Privacy Policy

Effective date: 15 June 2026.

This policy explains how Unlimited Blanco Ltd, Sucursal en España ("Unlimited Blanco Ltd", "we", "us"), operating the commercial brand Quilla Group, processes personal data through Quilla Group - Comms at comms.quilla.group. This domain is the shared communications layer that connects Quilla Group products to the Meta / WhatsApp Business Platform. It is intended for business use and does not integrate with personal (consumer) WhatsApp accounts.

Our role

For the content of WhatsApp messages and the end-customer data exchanged through a business client's connected WhatsApp Business Account, we act as a data processor on behalf of that business client, who is the controller. For the account, connection and operational data we hold to run the integration (for example the identifiers of the connecting user and organisation), we act as a controller.

Information we process

• Connection data: Meta business ID, WhatsApp Business Account (WABA) ID, phone number ID, display phone number and verified name of the connected business number.
• Access tokens: OAuth access tokens issued by Meta, stored encrypted and never exposed to the browser.
• Message events: inbound and outbound WhatsApp messages and status updates — sender and recipient numbers, message identifiers, message type, text and media references, and timestamps.
• Webhook events: the raw event payloads delivered by Meta for the connected account.
• Context identifiers: the tenant, organisation, product and user identifiers passed by the initiating Quilla product to scope each connection.

Why we process it and our legal bases

We process this data to establish and maintain the WhatsApp Business connection, to route and record inbound and outbound messages for the business client's product workflows, and to meet our legal and platform obligations. Our legal bases under the GDPR are performance of a contract with the business client, our legitimate interests in operating and securing the service, and compliance with legal obligations. Where we act as processor, we process message content only on the documented instructions of the business client.

WhatsApp and Meta

Messages are delivered through Meta's WhatsApp Business Platform. Meta Platforms processes the same message data as the platform provider, subject to Meta's own terms and policies. Our use and transfer of information received from Meta APIs complies with the Meta Platform Terms and Developer Policies.

Security and token handling

Access tokens are encrypted at rest using authenticated encryption (AES-256-GCM) and are only ever used server-side; they are never returned to the frontend. Webhook deliveries are verified by signature before they are accepted. Connections are isolated by tenant and organisation.

Sharing and sub-processors

We do not sell personal data. We share data only with infrastructure providers that operate the service on our behalf — including our hosting and serverless platform and our managed database provider — and with Meta as the messaging platform. Each acts under contractual data-protection terms.

International transfers

Some providers, including Meta, process data outside the European Economic Area. Where that occurs, transfers are covered by appropriate safeguards such as the European Commission's Standard Contractual Clauses.

Retention

We retain connection records and message events for as long as the connection is active and for up to 12 months after disconnection, unless a longer period is required by law or a shorter period is requested by the business client. Access tokens are deleted or invalidated on disconnection or deauthorization.

Your rights

Subject to applicable law, you may request access to, rectification or erasure of your personal data, restriction of or objection to processing, and data portability, and you may lodge a complaint with a supervisory authority (in Spain, the Agencia Española de Protección de Datos). For message content we process as a processor, please direct requests to the relevant business client; we will assist them in responding.

Deletion and deauthorization

You can request deletion of data associated with a connection at comms.quilla.group/data-deletion. Removing the app's access from your Meta account triggers our deauthorization handler, which marks the connection disconnected and invalidates the stored token.

Changes and contact

We may update this policy from time to time; the effective date above reflects the latest version. This policy is governed by the laws of Spain. For privacy questions or data requests, contact privacy@quilla.group.