Compliance at Josey.ai

1. Shared Responsibility Model

Telemarketing, SMS, and data privacy laws in the United States (and equivalents in Canada, the EU, and the UK) almost always place legal responsibility on the party whose business is being promoted — not on the software they use. Josey.ai is built on that principle.

Our Terms of Service and Acceptable Use Policy encode this split. Using Josey.ai without understanding it is the single biggest risk to your business.

2. TCPA & Federal Telemarketing Framework

The Telephone Consumer Protection Act (TCPA, 47 U.S.C. § 227), the FCC’s implementing rules, and the FTC Telemarketing Sales Rule (TSR, 16 C.F.R. Part 310) are the backbone of U.S. outbound-call regulation. Josey.ai’s platform is designed with those rules in mind:

• Consent-first workflows. When customers connect a lead source (Facebook Lead Ads, Google Ads, Follow Up Boss, CSV import), we record the source and a consent attestation alongside every contact record.
• Prior-express-written-consent fields. Contacts imported as “cold” are flagged in the system and the customer must affirmatively confirm a lawful basis before outreach begins.
• Do Not Call scrubbing. Every outbound campaign is checked against the federal DNC registry at dial time. Numbers on the registry are blocked unless the customer has an Established Business Relationship within the applicable window and has attested to it.
• Internal DNC. When a lead says “stop,” “remove me,” “do not call,” or an equivalent phrase, we add that number to the customer’s internal suppression list automatically and permanently.
• Calling windows. Dials are restricted to 8:00 a.m. – 9:00 p.m. local time at the called party’s area code, per federal rule.
• Caller identification. Outbound calls are originated through carriers that support STIR/SHAKEN attestation. Customers are required to identify themselves and the company on whose behalf they are calling early in the call.

3. AI Disclosure on Calls

Several states — including California (AB 2905, AB 3030 analogues), Florida, and Texas — require that a called party be informed when an AI or synthetic voice is used. Regardless of jurisdiction, Josey.ai treats AI disclosure as a baseline standard.

• Every outbound AI call begins with a disclosure that the call may be conducted or assisted by an automated voice system.
• The disclosure is hardcoded into the opening turn of the AI assistant and cannot be disabled by customers.
• If the called party asks “am I talking to a real person?” the assistant is instructed to answer honestly and offer to connect them to a human or to end the call.
• Call outcomes and disclosures are logged for audit purposes.

4. Call Recording & Two-Party Consent

Roughly a dozen U.S. states require all parties on a call to consent to recording (California, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Oregon, Pennsylvania, Washington, and others). Josey.ai detects two-party-consent jurisdictions based on the area code of the called party and plays an audible recording notice before recording begins.

• Recordings and transcripts are stored encrypted at rest and isolated per customer organization.
• Customers may disable call recording globally from their account settings.
• Recordings are retained only for as long as the customer’s plan permits, and are deleted upon account closure within the window described in our Privacy Policy.

5. SMS & 10DLC Compliance

All transactional SMS sent from the Josey.ai platform is delivered via Twilio on registered 10DLC (ten-digit long code) campaigns. We do not use unregistered numbers or shared short codes for outbound messaging.

• Every SMS program is registered with The Campaign Registry (TCR) and includes a sample message, use case, and consent language.
• Opt-in is obtained in-product at Settings → Notifications with a visible consent disclosure.
• STOP, HELP, and START keywords are honored platform-wide.
• Josey.ai does not send promotional or marketing SMS on customers’ behalf — the SMS channel is strictly transactional.

6. Acceptable Use Policy (Summary)

Our full Acceptable Use Policy is incorporated into the Terms of Service. The use cases below are categorically prohibited on Josey.ai:

• Debt collection (including first-party) without a valid license in the state of the consumer
• Payday lending, title lending, or “cash advance” offers
• Cryptocurrency investment solicitations or token sales
• Nutraceutical, CBD, kratom, or supplement sales
• Political campaigns, ballot-measure advocacy, or GOTV robocalls without written consent from each recipient
• Adult content, escort services, or gambling promotion
• Deceptive or impersonating calls (e.g., pretending to be a government agency, utility, or bank)
• Calls to numbers ported from landlines or reassigned numbers where consent cannot be verified via the FCC Reassigned Numbers Database
• Calls or SMS to jurisdictions where the customer is not licensed or registered to solicit the business being promoted
• Any form of harassment, threats, or intimidation

Violations result in immediate account suspension, forfeiture of prepaid fees, and potential referral to regulators or law enforcement.

7. Data Privacy — CCPA, CPRA, GDPR, PIPEDA

Josey.ai supports the rights of individuals whose data is processed through the platform, regardless of whether those individuals are the customer or one of the customer’s leads.

• Right to know / access — individuals may request a copy of personal data Josey.ai holds about them.
• Right to delete — Josey.ai will honor verified deletion requests within 30 days, subject to legal retention obligations.
• Right to correct — individuals may request correction of inaccurate personal data.
• Right to opt out of sale / sharing — Josey.ai does not sell personal data. We do not “share” personal data for cross-context behavioral advertising.
• Right to limit use of sensitive personal information — supported via direct request.
• Non-discrimination — exercising your rights will not result in denial of service.

Data-subject requests can be sent to privacy@josey.ai. Where Josey.ai acts as a processor on behalf of a customer (“controller”), we will forward the request to that customer and assist with response. For EU/UK data subjects, Josey.ai relies on Standard Contractual Clauses for any cross-border data transfers.

8. Security Program

• Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
• PostgreSQL row-level security isolating every organization’s data
• Principle of least privilege on all internal access; audit logs retained for security review
• Secret management for API keys and OAuth tokens; no customer secrets stored in plaintext
• Quarterly dependency and vulnerability scanning; prompt patching on critical advisories
• Incident-response plan with a 72-hour notification commitment for confirmed personal-data breaches

9. Sub-processors

Josey.ai relies on a small number of vetted sub-processors to operate the platform. Each is bound by a written data-processing agreement.

We notify customers of material changes to our sub-processor list at least 30 days before any new provider processes customer data.

10. Reporting Abuse or a Concern

If you believe a Josey.ai customer has contacted you in violation of law or our Acceptable Use Policy, or you want your number removed from a customer’s lists platform-wide:

We acknowledge abuse reports within two business days. Confirmed violations trigger account suspension and a written response to the complainant.

11. DMCA & Content Takedown

Copyright-infringement notices should be directed to our designated agent at legal@josey.ai and include the elements required by 17 U.S.C. § 512(c)(3). Counter-notices follow the same process.

12. Not Legal Advice

This page describes how Josey.ai approaches compliance. It is not legal advice and is not a substitute for consulting your own attorney about your specific use case, industry, or jurisdiction. Telemarketing and privacy law change frequently. You are responsible for ensuring your use of Josey.ai is lawful in every jurisdiction you contact.

13. Contact