Your competitors are storing customer WhatsApp conversations in plaintext databases. When they get breached, they'll face €20M fines and lose every enterprise deal. MoltFlow encrypts every message and gives you one-click GDPR compliance. Here's how to prove it.
This guide shows you how to export WhatsApp data for GDPR Article 15-17 compliance, request contact erasure, and build audit trails that win enterprise contracts. MoltFlow encrypts every message field with per-tenant Fernet keys—competitors store plaintext. When enterprise buyers audit your data practices, you'll win.
What You'll Need
Before starting, make sure you have:
- A MoltFlow account with API key — You'll need API access to use the GDPR endpoints. Generate an API key from Settings > API Keys in your dashboard.
- Basic REST API knowledge — We'll be making HTTP requests using curl. Any HTTP client (Postman, Insomnia, etc.) works too.
- Understanding of GDPR rights — Familiarity with Articles 15, 17, and 20 helps, but we'll explain the basics below.
Important: GDPR compliance is your responsibility as a data controller. MoltFlow provides the technical tools, but you must implement proper processes for handling data subject requests.
Data export (all plans) — GDPR compliance shouldn't cost extra. Every plan tier includes full export and erasure APIs.
Step 1: Understand Your GDPR Obligations
GDPR grants individuals specific rights regarding their personal data. As a WhatsApp Business operator using MoltFlow, you're likely a data controller for the messages and contact information you collect.
The three most relevant rights are:
- Right to Access (Article 15) — Individuals can request a copy of all data you hold about them. This includes messages, contact details, and any metadata.
- Right to Erasure (Article 17) — Also known as "right to be forgotten." Individuals can request deletion of their personal data when it's no longer necessary or when they withdraw consent.
- Right to Data Portability (Article 20) — Individuals can request their data in a machine-readable format (like JSON) to transfer to another service.
MoltFlow handles the technical implementation:
- All sensitive contact fields (sender_phone, sender_name, message content) are encrypted at rest using per-tenant Fernet keys
- Data export endpoint provides a complete JSON dump of all tenant data
- Erasure endpoint permanently wipes encrypted fields and removes all traces of contact information
- All erasure actions are logged in an audit trail for compliance records
You're responsible for verifying identity, responding within 30 days, and documenting your processes.
Step 2: Export Your Account Data via the API
When someone requests their WhatsApp data (or you need a GDPR compliance audit), use the data export endpoint to retrieve everything MoltFlow stores about your account. GDPR WhatsApp data exports include messages, contacts, and all metadata.
Here's how to export your full dataset:
curl -X GET https://apiv2.waiflow.app/api/v2/gdpr/export \
-H "X-API-Key: YOUR_API_KEY" \
-o data-export.json
Replace YOUR_API_KEY with your actual API key from the dashboard.
What's Included in the Export
The export endpoint returns a comprehensive JSON object containing:
- Messages — All inbound and outbound messages (decrypted), including content, timestamps, sender/recipient info, and delivery status
- Contacts — All contacts from synced chats, including names, phone numbers, and WhatsApp metadata
- Sessions — Your connected WhatsApp sessions with QR scan timestamps and status history
- Labels — All custom labels and their assignments to contacts
- Custom Groups — Bulk messaging groups you've created with member lists
- Monitored Groups — WhatsApp groups you're tracking for leads
- AI Configurations — Auto-reply settings and style profiles (if you use AI features)
- Usage Data — Message counts, API call statistics, and billing metrics
The export is tenant-scoped—you only see data belonging to your account, never other users' data. For programmatic access, see our REST API Quick Start guide to learn how to automate exports via API.
Filtering by Contact
If someone requests only their personal data (not your entire account), you can filter the export:
curl -X GET "https://apiv2.waiflow.app/api/v2/gdpr/export?phone=972501234567" \
-H "X-API-Key: YOUR_API_KEY" \
-o contact-export.json
This returns only messages, reviews, and records associated with that specific phone number.
Save and Store the Export
The JSON export is your compliance proof. Best practices:
- Save exports in a secure location — Use encrypted storage with access controls
- Timestamp the export — Include the export date in the filename (e.g., export-2026-02-13.json)
- Retain for required period — GDPR requires keeping erasure records for 3-5 years depending on jurisdiction
- Never email exports in plaintext — If sending to a data subject, use encrypted email or a secure file transfer service
Step 3: Request Contact Data Erasure
When a contact invokes their right to erasure (or you need to comply with data minimization), use the erasure endpoint to permanently delete all records associated with a phone number.
Here's the erasure request:
curl -X POST https://apiv2.waiflow.app/api/v2/gdpr/contact-erasure \
-H "X-API-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"phone": "972501234567",
"reason": "Data subject erasure request per GDPR Article 17"
}'
Replace 972501234567 with the phone number to erase (with or without the @c.us suffix—both work).
What Gets Erased
The erasure endpoint performs these actions irreversibly:
- Deletes all messages — Both plaintext and encrypted messages where sender_phone matches the provided number
- Deletes collected reviews — Any feedback/reviews submitted by that contact
- Anonymizes chat records — Sets contact_phone and contact_name to "REDACTED" (preserves chat structure for analytics but removes PII)
- Anonymizes group memberships — Redacts contact info from custom group member lists
- Creates audit log entry — Records the erasure with a SHA-256 hash of the phone number, timestamp, and counts
Important: Erasure is permanent and cannot be undone. Always verify the phone number and identity before processing.
Response Example
A successful erasure returns:
{
"phone": "972501234567",
"messages_deleted": 143,
"reviews_deleted": 2,
"chats_anonymized": 1,
"group_members_anonymized": 0,
"audit_logged": true,
"completed_at": "2026-02-13T10:45:23Z"
}
Use these counts to document the scope of erasure in your compliance records.
Handling Encrypted Data
MoltFlow uses Fernet encryption with per-tenant keys for sensitive fields. The erasure endpoint handles encrypted data by:
- Paginating through encrypted rows in batches of 5,000
- Decrypting each sender_phone field in memory
- Matching against the provided phone number variants (phone, phone@c.us)
- Deleting matching rows without leaving traces
This ensures compliance even for legacy data that was encrypted with older key versions. Erasure operations are logged via webhooks for real-time compliance tracking.
Step 4: Verify Erasure Completion
After running an erasure, verify it completed successfully by re-exporting the contact's data:
curl -X GET "https://apiv2.waiflow.app/api/v2/gdpr/export?phone=972501234567" \
-H "X-API-Key: YOUR_API_KEY" \
-o verify-erasure.json
Check the JSON file—it should contain no messages, reviews, or identifiable information for that phone number. Chats may appear as "REDACTED" entries if the contact was part of group conversations (this preserves analytics without storing PII).
Audit Log Verification
You can also verify via the audit log:
curl -X GET "https://apiv2.waiflow.app/api/v2/audit-logs?action=data_deleted" \
-H "X-API-Key: YOUR_API_KEY"
Look for the erasure entry with matching timestamp and phone hash. This log entry serves as your compliance proof for GDPR Article 30 records.
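The two checks in this step (re-export shows nothing attributable to the number, audit log has a matching entry) can be scripted. The following Python is an added example, not MoltFlow's own code: it runs over constructed sample JSON, and the audit-log entry layout, the hashing of the bare number, and the record field names other than sender_phone, contact_phone and contact_name are assumptions.

```python
import hashlib
import json

# Constructed sample of a filtered re-export after erasure (not real MoltFlow output).
# Top-level keys follow the export contents listed in Step 2; record field names other
# than sender_phone, contact_phone and contact_name are assumptions.
POST_ERASURE_EXPORT = json.loads("""{
  "messages": [{"sender_phone": "972509999999@c.us", "content": "unrelated contact"}],
  "reviews": [],
  "chats": [{"contact_phone": "REDACTED", "contact_name": "REDACTED", "message_count": 143}],
  "custom_groups": [{"name": "VIP", "members": [{"phone": "REDACTED"}, {"phone": "972509999999"}]}]
}""")


def phone_variants(phone: str) -> set:
    """Both forms the endpoints accept: bare digits and the same digits with @c.us."""
    bare = phone.split("@", 1)[0]
    return {bare, bare + "@c.us"}


def phone_hash(phone: str) -> str:
    """SHA-256 of the number as the audit log records it (assumed: bare digits, hex)."""
    return hashlib.sha256(phone.split("@", 1)[0].encode("ascii")).hexdigest()


# Constructed audit-log sample; the entry layout (action, phone_hash, ...) is assumed.
AUDIT_LOG = [
    {"action": "data_deleted", "phone_hash": phone_hash("972501234567"),
     "messages_deleted": 143, "completed_at": "2026-02-13T10:45:23Z"},
    {"action": "session_connected", "completed_at": "2026-02-12T08:00:00Z"},
]


def verify_erasure(export: dict, audit_log: list, phone: str) -> dict:
    """Count what is still attributable to phone and confirm a matching audit entry."""
    variants = phone_variants(phone)
    messages = [m for m in export.get("messages", []) if m.get("sender_phone") in variants]
    reviews = [r for r in export.get("reviews", []) if r.get("phone") in variants]
    chats = [c for c in export.get("chats", []) if c.get("contact_phone") in variants]
    members = [m for g in export.get("custom_groups", [])
               for m in g.get("members", []) if m.get("phone") in variants]
    audit_hits = [e for e in audit_log if e.get("action") == "data_deleted"
                  and e.get("phone_hash") == phone_hash(phone)]
    return {
        "clean": not (messages or reviews or chats or members),
        "audit_logged": bool(audit_hits),
        "residual": {"messages": len(messages), "reviews": len(reviews),
                     "chats": len(chats), "group_members": len(members)},
    }
```

Feed it the verify-erasure.json and audit-log JSON you downloaded above; a "clean" of false with non-zero residual counts means the erasure needs to be re-run with the other phone format.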
Step 5: Set Up Regular Compliance Audits
GDPR requires ongoing compliance, not just reactive responses to requests. Implement these best practices:
Monthly Data Export Review
Schedule a monthly task to export and review your data:
# Create a monthly export for compliance records
curl -X GET https://apiv2.waiflow.app/api/v2/gdpr/export \
-H "X-API-Key: YOUR_API_KEY" \
-o "exports/monthly-$(date +%Y-%m).json"
Store these exports securely and use them to:
- Verify encryption is working correctly
- Identify inactive contacts for erasure
- Document data retention compliance
Automated Erasure of Inactive Contacts
Implement a data minimization policy by erasing contacts who haven't interacted in 12+ months:
- Export your full dataset monthly
- Parse the JSON to identify contacts with last_message_at older than 12 months
- Loop through and call the erasure endpoint for each inactive contact
- Document the batch erasure in your compliance log
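The four steps above as one script. This is an added Python example, not MoltFlow's own code: the export excerpt is constructed, the `contacts` list layout is an assumption (only `last_message_at` is named in this guide), and `fake_post` stands in for the HTTP call so the script runs offline; swap in `http_post` with a real key to run it against the API.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

ERASURE_URL = "https://apiv2.waiflow.app/api/v2/gdpr/contact-erasure"
REVIEW_DATE = datetime(2026, 2, 13, tzinfo=timezone.utc)  # constructed "today" for the sample

# Constructed monthly export excerpt (not real MoltFlow output). `last_message_at`
# is the field the guide names; the `contacts` list layout is an assumption.
MONTHLY_EXPORT = json.loads("""{
  "contacts": [
    {"phone": "972501234567", "name": "Alice", "last_message_at": "2024-11-03T09:12:00Z"},
    {"phone": "972507654321", "name": "Bob",   "last_message_at": "2026-01-20T16:45:00Z"},
    {"phone": "972509999999", "name": "Carol", "last_message_at": null}
  ]
}""")

def inactive_contacts(export: dict, now: datetime, cutoff=timedelta(days=365)) -> list:
    """Phones whose last message is older than cutoff; missing timestamps are skipped."""
    stale = []
    for c in export.get("contacts", []):
        ts = c.get("last_message_at")
        if not ts:
            continue  # no evidence of (in)activity: leave for manual review
        last = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if now - last > cutoff:
            stale.append(c["phone"])
    return stale

def http_post(url: str, api_key: str, body: dict) -> dict:
    """Real transport: JSON POST with the X-API-Key header used throughout the guide."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"X-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fake_post(url: str, api_key: str, body: dict) -> dict:
    """Offline stand-in returning the Step 3 response shape, so the example runs without credentials."""
    return {"phone": body["phone"], "messages_deleted": 12, "reviews_deleted": 0, "chats_anonymized": 1,
            "group_members_anonymized": 0, "audit_logged": True, "completed_at": "2026-02-13T10:45:23Z"}

def run_batch(export: dict, now: datetime, api_key: str, post=http_post) -> list:
    """Erase every inactive contact and return the rows to keep in your compliance log."""
    rows = []
    for phone in inactive_contacts(export, now):
        resp = post(ERASURE_URL, api_key, {"phone": phone, "reason": "Data minimization: inactive 12+ months"})
        rows.append({"phone": phone, "messages_deleted": resp["messages_deleted"],
                     "audit_logged": resp["audit_logged"], "completed_at": resp["completed_at"]})
    return rows
```

Contacts with no last_message_at are deliberately left out of the batch rather than erased, since the script has no evidence either way; review those by hand.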
Document Your Data Processing
GDPR Article 30 requires maintaining records of processing activities. Your documentation should include:
- Purpose of processing — "WhatsApp Business automation for customer support and marketing"
- Categories of data — "Contact phone numbers, message content, timestamps, delivery status"
- Retention period — "Active contacts retained indefinitely; inactive contacts erased after 12 months"
- Technical measures — "Fernet encryption at rest, API key authentication, audit logging"
Respond to Requests Within 30 Days
GDPR mandates responding to data subject requests within 30 days (extendable to 60 days for complex requests). Build a process:
- Verify identity (don't accept erasure requests via WhatsApp without confirming identity)
- Export the contact's data using the filtered endpoint
- Review for third-party data (if you received forwarded messages from others, consult legal counsel)
- Execute erasure if the request is valid
- Send confirmation with erasure details (number of records deleted, completion timestamp)
Troubleshooting
403 Forbidden Error
Problem: The API returns 403 Forbidden when calling the GDPR endpoints.
Solution: Check your API key permissions. The key must have gdpr:read and gdpr:write scopes. Regenerate the key if it's missing permissions.
Rate Limit on Export Endpoint
Problem: Large exports time out or hit rate limits.
Solution: The export endpoint may paginate large datasets. If you have 100,000+ messages, request pagination parameters:
curl -X GET "https://apiv2.waiflow.app/api/v2/gdpr/export?limit=10000&offset=0" \
-H "X-API-Key: YOUR_API_KEY"
Fetch in chunks of 10,000 records and combine the JSON arrays.
Erasure Doesn't Complete
Problem: The erasure endpoint returns success but counts are 0.
Solution: Verify the phone number format. Try both variants:
- With suffix: 972501234567@c.us
- Without suffix: 972501234567
The endpoint checks both, but ensure you're using the same format stored in your messages.
Decryption Errors in Logs
Problem: Server logs show FieldEncryptionError during erasure.
Solution: Some encrypted fields may be corrupted or use an old key version. The erasure endpoint logs warnings but continues processing. Contact support if you see high error rates (>1% of records).
What's Next?
Now that you've set up GDPR-compliant WhatsApp data management, explore related compliance and security features:
- REST API Quick Start — Automate GDPR exports via API for quarterly compliance audits
- Set Up Webhooks — Get notified of new messages without storing unnecessary data
- Configure Anti-Spam Rules — Protect your account from being flagged by WhatsApp
Upgrade for Enterprise GDPR Features
Need advanced compliance tools for enterprise buyers? Upgrade to Growth or Business plans for:
- Bulk erasure API — Process 1,000+ erasure requests via CSV upload
- Compliance webhooks — Real-time notifications for data subject requests
- Custom retention policies — Auto-erase contacts after configurable inactivity periods
- SSO + audit logs — Centralized access control and tamper-proof compliance records
View plans and pricing or contact sales for enterprise quotes.
Need help with GDPR compliance? Contact our support team via the dashboard chat or email us at [email protected]. We can help you design a compliant data processing workflow tailored to your business.