WhatsApp, Telegram and company: what happens to your data when you chat?

Let’s admit it: if someone took WhatsApp away from us, chaos would break out. We use it for everything: talking to friends, coordinating work, sending photos, audio messages, memes, documents… even for arguing. But behind that convenience lies something we rarely think about: the amount of personal data we give away without even realizing it.

The Catalan Data Protection Authority (APDCAT) has been warning about this for years. Back in 2013 and 2016 it published two reports on the use of messaging apps, and what they said remains completely relevant: not all platforms are secure, and even less so when handling sensitive information.

It’s not just “an app to talk”

Every time you use a messaging app, you’re not just sending messages. You’re also sharing metadata: who you talk to, when, from where, how long the conversation lasts, what files you send, what contacts you have… All of that travels to the servers of the company that runs the app, usually outside Europe.

And that’s where the problem lies. In Europe we have the General Data Protection Regulation (GDPR), which requires strong guarantees regarding privacy, security and consent. But many of these platforms do not fully comply with these rules, or they follow them in their own way.

What if it’s used by an administration or a professional?

This is where the APDCAT was very clear. In its Opinion 24/2013, it explained that it is not advisable for lawyers, doctors, schools or public institutions to use WhatsApp or similar apps to communicate with clients or citizens.

Why?
Because the administration or professional is responsible for processing the data, even if they use a third-party tool. And if that tool does not comply with European regulations (for example, if it stores data on U.S. servers or allows access to contacts without consent), the responsibility does not disappear.

In Opinion 55/2016, the warning was extended to public administrations as well:

“Public entities must ensure that the instant messaging systems they use comply with the principles and guarantees of data protection regulations.”

In other words: it’s not enough to say “we only send notifications via WhatsApp.” If that chat contains personal information —a medical appointment, a file or a document— the entity must ensure that the service complies with the GDPR, that the data is encrypted, and that the citizen has given their consent.

What WhatsApp (and other apps) really know about you

Although WhatsApp says it uses end-to-end encryption, that does not mean it doesn’t collect information. In fact, its privacy policy acknowledges that it stores:

  • Your phone number.

  • Your contact list (even if you don’t use them).

  • Your location if you share it.

  • Device, operating system and usage data.

And even though messages are encrypted, metadata is not. That means the company can know when you talk, with whom and how often.

Telegram, for its part, has a somewhat more flexible policy (it allows encrypted secret chats, for example), but it also stores some information on external servers. Signal, meanwhile, is the most privacy-respectful option, although less popular.

Quick tips to avoid giving away your privacy

  • Review the app’s permissions. If it doesn’t need access to your location or microphone, disable it.

  • Avoid sending personal data or important documents via chat, especially if you don’t know the other person well.

  • Disable cloud backups: many of them are not encrypted.

  • Create groups carefully: adding someone without their consent can also be a violation.

  • Always update the app: many security breaches come from outdated versions.

  • And at work, use secure corporate tools — not your personal WhatsApp.