Why a privacy policy is required
US A2P 10DLC registration requires a public privacy-policy URL. Carriers and The Campaign Registry use it to verify that the messaging business explains how client information is collected, used, shared, protected, and retained.
The policy must describe your business’s real practices, including the use of Fieldified and Twilio to deliver messages.
If the URL is missing, private, generic, or inconsistent with the registration, the application can be rejected.
Legal notice
This article is informational and is not legal advice. Privacy obligations depend on the business, clients, locations, information collected, and services provided.
Have qualified legal counsel review the policy and operational practices.
Identify the business
The policy should show:
- Legal or customer-facing business name
- Mailing or operating address
- Contact email
- Contact phone number
- Privacy contact method
- Effective or last-updated date
Use the same business identity submitted in number registration.
Describe the information collected
Include the categories the business actually handles, such as:
- Client and contact names
- Phone numbers and email addresses
- Property and billing addresses
- Appointment and service information
- Quotes, invoices, and payments
- Message content and attachments
- Consent and opt-out records
- Device, delivery, and interaction metadata
- Customer-support information
Do not claim to collect less data than the systems and business processes actually retain.
Explain how information is used
Describe purposes such as:
- Scheduling and delivering services
- Sending appointment reminders and updates
- Providing quote and invoice access
- Processing payments and receipts
- Responding to support questions
- Maintaining client and service history
- Preventing fraud or abuse
- Meeting legal and regulatory requirements
- Sending promotions when separate consent exists
Keep service communication and marketing purposes distinct.
Explain text-message expectations
State:
- The message categories
- That frequency can vary
- That message and data rates may apply
- How to reply
STOP - How to request help
- How recipients can contact the business
The terms page can contain the program rules, while the privacy policy explains the handling of personal information.
Address service providers and data sharing
Explain that providers such as Fieldified, Twilio, email delivery services, payment processors, and hosting vendors can process information on the business’s behalf to provide the requested services.
The policy should also state that:
- Mobile phone information is not sold.
- Mobile opt-in data and consent are not shared with third parties for their own marketing or promotional use.
- Consent is not transferred to another sender.
- Service providers receive only the information needed to perform contracted functions and are subject to applicable safeguards.
Disclose other sharing required for legal compliance, fraud prevention, business transactions, or client-requested services as applicable.
Describe storage and protection
Explain the safeguards used by the business, such as:
- Access limited by role
- Authentication controls
- Encryption in transit
- Secure hosted systems
- Staff training
- Vendor review
- Incident-response procedures
Avoid absolute promises such as “completely secure.” Describe reasonable safeguards and acknowledge that no system eliminates every risk.
Explain retention
Describe how long the business keeps:
- Client records
- Conversations and attachments
- Consent evidence
- Opt-out events
- Billing and transaction records
Retention can be based on the client relationship, operational needs, dispute handling, legal requirements, and deletion requests.
Consent evidence should be retained for the period required by applicable law and at least until the recipient withdraws consent.
Explain client choices and rights
Tell clients how to:
- Update inaccurate information
- Request access where applicable
- Request deletion where applicable
- Withdraw text consent
- Change communication preferences
- Submit a privacy question or complaint
An SMS opt-out stops text messages; it does not necessarily delete the underlying client or transaction records.
Publish the policy publicly
Use a stable URL such as:
https://yourbusiness.com/privacyThe page must:
- Use HTTPS
- Load without a login
- Work on mobile and desktop
- Remain available during review
- Link from the website and SMS opt-in form
- Link to the terms page
A public hosted document can be used when legally appropriate, but a maintained website page is easier for clients and reviewers to find.
Add the policy to registration
- Open dedicated-number registration in Fieldified.
- Enter the direct privacy-policy URL.
- Enter the terms URL.
- Confirm that the opt-in flow links to both.
- Verify that the registration’s message use case matches the policy.
- Submit or resubmit the application.
Fix a privacy-policy rejection
- Open the exact rejection message.
- Test the submitted URL while signed out.
- Confirm the page identifies the registering business.
- Add missing collection, use, sharing, security, retention, or rights information.
- Add the mobile-data and consent-sharing restriction.
- Link the policy and terms to each other.
- Publish the revised page.
- Resubmit the same direct URL.
Avoid replacing the URL after submission unless necessary; update the page at the stable address.