  • Service replies (free-text) — answers to a customer’s question, sent inside the 24-hour customer-service window. Generated by our AI or typed by an Operator’s human agent in our dashboard.
  • Utility templates — booking confirmations, appointment reminders, and quote summaries, only after the customer has explicitly requested the action. Always sent via a Meta-approved template, never as free-text.
  • Authentication templates — only when an Operator’s use case requires OTP delivery and they have enabled it. Not enabled by default.

§ 04 What we never send

  • Bulk marketing messages or promotional broadcasts without documented per-customer opt-in
  • Messages to recipients on the Operator’s suppression list (STOP / UNSUBSCRIBE / opt-out)
  • Free-text messages outside the 24-hour customer-service window; once the window has closed we send only Meta-approved templates
  • Messages on behalf of an Operator whose Meta token has been revoked, expired, or is in any state other than active
  • Content covered by the WhatsApp Commerce Policy prohibitions (illegal goods, regulated drugs, weapons, adult content, MLM schemes, etc.) — see our Acceptable Use Policy

§ 05 How opt-in is collected

For inbound conversations the opt-in is implicit: the customer messaged the Operator first. Free-text replies within the 24h window are governed by the customer’s own initiation of the conversation.

For outbound utility templates (booking confirmations, appointment reminders) the Operator must capture an explicit opt-in. Acceptable channels include:

  • Web form on the Operator’s site with a tickbox referencing WhatsApp specifically
  • A confirmation step inside the chat itself (“Want me to send this on WhatsApp?” → customer replies yes)
  • In-store / on-call collection where the Operator records the consent timestamp and the channel

Opt-in evidence must be retained by the Operator for the duration of the messaging relationship plus the period required by applicable law. Zatio surfaces opt-in metadata on the lead record where the Operator captures it via our widget.

§ 06 AI disclosure

On the first AI reply in any conversation, the assistant introduces itself by name and discloses that it is an AI. We track this on conversations.ai_disclosed_at. The disclosure is intentional and visible — never buried in a system message or footer. This satisfies EU AI Act Art. 50 (transparency for users interacting with AI systems) and Meta’s platform expectations on bot identification.

§ 07 Honouring opt-out

Every inbound message is checked for the standard opt-out keywords:

STOP · STOPALL · UNSUBSCRIBE · CANCEL · END · QUIT · OPT OUT

Matching is:

  • Case-insensitive (“Stop”, “STOP”, “stop” all match)
  • Punctuation-tolerant (“STOP.” matches)
  • Strict: only the keyword on its own (plus trivial variants such as surrounding whitespace, punctuation or a hyphen in “opt-out”) counts. We do not opt out customers who write “please stop spamming me” mid-complaint; that is a complaint, not an unambiguous instruction.

On a STOP match we write a row to whatsapp_suppressions for that (tenant_id, phone) pair. Every subsequent outbound — AI, operator-typed, template, scheduled — checks that table and is dropped if a row exists. Opt-back-in via START / UNSTOP / OPT IN deletes the row.
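The matching rule above, as an added example. This is not Zatio's code: the keyword sets and the (tenant_id, phone) suppression key follow the page, while the function names, the in-memory Map standing in for whatsapp_suppressions and the assumption that the phone is already normalised to E.164 by the caller are ours.

```typescript
// Added example, not Zatio's code. Implements the STOP / START rule:
// case-insensitive, punctuation-tolerant, and strict (the whole message must
// be the keyword). The Map stands in for the whatsapp_suppressions table keyed
// on (tenant_id, phone); phone is assumed to arrive already in E.164 form.

const OPT_OUT_KEYWORDS = new Set([
  'STOP', 'STOPALL', 'UNSUBSCRIBE', 'CANCEL', 'END', 'QUIT', 'OPT OUT',
]);
const OPT_IN_KEYWORDS = new Set(['START', 'UNSTOP', 'OPT IN']);

type OptIntent = 'opt_out' | 'opt_in' | null;

// Reduce an inbound body to a bare keyword form: upper-case it, turn every
// non-letter (punctuation, hyphens, emoji, digits) into a space, collapse
// whitespace. "Stop.", "  stop ", "opt-out!" become "STOP" / "OPT OUT";
// "please stop spamming me" stays a four-word sentence and matches nothing.
function normaliseBody(body: string): string {
  return body
    .toUpperCase()
    .replace(/[^A-Z\s]/g, ' ')
    .replace(/\s+/g, ' ')
    .trim();
}

function classifyOptIntent(body: string): OptIntent {
  const n = normaliseBody(body);
  if (OPT_OUT_KEYWORDS.has(n)) return 'opt_out';
  if (OPT_IN_KEYWORDS.has(n)) return 'opt_in';
  return null;
}

// In-memory stand-in for whatsapp_suppressions: one row per (tenant_id, phone).
class SuppressionList {
  private rows = new Map<string, Date>();

  private key(tenantId: string, phone: string): string {
    return `${tenantId}:${phone}`;
  }
  add(tenantId: string, phone: string, at: Date = new Date()): void {
    this.rows.set(this.key(tenantId, phone), at);
  }
  remove(tenantId: string, phone: string): void {
    this.rows.delete(this.key(tenantId, phone));
  }
  isSuppressed(tenantId: string, phone: string): boolean {
    return this.rows.has(this.key(tenantId, phone));
  }
}

type InboundEffect = 'suppressed' | 'reinstated' | 'none';

// Apply the rule to one inbound message. Every outbound path (AI, operator,
// template, scheduled) is expected to call list.isSuppressed() and drop the
// send when it returns true.
function applyOptKeywords(
  list: SuppressionList, tenantId: string, phone: string, body: string,
): InboundEffect {
  switch (classifyOptIntent(body)) {
    case 'opt_out':
      list.add(tenantId, phone);
      return 'suppressed';
    case 'opt_in':
      list.remove(tenantId, phone);
      return 'reinstated';
    default:
      return 'none';
  }
}
```

Because the key includes tenant_id, a STOP sent to one Operator's number does not suppress the same phone for a different Operator, which is the behaviour a per-tenant suppression table implies.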

§ 08 Template policy

Templates are required for any outbound message outside the 24-hour customer service window. Zatio enforces this proactively: free-text sends to a phone whose conversations.last_inbound_at is more than 24h old return a 409 window_closed response and never hit Meta’s API. This protects the Operator’s phone-number quality rating from rejected sends.

All templates are Meta-approved per Operator. We do not bypass Meta’s template approval queue or use any mechanism that would allow a template to send before its status is approved.
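An added example of a pre-flight gate that applies the rules in §04, §07 and §08 before anything reaches the Graph API. This is not Zatio's code: only the 409 window_closed response and the conversations.last_inbound_at field come from the page; the other status codes, the reason strings, the token and template status values and the input shapes are assumptions.

```typescript
// Added example, not Zatio's code. Refuses a send locally when the page's
// rules say it must not go out. Only 409 window_closed and last_inbound_at
// are from the page; everything else here is an assumed shape.

const WINDOW_MS = 24 * 60 * 60 * 1000;

type OutboundKind = 'free_text' | 'template';

interface Conversation {
  tenantId: string;
  phone: string;
  lastInboundAt: Date | null; // conversations.last_inbound_at; null = customer never messaged
}

interface SendContext {
  tokenStatus: 'active' | 'revoked' | 'expired' | 'pending'; // Operator's Meta token state (assumed values)
  suppressed: boolean;                                        // row present in whatsapp_suppressions
  templateStatus?: 'approved' | 'pending' | 'rejected';       // Meta's status for the chosen template
}

interface GateResult {
  allowed: boolean;
  status: number;
  reason?: string;
}

// The window is open for 24h after the customer's last inbound message.
// Exactly 24h counts as closed, so a send racing the boundary fails closed.
function windowOpen(conv: Conversation, now: Date): boolean {
  if (conv.lastInboundAt === null) return false;
  return now.getTime() - conv.lastInboundAt.getTime() < WINDOW_MS;
}

function gateOutbound(
  conv: Conversation, kind: OutboundKind, ctx: SendContext, now: Date = new Date(),
): GateResult {
  // Token state is checked first: nothing is sent on behalf of an Operator
  // whose token is anything other than active.
  if (ctx.tokenStatus !== 'active') {
    return { allowed: false, status: 403, reason: 'token_inactive' };
  }
  // Suppression applies to every outbound kind, templates included.
  if (ctx.suppressed) {
    return { allowed: false, status: 403, reason: 'suppressed' };
  }
  // Free text only inside the window; this is the 409 the page describes.
  if (kind === 'free_text' && !windowOpen(conv, now)) {
    return { allowed: false, status: 409, reason: 'window_closed' };
  }
  // Templates may leave the window, but only once Meta has approved them.
  if (kind === 'template' && ctx.templateStatus !== 'approved') {
    return { allowed: false, status: 409, reason: 'template_not_approved' };
  }
  return { allowed: true, status: 200 };
}

// Helper for building test fixtures relative to a fixed clock.
function hoursAgo(hours: number, now: Date): Date {
  return new Date(now.getTime() - hours * 60 * 60 * 1000);
}
```

Passing `now` explicitly rather than reading the clock inside `windowOpen` is deliberate: it makes the boundary case testable and keeps the gate deterministic when replaying a queue of scheduled sends.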

§ 09 Platform safeguards

  • HMAC-SHA256 signature verification on every inbound webhook, keyed with META_APP_SECRET; unsigned or mis-signed requests are rejected before parsing
  • Idempotency on messages.wa_message_id so a Meta retry never duplicates a row
  • Rate limit of 60 events/minute per phone_number_id at the webhook (defence-in-depth on top of HMAC + idempotency)
  • Per-tenant daily spend cap on the AI inference budget (default £20/day) so a compromised widget embed cannot drain the platform’s budget
  • Quality rating monitoring — Meta’s phone_number_quality_update events are wired to a Sentry alert (alert_key wa_quality_downgraded) so a FLAGGED or DOWNGRADE event pages an on-call operator within minutes
  • Encrypted token storage — Operator access tokens are encrypted at rest via token-crypto.ts; never logged or surfaced in dashboards
  • Multi-tenant isolation at the database layer via Postgres Row Level Security; no cross-tenant access path exists
  • Handover state machine with audit log for every ai → human → closed transition; the AI stops sending while a conversation is in human mode
  • PII redaction before logs leave the process — UK phones, postcodes, email addresses
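The first two safeguards above, as an added example rather than Zatio's own webhook code. It verifies Meta's X-Hub-Signature-256 header (an HMAC-SHA256 of the raw request body under the app secret) in constant time, then inserts each message keyed on its wa_message_id so a retried delivery is acknowledged but not processed twice. The Set standing in for a unique index on messages.wa_message_id, the function names and the sample payload are constructed; the payload follows the shape Meta posts for an inbound text message.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Added example, not Zatio's code. Signature check over the raw body plus
// idempotent insert on wa_message_id. Names and payload are constructed.

// Constructed sample in the shape Meta posts for an inbound text message.
const SAMPLE_RAW_BODY: Buffer = Buffer.from(JSON.stringify({
  object: 'whatsapp_business_account',
  entry: [{
    id: '100000000000000',
    changes: [{
      field: 'messages',
      value: {
        messaging_product: 'whatsapp',
        metadata: { display_phone_number: '447700900123', phone_number_id: '200000000000000' },
        messages: [{
          from: '447700900456',
          id: 'wamid.EXAMPLE_CONSTRUCTED_ID_001',
          timestamp: '1777118400',
          type: 'text',
          text: { body: 'Hi, do you install heat pumps in SW1?' },
        }],
      },
    }],
  }],
}));

// Meta sends "sha256=<hex>" where hex is HMAC-SHA256(app_secret, raw body).
// The MAC must be computed over the bytes as received: re-serialising the
// parsed JSON changes whitespace and key order and breaks verification.
function expectedSignature(rawBody: Buffer, appSecret: string): string {
  return 'sha256=' + createHmac('sha256', appSecret).update(rawBody).digest('hex');
}

// Constant-time compare; a length mismatch is rejected before comparing so
// timingSafeEqual is never called with unequal buffers (it throws on those).
function verifySignature(rawBody: Buffer, header: string | undefined, appSecret: string): boolean {
  if (!header || !header.startsWith('sha256=')) return false;
  const expected = Buffer.from(expectedSignature(rawBody, appSecret), 'utf8');
  const received = Buffer.from(header, 'utf8');
  return expected.length === received.length && timingSafeEqual(expected, received);
}

// Stand-in for a unique index on messages.wa_message_id: insertIfNew is the
// equivalent of INSERT ... ON CONFLICT DO NOTHING returning whether a row landed.
class MessageStore {
  private seen = new Set<string>();
  insertIfNew(waMessageId: string): boolean {
    if (this.seen.has(waMessageId)) return false;
    this.seen.add(waMessageId);
    return true;
  }
}

interface WebhookOutcome { status: number; processed: string[]; duplicates: string[] }

function handleWebhook(
  store: MessageStore, rawBody: Buffer, signatureHeader: string | undefined, appSecret: string,
): WebhookOutcome {
  // Reject before JSON.parse so unauthenticated bodies never reach the parser.
  if (!verifySignature(rawBody, signatureHeader, appSecret)) {
    return { status: 401, processed: [], duplicates: [] };
  }
  const payload = JSON.parse(rawBody.toString('utf8'));
  const processed: string[] = [];
  const duplicates: string[] = [];
  for (const entry of payload.entry ?? []) {
    for (const change of entry.changes ?? []) {
      for (const msg of change.value?.messages ?? []) {
        (store.insertIfNew(msg.id) ? processed : duplicates).push(msg.id);
      }
    }
  }
  // Return 200 even when everything was a duplicate: Meta keeps retrying a
  // delivery until it sees a 2xx, so a duplicate must be acknowledged, not errored.
  return { status: 200, processed, duplicates };
}
```

In an HTTP framework this means capturing the raw body (for example via the `verify` hook of a JSON body parser) instead of relying on the already-parsed object; the secret itself should come from the environment variable named on the page and never be logged.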

§ 10 Expected frequency

Per active end user: typically 5–20 messages over the lifetime of a sales conversation. Most conversations resolve within 1–3 days from the first inbound to the human handoff or close.

Per Operator phone number: typically 50–500 conversations per month at a healthy SMB volume. The platform is designed to scale to 5,000+ conversations per number per month without degradation, but Operators rarely approach this volume.

Per Operator: 0–1 outbound utility templates per booking. No recurring marketing schedules.

Reviewers wishing to verify any of the above against the running implementation can reference the source code at github.com/aizatio/zatio-web or contact legal@zatio.io for read access.

Questions?

Email us at legal@zatio.io. We aim to respond within 48 hours.


Almor Ventures SL · CIF B27691799
C. Sant Isidre Llaurador, 14, 1º, 03108 Torre de les Maçanes (Alicante), Spain
+34 644 818 522

© 2026 Zatio. All rights reserved.