Add SMS consent and A2P messaging disclosures to privacy and terms

src/pages/privacy.astro

@@ -22,7 +22,7 @@ const canonicalUrl = "https://pilotprotocol.network/privacy";
 
   <h1>Privacy <em>Policy</em></h1>
   <p class="article-meta" style="display:flex;gap:14px;font-family:var(--mono);font-size:10px;letter-spacing:.12em;text-transform:uppercase;color:var(--ink-dim);padding:14px 0;border-top:1px solid var(--line);border-bottom:1px solid var(--line);margin:0 0 36px;">
-    Effective: May 28, 2026 · Last updated: June 17, 2026
+    Effective: May 28, 2026 · Last updated: June 26, 2026
   </p>
 
   <p><strong>Pilot Protocol</strong> is operated by Vulture Labs. This Privacy Policy explains what data we collect, why we collect it, and what rights you have. It covers the Pilot Protocol daemon, the pilotprotocol.network website, the rendezvous service, and any Pilot-operated specialist agents (together, the "Services").</p>
@@ -63,39 +63,51 @@ const canonicalUrl = "https://pilotprotocol.network/privacy";
     <li><strong>Cloudflare Web Analytics</strong> — Cookieless, privacy-first analytics provided by Cloudflare. No personal data, no cookies, no fingerprinting. Aggregated page-view counts only.</li>
   </ul>
 
-  <h2>4. Legal Basis for Processing (GDPR)</h2>
+  <h2>4. Phone Numbers &amp; SMS Messaging</h2>
+  <p>If you provide a mobile phone number — for example, to verify your identity, secure your account, or receive service notifications — we collect and process the following:</p>
+  <ul>
+    <li><strong>Mobile phone number</strong> — The number you submit, used to send transactional SMS text messages such as one-time verification codes, security alerts, and account or service notifications.</li>
+    <li><strong>SMS consent records</strong> — A record of your opt-in (the phone number, the timestamp, and the disclosure wording you agreed to), retained to demonstrate that you consented to receive messages, as required by mobile carriers and applicable law.</li>
+    <li><strong>Message metadata</strong> — Delivery status and timestamps returned by our SMS delivery provider. We do not use the contents of these messages for any purpose beyond delivering the service you requested.</li>
+  </ul>
+  <p>Providing a phone number is optional. SMS messages from Pilot Protocol are <strong>transactional only</strong> — we do not send marketing or promotional text messages. Message frequency varies, and message and data rates may apply. You may opt out at any time by replying <strong>STOP</strong> to any message; reply <strong>HELP</strong> for assistance. See our <a href="/terms">Terms of Service</a> for the full SMS program disclosures.</p>
+  <p><strong>We do not sell your phone number, and we do not share mobile information or SMS opt-in and consent data with third parties or affiliates for their own marketing or promotional purposes.</strong> Phone numbers are disclosed only to our SMS delivery provider, and solely to transmit the messages you requested.</p>
+
+  <h2>5. Legal Basis for Processing (GDPR)</h2>
   <p>We process data under Article 6 of the UK and EU GDPR:</p>
   <ul>
     <li><strong>Legitimate interests (Art. 6(1)(f))</strong> — Operating the rendezvous service, maintaining network security, and analyzing aggregated usage to improve the protocol. We have balanced these interests against your rights and concluded they do not override them given the minimal nature of the data.</li>
-    <li><strong>Consent (Art. 6(1)(a))</strong> — For Google Analytics cookies and any optional telemetry. You may withdraw consent at any time by clearing your browser's <code>pilot_consent</code> localStorage entry.</li>
+    <li><strong>Consent (Art. 6(1)(a))</strong> — For Google Analytics cookies, any optional telemetry, and SMS messages sent to a phone number you provide. You may withdraw consent at any time — for analytics, by clearing your browser's <code>pilot_consent</code> localStorage entry; for SMS, by replying <code>STOP</code> to any message.</li>
   </ul>
 
-  <h2>5. Data Retention</h2>
+  <h2>6. Data Retention</h2>
   <ul>
     <li><strong>Daemon registration data</strong> (IP, hostname, public key, tags, version) — Retained while your agent is registered. Automatically removed if the agent is offline for 30 consecutive days.</li>
+    <li><strong>Phone number &amp; SMS consent records</strong> — Retained while your number is enrolled to receive messages, and for a reasonable period afterward to evidence consent and opt-out as required by carrier rules and applicable law. Removed on request or after you opt out.</li>
     <li><strong>Server access logs</strong> — Retained for 30 days, then automatically deleted.</li>
     <li><strong>GA4 analytics data</strong> — Retention governed by Google's default settings (currently 14 months for event-level data, reset on each new visit).</li>
     <li><strong>Cloudflare Web Analytics</strong> — Aggregated data retained for 30 days.</li>
   </ul>
 
-  <h2>6. Sub-Processors</h2>
+  <h2>7. Sub-Processors</h2>
   <p>We use the following third-party service providers to operate the Services:</p>
   <ul>
     <li><strong>Google Cloud Platform (GCP)</strong> — Hosts the rendezvous registry and any Pilot-operated specialist agents. Data at rest in <code>us-central1</code>.</li>
+    <li><strong>SMS delivery provider</strong> — A third-party messaging provider transmits transactional SMS (verification codes, security alerts, and notifications) to phone numbers you provide. It receives only the phone number and message content necessary for delivery and is bound by a GDPR Article 28 data processing agreement.</li>
     <li><strong>Cloudflare, Inc.</strong> — Provides CDN, DNS, DDoS protection, Web Analytics, and serverless compute (Cloudflare Pages) for pilotprotocol.network. Processed globally at Cloudflare edge locations.</li>
     <li><strong>Google LLC</strong> — Google Analytics 4 (GA4) for website analytics, consent-gated. Data processed in the United States.</li>
   </ul>
   <p>All sub-processors are bound by data processing agreements (DPAs) compliant with GDPR Article 28.</p>
 
-  <h2>7. International Data Transfers</h2>
+  <h2>8. International Data Transfers</h2>
   <p>Data may be transferred to and processed in the United States (GCP us-central1, Cloudflare global edge, Google Analytics). For transfers from the EEA, UK, or Switzerland, we rely on:</p>
   <ul>
     <li><strong>Standard Contractual Clauses (SCCs)</strong> — EU Commission Implementing Decision 2021/914, plus the UK International Data Transfer Addendum.</li>
     <li><strong>EU-US Data Privacy Framework (DPF)</strong> — Google LLC and Cloudflare, Inc. are certified under the DPF.</li>
   </ul>
   <p>For jurisdictions without an adequacy decision, we implement supplementary measures including encryption at rest (AES-256) and in transit (TLS 1.3).</p>
 
-  <h2>8. Your Rights</h2>
+  <h2>9. Your Rights</h2>
   <p>Depending on your jurisdiction, you may have the following rights:</p>
 
   <h3>GDPR (EEA, UK, Switzerland)</h3>
@@ -120,22 +132,22 @@ const canonicalUrl = "https://pilotprotocol.network/privacy";
 
   <p>To exercise any of these rights, email <a href="mailto:founders@pilotprotocol.network">founders@pilotprotocol.network</a>. We will respond within 30 days (GDPR) or 45 days (CCPA). Verification of identity may be required for certain requests.</p>
 
-  <h2>9. Data Protection Officer &amp; EU Representative</h2>
+  <h2>10. Data Protection Officer &amp; EU Representative</h2>
   <p>Given the limited scope and nature of data processing (no large-scale processing of special categories of data, no systematic monitoring of data subjects on a large scale), Vulture Labs is exempt from the obligation to appoint a Data Protection Officer under GDPR Article 37 and from the obligation to designate an EU Representative under GDPR Article 27. If this assessment changes as the Services grow, we will update this policy and make the necessary appointments.</p>
 
-  <h2>10. Children's Privacy</h2>
+  <h2>11. Children's Privacy</h2>
   <p>The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.</p>
 
-  <h2>11. Automated Decision-Making</h2>
+  <h2>12. Automated Decision-Making</h2>
   <p>We do not use any form of automated decision-making or profiling that produces legal effects or similarly significant effects on individuals (GDPR Article 22). The rendezvous service uses automated matching of tags and hostnames, but this is purely operational and has no effect on individual rights.</p>
 
-  <h2>12. Security</h2>
+  <h2>13. Security</h2>
   <p>We implement appropriate technical and organizational measures to protect data: TLS 1.3 for all transit, AES-256-GCM for encrypted tunnels, access controls on infrastructure, and regular security reviews. In the event of a data breach, we will notify affected users and relevant authorities as required by applicable law.</p>
 
-  <h2>13. Changes to This Policy</h2>
+  <h2>14. Changes to This Policy</h2>
   <p>We will post changes to this page and update the "Last updated" date. For material changes, we will provide additional notice (website banner, daemon notification, or email where available). Continued use after changes constitutes acceptance.</p>
 
-  <h2>14. Contact</h2>
+  <h2>15. Contact</h2>
   <p>For privacy-related inquiries or to exercise your rights:</p>
   <p>Email: <a href="mailto:founders@pilotprotocol.network">founders@pilotprotocol.network</a></p>
   <p>We aim to acknowledge all privacy requests within 5 business days.</p>

src/pages/terms.astro

@@ -22,7 +22,7 @@ const canonicalUrl = "https://pilotprotocol.network/terms";
 
   <h1>Terms of <em>Service</em></h1>
   <p class="article-meta" style="display:flex;gap:14px;font-family:var(--mono);font-size:10px;letter-spacing:.12em;text-transform:uppercase;color:var(--ink-dim);padding:14px 0;border-top:1px solid var(--line);border-bottom:1px solid var(--line);margin:0 0 36px;">
-    Effective: May 28, 2026 · Last updated: May 28, 2026
+    Effective: May 28, 2026 · Last updated: June 26, 2026
   </p>
 
   <p>These Terms of Service ("Terms") are a binding agreement between <strong>Vulture Labs</strong> ("Pilot Protocol," "we," "us," "our") and you ("you," "User") governing your use of pilotprotocol.network, the Pilot rendezvous service, any Pilot-operated specialist agents, and related documentation and APIs (together, the "Services").</p>
@@ -101,10 +101,23 @@ const canonicalUrl = "https://pilotprotocol.network/terms";
 
   <p>Before initiating formal proceedings, you agree to contact us at <a href="mailto:founders@pilotprotocol.network">founders@pilotprotocol.network</a> and attempt to resolve the dispute informally for a period of at least thirty (30) days.</p>
 
-  <h2>11. Changes to These Terms</h2>
+  <h2>11. SMS / Text Messaging Program</h2>
+  <p>Pilot Protocol offers an optional SMS text-messaging program. If you provide a mobile phone number and opt in, you agree to the following in addition to the rest of these Terms.</p>
+  <ul>
+    <li><strong>Program description</strong> — By opting in, you consent to receive <strong>transactional</strong> SMS text messages from Pilot Protocol, such as one-time verification codes, security alerts, and account or service notifications. We do not send marketing or promotional text messages.</li>
+    <li><strong>Message frequency</strong> — Message frequency varies and depends on your activity (for example, each time you request a verification code).</li>
+    <li><strong>Message and data rates</strong> — Message and data rates may apply, according to the plan you have with your mobile carrier. Pilot Protocol does not charge for SMS messages.</li>
+    <li><strong>Opt out</strong> — You may cancel the SMS service at any time by replying <strong>STOP</strong> to any message. After you send <code>STOP</code>, we will send a one-time confirmation that you have been unsubscribed and will stop sending you SMS messages. To rejoin, opt in again as you did originally.</li>
+    <li><strong>Help</strong> — Reply <strong>HELP</strong> to any message for assistance, or email <a href="mailto:founders@pilotprotocol.network">founders@pilotprotocol.network</a>.</li>
+    <li><strong>Carrier liability</strong> — Mobile carriers are not liable for delayed or undelivered messages.</li>
+    <li><strong>Eligibility</strong> — You must be the account holder or have authorization to enroll the phone number, and the number must be capable of receiving SMS.</li>
+  </ul>
+  <p>How we collect and handle the phone number and consent data you provide is described in our <a href="/privacy">Privacy Policy</a>. We do not sell your phone number or share SMS opt-in or consent data with third parties for their own marketing purposes.</p>
+
+  <h2>12. Changes to These Terms</h2>
   <p>We will post changes to this page and update the "Last updated" date. For material changes, we will provide additional notice (website banner, email where available, or daemon notification). Continued use after the effective date of changes constitutes acceptance of the revised Terms.</p>
 
-  <h2>12. Contact</h2>
+  <h2>13. Contact</h2>
   <p>Questions about these Terms?</p>
   <p>Email: <a href="mailto:founders@pilotprotocol.network">founders@pilotprotocol.network</a></p>