Gary Club

Privacy policy requirements

The exact clauses your privacy policy must contain, why carriers check for them, and a drop-in template.

Updated May 6, 2026 | 3 min read

Your brand's privacy policy is one of the first things a reviewer reads. A non-compliant or missing policy is one of the most common rejection causes (carrier error codes 805, 851, and 852 all map back to the privacy policy).

Required clauses

  1. What you collect. Phone number, name, email, anything else captured at signup.
  2. How you use it. Specifically that the phone number is used to send SMS for the stated use cases.
  3. The third-party clause. Explicit, plain-language statement that mobile information and SMS opt-in data are not shared with third parties or affiliates for marketing or promotional purposes.
  4. How a recipient opts out and how they reach you for help.
  5. Retention — how long you keep the data.
  6. Effective date and a way to contact the brand about the policy.

The third-party clause — drop-in template

SMS opt-in data and consent will not be shared, sold, rented, or otherwise transferred to any third party or affiliate for marketing or promotional purposes. Information sharing with subprocessors is limited to what is required to deliver SMS messages on our behalf (such as our messaging carrier).

Where the policy must live

  • On the same root domain as the brand's main website (a separate subdomain is fine, but a different root domain is not).
  • Reachable via a footer link on every page where you collect a phone number.
  • Linked from the opt-in form itself ("By submitting … see our Privacy Policy").
  • Served over HTTPS. A non-HTTPS privacy URL is rejected automatically.

Common mistakes

  • Using a generic template that says "we may share your information with marketing partners" — that one sentence will fail your filing.
  • Mentioning third-party advertising with respect to phone data. If you have an analytics or ad pixel on the page, the privacy policy can mention it, but the SMS data clause must explicitly carve out a no-share rule.
  • Linking to a Google Doc or a PDF that requires download. The policy must be a real, indexable web page.
  • Privacy policy on a different domain than the brand's website. Reviewers expect both on the same root domain.
