VinReach

CAN-SPAM · CPRA

Last updated: April 19, 2026

How VinReach satisfies the Controlling the Assault of Non-Solicited Pornography And Marketing Act (15 U.S.C. 7701 et seq.) and the California Privacy Rights Act for every message we send on behalf of dealer customers.

CAN-SPAM

  • Accurate headers. From name + reply-to always identify the sending dealership. No header spoofing.
  • Truthful subject lines. No deception — subject lines reference the actual VDP, price, or journey context the recipient engaged with.
  • Ad identification. Outbound marketing is identifiable as a dealer communication in subject line and body copy. No pretense of a personal-from-a-friend message.
  • Physical address. Every commercial email footer carries the dealership's physical mailing address (collected at onboarding).
  • Unsubscribe. One-click unsubscribe link in every email. List-Unsubscribe and List-Unsubscribe-Post headers set per RFC 8058 so Gmail + Apple Mail honor the one-click suppression.
  • Honor within 10 minutes. Unsubscribe state propagates platform-wide in under 10 minutes. No 10-day window nonsense — we hit opt-outs within the nominal dispatch cycle.

CPRA (California)

  • Notice at collection. Tracking pixel disclosure + link to dealer privacy policy surfaced via the consent banner each dealer configures in /settings/providers.
  • Opt-out of sale / share. We do not sell personal information. "Share" signals (GPC + Do-Not-Sell link) are honored immediately — persons.strictest_consent enforces the opt-out monotonically across every downstream send, integration, and audience export.
  • Right to know + delete. Dealer-scoped subject access request flow via the admin console. Deletion requests propagate to sub-processors per the DPA.
  • Right to correct. Dealer-side admins can edit or remove person records on request.
  • Sensitive PI. VinReach does not collect sensitive personal information (race, religion, precise geolocation finer than ZIP). Pixel events collect URL + device fingerprint only.

TCPA (SMS)

  • SMS consent captured at form submission or dealer-provided list ingest. Unverified consent never triggers an outbound message.
  • STOP / UNSUBSCRIBE / CANCEL / QUIT / END are recognized on the inbound webhook and applied within seconds.
  • Quiet-hours enforced per rooftop timezone. Outbound is blocked outside 8am–9pm local by default.
  • 10DLC brand + campaign registration managed via /settings/sms for every dealer before SMS sends activate.

Reporting a violation

If you received a VinReach-delivered message that appears non-compliant, email privacy@vinreach.ai with the message headers. We respond within 1 business day and can suppress the sender + remediate within the 10-minute opt-out SLA.

See the DPA for the full legal agreement covering these obligations.