Legal Center Anti-Spam & Messaging Policy

Anti-Spam & Messaging Policy

Effective Date: February 16, 2026  |  Last Updated: February 28, 2026

This policy governs the use of otpx.dev and any ZeroSuite messaging infrastructure. It applies to all API customers sending messages through ZeroSuite channels, including SMS, WhatsApp, and email delivery.

Table of Contents

  1. Permitted Use
  2. Prohibited Use
  3. Consent Requirements
  4. Opt-Out Mechanisms
  5. Regulatory Compliance
  6. Rate Limits & Fair Use
  7. Enforcement
  8. Reporting Abuse
  9. Contact

1. Permitted Use

ZeroSuite messaging infrastructure is intended for the following legitimate purposes:

  • Authentication OTPs: One-time passwords for user authentication and account verification.
  • Transactional Notifications: Password resets, two-factor authentication codes, account security alerts, and login notifications.
  • Delivery Confirmations: Order confirmations, shipping notifications, and service status updates.
  • Appointment Reminders: Scheduled reminders sent with prior explicit consent from the recipient.

2. Prohibited Use

The following activities are strictly prohibited on all ZeroSuite messaging channels:

  • Bulk Unsolicited Marketing: Sending bulk marketing messages, promotional content, or advertisements without prior express consent from recipients.
  • SMS/WhatsApp Blasting: Mass messaging without opt-in consent from each recipient.
  • Sender ID Spoofing: Falsifying, manipulating, or misrepresenting sender identification to deceive recipients about the origin of a message.
  • Phishing: Sending messages that impersonate legitimate entities to steal credentials, financial information, or other personal data.
  • Non-Consented Recipients: Sending messages to phone numbers or email addresses whose owners have not provided consent to receive messages.
  • Political Campaigns: Sending political campaign messages without proper regulatory disclosure and recipient consent.
  • Messages to Minors: Sending messages to minors without verified parental or guardian consent.

3. Consent Requirements

Prior express written consent is required for all messages sent through ZeroSuite messaging infrastructure. Consent must meet the following criteria:

  • Freely given: Consent must not be coerced or bundled with unrelated terms.
  • Specific: Consent must clearly describe the type of messages the recipient will receive.
  • Informed: The recipient must be told who will send the messages and how to opt out.
  • Unambiguous: Consent must be given through a clear affirmative action (not pre-checked boxes or implied agreement).

Record keeping: Consent records must be maintained by the API customer (Controller). ZeroSuite may request evidence of consent at any time. Failure to produce consent records upon request may result in account suspension.

4. Opt-Out Mechanisms

All non-OTP messages must include clear opt-out instructions:

  • SMS: Every non-OTP SMS must include opt-out instructions (e.g., "Reply STOP to unsubscribe").
  • Email: Every non-OTP email must include a functional unsubscribe link.
  • WhatsApp: Messages must respect WhatsApp's built-in opt-out mechanisms and user blocking.
  • Processing time: ZeroSuite will honor opt-out requests within 24 hours of receipt.

5. Regulatory Compliance

API customers using ZeroSuite messaging infrastructure must comply with all applicable telecommunications regulations in their operating jurisdictions:

5.1 CTIA (United States)

  • 10DLC registration required for application-to-person (A2P) messaging to US numbers
  • Compliance with CTIA Short Code Monitoring Handbook and A2P messaging guidelines
  • Prohibited content categories must be observed (SHAFT: Sex, Hate, Alcohol, Firearms, Tobacco)

5.2 ARCEP (France)

  • SIRET/SIREN registration required for commercial SMS sent to French numbers
  • Compliance with French anti-spam legislation and ARCEP directives

5.3 West Africa

  • Compliance with national telecommunications authority requirements in each operating country
  • ARTCI (Côte d'Ivoire), ARCEP (Sénégal), and other national regulators as applicable

5.4 WhatsApp Business API

  • Compliance with Meta's Commerce Policy and WhatsApp Business Policy
  • Template messages must be pre-approved by WhatsApp before sending
  • 24-hour messaging window rules must be observed for non-template messages

6. Rate Limits & Fair Use

  • API Rate Limits: Per-account rate limits are enforced on all messaging API endpoints. Exceeding rate limits results in HTTP 429 responses.
  • Burst Detection: Unusual burst sending patterns are automatically detected and flagged for review. Accounts exhibiting burst patterns may be temporarily throttled.
  • High-Volume Accounts: Accounts sending more than 10,000 messages per day require manual review and approval before the increased volume is permitted. Contact [email protected] to request a volume increase.

7. Enforcement

ZeroSuite actively monitors messaging traffic for policy violations:

  • Automatic Hold: Suspected spam or policy-violating traffic triggers an automatic hold on the sending account's messaging capabilities.
  • Investigation: All flagged accounts are investigated within 24 hours by the ZeroSuite compliance team.
  • Escalation: Confirmed violations follow a three-tier enforcement process:
    1. Written warning with required corrective action
    2. Temporary suspension of messaging capabilities
    3. Permanent account ban with no refund
  • Immediate Ban: Accounts found to be sending phishing messages, CSAM-related content, or engaging in active fraud are permanently banned without prior warning.

8. Reporting Abuse

If you receive unwanted messages sent through ZeroSuite infrastructure, or if you are aware of messaging abuse on our platform, please report it immediately:

  • Abuse Reports: [email protected]
  • Response Time: All abuse reports are reviewed within 24 hours.

9. Contact

For questions about this messaging policy or to report abuse: