Compliance
How Vblast satisfies TCPA, CCPA, GDPR, and other privacy frameworks by design.
Vblast is built on a layered consent model. We capture different data at different stages of the Caller’s journey, and we treat each layer with a different legal basis. The result: every SMS Vblast sends is backed by a durable, timestamped opt-in record — and nothing else we collect is used for marketing.
The three-layer consent model
Layer 1 — Scan
When someone scans a Vblast QR Call code, their phone’s browser opens a Vblast short URL (q.vblast.net/abc123). At this point we receive an HTTP request — by the basic mechanics of the internet, every web request includes the originating IP address.
What we capture: a SHA-256 hash of the IP (raw IP is never stored), the timestamp, and the user-agent string.
Legal basis: legitimate interest (GDPR Art. 6(1)(f)), service operation (CCPA). Equivalent to standard server access logging that every website on the internet performs. No personal identification is possible from the hashed value.
Used for: aggregate scan analytics (how many unique scanners) and abuse prevention. Not used for: marketing, profile-building, ad-targeting, re-identification, or sale to third parties.
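One way to build the Layer 1 scan record, as an added example (not Vblast's code). The page does not say whether the hash is keyed; this sketch assumes HMAC-SHA-256 with a server-side secret, because an unkeyed SHA-256 over the 2^32 possible IPv4 addresses can be enumerated. The function names, key value and sample requests are constructed.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone

# Assumption: a server-side secret stored outside the database (placeholder value).
SCAN_HASH_KEY = b"constructed-example-key"


def pseudonymize_ip(raw_ip: str, key: bytes = SCAN_HASH_KEY) -> str:
    """Return a keyed SHA-256 digest of the canonical form of an IP address."""
    # Canonicalize first so "2001:DB8::1" and "2001:db8:0:0:0:0:0:1" hash alike.
    addr = ipaddress.ip_address(raw_ip.strip())
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is the same client as a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return hmac.new(key, addr.packed, hashlib.sha256).hexdigest()


def scan_record(raw_ip: str, user_agent: str, when: datetime) -> dict:
    """Build the stored row: hash, timestamp, user-agent. The raw IP is dropped."""
    return {
        "ip_hash": pseudonymize_ip(raw_ip),
        "scanned_at": when.astimezone(timezone.utc).isoformat(),
        "user_agent": user_agent[:512],  # bound the size of a client-controlled header
    }


def unique_scanners(records: list) -> int:
    """Aggregate analytics: count distinct hashed sources."""
    return len({r["ip_hash"] for r in records})


# Constructed sample requests (documentation address ranges).
SAMPLE_TIME = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    scan_record("203.0.113.7", "Mozilla/5.0 (iPhone)", SAMPLE_TIME),
    scan_record("::ffff:203.0.113.7", "Mozilla/5.0 (iPhone)", SAMPLE_TIME),
    scan_record("2001:DB8::1", "Mozilla/5.0 (Android)", SAMPLE_TIME),
    scan_record("198.51.100.20", "Mozilla/5.0 (Android)", SAMPLE_TIME),
]

if __name__ == "__main__":
    print(unique_scanners(SAMPLE))
```

Rotating the key bounds how long two scans from the same address stay linkable, at the cost of unique-scanner counts that span a rotation.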
Layer 2 — Phone call
The Caller’s phone dialer opens to the campaign’s toll-free number. When they place the call, our voice provider (Twilio) sends us the phone number in E.164 format along with a call identifier.
What we capture: phone number, call SID, start/end time, duration.
Legal basis: legitimate interest. Phone call records are necessary for service operation (billing, fraud detection, and providing the audio playback the Caller initiated).
Used for: playing the campaign audio, billing the Customer for voice minutes, rate-limiting, abuse prevention. Not used for: sending marketing SMS, sharing with the Customer as a marketable contact, or any purpose beyond fulfilling the call the Caller chose to make.
Layer 3 — Press 1 (consent)
The audio body explicitly tells the Caller what will happen: “press 1 to receive a text message about [topic].” If they press 1, that affirmative action is the consent gate.
What we capture: the exact opt-in event — phone number, timestamp, the call ID it was attached to, and the digit pressed.
Legal basis: express consent (GDPR Art. 6(1)(a)) / express written consent (TCPA standard). The Caller heard what would happen and took an affirmative action specifically to make it happen.
Used for: sending the SMS the Caller consented to receive. Stored permanently as an audit record. Not used for: any further messages without subsequent consent.
TCPA
The Telephone Consumer Protection Act requires “prior express written consent” for SMS to a wireless number. The FCC defines this as a written agreement, bearing the consumer’s signature, that clearly authorizes the seller to deliver advertisements.
Vblast’s press-1 flow satisfies this through the established “e-signature” framework: the Caller has been informed of the specific content of the messages they will receive (via your audio body), and their press-1 action is recorded as their electronic signature consenting to receive them. The consent record we store includes:
- The Caller’s phone number
- The exact timestamp of the press-1 event
- The call SID linking the consent to a specific recorded interaction
- The campaign that was active at the time, identifying what message they consented to
STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT replies are honored automatically (per FCC rules). Every SMS Vblast sends includes a STOP-to-unsubscribe footer (auto-appended if absent from the Customer’s message body). STOP’d numbers are blocked at our application layer and confirmed at Twilio’s carrier layer.
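The send-time checks described in this section, as an added example (not Vblast's code): a message is released only when a press-1 consent record exists for that number and campaign and the number has not opted out, and the STOP footer is appended when the body lacks one. The in-memory stores, class and function names, footer wording and footer-detection pattern are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

OPT_OUT_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}
STOP_FOOTER = "Reply STOP to unsubscribe."  # assumed wording
HAS_FOOTER = re.compile(r"\b(reply|text)\s+STOP\b", re.IGNORECASE)  # assumed check


@dataclass(frozen=True)
class ConsentRecord:
    phone: str  # E.164
    pressed_at: datetime
    call_sid: str
    campaign_id: str
    digit: str


class ConsentGate:
    def __init__(self):
        self.consents = {}       # (phone, campaign_id) -> ConsentRecord
        self.suppressed = set()  # phones that replied with an opt-out keyword

    def record_keypress(self, phone, call_sid, campaign_id, digit, when):
        """Store consent only for the affirmative digit announced in the audio."""
        if digit != "1":
            return None
        rec = ConsentRecord(phone, when.astimezone(timezone.utc), call_sid, campaign_id, digit)
        # setdefault keeps the first record so the audit trail is never overwritten.
        return self.consents.setdefault((phone, campaign_id), rec)

    def handle_inbound(self, phone, body):
        """Apply an opt-out if the whole reply is one of the keywords."""
        if body.strip().upper() in OPT_OUT_KEYWORDS:
            self.suppressed.add(phone)
            return True
        return False

    def prepare_sms(self, phone, campaign_id, body):
        """Return the text to send, or None when sending is not authorized."""
        # Opt-out is checked first and wins over any stored consent.
        if phone in self.suppressed or (phone, campaign_id) not in self.consents:
            return None
        if not HAS_FOOTER.search(body):
            body = f"{body.rstrip()} {STOP_FOOTER}"
        return body
```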
CCPA / CPRA (California)
Vblast does not sell or share personal information for cross-context behavioral advertising. We process Caller data solely for the purpose of operating the Service — playing the audio they called, recording their consent, and sending the SMS they requested.
California residents can request access, deletion, or correction of their personal data by emailing support@vblast.net. We respond within 30 days. For Caller data tied to a specific Customer’s campaign, deletion requests may be routed through that Customer (the data controller).
GDPR / UK GDPR
Vblast is a US-based service primarily aimed at US Customers and US Callers. We do not target EEA or UK residents. However, where the framework applies:
- Lawful basis: the layered model above maps directly to GDPR Art. 6 — legitimate interest for operational data (Layers 1–2), explicit consent for marketing data (Layer 3).
- Data minimization: we collect only what’s necessary for each layer. Raw IPs are never persisted; only hashes.
- Data subject rights: access, rectification, erasure, portability, and objection are all supported. Email support@vblast.net.
- Data Processing Agreement (DPA): Customers acting as data controllers can request a DPA covering the Caller data Vblast processes on their behalf. Contact us.
- Data location: Vblast data is stored in US-based Supabase infrastructure. Cross-border data transfers (where applicable) rely on Standard Contractual Clauses.
10DLC / Toll-Free verification
Vblast operates exclusively on Twilio toll-free numbers, all of which complete Twilio’s toll-free verification process before being placed in the customer-facing pool. This is the carrier-mandated process for sending SMS at scale — without it, US carriers heavily filter or block traffic. Customers needing a 10-digit local number can contact support@vblast.net for 10DLC brand and campaign registration as a sales-assisted option.
Customer responsibility
Vblast provides the technical machinery for compliance: consent capture, opt-out handling, the opt-in audit trail, and the mandatory unsubscribe footer. Customers remain responsible for:
- The substance of their audio body and SMS body
- Sector-specific regulations (financial services, healthcare, political, etc.)
- State-specific telemarketing rules where they apply
- Honoring opt-out requests received through any channel (not just SMS STOP)
- Maintaining records of their own as required by their industry
See our Terms of Service Section 6 for the full division of responsibility.
Why the layered model matters
Many SMS marketing platforms collect lists of phone numbers from web forms, lead generators, or purchased lists, then claim TCPA compliance based on a single checkbox somewhere in the user’s path. That model is inherently fragile — opt-in records are often disconnected from the messages they’re supposed to authorize, consent language is vague, and recipients frequently don’t remember signing up.
Vblast inverts this. The Caller is on a phone call, hearing your specific message, when they press 1. The opt-in is contemporaneous, contextual, and ironclad. Every SMS we send corresponds to one specific Caller pressing one specific button at one specific moment, recorded with cryptographic identifiers. This is the strongest possible TCPA compliance posture short of getting a notarized signature.
Audit access
If you receive a TCPA complaint or regulatory inquiry, you can pull the complete opt-in record from your dashboard at any time — phone number, timestamp, call ID, SMS message ID, and delivery status. CSV export is available on the Opt-ins tab.
Contact
For compliance, regulatory, or DPA questions: support@vblast.net
This page describes how Vblast is designed and operated. It is not legal advice. For specific compliance questions affecting your business, consult an attorney.