SMS consent documentation
1. business overview
bandsbandsbands is a personal digest tool for live music fans. it tracks bands a user chooses to follow, sources tour dates and news for those bands from public sources, and delivers a daily digest via the user's chosen messaging channel. the service also generates band and show recommendations based on a user-curated taste graph.
1a. consent model
Single consent class — express written consent for a recurring program. All messages bandsbandsbands sends through its A2P 10DLC Messaging Service are recurring/promotional in nature: the daily digest, BREAKING tour announcements, band and show recommendations, and ticket-reminder messages for shows the user has marked. Because there is no transactional class of message in this program (OTP verification is handled separately via Twilio Verify, which does not use the A2P Messaging Service), every user opts in once via express written consent and that single consent covers all subsequent sends.
Consent is captured by an unchecked-by-default checkbox the user must affirmatively click before the submit button is enabled. The checkbox label and surrounding disclosure are shown in section 5 verbatim. Server-side, the opt-in is rejected if consentChecked === true is not present on the verification request.
2. SMS use cases
users authenticate their phone number via 6-digit OTP using Twilio Verify. this is the entry point for both new signups and existing-account additions of an SMS channel.
provider: Twilio Verify (managed OTP service, separate from A2P 10DLC traffic)
once a user has opted in, they receive a daily digest of new tour dates, news, and recommendations for the bands and cities they have explicitly chosen to follow. digest frequency is typically 1 message per day. burst frequency (1-3 messages per week) occurs when a band the user follows announces a tour.
when a user marks a show as "want tickets" or "going" via the agent interface, the service may send a one-time reminder message ahead of the show date with venue and time details.
3. consent collection flow
there are two ways a user provides SMS consent. both flows are live at production URLs.
path A: new-user signup
- user visits bandsbandsbands.app/auth and clicks the "sign in with SMS" button.
- user lands on bandsbandsbands.app/join-sms and enters their mobile phone number and display name.
- the consent disclosure (see section 5) is shown directly above the submit button before submission.
- user clicks Continue. server calls Twilio Verify to send a 6-digit OTP. server writes a consent record (see section 8) the moment OTP send is initiated.
- user enters the OTP. server verifies via Twilio Verify and creates a pending signup_request entry, gated by closed-beta approval.
- upon manual approval, server creates the user record and provisions an SMS notification channel. a one-time welcome SMS is sent.
path B: existing-user adds SMS to their account
- authenticated user visits bandsbandsbands.app/settings.
- user clicks "ADD SMS" in the CHANNELS section.
- user enters phone number; the consent disclosure (see section 5) is shown directly above the submit button.
- user clicks Continue. server calls Twilio Verify to send a 6-digit OTP and writes a consent record.
- user enters the OTP. server verifies and writes a notification_channels row with channel_type='sms'. a one-time confirmation SMS is sent.
4. live URLs (visit to verify the flow)
- phone-entry (new user): bandsbandsbands.app/join-sms
- settings "add SMS" (existing user): bandsbandsbands.app/settings
- primary login page: bandsbandsbands.app/auth
- privacy policy: /legal/privacy
- SMS terms: /legal/sms-terms
- terms of service: /legal/terms
a separate undocumented reviewer-bypass URL is provided in the campaign registration's reviewer-notes field. it is structurally identical to /join-sms but skips the closed-beta gate so reviewers can complete the full opt-in flow end-to-end.
5. consent disclosure language (verbatim)
the following text is shown to the user on screen, immediately above the submit button, before any phone number is captured:
"By providing your phone number and clicking Continue, you agree to receive SMS messages from bandsbandsbands about live music events, tour announcements, and band recommendations for artists you follow. Message frequency varies (typically 1-3 per week). Message and data rates may apply. Reply STOP to unsubscribe at any time, or HELP for assistance. See our Privacy Policy and SMS Terms."
the privacy policy and SMS terms are linked directly from the disclosure as live hyperlinks. the disclosure text is logged with each consent record (section 8) so we can prove what the user saw at the time of opt-in.
6. sample messages
7. opt-out and HELP handling
recognized opt-out keywords
STOP response (auto-replied by Twilio)
HELP response (auto-replied by Twilio)
opt-out keywords are processed immediately by Twilio's built-in Advanced Opt-Out handler at the messaging-service level. additionally, users can opt out by removing the SMS channel from their settings page on the website.
8. record retention
we retain the following consent records for 4 years per TCPA requirements:
| data point | description |
|---|---|
| timestamp | when consent was provided (UTC) |
| phone number | normalized to E.164 format |
| source URL | the page where the user opted in (/join-sms or /settings) |
| consent disclosure | exact verbatim text shown to the user at opt-in |
| IP address | for fraud prevention and audit |
| user agent | browser/device information |
| user_id | if the user is authenticated (path B); null on path A |
| marketing opt-in flag | always false; we do not separate transactional vs marketing opt-in for this program |
consent records are stored in the sms_consent Postgres table on Supabase. access is restricted to the application service role.
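
The server-side consent gate from section 1a and the record fields from the table above, combined in one added example (this is not the service's own code). Function names, error codes and column names are hypothetical, and `ctx` is assumed to hold server-derived values (request metadata and the disclosure text the server rendered), never fields taken from the client body.

```javascript
// Added example: hypothetical helper names; the record's fields mirror the
// section 8 table, with assumed column spellings.
const OPT_IN_SOURCES = new Set(["/join-sms", "/settings"]);

// Assumption: bare 10-digit input is a US number (10DLC program), so prefix +1.
function normalizeE164(raw) {
  const compact = String(raw ?? "").replace(/[\s().-]/g, "");
  const candidate = /^\d{10}$/.test(compact) ? `+1${compact}` : compact;
  return /^\+[1-9]\d{1,14}$/.test(candidate) ? candidate : null;
}

function buildConsentRecord(body, ctx, now = new Date()) {
  // Strict identity: "true", 1, or a missing field must not count as consent.
  if (body.consentChecked !== true) {
    return { ok: false, error: "consent_required" };
  }
  const phone = normalizeE164(body.phone);
  if (!phone) return { ok: false, error: "invalid_phone" };
  if (!OPT_IN_SOURCES.has(ctx.sourcePath)) {
    return { ok: false, error: "unknown_source" };
  }
  // Path B (/settings) is authenticated; path A (/join-sms) has no user yet.
  const userId = ctx.sourcePath === "/settings" ? (ctx.userId ?? null) : null;
  if (ctx.sourcePath === "/settings" && !userId) {
    return { ok: false, error: "auth_required" };
  }
  if (typeof ctx.disclosureShown !== "string" || !ctx.disclosureShown.trim()) {
    return { ok: false, error: "missing_disclosure" };
  }
  return {
    ok: true,
    record: {
      timestamp: now.toISOString(), // UTC
      phone_number: phone,
      source_url: ctx.sourcePath,
      consent_disclosure: ctx.disclosureShown, // stored verbatim, not trimmed
      ip_address: ctx.ip,
      user_agent: ctx.userAgent,
      user_id: userId,
      marketing_opt_in: false, // always false in this program
    },
  };
}
```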