WhatsApp Business Messaging Policy



Governing all NOVARIC® WhatsApp Business communications

Document ID: NOVARIC-POL-WA-001  |  Version: v1.0  |  Effective: March 2026  |  Review: March 2027
Owner: NOVARIC® Legal & Compliance Division  |  Classification: Public  |  Status: Active

Purpose

This policy governs the use of WhatsApp Business by NOVARIC® and all its entities across Malta, Albania, and international operations including the NOVARIC® Nexus AI system. It ensures compliance with Meta’s WhatsApp Business Messaging Policy, GDPR (EU 2016/679), LGPD (Brazil), and NOVARIC® Brand Guidelines.

Opt-In Requirements

NOVARIC® must obtain clear, documented consent before sending any WhatsApp message. Consent must be explicit, informed, specific and recorded. Pre-ticked boxes are non-compliant. Opt-outs must be honoured within 24 hours.

All lead capture forms, including those used by Country Agents, must include a separate, explicit WhatsApp opt-in checkbox compliant with both GDPR and LGPD. See: NOVARIC® GDPR Policy.

Message Template Categories

Category | Status
Marketing — vacancy alerts, NOVARIC® Academy promotions, webinars, lead magnets | ✅ Approved with opt-in
Utility — application updates, consultation reminders, document requests | ✅ Approved
Authentication — OTP and verification only | ✅ Approved

All templates must be submitted to Meta for approval and reviewed by a human NOVARIC® representative for compliance with NOVARIC® Brand Guidelines.

Prohibited Content & Actions

Action | Status
Spam or bulk unsolicited messaging | ❌ Prohibited
False, misleading, or deceptive claims | ❌ Prohibited
Guaranteed immigration or visa outcomes | ❌ Prohibited
Guaranteed job placement promises | ❌ Prohibited
Cold WhatsApp outreach without prior consent | ❌ Prohibited
Purchasing lead lists without verified GDPR/LGPD consent | ❌ Prohibited

AI-Generated Messages

NOVARIC® Nexus may generate WhatsApp message content. All AI-generated templates must be reviewed and approved by a designated NOVARIC® human reviewer before Meta submission. See: NOVARIC® Nexus AI Operations Governance.

Data Protection

All WhatsApp operations comply with GDPR (EU 2016/679) and LGPD (Brazil). Data collected is stored in NOVARIC®’s authorised CRM and is not shared with third parties without explicit consent. Retention: 24 months, after which data is purged or consent is renewed.

Related NOVARIC® Governance Documents

Document | Reference
NOVARIC® Nexus AI Operations Governance | N-DOC-10010-032026
Health & Safety Policy | N-DOC-10008-032026
Corporate Email Policy | N-DOC-10009-032026
Brand Guidelines | N-DOC-10007-032026
GDPR & Privacy Policy | NOVARIC-POL-GD-001
IP Rights Policy | NOVARIC-POL-IP-001
Terms & Conditions | NOVARIC-POL-TC-001
NOVARIC® Company Governance | NOVARIC-POL-CG-001

All documents are published under the NOVARIC® Governance Hub.


NOVARIC® — The Future Starts At The Endgame.™  |  C 63881 — Malta  |  EU Trademark: 018313401

AI Communication Governance & Disclosure Controls

ISO/IEC 27001 & AI Governance Aligned

Document Reference: NOVARIC-POL-WA-001 — Addendum
Version: v1.1
Effective Date: March 2026
Status: ACTIVE
Cross-Reference: Information Security Policy (ISMS) · Data Protection & Privacy Policy · Acceptable Use Policy · Incident Management & Logging Controls

1. Purpose

This clause establishes mandatory controls for the transparent, secure, and accountable use of AI-assisted communication within NOVARIC® WhatsApp channels, operated via NOVARIC® Nexus.

It ensures alignment with:

  • ISO/IEC 27001 — Information Security Management Systems (ISMS)
  • ISO/IEC 27701 — Privacy Information Management
  • Emerging AI governance principles: transparency, accountability, human oversight, risk mitigation

2. Scope

This policy applies to:

  • All WhatsApp communications managed by NOVARIC®
  • NOVARIC® Nexus (AI communication system)
  • All employees, contractors, and systems interacting with the platform

3. Control Objectives

  • Transparency: Users are aware when interacting with AI
  • Accountability: Clear attribution of communication source (AI vs human)
  • Integrity: Prevention of misleading or impersonated communication
  • Confidentiality: Protection of user data during AI interaction
  • Human Oversight: Ensuring human intervention in high-risk scenarios

4. AI Disclosure Control (ISO 27001 – A.5, A.8, A.14)

4.1 All AI-assisted communications must include clear and accessible disclosure to users.

4.2 At initial interaction, NOVARIC® Nexus shall provide a notice stating:

  • Communication may be generated or assisted by AI
  • Users must exercise reasonable judgment
  • Critical decisions require human confirmation

4.3 Disclosure must be transparent, presented before or at the point of interaction, and repeated where risk level increases (e.g., financial, legal, or employment decisions).

5. Message Attribution & Identity Control (ISO 27001 – A.5.17, A.8.2, A.8.16)

5.1 All outbound messages must include a verifiable identifier of origin.

5.2 Attribution standards:

  • AI-generated messages: “– NOVARIC® Nexus”
  • Human-generated messages: “– [Authorised Personnel Name]”

5.3 AI systems must not impersonate human users or obscure their identity. Identity integrity controls must ensure traceability of message origin and prevention of spoofing or unauthorised modification.

6. User Risk Awareness & Safe Use (ISO 27001 – A.6.3, A.7.2)

6.1 Users must be advised to:

  • Avoid reliance on AI outputs for critical decisions
  • Refrain from sharing sensitive data without verification
  • Seek clarification when uncertainty exists

6.2 NOVARIC® shall provide guidance to mitigate risks related to misinterpretation of automated responses, fraud, impersonation, or misinformation.

7. Human Oversight & Escalation Control (ISO 27001 – A.5.15, A.5.16)

7.1 Users must have continuous access to request human interaction.

7.2 Mandatory human intervention is required for:

  • Employment offers and contractual commitments
  • Financial or payment-related communications
  • Legal or compliance-sensitive matters
  • Handling of sensitive personal data

7.3 Escalation mechanisms must ensure timely response by authorised personnel, proper handover from AI to human operator, and logging of escalation events.

8. Logging, Monitoring & Auditability (ISO 27001 – A.8.15, A.8.16, A.5.31)

8.1 All AI interactions must be logged, including: timestamp, source attribution (AI or human), user consent and interaction triggers, and escalation requests and outcomes.

8.2 Logs must be protected against unauthorised access, retained per NOVARIC® data retention policies, and available for audit and compliance verification.

9. Data Protection & Privacy Integration (ISO 27701 Aligned)

9.1 AI systems must process personal data in accordance with GDPR principles (lawfulness, fairness, transparency, minimisation) and the NOVARIC® Privacy Policy.

9.2 AI interactions must not collect excessive personal data or process sensitive data without lawful basis.

9.3 Users must be informed of their rights, including:

  • Access · Rectification · Erasure · Objection to processing

10. AI Risk Management & Governance

10.1 NOVARIC® shall implement risk-based controls including periodic review of AI outputs for accuracy and bias, safeguards against harmful or non-compliant responses, and defined acceptable use boundaries.

10.2 AI systems must be regularly tested and validated, monitored for anomalies, and updated in line with regulatory and operational changes.

11. Compliance with Platform & Regulatory Requirements

11.1 All communications must comply with the WhatsApp Business Messaging Policy, applicable data protection laws, and NOVARIC® internal governance standards.

11.2 Any violation may result in suspension of messaging capabilities, system access restrictions, or internal disciplinary procedures.

12. Enforcement & Accountability

12.1 Responsibility for compliance lies with system administrators (technical enforcement), NOVARIC® personnel (operational compliance), and governance and compliance functions (oversight and audit).

12.2 Non-compliance with this clause may trigger incident response procedures, internal investigation, and corrective and disciplinary actions.