Policy Analysis of Messaging Applications

The privacy and security of user data have become critical considerations when choosing a messaging platform. This study provides a comprehensive analysis of the privacy policies of five messaging applications – Arattai, WhatsApp, Element, Signal and Prav, focusing on how each platform collects, processes, stores, and shares user information.

METHODOLOGY

We evaluate the privacy policies across five key parameters:

  1. Categories of Data Collected: This section outlines the types of data an app collects from users and its legitimacy under the privacy policy.
  2. Third Party App/Devices the App Can Access: Some apps request permission to access data from other applications on the user’s device. We analyse whether the privacy policy clarifies why this access is needed and whether users can control these permissions.
  3. Third Party Access: We analyse whether the app shares user data with external parties, whether these parties are specified, what data is shared and if users can opt out.
  4. Rights under the Digital Personal Data Protection Act, 2023 (DPDPA): We analyse whether the privacy policy mentions the rights available to data principals as provided in DPDPA, such as Right to Withdraw Consent, Right to Access, Right to Erasure, Right to Correction and Right to Grievance Redressal.
  5. Plain Language and Readability: We analyse whether the privacy policy is written in clear, simple language that is easy for users to understand.
  6. Data Protection Score: For the Data Protection Score, we assess apps based on the seven data protection principles. We further score them out of 7. The 7 Data Protection Principles are as follows:
    1. Lawfulness, transparency and fairness: Are the apps collecting and processing data in compliance with law? Is there a legal basis (e.g., consent, contract, legitimate interest, legal obligation)? Does the policy clearly specify what data is collected and why it’s used, and inform users of their rights? Is data collection proportionate, non-deceptive, and neither exploitative nor harmful, and are opt-out options available?
    2. Storage limitation: How long does the app keep your data, do they mention for what purposes they store it, and why they may need to store it indefinitely (if specified)?
    3. Purpose limitation: Does the privacy policy mention why they need your data, and for what reasons they need the different kinds of your personal data?
    4. Data minimisation: Do they collect an adequate amount of personal data that would be relevant for their service? Or do they collect personal data beyond what is necessary for performing their service?
    5. Accuracy: Do they mention that they expect users to have provided reasonably accurate personal information, and not to provide misleading information? Do they tell you how you can correct it?
    6. Integrity and confidentiality: Does the policy mention if reasonable data security measures are implemented to protect and secure your data? Do they specify encryption, access controls, or other safeguards to ensure data protection?
    7. Accountability: Do they have policies in place that would explain these principles (terms of use, privacy policy, any other records/measures they mention)?

If the data protection principle is complied with, you will see that the checkbox has been ticked. You’ll see that we’ve left some boxes empty – We have done that where the policy was unclear or we don’t have enough information to determine whether the principle was complied with.

Comparative Analysis

| Feature/Principle | Arattai | WhatsApp | Element | Signal | Prav |
| --- | --- | --- | --- | --- | --- |
| Data Collected | Phone number, contacts, usage, device info | Phone number, contacts, metadata, device info | Email, IP address, limited metadata | Phone number, minimal metadata (no message content) | Phone number, public key, minimal metadata |
| Third-Party Sharing | Limited disclosure; lacks transparency | Metadata is shared with Meta and affiliates. | None (depends on self-hosted or third-party server) | None | None |
| Storage Location | India | Global servers (Meta infrastructure) | Depends on server; can self-host | USA (non-profit foundation) | Federated; local servers |
| Encryption | End-to-end encryption for calls | End-to-end for chats | End-to-end via Matrix protocol | End-to-end by default for all communications | End-to-end; federated model |
| User Control & Rights (DPDPA) | All rights granted | All rights granted except grievance redressal/ data protection officer address is inaccessible | All rights granted | All rights granted | All rights granted except grievance redressal not specified |
| Data Minimisation | Moderate | Poor | Strong | Excellent | Excellent |
| Accountability & Oversight | Weak; no audit mechanism | Weak; Meta-controlled | Strong; open governance | Strong; open-source audits | Strong; decentralized governance |
| Overall Privacy Protection | Moderate | Weak | Excellent | Excellent | Moderate |

Arattai

Arattai is an India-based messaging application developed by Zoho Corporation, built with the goal of providing a secure, private, and localized alternative to global messaging platforms. The app does not display ads or sell user data, positioning itself as a privacy-conscious service provider focused on communication rather than monetization.

Here is the privacy policy analysis of Arattai:

A. Categories of Data Collected:

Data collected as per Privacy Policy based on User Input:

  • Profile name
  • Phone number
  • Country code
  • Profile picture (Optional)
  • Contacts in your address book (Optional)

Data collected as per Privacy Policy by/through third-parties:

  • Messaging service providers (access to phone number for OTP delivery)

Data collected automatically as specified in Privacy Policy:

  • Type of mobile device
  • Mobile device unique ID
  • IP address
  • Mobile operating system
  • Mobile internet browser type
  • Other diagnostic/usage data
  • Cookies, beacons, tags, scripts for tracking user activity

(Table 1)

Observations:

Arattai collects a relatively minimal set of data compared to mainstream messaging platforms like WhatsApp, which often gather extensive metadata, usage patterns, contact details, and device identifiers to support a wider range of features and analytics. Most of the user-provided data Arattai collects is aligned with its core purpose of enabling messaging and user authentication.

B. Third Party Apps/Devices that Arattai can access:

  • No explicit integrations or access to other apps/devices mentioned.
  • Optional access is asked for contacts and notifications within the device.

C. Third-Party Access to Data:

  1. Employees/Other Third Parties: Access provided on a “need-to-know” basis with appropriate confidentiality and security practices.
  2. Governmental Agencies: Data can be shared with governmental agencies and other third parties in order to (i) comply with applicable laws, (ii) protect the rights and safety of our users, employees and general public, and (iii) to prevent fraud.
  3. Service Providers: Messaging providers have access to phone numbers for OTP delivery.

Observations

  • The privacy policy explicitly states that no data is sold or traded.
  • The third-party access framework outlined in Arattai’s privacy policy lacks specificity and transparency. While access is said to be on a “need-to-know” basis, the policy does not clearly define what internal safeguards or confidentiality measures are in place to prevent misuse of user data.
  • The privacy policy also mentions that data can be shared with governmental agencies and “other third parties”. This is too broadly worded, giving the platform wide discretion without detailing the safeguards applied.

D. Rights under DPDPA:

Observations:

  • There are no timelines set by Arattai to facilitate users’ data protection rights.
  • No specific details of the Grievance Officer are provided, only a support team email address is given.

E. Readability:

The privacy policy is comprehensive, the language used is simple and easy to follow.

F. Data Protection Score:

Observations: 

  1. Lawfulness, transparency and fairness: Arattai’s privacy policy provides a basic overview of the data collected and its purpose. However, it does not identify the legal basis for processing (such as consent, contractual necessity, or legitimate interest), nor does it explain user rights in detail. The sharing clause with “employees, service providers, and government agencies” is vaguely worded and leaves room for broad interpretation. While Arattai claims not to sell user data, its policy does not clarify if metadata is shared for analytics or security reasons.
  2. Storage limitation: The policy does not specify how long data is retained, under what circumstances it is deleted, or whether backups are purged after account deletion.
  3. Purpose limitation: Arattai collects and uses data primarily to authenticate users, ensure communication reliability, and improve app performance. These purposes align closely with the platform’s core functions and enhance user experience. 
  4. Data minimisation: Arattai collects essential data required to operate a secure and fully functional messaging application.
  5. Accuracy: The policy allows users to access, correct, or remove their personal information via their account or customer support, which aligns with fair information practices.
  6. Integrity and Confidentiality: While the policy mentions “appropriate administrative, technical and physical safeguards,” it lacks detail on encryption standards or third-party audits. There is no mention of encryption standards in the Privacy Policy.
  7. Accountability: Arattai has requisite policies in place, i.e., Privacy Policy, Terms of Use, FAQs etc. The privacy policy provides a contact email address for raising concerns regarding security of data.

Data Protection Score: 5/7

WhatsApp

WhatsApp is one of the world’s most widely used instant messaging applications, owned by Meta Platforms Inc. It allows users to send text messages, voice notes, make voice and video calls, and share images, documents, locations, and other media instantly over the internet. WhatsApp’s appeal lies in its simplicity, speed, and reliability, making it a primary communication tool for both personal and professional use across India and the world.

A key feature of WhatsApp is its end-to-end encryption (E2EE), which secures all messages, calls, photos, and videos so that only the sender and recipient can access them. The platform also supports two-step verification, encrypted backups, and disappearing messages, enhancing user privacy.

WhatsApp’s privacy policy change in 2021 came under the scrutiny of the Competition Commission of India (CCI). The CCI found that WhatsApp abused its dominant position by making data sharing with Meta entities mandatory. In November 2024, the CCI imposed a fine of ₹213.14 crore (≈ USD 25–26 million) on Meta for its 2021 policy, and directed WhatsApp to stop sharing user data with other Meta companies for advertising purposes, for five years. It also ordered WhatsApp to provide clearer disclosures of what data is shared and allow users to opt out of certain kinds of shared processing. However, in January 2025, the National Company Law Appellate Tribunal (NCLAT) granted a temporary stay on the CCI’s order, allowing WhatsApp to continue its current practices pending appeal. The case is currently ongoing.

Here is the privacy policy analysis of WhatsApp:

A. Categories of Data Collected: 

Data collected as per Privacy Policy based on User Input:

  • Account Information: Mobile phone number, profile name, profile photo, “about” information.
  • Messages: Message content (stored temporarily only if undelivered for up to 30 days).
  • Contacts: Phone numbers from the address book (if contact upload is enabled).
  • Status Updates: Text, photo, video, or link statuses that users post.
  • Groups: Group name, group picture, description, and group membership.
  • Payments and Transactions: Payment account details, transaction amount, and shipping details (where applicable).
  • Customer Support Interactions: Information shared while contacting WhatsApp support, including message copies or screenshots.

Data collected as per Privacy Policy by/through third-parties:

  • Other Users: Your phone number, name, and messages from other users who have you in their contacts.
  • Businesses on WhatsApp: Information about interactions with business accounts (e.g., orders, communications).
  • Service Providers: Data from partners helping deliver services (e.g., hosting, analytics, crash reporting, map or payment providers).
  • Meta Companies: Shared information for operational, security, and personalized experiences across Meta platforms.
  • User Reports: Data shared when another user or third party reports your account or activity.

Data collected automatically as specified in Privacy Policy:

  • Usage and Log Data: Service-related activity (features used, time, frequency, duration, and interactions).
  • Device and Connection Information: Hardware model, OS, battery level, signal strength, app version, browser, network, IP address, device identifiers, language, and time zone.
  • Location Data: Approximate or precise location (via IP or GPS if permissions granted).
  • Cookies: Used for web and desktop versions to maintain sessions, improve performance, and personalize experiences.

(Table 2)

Observations

WhatsApp collects a broad range of personal and device information, extending beyond basic identifiers like phone numbers to include metadata (device details, IP, usage logs, contact lists, and transaction data). This level of collection goes far beyond what is strictly necessary to provide messaging services. Although message content is end-to-end encrypted, WhatsApp retains significant metadata, which can reveal communication patterns such as who users talk to, how often, and for how long. This metadata collection is essential for functionality but also raises privacy concerns regarding profiling and surveillance.

The app’s integration within the Meta ecosystem means user data is shared with other Meta companies for infrastructure, safety, and personalization purposes. While WhatsApp claims this improves service efficiency, it also enables cross-platform data enrichment and potential user tracking across Meta products.

B. Third-party app/device access

  • Integrations: backup services (iCloud/Google Drive), in-app players or shared content from third-party sites, carriers or device makers may interact with WhatsApp features.
  • Businesses may work with third-party providers (including Meta) to store/process business messages.
  • In-app access permission is sought for Photos, Contacts and Notifications.

C. Third-party access to data

i) Service providers & Meta companies: WhatsApp shares data with Meta Companies and third-party service providers for infrastructure, security, analytics, payments processing, and customer support. These providers are contractually required to process data on WhatsApp’s behalf.

ii) Businesses: Messages sent to businesses may be visible to several people at that business and to service providers they use; some business communications may therefore be processed off-platform (and may not retain end-to-end protections depending on implementation).

iii) Government/legal access: WhatsApp may share data collected as required for legal process or government requests.

iv) Backups: Cloud backups (unless protected by user-enabled E2EE backup) are accessible to the backup provider.

D. Rights under DPDPA

Observations:

  • There are no timelines set by WhatsApp to facilitate users’ data protection rights.
  • No specific details of the Grievance Officer or Data Protection Officer are provided.

E. Readability:

The policy is long but written in relatively accessible language. It uses structured headings, examples, and links to Help Center articles and settings which improves usability.

F. Data Protection Score:

Data Protection Score: 2/7

Observations

  1. Lawfulness, transparency and fairness:  WhatsApp’s data practices are governed by clear terms of service and a detailed privacy policy that outline the categories of data collected, processing purposes, and user rights. The app discloses its data-sharing arrangements within the Meta group and with third-party service providers, ensuring a degree of transparency. However, its integration with Meta for infrastructure and analytics has raised concerns around the extent of user profiling and cross-platform data use. While WhatsApp provides lawful bases for processing under applicable regulations, the opacity around the type of data shared with Meta entities limits complete transparency.
  2. Storage Limitation: WhatsApp retains user data only as long as necessary for providing services, security, and legal compliance. Unsent messages are deleted after 30 days, and backups can be managed by users through their linked cloud accounts. However, message backups stored on third-party cloud services (like Google Drive or iCloud) are not always end-to-end encrypted by default, which may create privacy risks.
  3. Purpose limitation: Data is collected primarily for service delivery, security, and user support. The purposes are well-defined in the policy, including preventing abuse, maintaining system integrity, and improving services. While this aligns with purpose limitation principles, the interlinking with Meta’s infrastructure can indirectly expand the scope of data use beyond messaging.
  4. Data minimisation: WhatsApp demonstrates moderate compliance with data minimisation. It does not collect message content or call data (thanks to end-to-end encryption), but it gathers substantial metadata such as device identifiers, IP addresses, and contact lists to improve service reliability and safety. Compared to open-source alternatives like Signal, which minimize even metadata collection, WhatsApp’s approach is more expansive but arguably justified given its scale and integrated features.
  5. Accuracy: WhatsApp allows users to update their information, including contact details and account settings, ensuring that data remains current and accurate. Synchronization with device contacts maintains updated communication networks, and users can easily rectify inaccurate information through in-app settings or account deletion.
  6. Integrity and Confidentiality: End-to-end encryption by default for all personal communications ensures strong confidentiality and message integrity. WhatsApp also employs advanced security protocols, two-step verification, and device-based encryption to protect against unauthorized access.
  7. Accountability: WhatsApp outlines the responsibilities of its data controllers and processors, and provides mechanisms for user redressal, including grievance reporting and Data Protection Officer contact details (where required by law). However, we got an error while trying to access the contact details, and the process is also complex.

Element

Element is an open-source, privacy-focused messaging platform built on the Matrix protocol, a decentralized network that enables secure and interoperable communication. Unlike centralized apps like WhatsApp or Telegram, Element allows users to self-host their data or choose from various community-run servers, giving them full control over their communications and metadata. This architecture ensures transparency and minimizes reliance on a single company, aligning closely with privacy-by-design and user sovereignty principles.

Element supports end-to-end encryption (E2EE) for all messages, voice, and video calls by default, ensuring that only the intended participants can access the conversation. The app offers features such as group chats, file sharing, bridging to other platforms (like Slack, IRC, or Discord), and cross-platform synchronization, making it suitable for both personal and organizational use.

A. Categories of Data Collected:

Data collected as per Privacy Policy based on User Input:

  • i) Account & Profile Information:
    • Email address
    • Authentication Identifier (email/password, Twitter ID, Google ID)
    • 2FA phone number (if opted in)
  • ii) Billing & Transaction Information:
    • Billing contact details
    • Last four digits of credit card
  • iii) Marketing / Lead Generation Information:
    • Email address
    • Organization of employment
    • Job title
  • iv) Error reporting details (optional):
    • IP address
    • Hostname
    • Full name and email

Data collected as per Privacy Policy by/through third-parties:

  • i) Authentication & Security:
    • Twilio for SMS-based 2FA
  • ii) Payment Processing:
    • Stripe stores full credit card info, processes payments
  • iii) Tax Automation:
    • Quaderno used for tax purposes
  • iv) Marketing & Analytics:
    • Salesloft, Salesforce, HubSpot for CRM and marketing automation
  • v) Maps & Location Services:
    • MapTiler for map displays
  • vi) Call Services:
    • LiveKit Cloud/self-hosted for Element Call
  • vii) Error Reporting:
    • Sentry for logging and monitoring

Data collected automatically as specified in Privacy Policy:

  • i) Connection Information: IP addresses of users (30–180 days retention depending on type)
  • ii) Usage Information: Logged usage data associated with accounts, aggregated analytics for improvements
  • iii) Location Information: Optional static/live location sharing (longitude, latitude, altitude)
  • iv) Push Notifications: Device tokens for Apple/Android push, metadata like roomID/eventID; processed locally

(Table 3)

Observations:

Element’s Privacy Policy reflects a privacy-conscious approach to data collection and data sharing. The privacy policy is clear about the purposes of collection and each third-party integration also serves a defined and limited functional purpose. The architecture ensures that core user data (messages, files, metadata) remains under user or homeserver control, with no external entity having visibility into encrypted content.

B. Third-party app/device access

For creating account:

  • Google
  • X (Twitter) 

C. Third-party access to data

i) Service Providers:

  • Twilio – for SMS-based Two-Factor Authentication (2FA).
  • Stripe – for payment processing.
  • Quaderno – for tax automation.
  • Salesforce, Salesloft, and HubSpot – for marketing and lead management.
  • Sentry – for error tracking and diagnostic reporting.
  • MapTiler – for displaying maps during location sharing.
  • LiveKit (Cloud/Self-hosted) – for handling Element Call (audio/video).
  • Cloudflare – for DDoS protection and content delivery optimization.
  • Amazon Web Services (AWS) – for hosting and infrastructure.

ii) Government and Law enforcement: Element’s privacy policy and Matrix.org documentation clarify that data storage and access depend on the homeserver used. For users on the default Matrix.org server, the operator (New Vector Ltd., UK) may respond to legally valid requests from law enforcement or regulatory bodies. However, due to end-to-end encryption (E2EE), Element (or any homeserver admin) cannot access message content; only limited metadata may be provided. The policy explicitly mentions that disclosure is limited to what is legally required, ensuring proportionality and due process.

iii) Employees: Element has strong rules to control who can access user data. Only employees or contractors who need it to maintain the app can access limited, non-encrypted information, and all such access is logged and monitored. Since Element uses end-to-end encryption, employees cannot read or decrypt users’ messages.

D. Rights under DPDPA

Observations:

  • There are no timelines set by Element to facilitate users’ data protection rights.

E. Readability:

Element has consciously made sure its privacy policy is written in simple English rather than legal jargon, and has specifically emphasised users’ need to understand the privacy policy. The policy explains technical concepts and data practices clearly. Sections are structured logically with headings and subheadings, and examples are provided for complex topics like hosted homeservers, data sharing, and encryption. While some parts remain technical due to the nature of the service (e.g., encryption, server configurations), overall, the policy is much more user-friendly and accessible than typical privacy documents, helping users make informed decisions about their data.

Observations:

  1. Lawfulness, transparency and fairness: Element clearly states the legal basis for data processing under GDPR: Legitimate Interest for operational purposes (Users) and Performance of Contract for Customers. The policy is transparent about what data is collected, why, and how it is processed. Users are informed about their rights, and details about third-party processors are provided. 
  2. Storage Limitation: Data retention practices are specified in multiple sections. IP addresses, logs, and error reports have defined retention periods (e.g., 30–180 days). Billing data is stored for financial records, and message redactions are kept for 7 days before permanent deletion. Element provides clear retention limits, demonstrating adherence to storage limitation principles.
  3. Purpose limitation: Data is collected strictly for operational maintenance, account management, transaction processing, and service improvement. Marketing data collected via third parties is explicitly stated and limited to those purposes. 
  4. Data minimisation: Element collects only the minimum necessary information to provide its services. 
  5. Accuracy: The policy allows users to access, correct, or remove their personal information via their account or customer support.
  6. Integrity and Confidentiality: Element follows strong security measures: encrypted passwords, end-to-end encryption for calls and messages, role-based access for employees, ISO 27001:2022 standards, and provides options for secure hosting. Only necessary personnel can access non-encrypted data, and no attempts are made to decrypt encrypted user data. These practices demonstrate a high commitment to data integrity and confidentiality.
  7. Accountability: PhonePe’s Privacy Policy does provide a general explanation of its data handling practices. Users can also have their grievances resolved by contacting the in-house Privacy Officer. Users can also access a Grievance Policy to address any payment-related, merchant redressal or Aadhaar e-KYC related issues. However, PhonePe data has been reportedly subject to a data leak (even though they insisted that their data remains safe), raising questions on whether such mechanisms will continue to be effective in the future.

Data Protection Score: 7/7

Signal

Founded in 2018, Signal is an instant messaging service developed by the Signal Foundation. It is the most prominent open-source messaging service that has pioneered the standard for end-to-end encryption on messaging platforms.

A. Categories of Data Collected: 

Data collected as per Privacy Policy based on User Input:

  • Profile name
  • Phone number
  • Country code
  • Profile picture (Optional)
  • Contacts in your address book (Optional)

Data collected as per Privacy Policy by/through third-parties:

  • Phone number for identity authentication through messaging service providers (access to phone number for OTP delivery)

Data collected automatically as specified in Privacy Policy:

  • Randomly generated authentication tokens, keys, push tokens
  • Any personal data shared with Signal if a user requests support. This is collected to research the issue and to respond to the user.

(Table 4)

B. Data/Devices the App Can Access:

  • Contacts
  • Photos
  • Microphone
  • Camera

C. Third Party Access:

Signal works with third parties to provide some of its services. For instance, Signal works with third parties to send a verification code to a user’s phone number when they register an account on Signal.

If users are utilizing third-party services like YouTube, Spotify, Giphy, etc. in tandem with Signal, their terms and privacy policies govern their use of those services.

Additionally, Signal states that it would have to share user data to comply with any applicable law, regulation, legal process or enforceable governmental request. Such data sharing may also be required for enforcement of applicable terms (including investigation of potential violations), and for detecting, preventing or addressing fraud, security, or technical issues.

D. Rights under the Digital Personal Data Protection Act, 2023 (DPDPA)

Observations:

  • In its Privacy Policy, Signal has not established clear timelines to facilitate users’ data protection rights under the DPDPA.
  • Signal has not provided any specific details of a Data Protection Officer. In case users have any questions regarding the Privacy Policy, they will have to get in touch through an email or a mailing address.

E. Plain Language and Readability: Signal’s Privacy Policy is readable and accessible to the average user.

F. Data Protection Score:

  1. Lawfulness, transparency and fairness: Signal’s Privacy Policy provides information to users on the various categories of data collected, stored and the underlying purposes for the same.
  2. Storage Limitation: Signal does not store messages or call information on its servers. Such information is only stored locally on the user’s device.
  3. Purpose limitation: Signal collects and uses data primarily to authenticate users, to ensure that its service remains reliable and to provide support in case they are facing any issues.
  4. Data minimisation: Signal limits additional technical information to the minimum required to operate its services. In terms of personal information, Signal has described the kinds of data collected and why it is necessary.
  5. Accuracy: Users can access, correct, or remove their personal information through their account or user support.
  6. Integrity and Confidentiality: Signal cannot decrypt or otherwise access the content of users’ messages or calls. Information from the contacts on users’ devices is cryptographically hashed and transmitted to the server in order to determine which of their contacts are registered on the Signal Messenger. Exceptionally, Signal queues end-to-end encrypted messages on its servers for delivery to devices that are temporarily offline (for example, in case of a phone whose battery has died). Users’ message history is stored on their own devices.
  7. Accountability: Signal’s Privacy Policy provides users with a physical and an electronic mailing address.

Data Protection Score: 7/7

Prav

In March 2016, ‘Simpl’ was launched as an online payment platform that allows a consumer to buy now and settle for the purchase at a more convenient time. 

A. Categories of Data Collected: 

Data collected as per Privacy Policy based on User Input:

  • Profile name
  • Jabber ID (combined with phone number for users of Prav Directory)
  • Offline messages
  • Files

Data collected as per Privacy Policy by/through third-parties:

  • Phone number for identity authentication through messaging service providers (access to phone number for OTP delivery)

Data collected automatically as specified in Privacy Policy:

  • A hash of users’ password
  • Date of account creation
  • Last login
  • Archive of user messages

(Table 5)

B. Third Party Apps/Devices the App Can Access:

  • Contacts
  • Camera
  • Microphone

C. Third Party Access

Prav shares a user’s phone number with Twilio, for identity verification purposes during registration. Users will have to go through Twilio’s Privacy Policy to understand how their data is being handled by them.

For Android users, Prav sends a wake-up signal through Google’s FCM to smartphones that lose connection to their server. Users can access detailed technical information through Prav’s Privacy Policy itself.

D. Rights under the Digital Personal Data Protection Act, 2023 (DPDPA):

Observations:

  • In its Privacy Policy, Prav has not established clear timelines to provide clarity on how it will facilitate each of its users’ data protection rights under the DPDPA.
  • Prav has not provided any details of a Data Protection Officer.
  • Users can request deletion of their account as well as data here.

E. Plain Language and Readability:

Prav’s Privacy Policy uses simple language to explain its privacy practices and should be accessible to the average user. Occasionally, the Privacy Policy uses technical terms (OMEMO encryption) that might require explanation to a person who does not have a technical background.

F. Data Protection Score:

Observations:

  1. Lawfulness, transparency and fairness: Prav’s Privacy Policy provides clear information on the different kinds of data collected and the underlying purposes behind it. However, the Privacy Policy does not refer to any particular data protection law or specify its legal basis for collecting such data. Additionally, the Privacy Policy fails to provide clarity on how users can access all of their rights under the Indian data protection law.
  2. Storage Limitation: Prav does not store messages or call information on its servers. Such information is only stored locally on the user’s device. While Prav maintains data on its users’ last login to automatically delete inactive accounts on its service, the timeline for the same is not clearly mentioned in the Privacy Policy. If a user deletes their account, all related information will be deleted, including files and messages.
  3. Purpose limitation: Prav provides clear information on what forms of data it stores and the underlying purposes behind the same.
  4. Data minimisation: Prav collects only the required amount of data to ensure that its application remains usable. None of the data collected exceeds the scope of operating the service.
  5. Accuracy: The importance of accuracy is not explicitly emphasised in the Privacy Policy. However, this is implied as Prav only collects a user’s phone number. Without providing a correct number, it will not be possible for the user to access the Prav Messenger and register an account for the same.
  6. Integrity and Confidentiality: While the Prav website states that all messages are end-to-end encrypted by default, the Privacy Policy does not explicitly state the same. Additionally, it also specifies that the user can have a choice to retain an archived copy of their message history and can opt out of such retention as well. All backups are encrypted; however, the specific standard of encryption is not specified.
  7. Accountability: Prav does not provide any details regarding a Data Protection Officer or even an email address at which an end-user can contact them if they have any issue with the Privacy Policy. This will make it difficult to hold Prav accountable or raise any grievances with their service, especially given the importance of data privacy in the context of personal communications and online safety.

Data Protection Score: 4/7

HERE IS WHAT WE FOUND:

  1. Data Protection Score: Scores varied significantly across messaging apps. Element and Signal scored highest with 7/7, followed by Arattai with 5/7, Prav at 4/7, and WhatsApp at 2/7, highlighting varying adherence to data protection principles.
  2. Data Protection Principles: Most mainstream apps struggled with transparency and purpose limitation. WhatsApp collects extensive metadata beyond what is strictly necessary for messaging, whereas privacy-focused apps like Signal and Element minimize data collection and adhere closely to principles such as storage limitation, purpose limitation, and data minimization.
  3. Third-Party Data Sharing: All platforms share data with third-party service providers for authentication, hosting, analytics, or payments. WhatsApp and Arattai provide broad, vaguely defined access to governmental agencies and third parties, while Element and Signal limit third-party access and clarify the purpose and scope of such sharing.
  4. Anonymity & Sign-In Requirements: Only Element and Signal allow a degree of pseudonymity or minimal registration (phone number or email). Other apps require full registration, which may expose users to metadata collection and identity linkage.

TAKEAWAYS:

  1. Privacy-Focused Design: Apps built on decentralized protocols (Element) reduce dependence on centralized servers, minimizing risks of mass data collection and third-party access. Open-source and decentralized platforms also prioritize user control, minimize metadata collection, and provide strong encryption, offering superior privacy protections.
  2. Metadata Remains a Key Concern: Even with end-to-end encryption, apps like WhatsApp collect extensive metadata including device information, contact lists, and usage patterns, which can reveal communication behaviors and compromise anonymity.
  3. Encryption: End-to-end encryption (E2EE) is a key factor in protecting message content from unauthorized access. Signal, Element, Prav and WhatsApp use E2EE by default, ensuring only the sender and recipient can read messages. Arattai currently lacks E2EE for messages. Users should also consider how backups are handled, as cloud-stored messages may not always be encrypted.