Compliance & Responsible Messaging

Last reviewed: April 29, 2026

Reactivation campaigns for healthcare-adjacent businesses operate inside a framework of consent, sender-reputation, and patient-care norms. This page describes our intended operating approach and should be reviewed against the final campaign setup before launch. It is not legal advice — your team should consult qualified counsel on jurisdiction-specific questions.

PHI and HIPAA

Where an engagement requires BookingsBack to access protected health information (PHI), the appropriate agreement structure, including a Business Associate Agreement (BAA) when required, must be in place before data access or integration begins.

We aim to minimize sensitive-data exposure. Campaigns should use the least sensitive segment labels and message language practical for the workflow, and client teams retain final approval on what is sent. Provider choices for email, SMS, CRM, and storage must be confirmed against the final data flow before launch.

TCPA — SMS consent

Patient and client consent for SMS varies by jurisdiction, message type, prior relationship, and the client's own intake paperwork. Care-related reminders and promotional campaigns should be reviewed separately before launch.

SMS campaigns should include clear opt-out language such as "Reply STOP to opt out." Opt-outs must be honored across the campaign immediately, and opt-out and complaint rates should be monitored on every send.

CAN-SPAM — email

Campaign emails should include a valid physical mailing address and a working unsubscribe path. Unsubscribes must be honored within the required legal window, and sender domains should have valid SPF, DKIM, and DMARC records before launch.

Client approval

Every campaign is reviewed and approved in writing by the client before launch. The client retains final approval on all messaging. We provide draft sequences and revise them in collaboration with the client's compliance contact.

Sender-reputation hygiene

Sender-reputation requirements are confirmed per campaign. High-volume sends may use a subdomain to reduce risk to the main domain. Bounce rate, complaint rate, and deliverability should be monitored during every campaign, with list cleaning completed before sends begin.

A2P 10DLC

SMS sending should use the appropriate registered messaging path, such as A2P 10DLC where applicable. Brand and campaign registration requirements, including any healthcare-adjacent review, must be confirmed before SMS launch.

Data handling

The preferred operating model is to keep campaigns inside the client's own infrastructure whenever practical: their CRM, their email/SMS provider, and their sending domain. If exports or temporary processing are required, the data flow, retention window, access controls, and deletion process should be documented before launch. We do not resell, share, or repurpose client data.

Contact

Compliance questions can be sent to contact@bookingsback.com.