1. Introduction
This Privacy Policy explains how Alton Valley ("we", "us", or "our") collects, uses, and protects personal data in connection with our WhatsApp Emergency Notification API (the "Service"). The Service is a purpose-built API integration that sends automated emergency alert messages via WhatsApp to specified mobile numbers on behalf of authorised clients.
We are committed to protecting personal privacy and to processing all personal data in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What the Service Does
The Alton Valley WhatsApp Emergency Notification API operates as a secure messaging relay. Its sole function is to transmit pre-defined emergency alert messages to mobile phone numbers via the WhatsApp Business API (provided by Meta Platforms, Inc.).
How the data flow works:
- The triggering event and the identity of the intended recipient are held and managed entirely within the client's own source system — Alton Valley's API has no visibility of this data.
- The API receives only the destination mobile phone number and the pre-approved message content required to deliver the alert.
- Once the message is dispatched, the API does not retain, log, or store any personal data beyond what is strictly necessary for message delivery confirmation.
- The Service does not access or store Facebook or WhatsApp social media profiles, full names, email addresses, or any other personal identifiers beyond the mobile number used for message delivery.
3. Personal Data We Process
Given the limited scope of this Service, the personal data processed is minimal and strictly controlled:
3.1 Data Processed in Transit (Not Stored)
- Mobile phone number — used solely to route the WhatsApp message to the correct recipient
- Message content — the pre-approved emergency notification text, defined by the client in their source system
3.2 Data We Do Not Collect or Store
- Full name or personal identity details
- Email address
- Facebook or WhatsApp social media profile information
- Location data
- Device or usage data
- Any data held in the client's originating system (this remains entirely under the client's control)
The personal data that determines why a message is sent and to whom is managed solely within the client's own systems. Alton Valley acts as a Data Processor in this context, acting strictly on the documented instructions of the Data Controller (the client).
4. Purpose and Legal Basis for Processing
We process personal data for the following purposes:
- To transmit emergency notification messages via WhatsApp on behalf of authorised clients
- To confirm successful message delivery to the client system
- To maintain the security, integrity, and availability of the API service
- To comply with applicable legal and regulatory obligations
Our legal bases for processing under UK GDPR are:
- Contract Performance: Processing is necessary to perform the messaging service agreed with our clients.
- Legitimate Interests: We have a legitimate interest in maintaining service security and reliability, where this does not override individual rights.
- Legal Obligation: We may process or retain limited data where required to do so by applicable law.
5. Sharing of Personal Data
We do not sell personal data. Data processed through the Service may be shared only in the following limited circumstances:
- Meta Platforms (WhatsApp Business API): Message content and destination numbers are transmitted through the WhatsApp Business API to facilitate delivery. This is subject to Meta's own privacy policy at www.whatsapp.com/legal/privacy-policy.
- Client Organisations: Delivery confirmation and status information is returned to the client's system. The client is the Data Controller for the underlying recipient data held in their own systems.
- Legal Authorities: We may disclose data where required to do so by law, regulation, or a valid legal request from a competent authority.
All third-party data processors engaged by Alton Valley are bound by appropriate data processing agreements in line with UK GDPR requirements.
6. Data Retention
Alton Valley retains only the minimum data necessary to operate the Service:
- Message delivery logs (status confirmation only, no message content): retained for 12 months
- API access and security logs: retained for 12 months for security monitoring and incident response
- Data required for legal or regulatory compliance: retained for the period required by the relevant obligation
Upon expiry of the applicable retention period, data is securely and permanently deleted.
7. Data Security
Alton Valley applies robust technical and organisational security measures, including:
- End-to-end encryption for all data transmitted via the API
- Role-based access controls and multi-factor authentication for API access
- Regular penetration testing and security health checks carried out by CISSP-certified personnel
- ISO-aligned information security practices across our operations
- Continuous monitoring and incident response procedures
In the event of a personal data breach that poses a risk to individuals, Alton Valley will notify the ICO within 72 hours and affected parties will be informed where required.
8. International Data Transfers
Message data is processed through Meta's WhatsApp Business API, which may involve data being processed outside the UK or EEA. Where such transfers occur, Alton Valley ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the UK ICO.
9. Individual Rights Under UK GDPR
Where Alton Valley processes your personal data as a Data Controller, you have the following rights:
- Right of Access — to request a copy of any personal data we hold about you
- Right to Rectification — to request correction of inaccurate data
- Right to Erasure — to request deletion of your data in certain circumstances
- Right to Restrict Processing — to ask us to limit how we use your data
- Right to Object — to object to processing based on legitimate interests
- Right to Data Portability — to receive your data in a structured, machine-readable format
To exercise any of these rights, please contact us using the details below. We will respond within 30 days at no charge.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Any material changes will be communicated to relevant clients and published at www.altonvalley.com. The date at the top indicates when it was last revised.
11. Contact Us
If you have any questions, concerns, or requests in connection with this Privacy Policy, please contact our Privacy Team: