Compliance Overview

Armour Consortium AI - Cart Recovery API
Last Updated: December 2025

Executive Summary

Armour Consortium AI operates the most compliant cart recovery API in the industry. We enforce consent at the API level, respect explicit opt-outs, and never store personal data.

Our Philosophy: Generate the highest-converting content on earth while respecting customer preferences. We don't water down messaging for imaginary compliance concerns - we enforce the rules that actually matter.

1. Consent Handling

1.1 Three-Tier Consent Model

Our API enforces a sophisticated consent model that respects customer preferences:

Consent Flag Value	SMS/WhatsApp Treatment	Email Treatment
`accepts_sms_marketing: false`	BLOCKED - No SMS/WhatsApp generated	No effect
`accepts_sms_marketing: null/missing`	TRANSACTIONAL - Cart reminder only, no promotional offers	Generated (soft opt-in)
`accepts_sms_marketing: true`	PROMOTIONAL - Full marketing with discounts/incentives	Generated
`accepts_email_marketing: false`	No effect	BLOCKED - No email generated
`accepts_email_marketing: null/missing/true`	No effect	GENERATED - Soft opt-in applies

1.2 Dual Opt-Out Protection

When both accepts_email_marketing: false AND accepts_sms_marketing: false:

API returns HTTP 200 with available_channels: []
Warning: COMPLIANCE_BLOCKED
No Ensemble processing triggered
No charge applied
No content generated for any channel

This protects merchants from accidentally contacting customers who have opted out of all marketing.

1.3 Why This Matters

Most competitors either:

Ignore consent entirely (illegal)
Block all messaging unless explicit consent exists (overly cautious, loses revenue)

We take the correct middle ground:

Respect explicit opt-outs immediately
Apply soft opt-in where legally permitted
Generate transactional vs. promotional content based on consent level

2. Regional Compliance

2.1 UK (PECR + UK GDPR)

Requirement	Our Implementation
Soft Opt-In	Correctly applied for cart abandonment
Opt-Out Respect	API blocks generation on `false` consent
Data Minimisation	Transient processing, no storage
Lawful Basis	Legitimate interests or soft opt-in

ICO Guidance Compliance: The ICO confirms that a single reminder about an in-progress purchase is not unsolicited marketing. Our cart recovery messages fall within this exemption when the customer:

Initiated the transaction
Provided contact details during checkout
Has not explicitly opted out

2.2 EU (GDPR + ePrivacy)

Requirement	Our Implementation
Article 6 Lawful Basis	Legitimate interests (merchant), contract (processor)
Article 28 DPA	Comprehensive DPA in place
Article 30 RoPA	Internal processing records maintained (available on request)
Article 32 Security	TLS, no storage, rate limiting
Soft Opt-In	Applied per member state interpretation

2.3 USA (CAN-SPAM + TCPA + CCPA)

Requirement	Our Implementation
CAN-SPAM Unsubscribe	ESP handles unsubscribe link injection (SendGrid, Klaviyo, Elastic Email, etc.)
CAN-SPAM Address	ESP handles physical address injection
TCPA Consent	Merchant responsibility; we honour opt-out flags passed to API
TCPA 2025 Opt-Out	"STOP to end" auto-included in SMS (merchant handles STOP replies)
CCPA Disclosure	Privacy Policy includes CA section
CCPA Opt-Out	We do not sell personal information

See US Compliance Guide for details.

3. What Sets Us Apart

We've built compliance into the API itself:

Consent enforcement at API level - Not left to merchant implementation
Three-tier model - Not just on/off, but a transactional middle ground
Dual opt-out protection - COMPLIANCE_BLOCKED with no charges when both channels refused
Zero PII storage - Transient processing eliminates breach risk
Complete documentation - DPA, RoPA, LIA, sub-processors all maintained

Our approach: Generate effective, engaging recovery content while respecting customer preferences. The law doesn't require bland messaging - it requires consent and transparency.

4. Merchant Responsibilities

As the Data Controller, merchants must:

Responsibility	Requirement
Accurate Consent Flags	Pass correct `accepts_sms_marketing` and `accepts_email_marketing` values
Privacy Policy	Maintain appropriate privacy policy disclosures for third-party services
Opt-Out Handling	Honour unsubscribe requests within 10 days
Transmission Decisions	Decide when to send generated content
Regional Compliance	Ensure compliance with their customers' jurisdictions

We generate content. You decide when the law allows you to send it.

5. Consent Flag Reference

5.1 SMS/WhatsApp Consent

{
  "customer": {
    "accepts_sms_marketing": true  // false, null, or omitted
  }
}

Value	Meaning	Content Type
`true`	Explicit consent	Full promotional
`null` / omitted	No explicit preference	Transactional only
`false`	Explicit refusal	BLOCKED

Transactional content: Cart reminder, items, and recovery link only - no discounts, free gifts, or promotional language.

5.2 Email Consent

{
  "customer": {
    "accepts_email_marketing": true  // false, null, or omitted
  }
}

Value	Meaning	Content Type
`true`	Explicit consent	Full promotional
`null` / omitted	Soft opt-in applies	Standard recovery
`false`	Explicit refusal	BLOCKED

Note: Email uses "soft opt-in" - standard recovery content is generated unless explicitly opted out.

5.3 General Marketing Consent (Legacy Fallback)

{
  "customer": {
    "accepts_marketing": true  // Legacy catch-all
  }
}

Value	Meaning	Email Treatment	SMS/WhatsApp Treatment
`true`	General marketing consent	Promotional (soft opt-in)	Transactional only
`null` / omitted	No preference stated	Promotional (soft opt-in)	Transactional only
`false`	General refusal	Transactional (cart reminder only)	BLOCKED

Priority & Fallback Logic (EU/California Compliant):

The specific fields (accepts_email_marketing, accepts_sms_marketing) always take priority when provided. The accepts_marketing field is used as a fallback for EU and California compliance when specific fields are missing.

Fields Provided	Email Treatment	SMS/WhatsApp Treatment
None	Promotional (soft opt-in)	Transactional (sanitized)
`accepts_marketing: false` only	Transactional (sanitized)	BLOCKED
`accepts_marketing: true` only	Promotional (soft opt-in)	Transactional (sanitized)
`accepts_sms_marketing: true`	Promotional (soft opt-in)	Promotional
`accepts_sms_marketing: false`	Promotional (soft opt-in)	BLOCKED
`accepts_email_marketing: false`	BLOCKED	Transactional (sanitized)
`accepts_email_marketing: false` + `accepts_marketing: false`	COMPLIANCE_BLOCKED - no LLM calls, no charge

EU/California Compliance Note: When accepts_marketing: false, SMS/WhatsApp is fully blocked (not just transactional) because:

EU (GDPR/ePrivacy): SMS requires explicit consent; "no marketing" = no SMS
California (TCPA): SMS opt-in requirements are stricter; general marketing refusal extends to SMS

Email is downgraded to transactional mode (cart reminder only, no discount codes or promotional offers) rather than blocked, as abandoned cart emails are permitted under soft opt-in provisions.

6. API Response Examples

6.1 Normal Response (All Channels Available)

{
  "ensemble": "armour-v2.5",
  "subject": "Your skincare routine is waiting...",
  "html_body": "...",
  "messaging": {
    "sms": "Hi Sarah! Your cart's waiting... [URL] Reply STOP to end",
    "whatsapp": "..."
  },
  "available_channels": ["email", "sms", "whatsapp"]
}

6.2 SMS Blocked Response

{
  "ensemble": "armour-v2.5",
  "subject": "Your skincare routine is waiting...",
  "html_body": "...",
  "messaging": {
    "sms": null,
    "whatsapp": null
  },
  "available_channels": ["email"],
  "warnings": ["SMS/WhatsApp blocked: accepts_sms_marketing is false"]
}

6.3 Dual Opt-Out Response

{
  "available_channels": [],
  "warnings": ["COMPLIANCE_BLOCKED: Customer has opted out of all channels"],
  "subject": null,
  "html_body": null,
  "messaging": {
    "sms": null,
    "whatsapp": null
  }
}

7. Documentation Links

Document	Purpose	Link
Data Processing Agreement	Art. 28 GDPR contract	/legal/dpa.html
Privacy Policy	GDPR Art. 13/14, CAN-SPAM, CCPA	/legal/privacy.html
Terms of Service	Contract terms	/legal/terms.html
Records of Processing	Art. 30(2) record	/legal/ropa.html
Legitimate Interests Assessment	Art. 6(1)(f) justification	/legal/lia.html
Sub-Processor List	Art. 28(2) disclosure	/legal/subprocessors.html
US Compliance Guide	TCPA/CAN-SPAM details	/legal/us-compliance.html
Security Measures	Art. 32 summary	/legal/security.html
x402 Exemption	Agent traffic handling	/legal/x402-exemption.html

8. Contact

For compliance questions:

Email: hello@armourconsortium.ai

This compliance overview demonstrates Armour Consortium AI's commitment to lawful, ethical cart recovery that respects customer preferences while delivering industry-leading conversion rates.