Effective Date: 5.14.2026
Version: 2026.

ACEQUEST LLC (“we,” “us,” or “our”) provides developer-centric healthcare communication tools, including automated text messaging pipelines, for medical item tracking and patient notifications. This SMS Privacy Policy describes how we process personal data and Protected Health Information (PHI) within our text messaging workflows.

Our practices comply with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and consumer protection mobile carrier mandates (A2P 10DLC rules).

1. Structure of Shared Compliance & Conduit Model

We operate under a Shared Responsibility Model similar to major cloud communication gateways.

• Business Associate Relationship: When we process messaging data that contains PHI on behalf of a Covered Entity, we act strictly as a Business Associate. We execute a formal Business Associate Agreement (BAA) with all healthcare clients prior to routing any live patient data.
• Upstream Gateways: We ensure that all upstream network infrastructure, database backends, and cloud API providers (including platforms like Twilio) are contracted under an active BAA for HIPAA-eligible programmatic messaging channels.

2. Information We Collect and Process

We limit data collection to the minimum required to reliably transmit text alerts regarding medical items:

• Demographic Details: Recipient mobile telephone numbers, name, and account reference numbers.
• Consent Architecture Logs: Comprehensive audit trails tracking the exact time, date, IP address, and method of recipient opt-in consent.
• Metadata & Telemetry: Message delivery receipts, network timestamps, carrier error codes, and system access logs for administrative security audits.

3. Rigid PHI Minimization & Encryption Rules

Standard mobile networks (SMS/MMS) do not support native, end-to-end encryption. To protect patient privacy, we enforce strict content rules:

• Payload Sanitation: No highly descriptive or explicit PHI—including diagnosis codes, pharmaceutical chemical components, or sensitive medical conditions—is permitted in plaintext SMS bodies.
• Secure Portal Redirection: Detailed fulfillment documentation, medical prescription specifics, and equipment invoices are stored behind encrypted, authenticated patient portals. Outbound text messages will only provide a generic status update and a secure cryptographic link to the portal.
• Transit Encryption: All API requests moving data from your clinical software or Electronic Health Record (EHR) to our text broadcast servers are encrypted via TLS 1.3 / HTTPS in transit.

4. Verification of Consumer Opt-In Consent

In accordance with carrier frameworks, text messages will never be dispatched to a mobile subscriber without prior express, documented consent.

• Independent Consent Vectors: Consent must be given directly to each specific clinical sender. Blanket consent or third-party data transfers are strictly invalid.
• Immutable Logs: Senders must preserve proof of opt-in documentation for the duration of the communication campaign, or for at least six (6) years to satisfy HIPAA recordkeeping rules.
• Zero Coercion: Providing consent to receive medical item delivery text alerts is entirely optional and cannot be used as a prerequisite to receiving clinical care or medical equipment supply.

5. Instant Opt-Out (Revocation of Consent)

Recipients maintain the right to revoke communication authorization instantly.

• Universal Keywords: Replying with STOP, QUIT, END, CANCEL, or UNSUBSCRIBE will immediately flag the phone number in our database.
• System-Wide Suppression: Once an opt-out keyword is logged, our platform programmatically blocks any subsequent automated messages from being queued for that number, avoiding accidental carrier violations.

6. Isolation of Third-Party Data Sharing

• Zero Marketing Monetization: Mobile numbers, opt-in choice records, and patient communication history collected for medical tracking are entirely segregated.
• Sharing Restriction: This specialized data is never shared, rented, or sold to third-party advertisers, affiliate marketing groups, or data brokers. Data sharing is limited to legitimate clearinghouses and downstream carriers solely required to route the physical text message to the handset.

7. Security Safeguards and Audits

We maintain technical and administrative controls designed to mitigate data leak risks:

• Webhook Signature Verification: We use cryptographic signature validation on all inbound and outbound webhook requests to stop spoofing attacks.
• Access Control: API keys and data access profiles are restricted through strict multi-factor authentication and role-based access control (RBAC).
• Log Retention Limits: Message payloads and metadata histories are retained only as long as necessary to confirm delivery, after which logs are scrubbed or anonymized to reduce exposure risk.

Consent and Opt-in Policy

---

Verify follows the Twilio Messaging Policy. Before we send an OTP (one-time password) message through Verify, you must obtain the recipient’s opt-in consent. Treat any recipient who has not opted in as opted out by default. We must store evidence of each consent event and provide it to Twilio on request. For example: Include a notice in your application’s sign-up or two-factor authentication (2FA) flow that states the user will receive an OTP message at the phone number they provide. Then record the timestamp of the user’s confirmation.

---

SMS and RCS messaging to the US and Canada

For SMS and RCS messaging to the United States and/or Canada, we must specifically display the following info in our app’s user interface where our user requests the OTP:

1. “Standard message and data rates may apply” disclosure statement.
   1. Statement must be shown verbatim. The word “standard” may be omitted if we are only sending to the US, but not Canada.
2. Terms and Conditions 
   1. The text messaging program that the user is opting into, a statement that “message and data rates may apply”, customer care, account notifications and delivery notifications, how to stop receiving messages info, and a statement that “carriers are not liable for delayed or undelivered messages.”
   2. Sample text to include in Terms and Conditions: “By providing your phone number and opting into our text messaging program, you consent to receive a one-time transactional security code on your mobile device. Standard message and data rates may apply. For assistance, reply HELP to the number from which we received the message, or contact us at acequest777@gmail.com or 18884487212. To stop receiving messages, reply STOP at any time. Carriers are not liable for delayed or undelivered messages.”
3. Privacy Policy 
   1. The Privacy Policy and the Terms and Conditions could be combined in the same document and share the same link, but the name of the shared link should clearly indicate that it is for both.
   2. Sample text: “Privacy Policy and Terms and Conditions.”

Contact Information

ACEQUEST LLC
Mailing Correspondence Only

445 BroadHollow Road Ste 25

Melville, NY 11747

acequest777@gmail.com
646 724 2002

888 448 7212
acequests.com