Definitions

The following defined terms apply throughout these Terms & Conditions:

• “Company” or “We” refers to Xcel Technologies, Inc., the provider of the SaaS platform and related SMS/MMS messaging infrastructure.
• “Customer” means any business entity that subscribes to the Company’s SaaS platform and utilizes the SMS/MMS messaging capabilities to communicate with its clients.
• “Services” refers to the Twilio Programmable SMS and MMS API, as integrated into the Company’s platform, used to send, receive, and manage text and multimedia messages.
• “Authorized User” means an end-user (the Customer’s client) who has provided explicit consent to receive SMS/MMS messages from the Customer via the Company’s platform.
• “Message” means any SMS (Short Message Service) or MMS (Multimedia Messaging Service) communication transmitted through the Services.
• “Transactional Message” includes two-factor authentication codes, appointment reminders, and status update notifications.
• “Marketing Message” means any promotional, advertising, or commercial communication sent to an Authorized User via the Services.
• “Opt-In” means the express, affirmative consent given by an Authorized User to receive Messages.
• “Opt-Out” means the revocation of consent by an Authorized User to stop receiving Messages.
• “Personal Data” shall have the meaning ascribed to it under the EU General Data Protection Regulation (GDPR) and any successor legislation.

Scope of SMS/MMS Services

The Company’s platform enables Customers to send the following categories of SMS/MMS messages through Twilio’s Programmable Messaging API:

1. Two-Factor Authentication (2FA): One-time passwords and verification codes for identity authentication.
2. Appointment Reminders: Automated notifications reminding Authorized Users of upcoming scheduled appointments or services.
3. Status Updates: Informational messages regarding order status, service progress, account changes, or similar operational notifications.
4. Marketing SMS/MMS: Promotional and advertising messages, subject to enhanced consent requirements and monitoring as described in these Terms.

Consent & Compliance

3.1 Prior Express Consent

Customer represents and warrants that it will obtain prior express written consent (including via text-enabled opt-in) from every recipient before sending any SMS/MMS messages, in accordance with all applicable laws, including but not limited to:

• The Telephone Consumer Protection Act (TCPA)
• The CAN-SPAM Act
• The EU General Data Protection Regulation (GDPR)
• The ePrivacy Directive
• Any applicable state, provincial, or national privacy and electronic communications regulations

3.2 Consent Standards by Message Type

• Transactional Messages (2FA, appointment reminders, status updates): Require at minimum a single opt-in from the Authorized User, documented at the time of account creation, service enrollment, or appointment scheduling.
• Marketing Messages: Require double opt-in — the Authorized User must (a) initially consent via a web form, written agreement, or text keyword, and (b) confirm consent via a verification message before any promotional messages are sent.

3.3 Record Keeping

Customer shall maintain comprehensive logs of all opt-ins, including:

• Timestamp of consent
• Source/method of consent (e.g., web form, keyword text, paper form)
• The specific message categories consented to
• IP address or device identifier (where applicable)

These records must be retained for a minimum of two (2) years and provided to Xcel Technologies, Inc. upon request for compliance audit purposes.

3.4 Opt-Out Handling

Customer must ensure that all automated messages include a functional opt-out mechanism. Standard keywords — STOP, UNSUBSCRIBE, CANCEL, END, QUIT — must be recognized and processed immediately. Customer agrees to:

• Process opt-out requests within one (1) business hour of receipt.
• Send a single confirmation message acknowledging the opt-out (e.g., “You have been unsubscribed. No further messages will be sent. Reply HELP for assistance.”).
• Never send additional messages to an opted-out number unless the user re-subscribes.

Twilio Usage Guidelines

4.1 Prohibited Content

Customer shall not use the Services to send:

• Spam or unsolicited bulk messages
• Phishing, fraud, or deceptive content
• Content violating the CTIA SHAFT guidelines (Sex, Hate, Alcohol, Firearms, Tobacco)
• Any content that violates Twilio’s Acceptable Use Policy
• Illegal content under federal, state, or international law

4.2 A2P 10DLC Registration

Customer agrees to register all phone numbers used for Application-to-Person (A2P) SMS/MMS messaging and provide necessary, truthful information for A2P 10DLC compliance. This includes:

• Brand registration with The Campaign Registry (TCR)
• Campaign registration with accurate use-case descriptions
• Providing sample messages for campaign vetting

4.3 Throughput & Rate Limits

Customers must adhere to Twilio’s published throughput limits and avoid sending message volumes that exceed their registered campaign tier. The Company reserves the right to throttle or suspend messaging capabilities if abuse is detected.

4.4 Number Provisioning

All phone numbers provisioned for SMS/MMS usage remain the property of the telecommunications carrier and are licensed for use through Twilio. Customer may not transfer, resell, or misrepresent ownership of any provisioned numbers.

Two-Factor Authentication (2FA)

5.1 Purpose

2FA messages are transactional in nature and are used exclusively for identity verification, account security, and login authentication. They are not marketing communications.

5.2 Consent

Consent for 2FA messages is implied when an Authorized User enrolls in a service that uses SMS-based authentication. Customer must disclose the use of SMS-based 2FA at the time of account registration.

5.3 Message Content Requirements

• Messages must contain only the verification code and minimal context (e.g., “Your verification code is 482910. Do not share this code. It expires in 10 minutes.”).
• No marketing or promotional content may be included in 2FA messages.
• Verification codes must expire within a reasonable time frame (recommended: 5–15 minutes).

5.4 Security

Customer is responsible for implementing rate-limiting and fraud-prevention mechanisms to prevent abuse of 2FA endpoints (e.g., SMS pumping attacks).

Appointment Reminders

6.1 Purpose

Appointment reminder messages notify Authorized Users of upcoming scheduled services, visits, or engagements. These are classified as transactional messages.

6.2 Consent

Consent is obtained when an Authorized User schedules an appointment or service and provides their mobile number during the booking process. Customer must:

• Clearly disclose that SMS reminders will be sent.
• Provide an option to opt out of appointment reminders at time of scheduling.

6.3 Message Content Requirements

• Messages must include the appointment date, time, and relevant details.
• Messages should include instructions for rescheduling or canceling.
• No marketing or promotional content may be appended to appointment reminder messages.
• An opt-out instruction (e.g., “Reply STOP to stop reminders”) must be included at least in the first message and periodically thereafter.

6.4 Timing

Appointment reminders must be sent during reasonable hours (8:00 AM – 9:00 PM in the Authorized User’s local time zone) unless the appointment is imminent (within 2 hours).

Status Update Messages

7.1 Purpose

Status update messages provide Authorized Users with operational information such as order confirmations, shipping notifications, service progress, or account alerts. These are classified as transactional messages.

7.2 Consent

Consent for status updates is obtained when the Authorized User initiates a transaction, places an order, or enrolls in a service. Customer must disclose SMS-based notifications during enrollment.

7.3 Message Content Requirements

• Messages must be factual, relevant, and directly related to the Authorized User’s transaction or account.
• Messages must identify the sender (Company or Customer brand name).
• No promotional or marketing content may be embedded in status update messages.
• Opt-out instructions must be included periodically.

Marketing SMS/MMS Messages

8.1 Purpose

Marketing messages include promotional offers, discounts, product announcements, event invitations, and any content designed to encourage a commercial transaction.

8.2 Enhanced Consent Requirements

Marketing messages are subject to the strictest consent standards:

• Double opt-in is mandatory for all marketing message recipients.
• Consent must be specific to marketing — consent for transactional messages does not extend to marketing.
• Consent language must be clear, conspicuous, and separate from other terms. Pre-checked boxes are not permitted.

8.3 Frequency & Content Disclosure

At the point of opt-in, Customer must disclose:

• The types of marketing messages the Authorized User will receive
• Estimated message frequency (e.g., “Up to 4 msgs/month”)
• That message and data rates may apply
• How to opt out (e.g., “Reply STOP to cancel”)

8.4 Quiet Hours

Marketing messages must not be sent between 9:00 PM and 8:00 AM in the Authorized User’s local time zone, in accordance with TCPA guidelines.

8.5 Company Monitoring

• Content analysis for prohibited or non-compliant material
• Frequency monitoring to prevent over-messaging
• Opt-out compliance verification
• Quiet-hours enforcement
• Consent record auditing

The Company reserves the right to suspend or terminate a Customer’s marketing messaging capabilities without prior notice if a violation is detected.

Opt-Out & Unsubscribe Management

9.1 Universal Opt-Out

The Company’s platform provides an automated opt-out management system. When an Authorized User sends any recognized opt-out keyword (STOP, UNSUBSCRIBE, CANCEL, END, QUIT), the system will:

1. Immediately flag the phone number as opted out.
2. Send a single confirmation response.
3. Suppress all future messages to that number across all message categories (transactional and marketing) unless the user selectively re-subscribes.

9.2 Granular Opt-Out

Where supported, Customer may implement category-specific opt-out (e.g., opt out of marketing only while continuing to receive appointment reminders). In such cases:

• Clear instructions must be provided for each opt-out category.
• A global STOP must always opt the user out of all message categories.

9.3 Re-Subscription

An Authorized User may re-subscribe by sending START or UNSTOP. Re-subscription must satisfy the original consent requirements for the applicable message category.

9.4 Compliance Logging

All opt-out and re-subscription events are logged with timestamps and retained for a minimum of two (2) years for regulatory compliance purposes.

Data Privacy & Security (GDPR)

10.1 GDPR Compliance

Xcel Technologies, Inc. is committed to full compliance with the General Data Protection Regulation (GDPR) for all data processing activities related to the Services. The Company acts as a Data Processor on behalf of the Customer (the Data Controller).

10.2 Data Processing

Personal Data — including phone numbers, message content, consent records, and delivery metadata — will be processed in accordance with our Data Protection Addendum (DPA), which is incorporated by reference into these Terms. Key commitments include:

• Processing Personal Data only as instructed by the Customer and as necessary to provide the Services.
• Implementing appropriate technical and organizational security measures (encryption in transit and at rest, access controls, audit logging).
• Engaging sub-processors (e.g., Twilio) only with the Customer’s knowledge, with equivalent data-protection obligations in place.
• Assisting the Customer in fulfilling data-subject access requests (DSARs), rectification, and erasure (right to be forgotten) requests.

10.3 Data Retention

Message logs and associated Personal Data are retained only as long as necessary for the purposes of service delivery, compliance, and auditing. Default retention periods:

• Message delivery logs: 90 days
• Consent records: 2 years
• Opt-out records: Indefinitely (for suppression purposes)

Customer may request early deletion of Personal Data in accordance with the DPA.

10.4 Content Restrictions

Customer agrees not to send Sensitive Personal Information (SPI) or Protected Health Information (PHI) over non-encrypted SMS channels. This includes but is not limited to:

• Social Security numbers or government-issued identification numbers
• Financial account numbers or payment card data
• Medical diagnoses, treatment details, or health records
• Biometric data

10.5 International Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Company ensures adequate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms recognized by relevant supervisory authorities.

10.6 Breach Notification

In the event of a Personal Data breach affecting the Services, the Company will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach, consistent with GDPR Article 33 requirements.

Monitoring & Enforcement

11.1 Automated Monitoring

Xcel Technologies, Inc. deploys automated compliance monitoring across all messaging activity on the platform. Monitoring includes:

• Content Scanning: Real-time analysis of outbound message content for prohibited material, SHAFT compliance, and adherence to registered campaign use-cases.
• Consent Verification: Periodic audits of Customer consent records to ensure valid opt-in exists for all active recipients.
• Opt-Out Enforcement: Automated validation that opt-out requests are processed promptly and that no further messages are sent to opted-out numbers.
• Volume & Frequency Monitoring: Detection of unusual message volumes or frequency patterns that may indicate spam or abuse.
• Quiet-Hours Compliance: Verification that marketing messages comply with time-of-day restrictions.

11.2 Violations & Remedies

Upon detection of a violation, the Company may, at its sole discretion:

1. Issue a Warning: Notify the Customer of the violation and require corrective action within 48 hours.
2. Suspend Messaging: Temporarily disable the Customer’s messaging capabilities pending resolution.
3. Terminate Service: Permanently revoke messaging access for repeated or severe violations.
4. Report to Authorities: Report violations to relevant regulatory bodies if required by law.

11.3 Customer Cooperation

Customer agrees to cooperate fully with any compliance investigation, provide requested records and documentation, and implement corrective measures within the specified timeframes.

Indemnification & Limitation of Liability

12.1 Customer Indemnification

Customer agrees to indemnify, defend, and hold harmless Xcel Technologies, Inc., its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorney’s fees) arising from or related to:

• Customer’s failure to obtain proper consent from Authorized Users.
• Customer’s transmission of prohibited, unlawful, or non-compliant content via the Services.
• Customer’s violation of any applicable law, regulation, or industry standard.
• Any third-party claim resulting from the Customer’s use of the SMS/MMS Services.
• Customer’s breach of these Terms & Conditions.

12.2 Limitation of Liability

To the maximum extent permitted by applicable law:

• Xcel Technologies, Inc. shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from the Customer’s use of the Services.
• The Company’s total aggregate liability under these Terms shall not exceed the fees paid by the Customer for the Services during the twelve (12) months preceding the event giving rise to the claim.
• The Company shall not be liable for message delivery failures caused by carrier networks, Twilio service disruptions, or recipient device issues.

12.3 Disclaimer of Warranties

The Services are provided on an “AS IS” and “AS AVAILABLE” basis. Xcel Technologies, Inc. makes no warranties, express or implied, regarding message delivery rates, uptime, or fitness for a particular purpose.

General Provisions

13.1 Amendments

Xcel Technologies, Inc. reserves the right to modify these Terms at any time. Material changes will be communicated to Customers via email or in-platform notification at least thirty (30) days prior to taking effect. Continued use of the Services after the effective date constitutes acceptance of the revised Terms.

13.2 Severability

If any provision of these Terms is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13.3 Entire Agreement

These Terms & Conditions, together with the DPA and any applicable Order Form or Service Agreement, constitute the entire agreement between the parties with respect to SMS/MMS messaging services and supersede all prior agreements, representations, or understandings.

13.4 Governing Law

These Terms shall be governed by and construed in accordance with the laws of the State of [Insert State], without regard to conflict-of-law principles. Any disputes arising under these Terms shall be resolved in the state or federal courts located in [Insert Jurisdiction].

13.5 Assignment

Customer may not assign or transfer these Terms without the prior written consent of Xcel Technologies, Inc. The Company may assign these Terms in connection with a merger, acquisition, or sale of all or substantially all of its assets.

13.6 Notices

All legal notices under these Terms shall be in writing and sent to the addresses on file, or via email to the designated contacts for each party.

13.7 Force Majeure

Neither party shall be liable for delays or failures in performance resulting from circumstances beyond its reasonable control, including but not limited to natural disasters, war, government actions, carrier outages, or Twilio platform outages.

13.8 Contact Information