Iqwex logo iqweX
support@iqwex.com Talk to us
Legal · WhatsApp Messaging

WhatsApp Messaging Privacy Policy

This policy explains how the Iqwex Hospital Management Platform uses the WhatsApp Business Platform (operated by Meta Platforms, Inc.) to deliver transactional messages on behalf of the hospitals using Iqwex. It supplements — and should be read together with — our main Privacy Policy and Terms & Conditions.

Effective date: 1 May 2026
Last updated: 1 May 2026
Operator: Enstrics LLP, Trivandrum, Kerala 695572, India
Provider integration: Meta WhatsApp Cloud API (direct)

1.Scope & our role

Iqwex is a hospital management platform operated by Enstrics LLP. Hospitals that use Iqwex (each a "Hospital") may enable the WhatsApp messaging module to send transactional, service-related notifications to their patients and staff.

For all such messages, the Hospital is the data fiduciary / data controller in respect of the patients to whom messages are sent. Enstrics acts as a data processor: we transmit messages on the Hospital's instructions, using Hospital-supplied recipient phone numbers and Hospital-configured message preferences. Patients should direct any data requests about their own messages to the Hospital that holds their records.

This policy describes the technical reality of how WhatsApp messaging is implemented within Iqwex, so that all parties — Hospitals, patients, and Meta — understand exactly what data flows through WhatsApp.

2.WhatsApp provider

Iqwex integrates directly with the Meta WhatsApp Cloud API (currently v19.0 at graph.facebook.com). We do not route messages through any third-party Business Solution Provider (BSP). The WhatsApp Business account, phone number ID and access token used to send messages are configured by Enstrics in the platform settings of Iqwex.

Meta Platforms, Inc. is the underlying messaging provider for all WhatsApp delivery. Meta's own privacy practices apply to the WhatsApp Business Platform itself and are documented at whatsapp.com/legal/business-policy and whatsapp.com/legal/privacy-policy.

3.Scenarios & messages we send

Iqwex sends WhatsApp messages only for transactional, service-related events. We do not send marketing, promotional, advertising, or solicitation messages over WhatsApp through this platform.

The following are the only scenarios in which Iqwex sends a WhatsApp message at the time of writing:

3.1 User registered (user_registered)

A welcome message to a newly onboarded staff member of a Hospital, with sign-in instructions.

3.2 Patient registered (patient_registered)

A welcome message to a newly registered patient confirming registration and providing their Medical Record Number (MRN).

3.3 Appointment booked (appointment_booked)

An appointment confirmation containing the patient's name, the doctor's name, hospital name, date/time, and token number.

3.4 Lab report ready (lab_report_ready)

A notification that a lab test report has been signed out and is available in the patient portal.

3.5 Patient portal OTP (patient_portal_otp)

A one-time password used to authenticate the patient when they sign in to the Iqwex patient portal. The patient explicitly chooses WhatsApp as the OTP delivery channel each time they sign in.

Hospitals may enable additional transactional scenarios in future releases. Any such scenario will be templated, approved by Meta, and surfaced through the same opt-out controls described in this policy. We will not start a new scenario silently.

4.Data sent over WhatsApp

Each WhatsApp message is built from a pre-approved Meta template with a small set of named parameters. The fields that may appear inside a message are limited to:

  • Recipient phone number — taken from the Hospital's patient record (patient.Phone) or its E.164-normalised form (patient.NormalizedPhone). For staff-targeted messages, the user's phone number from the Hospital's user record.
  • patient_name — first + last name as captured in the Hospital's patient record.
  • mrn — Medical Record Number assigned by the Hospital.
  • doctor_name — first + last name of the attending doctor, with a "Dr." prefix.
  • date_time — appointment date and start time, in human-readable format.
  • token_number — queue or appointment token.
  • test_name — name of the lab test (e.g., "Complete Blood Count"). No clinical findings, values or interpretation are sent.
  • otp_code — short numeric one-time passcode and its validity window.
  • hospital_name, user_name, user_role, expiry_minutes — the remaining template parameters used by the welcome and OTP scenarios.

We do not send the following over WhatsApp:

  • Diagnoses, prescriptions, lab values, or any other clinical findings;
  • Free-form clinical notes;
  • Identifiers such as ABHA ID, Aadhaar, PAN, government IDs, or insurance numbers;
  • Photographs, scans, attachments, files or any media;
  • Payment-card or banking details.

5.Approved templates

Every WhatsApp message Iqwex sends uses a template that has been registered and approved in Meta Business Manager. Templates use named parameters (e.g., {{patient_name}}, {{date_time}}) which are populated at send time from the Hospital's data. Each template has an explicit language code (default: en) and may be localised by the Hospital.

If a template has not been approved by Meta for a given scenario / language pair, Iqwex will not attempt to send the message and will record a "skipped" entry in the notification log.

6.Lawful basis & consent

The Hospital, as data fiduciary, is responsible for obtaining the lawful basis for messaging its patients and staff. Typical bases used include:

  • Performance of the care relationship: appointment confirmations, OTPs and lab-report-ready notices are necessary to provide care or to authenticate the patient.
  • Patient consent: explicitly captured at registration, where the Hospital asks the patient how they would like to receive transactional messages.

Iqwex does not, on its own, send messages to anyone whose phone number has not been provided by the Hospital with the intent of being contacted for these scenarios.

7.Opt-out & preferences

Recipients can stop receiving WhatsApp messages from Iqwex through any of the following routes:

  • WhatsApp's own controls. Recipients can use WhatsApp's "Block" function or report the business chat directly within the WhatsApp app. Meta will then prevent further delivery.
  • Hospital-side opt-out. Recipients can ask their Hospital's front desk to remove or change their phone number, or to disable transactional messaging for them.
  • Per-scenario channel switch. A Hospital administrator can disable the WhatsApp channel per scenario in Iqwex's "Hospital Admin → Notifications" panel. The toggle is stored in Hospital.NotificationPreferences.Channels[scenarioCode].WhatsApp and takes effect on the next send.
  • Module-level disable. The entire WhatsApp module can be disabled at the subscription-plan level by Enstrics on the Hospital's request.
  • Email Enstrics. Patients or staff who cannot reach their Hospital may email support@iqwex.com with their phone number and the name of the Hospital. We will coordinate with the Hospital to suppress further messaging.

8.Logs & retention

For each message attempt, Iqwex records a row in an internal NotificationLog store containing:

  • Hospital ID and tenant ID;
  • Scenario code (one of the codes listed in section 3);
  • Channel (WhatsApp);
  • Recipient phone number;
  • The rendered template parameters (the variables substituted into the message), so the Hospital can audit what was sent;
  • Status (Sent / Failed / Skipped) and a reason if not sent;
  • The provider message ID returned by Meta (where applicable);
  • Cost units consumed against the Hospital's quota;
  • The user inside Iqwex who triggered the send (where applicable);
  • The timestamp of the send attempt.

These logs are retained for the duration of the Hospital's subscription plus a reasonable period thereafter, in accordance with our main Privacy Policy retention rules. Aggregated, de-identified counters (e.g., "messages sent this month") may be retained longer for billing reconciliation and capacity planning.

9.Security

WhatsApp messages are sent over TLS-encrypted HTTPS calls to graph.facebook.com. The access token used to authenticate to the WhatsApp Cloud API is stored in the Iqwex platform-settings store (encrypted at rest within Azure SQL using Azure-provided encryption) and is never exposed to Hospital-level users. End-to-end transport security between Iqwex and Meta is the standard provided by the Meta WhatsApp Cloud API. Once a message is delivered to a recipient's WhatsApp client, Meta's own end-to-end encryption applies between WhatsApp clients in the normal WhatsApp manner.

10.Sharing & sub-processors

WhatsApp messages necessarily involve sharing the recipient's phone number and the rendered message body with Meta Platforms, Inc. (the operator of the WhatsApp Business Platform). Meta acts as our sub-processor for the messaging delivery. We do not sell, license, or otherwise share message content or recipient data with any other third party for advertising or analytics purposes.

11.International transfers

The Meta WhatsApp Cloud API is operated globally. Sending a message therefore involves a data transfer from our hosting region (Microsoft Azure, defaulting to a region within India where available) to Meta's infrastructure, which may be located outside India. We rely on the Standard Contractual Clauses and other safeguards offered by Meta in its Business Platform terms, in addition to the protections in our own Privacy Policy.

12.Children's data

The WhatsApp messaging module is not intended for direct communication with children. Where a Hospital captures records of minors, transactional messages are typically directed to a parent or guardian's phone number under the Hospital's own consent framework.

13.Your rights

Depending on the laws applicable to you (including India's Digital Personal Data Protection Act, 2023), you may have rights to:

  • Confirmation as to whether your data is processed and access to a summary;
  • Correction or completion of inaccurate data;
  • Erasure of your data;
  • Withdrawal of consent;
  • Grievance redressal; and
  • Nominate another person to exercise rights in the event of your death or incapacity.

Patients should direct rights requests to the Hospital that holds their records (the data fiduciary). Enstrics, as a processor, will support the Hospital in fulfilling its obligations.

14.Data deletion request

To request deletion of WhatsApp-related data that Iqwex holds about you (specifically, the rows in our NotificationLog store and any contact information cached for messaging purposes):

  1. Email support@iqwex.com with the subject line "WhatsApp data deletion request".
  2. Include the phone number(s) for which you want messaging records deleted, and the name of the Hospital where you are registered.
  3. We will verify your identity (typically by sending a confirmation OTP to the phone number you supplied) and coordinate with the Hospital before acting on the request.
  4. We will confirm completion within thirty (30) days of receiving a verified request, subject to any retention obligations imposed by law.
Patient medical records are not deleted by this process. This deletion only covers the messaging logs and contact data tied to WhatsApp delivery. Erasure of the underlying medical record requires a separate request to the Hospital that holds it.

15.Changes to this policy

We may update this policy when we change how WhatsApp is used inside Iqwex — for example, when a new transactional scenario is added, or when our provider integration changes. The latest version is always at iqwex.com/whatsapp-policy.html with an updated effective date. Material changes will be communicated to Hospitals through the platform.

16.Contact

Read together with our other policies. This page sits alongside our main Privacy Policy and Terms & Conditions, which include the broader liability framework, force-majeure provisions, and the controller / processor relationship between Hospitals and Enstrics.