Compliance & Responsible Messaging
Last reviewed: April 29, 2026
Reactivation campaigns for healthcare-adjacent businesses operate inside a framework of consent, sender-reputation, and patient-care norms. This page describes how we approach those obligations. It is not legal advice — your team should consult qualified counsel on jurisdiction-specific questions.
PHI and HIPAA
Where engagements involve protected health information (PHI), we sign a Business Associate Agreement (BAA) with the client before any data integration begins.
We structure workflows to minimize sensitive-data exposure. Messages reference appointment categories ("annual exam," "hygiene recall") rather than specific diagnoses or treatment details. Where BAA-eligible tooling is required (e.g., for PHI in transit through email or SMS providers), we use providers that offer signed BAAs (Postmark, Resend, Twilio, and others).
TCPA — SMS consent
Patient and client consent for SMS varies by jurisdiction and message type. Care-related reactivation (overdue exam reminders, missed-appointment follow-up) typically falls under existing consent in patient-relationship contexts. Promotional messaging requires explicit marketing consent.
Every SMS we send includes opt-out language ("Reply STOP to opt out"). Opt-outs are honored across the campaign immediately. Opt-out rates are monitored on every send.
CAN-SPAM — email
Every email we send includes a physical mailing address and a one-click unsubscribe link. Unsubscribes are honored within 10 business days, typically same-day. Sender domains have valid SPF, DKIM, and DMARC records published before any campaign launches.
Client approval
Every campaign is reviewed and approved in writing by the client before launch. The client retains final approval on all messaging. We provide draft sequences and revise them in collaboration with the client's compliance contact.
Sender-reputation hygiene
Domains that have been on a blacklist are not reused. High-volume sends use a subdomain to protect main-domain reputation. Sender reputation is monitored weekly via Google Postmaster Tools and Microsoft SNDS. Complaint rate is kept under 0.3% and bounce rate under 2%.
A2P 10DLC
For SMS, we use A2P 10DLC long-code numbers. Brand and campaign registration is completed before any SMS sends. Healthcare-adjacent campaigns may face additional carrier review; clients are informed of registration timelines on the discovery call.
Data handling
A client's patient or client database is never exported or copied to BookingsBack-controlled systems. Campaigns operate inside the client's own infrastructure (their CRM, their email/SMS provider, their domain). We do not resell, share, or repurpose client data.
Contact
Compliance questions can be sent to contact@bookingsback.com.