This article is for Enrollsy customers preparing to go live. By the end, you'll know what your website's Privacy Policy and Terms & Conditions need to contain, why both are required, and where to get help drafting them.
⚠️ Note: This is general guidance, not legal advice. We recommend reviewing your final policies with an attorney to make sure they're compliant with the laws that apply to your business.
What a Privacy Policy and Terms & Conditions are
Privacy Policy. A Privacy Policy is a public-facing document on your website that explains what personal information you collect from customers and visitors, how you use it, how you store it, and whether you share it with anyone else.
Personal information can include the following:
Name
Street or Mailing Address
Email Address
Phone number(s)
Age
Gender
Marital status
Race or Nationality
Religious beliefs
Terms & Conditions. Your Terms & Conditions (sometimes called "Terms of Service" or "Terms of Use") are the rules customers agree to when they register for your programs or use your website. They cover things like program descriptions, payment and refund expectations, SMS messaging disclosures, and limits on liability.
Both documents should be linked from your website footer and from your registration form's opt-in.
Why You Need Them
There are three reasons every Enrollsy customer needs a Privacy Policy and Terms & Conditions on their site.
1. It's the law. Most regions require any website that collects personal information to publish a Privacy Policy. A few examples of laws that may apply to your business:
United States — The California Online Privacy Protection Act (CalOPPA) requires any website that collects personal data from California residents to display a clearly accessible Privacy Policy. Because most Enrollsy customers serve a national audience, CalOPPA effectively applies even if you're not based in California. If your programs serve children under 13, the federal Children's Online Privacy Protection Act (COPPA) also applies.
Canada — PIPEDA (the Personal Information Protection and Electronic Documents Act) requires Canadian businesses to publish a Privacy Policy in plain language and to make it accessible for customer inquiries.
Australia — The Privacy Act of 1988 requires Australian companies to publish a Privacy Policy describing how they collect, use, and disclose personal information.
2. Third-party services require it. Many of the services your website depends on — including Twilio, which Enrollsy uses to send SMS messages on your behalf — require you to publish a Privacy Policy and Terms & Conditions that meet specific standards before they'll let you send messages to your customers. Without compliant policies, registrations that include SMS opt-ins may be rejected.
3. It builds customer trust. A clear, plain-language Privacy Policy reassures parents and adult students that their personal information is handled responsibly. Even if you collect very little data, customers expect to find a Privacy Policy on your site — and not having one can make them assume the worst.
We recommend consulting with your legal counsel to make sure that your terms and conditions and privacy policy are compliant with applicable laws and consistent with standards for your particular campaign and industry. You can also use a free service like RocketLawyer to help you generate a policy.
What to include in Privacy Policy and Terms & Conditions
Because Enrollsy uses Twilio to send SMS messages on your behalf, your website's Privacy Policy and Terms & Conditions need to meet both general privacy-law standards and Twilio/CTIA messaging requirements. Below is a single checklist that satisfies both.
Your privacy policy must:
Be conspicuously displayed and linked from your registration form's opt-in (the initial call-to-action)
Disclose what personal data you collect and how it's used, stored, and shared
State that mobile phone numbers and SMS opt-in data will not be shared with third parties or affiliates for marketing purposes (required by CTIA)
Be written in plain language that a customer can easily understand
Be kept consistent with applicable privacy laws (see "Laws that may apply" below)
Your terms and conditions should generally include:
Program or brand name
Program description
"Message and data rates may apply" disclosure
Message frequency (or recurring-message) disclosure
Customer support contact information
Complete opt-out instructions (HELP and STOP), displayed in bold
A link to your Privacy Policy
A disclosure stating "Carriers are not liable for any delayed or undelivered messages"
Pro tip: Consider creating messaging-specific Privacy Policy and T&C pages rather than editing your main company documents. Dedicated messaging policies are easier to keep current as Twilio/CTIA requirements change.
For the source language behind these requirements, see Twilio's Messaging Policy (section 5.2.1) and the CTIA Messaging Principles and Best Practices.
How to Create Yours
You have two options for creating your Privacy Policy and Terms & Conditions:
Work with an attorney. This is the safest route, especially if your programs serve children, you operate in multiple states or countries, or you handle sensitive information like medical or financial data. An attorney can tailor your policies to the specific laws that apply.
Use a policy generator. Free and paid services like RocketLawyer can generate a starter Privacy Policy and Terms & Conditions that you can adapt. Generators are a fine starting point but not a substitute for legal review — especially for the SMS-specific clauses Twilio requires.
Whichever route you take, use the outline below as a checklist to make sure your final Privacy Policy covers the basics.
Privacy Policy Outline
Privacy Policy Outline
Businesses might need to tailor their privacy terms based on the industry when drafting a privacy policy. While we can't provide you with a privacy policy for your company, here are some general outlines for a privacy policy.
The outline below provides a foundation, but your attorney will help ensure that the policy is comprehensive and compliant with relevant laws, such as the Children's Online Privacy Protection Act (COPPA) and any state-specific regulations.
Introduction
Briefly describe the purpose of the policy and its importance in protecting personal information.
Information Collection
Detail the types of personal information collected (e.g., student's names, birthdates, medical information, parent/guardian contact details).
Explain how this information is collected (e.g., enrollment forms, website interactions).
Use of Information
Describe how the collected information is used (e.g., for child care services, classes, emergency contact, billing).
Information Sharing and Disclosure
Specify circumstances under which information may be shared (e.g., with staff, and government agencies for compliance). Assure that information is not sold or shared with third parties for marketing.
Data Security
Outline the measures taken to protect personal information (e.g., secure storage, restricted access).
Access to Information
Explain how parents/guardians can access or update their child's personal information, or how students can access or update their personal information.
Policy Changes
State that the policy may be updated and how changes will be communicated.
Contact Information
Provide a way for parents/guardians or adult students to contact you with questions or concerns about privacy.
Compliance Statement
Affirm adherence to applicable privacy laws and regulations.
Next Steps
Once your Privacy Policy and Terms & Conditions are published on your website, return to the Going Live checklist to continue your Enrollsy launch.