esek.io is operated by Esek, a Meta Tech Provider. We build on the official WhatsApp Business Platform (Cloud API) and the Meta Marketing API on behalf of the businesses that use our service.
Meta permissions requested by our app:
- whatsapp_business_management, whatsapp_business_messaging — used to manage merchant WABAs, phone numbers and message templates, and to send and receive messages on the merchant's behalf.
- ads_management, ads_read, business_management, pages_show_list — used to create, manage and report on Meta ads (including click-to-WhatsApp) for the merchant's own ad accounts and Pages.
What we comply with
Every merchant action we take through Meta APIs is bound by the Meta policies below. Where merchant content (messages, ads, catalogs) is involved, the merchant is the publisher and is responsible for what they send; esek.io enforces platform policy and refuses to transmit content that violates it.
- Meta Platform Terms and Developer Policies
- WhatsApp Business Solution Terms
- WhatsApp Business Messaging Policy
- WhatsApp Commerce Policy
- Meta Advertising Standards and Community Standards
- Applicable data-protection law (GDPR / Israeli Privacy Protection Law). See our Privacy Policy.
WhatsApp messaging compliance
Opt-in
Merchants must obtain explicit opt-in before sending any business-initiated message. We require merchants to declare the opt-in source and retain proof. Templates are submitted to Meta for review; we do not bypass template approval.
Customer service window
The customer service window opens for 24 hours after the customer's most recent message. Inside it the merchant may reply with free-form messages; outside it, only Meta-approved templates in the relevant category (utility, authentication or marketing) may be sent. Marketing templates additionally respect per-recipient frequency caps and quiet hours.
Opt-out
All marketing threads honour opt-out keywords (STOP / UNSUBSCRIBE and localized equivalents). Opt-out is recorded and enforced across the merchant's WABA — a recipient who opts out cannot be re-added by import.
Prohibited use cases
We do not enable, and our chat-agent prompts refuse, content that violates the WhatsApp Commerce Policy (firearms, drugs, adult products, real-money gambling, etc.) or that targets WhatsApp users with unsolicited bulk messaging. Suspected abuse leads to suspension pending review.
Ads & Marketing API compliance
- Ads are created against the merchant's own ad account; billing and ownership stay with the merchant.
- Creatives and targeting must conform to Meta Advertising Standards. Special ad categories (credit, employment, housing, social issues) are flagged and require the merchant to confirm category before launch.
- We do not produce ads that imply personal attributes of the viewer, scrape Meta data, or circumvent Meta's review.
- Audiences built from merchant first-party data require a documented lawful basis and respect Meta's Custom Audiences terms.
Data handling
What we collect, how we use it, and the legal bases are described in the Privacy Policy. Highlights relevant to platform compliance:
- Merchant data (account, billing, OAuth tokens) — processed to provide the service.
- End-user data (WhatsApp messages, phone numbers, ad engagement) — processed on the merchant's behalf as a data processor; the merchant is the controller.
- Encryption — TLS 1.2+ in transit; AES-256 at rest. Tokens and credentials are stored encrypted with restricted access.
- Retention — operational data is retained only as long as needed for service provision and legal obligations. Account deletion is documented on the Data Deletion page.
- Sub-processors — Meta (WhatsApp / Marketing API), our cloud provider, and accounting/payment processors. List available on request.
- Cross-border transfers — covered by Standard Contractual Clauses where applicable.
Security & access controls
- Role-based access; production access limited to a small number of engineers, audited.
- Secrets stored in a managed secret store; no credentials in source control.
- Inbound webhooks are signature-verified before any processing; idempotency keys on all outbound writes to external APIs.
- Logging excludes message content and PII — IDs and metadata only.
- Penetration testing and dependency scanning on a recurring cadence.
Incident response
Security incidents are triaged on detection. If an incident affects merchant or end-user personal data, we notify the affected merchants without undue delay after becoming aware of it, as a processor must under GDPR Art. 33(2), and within any timeline applicable law imposes on us. The notification carries the information merchants need to meet their own duties as controllers (under GDPR Art. 33(1) that is notification to the supervisory authority within 72 hours of becoming aware).
Reporting abuse or a policy concern
If you believe a message or ad sent through esek.io violates Meta or WhatsApp policy, or you want to report suspected misuse of our platform:
- Email compliance@esek.io with the subject Policy concern.
- Include the WhatsApp message (screenshot or sender number) or the ad ID / link, and a short description.
- We acknowledge reports within 2 business days and act on confirmed violations promptly.
GDPR roadmap — what's in place and what's planned
esek.io is pre-launch. The following is an honest status of our GDPR posture so customers, auditors, and our own AI assistants can answer accurately.
In place today
- Privacy Policy, data-deletion flow, and retention windows.
- Processor model: merchant is controller of end-user data, esek.io is processor.
- Encryption in transit (TLS 1.2+) and at rest (AES-256); least-privilege access; no message content or PII in logs.
- WhatsApp opt-in/opt-out enforcement and template-approval discipline.
Planned, not yet shipped
- Data Processing Agreement (DPA) presented and accepted at signup (Art. 28).
- Public sub-processor list with names, locations, and a change-notification channel (Art. 28(2)).
- EU data residency — production is currently US-hosted under SCCs; migration to an EU region is planned before the first EU enterprise customer.
- EU representative appointed and published per Art. 27.
- Cookie / analytics consent banner for EU visitors before PostHog loads.
- Records of Processing (RoPA) document (Art. 30) and a DPIA for chat-agent automated decisioning and ad-audience generation (Art. 35).
- Formal data-subject request intake with SLA tracking for access, rectification, portability, and objection requests (Arts. 15, 16, 20, 21).
- Documented breach-response runbook with on-call rotation and merchant notification list.
If you are evaluating esek.io for an EU deployment and need any of the above today, contact compliance@esek.io — we will prioritise items required for your engagement.
Contact
- Compliance & abuse: compliance@esek.io
- Privacy & data requests: privacy@esek.io
- General: hello@esek.io