Privacy Policy | Urban Refine Renovation

# Privacy Policy — SMS & Phone Number Collection

**Effective date:** September 27, 2025
**Last updated:** September 27, 2025

**Summary:** This Privacy Policy explains what personal information we collect when you provide a phone number (including for SMS/text messaging), how we use and share that information, how you can control and revoke SMS consent, and how we protect your data. It is written to align with U.S. laws and industry standards governing telephone numbers and SMS messaging (including the TCPA/FCC requirements, CTIA industry best practices, and state privacy laws such as the CCPA/CPRA). This is a corporate-level policy intended to be included prominently wherever phone numbers or SMS consent are captured (web forms, checkout, account signup, etc.) and linked from our website footer.

## 1. Who we are / Contact

[Company Name] (“we,” “us,” or “our”) operates [urbanrefine.ca]. For questions about this policy, or to exercise any privacy rights described below, contact:
Email: privacy@urbanrefine.ca

---

## 2. What personal information we collect

When you interact with our services and provide a phone number or subscribe to SMS, we may collect:

* **Identifier data:** telephone number (mobile or landline), SMS short/long code interactions, device identifier associated with messaging.
* **Contact information:** name, email address (when supplied with phone).
* **Consent metadata:** timestamp of opt-in, exact consent language presented, IP address, page/URL where consent occurred, method of consent (web form, text opt-in, verbal), and any confirmation messages.
* **Service communications:** content of SMS messages you send to us (e.g., opt-out keyword), delivery status, and message logs.
* **Usage & analytics:** timestamps, message frequency, campaign identifiers, and service usage metrics.
* **Optional profile data:** any other personal info you voluntarily give through SMS or account settings.

*Why this matters:* capturing consent metadata and message logs is vital to comply with U.S. communications rules and to demonstrate lawful prior express consent when required. ([FCC Docs][1])

---

## 3. How we use personal information (purposes)

We use personal information (including phone numbers) for these purposes:

1. **To send transactional SMS** (order confirmations, delivery alerts, appointment reminders). These messages are typically allowed under TCPA without express written marketing consent when they are non-marketing/transactional. ([Federal Communications Commission][2])
2. **To send marketing/promotional SMS**, only where we have obtained prior express written consent for marketing communications (see “Consent” below). Consent records will indicate the telephone number the consumer authorized. ([America's Credit Unions][3])
3. **To provide customer support** via SMS and to respond to inbound messages.
4. **To manage subscriptions and preferences** (opt-ins, opt-outs, frequency preferences).
5. **To maintain and demonstrate compliance** (recordkeeping to prove consent and to respond to regulatory inquiries or litigation). Note: retaining consent evidence (timestamp, copy of consent language, page URL) is an industry best practice. ([CTIA][4])
6. **Security, fraud prevention, analytics, and internal auditing.**
7. **Legal obligations and enforcement:** to respond to lawful requests by government, courts, or regulators.

---

## 4. SMS consent — what we require and how we collect it

**Prior express written consent** is required for marketing SMS under the Telephone Consumer Protection Act (TCPA) and related FCC rules. Our consent collection meets or exceeds the industry and regulatory standards:

* Consent is obtained with **clear, conspicuous language** identifying: the organization sending messages; that consent is for SMS messages; that consent is not required to make a purchase (if applicable); the phone number to be used; message frequency estimate; info about message and data rates; and a clear method to opt out (e.g., “Reply STOP to unsubscribe”). We also store the timestamp, the exact text shown to the user, and the page URL where the consent was given. ([CTIA][4])

**Sample consent checkbox language (web form):**
`[ ] By checking this box and providing my mobile phone number, I agree to receive recurring promotional and transactional text messages from [Company Name] at the number I provide, including messages sent by automated dialing systems. Message frequency varies. Message & data rates may apply. Reply STOP to opt out; HELP for help. SMS consent is not shared with third parties. Privacy Policy [link].`

* The telephone number must be **specifically identified** in the consent (one-to-one consent) when required by law/regulation (some rules require the consent to be directed at the specific seller or sender). We will not rely on broad or generic consents that do not identify the receiving number or the sender identity. ([America's Credit Unions][3])

---

## 5. Opt-out / Revocation of consent

* **Easy opt-out:** Recipients can revoke consent at any time by sending the designated opt-out keyword (e.g., `STOP`) via SMS, or by following other simple methods described in each message (e.g., reply HELP for assistance or use account settings). We process opt-out requests promptly and update our records to stop further marketing messages. Opt-out of marketing will not remove you from non-marketing/transactional messages that are necessary unless you request that specifically. ([Federal Communications Commission][2])

* **Revocation mechanics and recordkeeping:** We store the opt-out timestamp and the method used. Where law requires, we will honor a revocation that is reasonable under the circumstances and documented. Note: evolving FCC rules on revocation and one-to-one consent may change mechanics; we monitor regulatory updates. ([America's Credit Unions][5])

---

## 6. Who we share personal information with

We may share personal information (including phone numbers and consent records) with:

* **Service providers and vendors** that perform services on our behalf (SMS aggregators, carriers, hosting providers, analytics providers, payment processors). We require such vendors to handle information only as instructed and to implement adequate safeguards.
* **Affiliates** only if we have your consent or as described at the time of collection. If we share consent data with an affiliate, we will disclose that clearly at point-of-collection. **SMS consent is not shared with third parties.** (See explicit statement below.)
* **Legal & safety reasons:** law enforcement, regulators, courts, or to defend legal claims.
* **Business transactions:** in connection with a merger, acquisition, or sale of assets — with notice and contractual protections.

**Explicit statement required by you (we include this exact language where you asked):**

> **“SMS consent is not shared with third parties.”**

*(Note: This means we do not sublicense, sell, or transfer the record of your explicit SMS consent to third parties for their independent marketing use. We still may share phone numbers or message content with service providers who operate under contract to send SMS on our behalf; such processors act on our instructions and do not have independent rights to use the consent for their own marketing.)* ([CTIA][4])

---

## 7. Data retention and deletion

* We retain phone numbers, consent metadata, and message logs as long as necessary to provide the services, to comply with legal obligations, to resolve disputes, and to enforce our agreements. Recommended retention for consent evidence and message logs is at least several years (business/legal standard) — adjust per your legal counsel. ([CTIA][4])
* When you request deletion, we will remove personal data from active systems and, where reasonably possible, instruct service providers to delete backups in accordance with their policies, subject to legal hold obligations.

---

## 8. Security

We use administrative, technical, and physical safeguards appropriate to the sensitivity of the information. Examples include access controls, encryption in transit, and vendor security assessments. Despite these measures, no system is 100% secure; we will notify affected individuals and regulators as required by applicable law in the event of a breach.

---

## 9. Consumer privacy rights (U.S. and state-level)

* **California (CCPA/CPRA):** California residents have rights to know, access, delete, correct, and opt out of sale/sharing of personal information, and to limit the use of sensitive personal information. We provide designated methods to submit these requests and will verify identity in accordance with the law. See: CCPA/CPRA materials and our California-specific notice at collection. ([California DOJ][6])
* **Other states:** Some states (e.g., Virginia, Colorado, Connecticut, Utah) have privacy laws granting similar rights — we are monitoring and will comply where applicable.
* **Right to appeal / contact regulator:** You may contact our privacy team or file a complaint with your state privacy regulator.

---

## 10. Children’s privacy

We do not knowingly collect phone numbers from children under 13. If we learn that we have collected personal information from a child under 13 in a manner that violates COPPA, we will delete it. For children under 16, we may require parental/guardian consent where required by law.

---

## 11. International transfers

If personal information is transferred or processed outside the U.S., we will take appropriate safeguards as required by law (contracts, vendor assurances, or other legal mechanisms).

---

## 12. Marketing via third-party lists & lead generators — our policy

We generally do **not** rely on third-party lead generator consents for marketing SMS to consumers unless the consent meets the one-to-one and express written consent requirements (including identification of the telephone number and the specific seller). If we use third-party leads, we document how consent was collected and will only send messages if the consent is valid for our use. ([America's Credit Unions][3])

---

## 13. Automated decision-making and AI

If we use automated systems (including AI) to generate or personalize messages, we will disclose material uses of automation and provide contact/support methods to address any issues. Note: regulatory developments around AI disclosures for calls/texts are evolving; we will update our disclosures as required. ([The Verge][7])

---

## 14. Changes to this policy

We may update this policy to reflect legal, regulatory, or operational changes. Material changes will be posted on our website with a revised effective date and, where required by law, other notice mechanisms.

---

## 15. How and where to present this policy (accessibility & placement)

To satisfy transparency and consent-recording best practices:

* **Web forms & signup pages:** Place a clearly visible **link to this Privacy Policy** immediately adjacent to any phone number or SMS consent checkbox or consent button. The consent text itself should refer to the Privacy Policy (e.g., “Privacy Policy [link]”). ([CTIA][4])
* **Footer:** Include a persistent link to the Privacy Policy in your website footer on every page. This is a best practice and helps meet “clear and conspicuous” disclosure expectations. ([CTIA][4])
* **Message confirmations:** When users opt in via SMS, send a confirmation message that repeats the program name, contact information, opt-out instructions, frequency, and a short link to the Privacy Policy. CTIA best practices recommend including these elements in the confirmation. ([CTIA][4])

---

## 16. Example point-of-collection wording (copy/paste)

**Checkbox version (web form):**
`[ ] I agree to receive recurring marketing and transactional SMS messages from [Company Name] at the mobile number provided, which may be sent using automated technology. Message frequency varies. Message & data rates may apply. Reply STOP to opt out; reply HELP for help. SMS consent is not shared with third parties. View our Privacy Policy [link].`

**Text-to-join/opt-in SMS example (confirmation):**
`Thanks for subscribing to [Company Name] alerts. Msg&data rates may apply. Expect X msgs/mo. Text STOP to opt out, HELP for help. Privacy: [short-link]. SMS consent is not shared with third parties.`

---

## 17. Third-party processors & contractual obligations

We contractually require service providers who process phone numbers or SMS content on our behalf to: (i) process data only on our instructions; (ii) implement reasonable security measures; (iii) assist with data subject requests and audits; and (iv) delete or return data upon termination. We do not allow service providers to use SMS consent records for their independent marketing uses.

---

## 18. Legal & regulatory notes (current environment)

* The TCPA and FCC rules require prior express written consent for most marketing texts; the FCC has recently refined “one-to-one” consent and other TCPA-related rules and enforcement practices. Businesses should capture precise consent records and identify the phone number and the specific sender/seller permitted by the consent. ([FCC Docs][1])
* Court decisions have recently affected how much weight courts give to FCC interpretations of the TCPA, creating additional uncertainty in remedies and enforcement. Businesses should plan compliance conservatively and consult counsel. ([Reuters][8])

---

## 19. Remedies & how to exercise rights

To exercise your privacy rights (access, correction, deletion, opt-out), or to make a complaint:

* Email: privacy@urbanrefine.ca

---

## 20. Special note on “SMS consent is not shared with third parties”

To avoid ambiguity, we state clearly:

> **SMS consent is not shared with third parties.**
> We will not sell, rent, or share your explicit SMS consent record for other companies’ independent marketing purposes. We may, however, share phone numbers and associated data with service providers who operate under contract to send SMS on our behalf; those processors act only on our instructions and are prohibited by contract from using consent records for their own marketing.

---

## 21. Record of updates & audit trail

We maintain an internal audit trail of consent language, timestamps, and the location (URL/form) where consent was collected, and we retain these records in accordance with our retention policy to support regulatory compliance and dispute defense. ([CTIA][4])

---