Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) Policy
Effective Date: January 19, 2025 · Last Reviewed: February 1, 2026 · Version 1.0
Next Review: February 1, 2027
Review Cadence: Annual, or upon material regulatory or business change
1. Purpose
Tells operates a carrier-grade Communications Platform-as-a-Service (CPaaS) that powers SMS, MMS, RCS, toll-free, short-code, and voice (including AI-powered voice automation) communications for business customers across regulated and unregulated industries. Several of Tells's customers are themselves "covered persons" under the Dodd-Frank Wall Street Reform and Consumer Protection Act and other consumer protection regimes, and routinely include financial-services providers, insurance agencies, healthcare-adjacent businesses, lenders, and other entities supervised by federal or state regulators.
This Policy establishes Tells's standards and operational controls for preventing, detecting, escalating, and remediating unfair, deceptive, or abusive acts or practices ("UDAAP") in connection with its services. The Policy is designed to satisfy the reasonable expectations of regulated customers conducting vendor due diligence and to support Tells's own obligations under applicable consumer protection law.
2. Scope
This Policy applies to:
- All Tells employees, officers, directors, contractors, and consultants;
- All Tells systems, services, APIs, web applications, and AI voice agents used to originate, route, deliver, receive, record, or analyze customer communications;
- All customers, resellers, agents, and downstream end-users who use Tells's platform to send messages or place calls; and
- All third-party subprocessors, carriers, aggregators, and technology vendors used by Tells to deliver its services.
This Policy applies regardless of whether the underlying communication is governed by a Business Associate Agreement, Data Processing Addendum, Acceptable Use Policy, Master Services Agreement, or other contract.
3. Policy Statement
Tells is committed to operating its platform in a manner that is fair, transparent, and non-abusive to consumers and other end-recipients of communications transmitted through its network. Tells will not knowingly originate, route, or facilitate communications that constitute unfair, deceptive, or abusive acts or practices, and will take reasonable steps to detect, prevent, and remediate such conduct by platform users.
Compliance with this Policy is a condition of employment for Tells personnel and a condition of platform access for Tells customers and their downstream users.
4. Definitions
The following definitions are drawn from Sections 1031 and 1036 of the Dodd-Frank Act (12 U.S.C. §§ 5531, 5536) and Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45), as interpreted by the Consumer Financial Protection Bureau ("CFPB") and the Federal Trade Commission ("FTC").
Unfair. An act or practice is unfair when it (i) causes or is likely to cause substantial injury to consumers, (ii) which is not reasonably avoidable by consumers, and (iii) is not outweighed by countervailing benefits to consumers or to competition.
Deceptive. An act or practice is deceptive when (i) it involves a representation, omission, or practice that is likely to mislead the consumer, (ii) the consumer's interpretation is reasonable under the circumstances, and (iii) the misleading representation, omission, or practice is material.
Abusive. An act or practice is abusive when it (i) materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service, or (ii) takes unreasonable advantage of (a) a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service, (b) the inability of the consumer to protect their interests in selecting or using a consumer financial product or service, or (c) the reasonable reliance by the consumer on a covered person to act in the interests of the consumer.
Consumer. Any natural person who is the recipient of a communication transmitted through the Tells platform, regardless of the consumer's relationship with the originating customer.
Covered Customer. Any Tells customer that is itself a "covered person" or "service provider" under the Dodd-Frank Act, or that operates in a sector regulated by the CFPB, FTC, state attorneys general, state financial regulators, or state insurance regulators.
5. Roles and Responsibilities
5.1 Policy Owner
Tells designates a Policy Owner who is responsible for maintaining, interpreting, and enforcing this Policy. The Policy Owner approves material changes, oversees annual review, and serves as the primary escalation point for UDAAP-related issues.
5.2 Executive Leadership
Tells executive leadership is responsible for approving this Policy, allocating resources for UDAAP compliance, and ensuring that UDAAP considerations are integrated into product, engineering, sales, and customer-success decision-making.
5.3 Business Development and Customer Success
Personnel engaged in customer onboarding, sales, and account management are responsible for screening prospective customers for UDAAP risk, communicating Tells's acceptable-use standards, and escalating concerns about customer use cases or content.
5.4 Engineering and Platform Operations
Engineering personnel are responsible for implementing and maintaining technical controls that support this Policy, including content filtering, opt-out handling, call-cadence limits, AI voice guardrails, audit logging, and reporting.
5.5 All Personnel
Every Tells employee and contractor is responsible for understanding this Policy as it applies to their role and for promptly reporting suspected UDAAP issues to the Policy Owner.
6. Prohibited Practices — Messaging
Tells prohibits the origination, routing, or facilitation of SMS, MMS, or RCS messages that, taken as a whole or in context, do any of the following:
- Misrepresent the identity, sender, brand, or affiliation of the originating party (including spoofed sender IDs, impersonation of government agencies, financial institutions, healthcare providers, carriers, or well-known brands);
- Make false, unsubstantiated, or materially misleading claims about products, services, prices, rates, eligibility, qualifications, benefits, awards, or legal status;
- Create false urgency, manufactured scarcity, or fabricated deadlines designed to pressure a recipient into immediate action without time to evaluate;
- Omit material terms, fees, conditions, or limitations that a reasonable consumer would need to evaluate the offer ("bait and switch," undisclosed recurring charges, hidden eligibility criteria, undisclosed third-party involvement);
- Solicit personally identifiable information, financial credentials, login credentials, one-time passcodes, or other sensitive data through deceptive pretexting (phishing, smishing);
- Fail to honor STOP, UNSUBSCRIBE, QUIT, CANCEL, END, or other recognized opt-out keywords, or fail to honor opt-out within the timeframes required by the CTIA Messaging Principles & Best Practices and the Telephone Consumer Protection Act;
- Continue messaging a consumer after the consumer has revoked consent through any reasonable means;
- Violate SHAFT content restrictions (Sex, Hate, Alcohol, Firearms, Tobacco) where applicable to the campaign type, brand, or carrier;
- Promote products or services that are unlawful in the jurisdiction of the recipient; or
- Otherwise constitute an unfair, deceptive, or abusive act or practice as defined in Section 4.
7. Prohibited Practices — Voice
Tells prohibits the origination, routing, or facilitation of inbound or outbound voice calls (whether placed by human agents, dialers, IVRs, or AI voice agents) that:
- Use spoofed, misleading, or unauthenticated caller ID; fail to comply with STIR/SHAKEN authentication requirements; or otherwise misrepresent the calling party;
- Make false, unsubstantiated, or materially misleading statements about products, services, prices, eligibility, or legal consequences (including impersonation of government agencies or fictitious enforcement threats);
- Place calls to numbers on the National Do Not Call Registry, internal company do-not-call lists, or reassigned numbers, except where a valid exemption applies;
- Place calls outside the permitted calling-time windows under the TCPA (generally 8:00 a.m. to 9:00 p.m. local time of the called party) or applicable state law;
- Use an automatic telephone dialing system or prerecorded/artificial voice to call a wireless number without prior express consent or prior express written consent where required;
- Refuse to provide caller identification, the name of the business on whose behalf the call is being made, or a callback number when reasonably requested;
- Continue to call a consumer after the consumer has revoked consent or requested no further calls;
- Apply harassing call cadence (repeat calls within short intervals, calls intended to annoy or abuse, calls without meaningful pause between attempts); or
- Otherwise constitute an unfair, deceptive, or abusive act or practice as defined in Section 4.
8. AI Voice Agent Guardrails
Tells offers AI-powered conversational voice automation. Because AI voice agents present heightened UDAAP and consumer-protection risk, the following additional standards apply:
- Disclosure of automated nature. When required by applicable law (including emerging state laws governing AI-generated voice and the FCC's ruling that AI-generated voices constitute "artificial or prerecorded voice" under the TCPA), the AI voice agent shall disclose its automated nature at the outset of the call and shall not deny being an AI when asked directly.
- Identity. The AI voice agent shall identify, at the outset of the call, the business on whose behalf the call is placed and shall not impersonate a real, named human being who does not exist or who has not authorized the use of their identity.
- Truthfulness. Scripts, prompts, and large-language-model system instructions used to drive the AI voice agent shall not direct the agent to make false statements, deny material facts, evade lawful questions, or refuse to terminate the call upon request.
- Opt-out and termination. The AI voice agent shall recognize and immediately honor consumer requests to terminate the call, to be removed from future contact, or to be transferred to a human representative where available.
- No abusive interference. The AI voice agent shall not be configured to interrupt, talk over, pressure, or otherwise interfere with the consumer's ability to understand the terms or conditions of any offer.
- Vulnerable consumers. Where the AI voice agent detects signs that the consumer may be a minor, may be in crisis, may be cognitively impaired, or may have limited English proficiency, the agent shall not be configured to take advantage of that circumstance and shall, where appropriate, terminate the call or transfer to a human.
- Recording and consent. Where calls are recorded, the AI voice agent shall provide notice of recording in accordance with applicable federal and state law (including two-party-consent jurisdictions).
- Logging and review. All AI voice agent interactions shall be logged in a manner that permits subsequent compliance review, including transcript retention, prompt/version tracking, and the ability to reconstruct the conversational turn data for any given call.
9. Customer Onboarding and Content Vetting
Tells applies a risk-based onboarding and vetting program to mitigate UDAAP exposure originating from platform users:
- Know-your-customer (KYC). Prospective customers are required to provide verifiable business identifying information, including legal entity name, EIN or equivalent identifier, primary business address, and authorized contact, prior to platform activation.
- Use-case review. Customers must disclose their intended use case, sample messaging or calling content, opt-in mechanism, and target audience. High-risk verticals (debt collection, lending, insurance, healthcare-adjacent marketing, sweepstakes, lead generation) receive enhanced review.
- Brand and campaign registration. For 10DLC and other regulated messaging traffic, Tells submits brand and campaign registrations to The Campaign Registry and applicable carriers, including the use case classification, sample content, and opt-in language.
- Toll-free verification. Tells submits toll-free verification requests in accordance with carrier and aggregator requirements before enabling outbound toll-free messaging.
- Acceptable Use Policy. All customers are bound by Tells's Acceptable Use Policy, which incorporates by reference the prohibitions in Sections 6, 7, and 8 of this Policy.
- Right to refuse or terminate. Tells reserves the right to refuse onboarding, suspend, or terminate any customer whose use case, content, or conduct presents unacceptable UDAAP, consumer-protection, or brand risk to Tells or its carriers.
10. Content Monitoring and Sampling
Tells maintains the following technical and operational controls to detect potential UDAAP conduct on the platform:
- Automated content filtering for SHAFT and other prohibited keyword patterns;
- Automated opt-out keyword detection and propagation across customer accounts;
- Carrier delivery-receipt and error-code monitoring, including elevated spam-filtering rates, MAVERICK and similar carrier-classifier signals, and 30007/30008-class error spikes;
- Sampling-based review of message content, voice-call transcripts, and AI voice agent transcripts for high-risk customers and high-volume campaigns;
- Consumer complaint intake (see Section 11) and trend analysis across complaints, opt-out rates, and carrier feedback;
- Audit logs covering API activity, content submissions, recipient lists, and administrative actions, retained in accordance with Section 14.
11. Complaint Handling and Escalation
Tells maintains channels for receiving complaints from consumers, carriers, regulators, and customers regarding potential UDAAP conduct on the platform. The complaint handling process is as follows:
- Intake. Complaints received via support email, web form, carrier escalation, or regulator inquiry are logged in a centralized record at the time of receipt.
- Triage. Each complaint is triaged by severity: (i) regulator or law-enforcement inquiry, (ii) carrier or aggregator escalation, (iii) consumer complaint alleging deception or harassment, (iv) consumer complaint alleging opt-out failure, (v) other.
- Investigation. The Policy Owner or designee investigates the complaint, including reviewing logs, content samples, customer onboarding records, and any relevant recordings or transcripts.
- Remediation. Where a violation is substantiated, Tells will take proportionate action, including warning, content blocking, account suspension, account termination, mandatory remediation by the customer, refund or credit where appropriate, and notification to affected carriers or regulators where required.
- Closure and trending. Closed complaints are retained and reviewed periodically for trends that may indicate systemic issues warranting policy or control changes.
12. Training
All Tells personnel whose duties involve customer onboarding, content review, complaint handling, sales, engineering of messaging and voice services, or AI voice agent configuration shall receive UDAAP and consumer-protection training:
- At hire, prior to assuming responsibilities that present UDAAP exposure;
- At least annually thereafter; and
- On an ad-hoc basis following material regulatory developments, policy changes, or incidents.
Training records, including attendees and dates, shall be retained in accordance with Section 14.
13. Third-Party and Subcontractor Oversight
Tells's services depend on carriers, aggregators, AI/ML vendors, telephony platforms, and other subprocessors. Tells will:
- Conduct risk-based due diligence on material subprocessors, including review of their consumer-protection posture where applicable;
- Bind material subprocessors to contractual obligations that are consistent with this Policy, including confidentiality, lawful processing, and incident notification;
- Monitor subprocessor performance and incident history; and
- Discontinue use of any subprocessor whose conduct materially conflicts with this Policy.
14. Recordkeeping
Tells will retain records relevant to UDAAP compliance for the period required by applicable law and customer contract, and in no case for less than the periods set forth below, subject to lawful deletion requests and data-minimization obligations:
- Customer onboarding and KYC records: duration of the customer relationship plus three (3) years;
- Brand and campaign registration records: duration of registration plus three (3) years;
- Message and call audit logs: as set forth in the applicable customer contract or data processing addendum;
- AI voice agent transcripts and configuration history: as set forth in the applicable customer contract;
- Complaints and investigation records: five (5) years from closure;
- Training records: three (3) years from completion; and
- Policy versions and approvals: indefinitely.
15. Violations and Discipline
Violations of this Policy by Tells personnel may result in disciplinary action, up to and including termination of employment and referral to law enforcement where warranted. Violations by customers, resellers, or downstream users may result in suspension or termination of platform access, forfeiture of prepaid balances to the extent permitted by contract, and reporting to carriers, aggregators, or regulators where required by law or contract.
16. Policy Review and Approval
This Policy is reviewed at least annually by the Policy Owner. Material changes require approval by Tells executive leadership. Interim updates may be made by the Policy Owner to reflect non-material clarifications, organizational changes, or updates to cited authorities.
Questions, suggested revisions, and reports of suspected violations should be directed to the Policy Owner.