Legal SMS policy How SMS sent through our platform is handled.

SMS policy.

This is the SMS policy for the we.Shi communications platform. It covers how consent and opt-out work, how SMS data is handled and stored, what isn’t allowed, and where our responsibility ends and our clients’ begins.

Purpose

This policy sets the requirements and procedures for SMS sent through the we.Shi platform. It is built around Canadian privacy law (PIPEDA), supports Know Your Customer (KYC) obligations, and sits alongside our Company Privacy Policy, Data Management Policy, and Information Security Policy.

Who and what this covers

  • All SMS sent through we.Shi’s omnichannel communications platform.
  • All personnel involved in developing, operating, or maintaining SMS functionality.
  • All clients using we.Shi’s SMS services.
  • All data processing activities related to SMS communications.

Our role

we.Shi is a service provider and data processor for SMS sent on behalf of our clients. In that role:

  • We process SMS data according to client instructions and the contract in place.
  • We put appropriate technical and organizational measures in place to protect that data.
  • We do not control the purposes or means of processing SMS personal data.
  • Clients remain the data controllers for their SMS communications.

Consent and opt-in

What clients are responsible for

Clients obtain proper consent from recipients before sending SMS, including:

  • Express consent for commercial messages, in accordance with Canadian Anti-Spam Legislation (CASL).
  • Clear identification of the sender organization.
  • Purpose disclosure for data collection and SMS communications.
  • Opt-in confirmation where the law requires it.

What we provide

  • Consent timestamping and record-keeping.
  • Integration with client consent management systems.

How consent records are kept

  • SMS consent data is classified as Confidential under our Data Management Policy.
  • Records include the phone number, timestamp, consent method, and associated client.

Opt-out (STOP) and help

STOP

  • The STOP keyword removes a recipient from all SMS lists for that client immediately.
  • An automatic confirmation is sent on successful opt-out.
  • Opt-out status is permanent until the recipient explicitly opts back in.

HELP

  • The HELP keyword returns information about the SMS service. INFO works as an alternative.
  • The response includes the client name, the purpose of the messages, and opt-out instructions.

Implementation

  • Opt-out is processed within 10 minutes of receipt.
  • Opt-out status is synchronized across the client’s systems.
  • Opt-out events are surfaced to clients in their dashboard.
  • Opt-out records are retained for compliance verification.

Data privacy and security

What we collect

Only the minimum data needed to make SMS work:

  • Phone numbers (the primary identifier).
  • Names, when a client provides them for personalization.
  • Opt-in and opt-out status, with timestamps.
  • Message delivery status and timestamps.

How we protect it

  • TLS 1.2 or higher for all API communications.
  • AES-256 encryption at rest for all stored SMS data.
  • Access controls that limit SMS data to authorized personnel.
  • Audit logging on all SMS data access and modification.

Where it lives

  • SMS data is processed and stored in Canada and the Eastern United States (AWS regions).
  • Cross-border transfers only happen when we are acting as a data processor under client instructions.
  • All transfers comply with PIPEDA and the relevant client contract.

What is not allowed

The following are strictly prohibited under our Information Security Policy:

Spam and unsolicited messages

  • Sending SMS without proper consent.
  • Bulk messaging to purchased or scraped phone number lists.
  • Messages that violate CASL or other applicable anti-spam regulations.

Harassment and abuse

  • Harassment of any kind, whether through language, frequency, or message size.
  • Threatening, abusive, or discriminatory content.
  • Continued messaging after an opt-out request.

Fraudulent activity

  • Phishing or social engineering via SMS.
  • Impersonation of other organizations or individuals.
  • Messages designed to deceive recipients about who is sending them.

Compliance violations

  • Messages that violate a client’s industry regulations (financial services, healthcare, and so on).
  • Content that conflicts with KYC or AML obligations.
  • Anything non-compliant with Canadian telecommunications regulations.

Retention and disposal

Retention schedule

  • SMS message content: retained by we.Shi and passed through to client platforms.
  • Phone numbers and metadata: retained for the duration of the client agreement.
  • Opt-in and opt-out records: retained for compliance purposes, minimum three years.
  • Delivery logs: retained for at least one year for troubleshooting and compliance.

When a contract ends

  • All client SMS data is anonymized within 60 days, per our Data Management Policy.
  • Opt-out records are kept where regulatory compliance requires it.
  • Clients receive a final export of their SMS data on request.

Legal holds

SMS data subject to legal proceedings or regulatory investigation is exempt from standard retention periods and is held according to legal counsel’s instructions.

Roles and oversight

we.Shi maintains ongoing oversight of SMS privacy compliance.

Updates

This policy is reviewed annually and updated as needed to reflect changes in privacy and telecommunications law, platform capabilities, industry guidance, and client requirements.

Exceptions

Requests for exceptions to this policy go to the Privacy Officer at soc2 (at) we-shi.com, with an appropriate risk assessment and mitigation measures.

Contact

Questions, concerns, or incidents related to SMS privacy and security: soc2 (at) we-shi.com.