Privacy Policy and Terms of Service Templates for A2P 10DLC: Paste-Ready Clauses for GoHighLevel Agencies

If you’ve ever Googled “A2P 10DLC privacy policy template” or “TCR terms of service required clauses,” you’ve probably noticed that most of what comes back is generic, partially out of date, or written for a different platform than GoHighLevel. The exact wording matters more than most templates acknowledge — TCR’s automated screening looks for specific phrases, and paraphrasing reduces approval rates noticeably.

This guide gives you the paste-ready text for every required clause, organized by document, sourced from the same rule library Easy A2P uses to review submissions. Copy each clause verbatim into your Privacy Policy and Terms of Service and you’ll pass the document-side checks every TCR reviewer runs.

The short version

You need two documents (or two sections inside existing documents):

• Privacy Policy SMS section — must include the TCR non-sharing clause, an “Information We Collect” disclosure, a “Data Security” disclosure, opt-out instructions, and contact info.
• Terms of Service SMS section — must include all 7 required clauses (business identity, STOP, HELP, carrier liability, message frequency & rates, privacy policy link, and 18+ age restriction).

Both must be linked from your website footer and from your opt-in form footer. The links must work and open the actual pages — not modals or popovers.

The clauses below are paste-ready. Use them verbatim where indicated; the only edits should be the parts in [brackets] (your business name, phone number, contact email, etc.).

How to use these templates

Use the SMS-specific clauses verbatim. TCR’s automated screening looks for specific phrases — especially the non-sharing clause. Paraphrasing reduces approval consistency. The clauses in this guide have been tested against thousands of GHL Trust Center submissions and reflect what carriers and TCR reviewers actually scan for.

Adapt the rest of your Privacy Policy and Terms of Service to your actual business practices. The SMS clauses are a small subset of a complete Privacy Policy / Terms of Service — your full documents need to cover data handling, cookie policy, user rights, contract terms, and dozens of other topics. A template can’t write those for you accurately because they depend on your specific business operations.

This is not legal advice. I’m an A2P 10DLC compliance practitioner, not a lawyer. The clauses here are based on what TCR’s automated screening accepts and what GoHighLevel’s compliance tool flags. Have a real attorney review your final Privacy Policy and Terms of Service before publishing — especially if you handle sensitive data or operate in regulated industries (healthcare, financial services, education).

If your business operates under a DBA different from the legal entity (e.g., legal name “Acme Holdings LLC,” consumer-facing name “Acme Salon”), use the format “[Legal Name] DBA [DBA Name]” in the section headers of both your Privacy Policy SMS section and your Terms of Service SMS section. Body references to the brand can use the DBA alone (consumer-facing — that’s what users opted in to). This pattern is sanctioned by GHL’s Understanding A2P Campaign Rejection Reasons & Required Fixes article, provided you also declare the relationship in your Campaign Description with the sentence “We are doing business as [DBA Name].” Examples in this guide use a single [Business Name] placeholder; substitute “Acme Holdings LLC DBA Acme Salon” in headers and “Acme Salon” in body where applicable.

The Privacy Policy SMS section — five required parts

Most agencies add this as a clearly-labeled section (“SMS / Text Messaging” or “SMS Privacy Policy”) inside an existing Privacy Policy. Place it wherever the rest of your data collection and sharing topics live — usually toward the bottom of the document.

Part 1 — The TCR non-sharing clause (paste verbatim)

This is the single most important paragraph in your Privacy Policy from a TCR-approval perspective. The exact wording matters. TCR reviewers look for this specific phrasing or close variants. Don’t paraphrase, don’t summarize, don’t restructure — just copy:

No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. Information sharing to subcontractors in support services, such as customer service, is permitted. All other use case categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

The clause does three things at once: declares no marketing-purpose sharing, carves out an exception for legitimate support subcontractors (which carriers expect), and explicitly excludes opt-in data and consent from any sharing arrangement. That carve-out structure is what TCR’s screening looks for — versions that omit it sometimes get rejected even when they say “we don’t share” in different words.

If your Privacy Policy currently says anything that could be read as “we may share your phone number with marketing partners” or “we share data with affiliates for promotional purposes,” that language must be removed. TCR rejects Privacy Policies that mention sharing SMS opt-in data with third parties, even if the rest of the policy is otherwise compliant.

Part 2 — “Information We Collect” disclosure

GHL’s compliance tooling now flags Privacy Policies missing an “Information We Collect” section as a failure. The Privacy Policy must explicitly describe what personal data is collected through the SMS opt-in process.

Paste-ready template:

Information We Collect. When you opt in to receive SMS messages from [Business Name], we collect the following information through our opt-in form:

• Phone number (required for messaging)
• First and last name (used for personalized messaging)
• Email address (optional, for account communications)
• Any additional information you voluntarily provide on the opt-in form

This information is collected solely to deliver the SMS messages you have consented to receive and to maintain a record of your consent. We retain this information for as long as you remain opted in, plus a reasonable period afterward to respond to support requests or comply with legal record-keeping requirements.

Adapt the bullet list to match what your form actually collects. If your form only asks for phone number, drop the other items.

Part 3 — “Data Security” disclosure

The Privacy Policy must describe the security measures protecting user data. GHL’s compliance tooling flags Privacy Policies missing a Data Security section as a failure.

Paste-ready template:

Data Security. We protect user information through the following measures:

• Encryption in transit (TLS / HTTPS for all data transmission between user devices, our website, and our service providers)
• Access controls limiting data to authorized personnel on a need-to-know basis
• Secure third-party processors including GoHighLevel (CRM and messaging platform), Twilio (SMS delivery), and Stripe (payment processing), each of which maintains industry-standard security certifications
• Regular review of access logs and data handling practices

No system is perfectly secure, but we treat user information with the same care we would expect for our own.

If you use different processors, swap them in (e.g., HubSpot, ActiveCampaign, Square, etc.). The structure — encryption, access controls, named processors — is what reviewers look for.

Part 4 — Opt-out instructions

Most A2P 10DLC programs already include opt-out language elsewhere (in the opt-in confirmation message, in the Terms of Service), but reviewers expect to see opt-out described in the Privacy Policy too:

Opt-Out. You may opt out of SMS messages at any time by replying STOP to any message. You will receive one final confirmation message and will not receive further SMS messages from us. To opt out by other means or if you have questions about opting out, contact us at [support email address] or [phone number].

Part 5 — Contact information for SMS-related questions

Contact. For privacy questions related to our SMS program, contact us at [support email address] or [phone number]. Our mailing address is [Business Address].

That’s the complete Privacy Policy SMS section. Five parts; total length around 300-400 words. Add it as a labeled section inside your existing Privacy Policy.

The Terms of Service SMS section — all 7 required clauses

The Terms of Service SMS section is more structured than the Privacy Policy section. Seven clauses are required — missing any one causes rejection during TCR vetting. The seventh clause (age restriction) was added by GHL in 2026 and is a common gap in older templates.

Most agencies title this section “SMS Messaging Terms” or “SMS Program Terms” inside an existing Terms of Service.

Clause 1 — Business Identity / Program Description

[Business Name] SMS Alerts Program — [brief description of the messages users will receive].

Example for a real-estate agency: “Sarah Mitchell SMS Alerts Program — appointment confirmations, listing alert notifications, and follow-up messages after open houses.”

The description should match your registered campaign use case. If you registered as Customer Care, the description should reflect customer-care messaging. Don’t describe a marketing program if you’re registered as non-marketing — the use case mismatch causes rejection.

Clause 2 — STOP Opt-Out with full unsubscribe instructions

The STOP language must be unconditional — it cannot be scoped to one category of messages. The FCC’s “revoke-all” consent rule, which has been delayed multiple times and is now scheduled to take effect on January 31, 2027, will explicitly require that a single STOP halt all automated messages from the sender, not just one program type. The rule is still pending FCC review, but carriers and TCR are already encouraging compliant ToS language ahead of the deadline — write yours that way now and you avoid having to revise later.

Paste-ready template:

Opt-Out. You can cancel the SMS service at any time. Just text “STOP” to [Phone Number]. After you send the SMS message “STOP” to us, we will send you an SMS message to confirm that you have been unsubscribed. After this, you will no longer receive SMS messages from us. If you want to join again, just sign up as you did the first time and we will start sending SMS messages to you again.

Avoid phrasing like “Reply STOP to stop receiving marketing messages” — implying transactional messages continue is the FCC violation. STOP must mean STOP for everything.

Clause 3 — HELP Support with contact information

Help. If you are experiencing issues with the messaging program you can reply with the keyword HELP for more assistance, or you can get help directly at [support email address] or [toll-free or business phone number].

The contact must be a real, monitored channel. If HELP is texted, you (or your platform’s auto-responder) should reply with the contact info. Most modern SMS platforms including GoHighLevel have automated HELP responses built in.

Clause 4 — Carrier Liability disclaimer

This clause has very specific approved wording. Carriers actually require it in this form:

Carrier Liability. Carriers are not liable for delayed or undelivered messages.

Don’t expand this into a paragraph or add legal hedges. The single-sentence version is what TCR scans for.

Clause 5 — Message Frequency and Rates

Message Frequency and Rates. Message and data rates may apply. Message frequency varies. If you have any questions about your text plan or data plan, it is best to contact your wireless provider.

“Message frequency varies” is the canonical, fully-compliant phrasing — it’s the default both TCR and our Review Existing Copy Wizard treat as a clean pass. You don’t need to commit to a specific number of messages per day, week, or month, and we recommend against doing so for most GHL agency clients. A specific number like “4 messages per month” creates a baseline you can be held to in a customer dispute or carrier review, and most agency clients have variable volume from week to week. If you do run a genuinely consistent program (a daily horoscope, a weekly newsletter, a monthly statement reminder), you can swap “Message frequency varies” for “Up to N messages per month” — but it’s an option, not a requirement.

Clause 6 — Privacy Policy cross-link

Privacy. If you have any questions regarding privacy, please read our privacy policy: [link to your Privacy Policy URL]

This is what makes your SMS Terms of Service connect to the Privacy Policy. Use a real link that opens the actual Privacy Policy page — not a popover, not a modal, not “see our website.”

Clause 7 — Age Restriction (18+)

This is the one most older Terms of Service templates miss. GHL’s compliance tooling now flags Terms of Service missing 18+ age restriction language as a failure. Several wordings are acceptable:

Age Restriction. You must be 18 years of age or older to use this SMS service.

Or:

Age Restriction. This SMS service is intended for users 18 years of age and older. By opting in, you confirm that you are at least 18 years old.

Or:

Age Restriction. Users must be 18 years or older. By providing your phone number and consenting to receive messages, you affirm that you meet this age requirement.

Pick whichever phrasing fits your tone. The key is that the clause exists, names “18” specifically, and applies to SMS service use.

Strongly recommended (not strictly required, but improves approval rates)

Re-enrollment instructions (START keyword):

Re-Enrollment. If you opt out and want to start receiving messages again, text START to [Phone Number] and we will resume sending you SMS messages. Standard message and data rates may apply.

This isn’t strictly required by TCR but most current GHL Trust Center submissions include it. Not having it doesn’t cause rejection on its own; including it strengthens the overall ToS profile.

That’s the complete Terms of Service SMS section. Seven required clauses plus one strongly recommended. Total length around 350-450 words. Add it as a labeled section inside your existing Terms of Service.

Easy A2P generates these for you. Our copy review system includes a Draft Fresh Copy mode that generates a complete A2P 10DLC submission package — including paste-ready Privacy Policy SMS section and Terms of Service SMS section with all seven required clauses, customized to your business name, phone number, and contact info. Try with 3 free credits →

Where these clauses go in your actual documents

Both the Privacy Policy SMS section and the Terms of Service SMS section live inside your existing legal documents — not as separate pages.

For your Privacy Policy

Open your existing Privacy Policy. Find a logical place — typically near the bottom, under “Data Sharing,” “Marketing Communications,” or in a dedicated section. Add a new section header:

SMS / Text Messaging

Paste the five parts from above (TCR non-sharing clause, Information We Collect, Data Security, Opt-Out, Contact) under that heading. Save and republish.

For your Terms of Service

Open your existing Terms of Service. Add a new section header:

SMS Messaging Terms

Paste the seven required clauses (and re-enrollment if you’re including it) under that heading. Save and republish.

Both documents must be:

1. Linked from your website footer — visible on every page of your website, not buried in a sub-page
2. Linked from your opt-in form footer — directly under or near the consent checkboxes, where TCR vetting reviewers verify the link placement on the live form
3. Functional — the link must open the actual Privacy Policy or Terms of Service page, not a popover, modal, or “see our website” text

If your opt-in form is a GoHighLevel native form, the footer link area is usually a settings option in the form builder — check the form’s Advanced settings to add Privacy Policy and Terms of Service URLs.

Why TCR scans for specific phrases

A reasonable question: why does the exact wording matter if my Privacy Policy says the same thing in different words?

Two reasons:

1. Automated screening runs first. Before a human reviews your campaign, an automated system scans the Privacy Policy and Terms of Service URLs you submitted, looking for specific patterns. Patterns include the non-sharing clause phrasing, the carrier liability sentence, the 18+ age restriction. Paraphrased versions sometimes pass and sometimes fail depending on how close to the canonical wording they get. Verbatim versions almost always pass.

2. Manual review uses the same criteria. When a human reviewer escalates after automated screening, they use the same criteria — they’re looking for the exact clauses to be present in some form. A reviewer who sees the canonical wording verbatim moves through the checklist quickly. A reviewer who has to interpret whether “We don’t share information for marketing” means the same thing as the canonical clause may decide to escalate further or reject pending more review.

The cost of paraphrasing is small but real. If you’re going to paste the clauses anyway, paste them in the exact form that consistently passes.

Common mistakes when adapting templates

Mistake 1 — Restructuring the non-sharing clause

The most common adaptation error: restructuring the non-sharing paragraph for “readability.” The canonical version has a specific three-part structure (no marketing sharing, support carve-out, opt-in data exclusion). Reorganizing it changes what the screening system sees. Don’t restructure.

Mistake 2 — Watering down STOP language

Phrases like “Reply STOP to stop receiving marketing messages from us” scope STOP to a single message category. Once the FCC’s revoke-all rule takes effect (currently scheduled for January 31, 2027 after multiple postponements), that scoped phrasing will be a clear non-compliance. Even today, carriers and TCR reviewers prefer unconditional STOP language. Use the canonical version exactly.

Mistake 3 — Vague program description

Clause 1 (Business Identity / Program Description) sometimes gets written generically: “Our SMS program sends messages to subscribers.” That doesn’t satisfy the requirement. The clause must name the actual specific message types (“appointment reminders, treatment-related communications, special offers and promotional messages”).

Mistake 4 — Forgetting the 18+ clause

If you copied a Terms of Service template from before 2026, it almost certainly doesn’t include the age restriction clause. Audit specifically for this. Search your Terms of Service for “18” — if there’s no match, you’re missing the clause.

Mistake 5 — Linking to a Privacy Policy that hasn’t been updated

If your Privacy Policy URL points to a document that doesn’t have the SMS section yet, the campaign rejection is almost guaranteed. Make sure the live URL contains the updated SMS section before submitting.

Mistake 6 — Privacy Policy that mentions selling or sharing SMS data

If your Privacy Policy contains any language suggesting you sell or share SMS opt-in data with third parties for marketing purposes, that language must be removed. Even if the rest of the policy is compliant, this single phrase causes rejection. Search your Privacy Policy for “sell,” “share,” “third party,” “affiliate” — review each match for context.

How Easy A2P handles this for you

Every clause in this guide is included automatically in Easy A2P’s Draft Fresh Copy output. Enter your business name, phone number, contact email, and a few other inputs; the system generates a complete A2P 10DLC submission package including:

• Privacy Policy SMS section with all five parts (TCR non-sharing clause, Information We Collect, Data Security, Opt-Out, Contact)
• Terms of Service SMS section with all seven required clauses plus re-enrollment
• Customized to your specific business identity, phone, and contact info
• Cross-checked against the same rule library this guide is built from

You can also use Review Existing Copy to audit a Privacy Policy or Terms of Service you’ve already written, against the same rules. The review system flags missing clauses, paraphrased phrasing that may fail TCR screening, and any language that could trigger rejection.

Review or generate your A2P 10DLC documents with 3 free credits →

A final note on legal review

The clauses in this guide are about A2P 10DLC compliance — what TCR’s automated screening looks for and what GoHighLevel’s compliance tool flags. They are not a complete Privacy Policy or Terms of Service, and they are not legal advice.

Your full Privacy Policy and Terms of Service should cover dozens of topics beyond SMS messaging — data retention, user rights under GDPR/CCPA/state privacy laws, cookie policy, contract terms, dispute resolution, jurisdiction, and so on. The SMS clauses fit inside those documents but don’t replace them.

If you’re publishing a Privacy Policy or Terms of Service for the first time, work with an attorney or use a reputable legal-document service (TermsFeed, Termly, iubenda, etc.) for the base documents. Then add the SMS clauses from this guide. The combination — proper underlying legal documents plus the verbatim A2P 10DLC clauses — is what passes both legal review and TCR screening.

Once both documents are live with the SMS clauses included, you can submit to GHL Trust Center with confidence. The document side of the review will pass cleanly.