Messaging Terms & Proof of Consent (SMS Opt-In)
Nexus Real Estate LLC and Affiliated Entities
1. Purpose and Scope
This document establishes the formal record and operational framework by which Nexus Real Estate LLC ("Nexus," "we," "us," or "the Company") and its affiliated entities collect, document, retain, and produce proof of express consent for the transmission of SMS (Short Message Service) and MMS (Multimedia Message Service) communications to consumers, leads, clients, tenants, landlords, agent partners, business partners, and other individuals who interact with the Company across the United States, Canada, the European Union and European Economic Area, and the United Kingdom.
The Company maintains this Proof of Consent record to demonstrate full compliance with the governing telecommunications, consumer protection, and data protection regimes of each jurisdiction in which it transmits commercial or transactional messages, and to satisfy the evidentiary standards imposed by mobile carriers, campaign registries, and regulatory authorities worldwide.
The Company's governing premise is that the highest applicable standard of consent in any jurisdiction touched by a given message will be the operative standard applied to that message. Where a consumer's identity, residence, or mobile number places them under more than one legal regime, the Company applies the most protective of those regimes as a matter of policy.
1.1 Affiliated Entities Covered
This Proof of Consent record applies uniformly across the following entities and business relationships, each of which relies upon the same consent capture infrastructure and retention procedures described herein:
Nexus Real Estate LLC. The principal real estate brokerage licensed in Massachusetts, New Hampshire, and the District of Columbia, including all operational divisions and platforms (consumer portals, agent portals, landlord portals, tenant portals, business partner portals, and internal administrative systems).
Canadian Benefits. Operating as a distinct marketing company domiciled in Canada, for commercial electronic messages directed to recipients in Canada, the United States, the European Economic Area, and the United Kingdom.
Partner agents. Operating under Nexus Real Estate LLC's brokerage license or referral agreements, including collaborations through The Jason Mitchell Group and Coldwell Banker.
Receiving brokerages and cooperating agents. Both domestic and international, to whom consumer leads are referred pursuant to signed referral agreements, solely with respect to consent-based communications initiated by or on behalf of Nexus.
Business partner vendors. Integrated into the Nexus service platform (mortgage lenders, home service providers, insurance partners, title and settlement companies) to the extent messaging is sent by Nexus on their behalf or through the Nexus communications infrastructure.
1.2 Territorial Reach
This record applies to: (a) any message transmitted to a telephone number assigned to a U.S. carrier, regardless of the recipient's physical location; (b) any message transmitted to a telephone number assigned to a Canadian carrier, or to any recipient physically located in Canada at the time of sending; (c) any message transmitted to a recipient located in the European Economic Area or the United Kingdom, or to a telephone number assigned to an EEA or UK carrier; and (d) any message whose sender, processing infrastructure, or data controller is established within any of the foregoing jurisdictions, where the applicable law so requires.
2. Definitions
Express Written Consent (U.S.). A consumer's written agreement, electronic or otherwise, that bears the signature or affirmative action of the consumer and clearly authorizes the Company to deliver advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice, to the telephone number designated by the consumer. Consent must be conspicuous, separately authorized (not pre-checked), and not required as a condition of purchase.
Express Consent (Canada, CASL). A recipient's oral or written agreement to receive a commercial electronic message, obtained through a clear, affirmative action that identifies the sender, the purposes for which consent is sought, and the recipient's right to withdraw consent, and that is not bundled with any other request or condition.
Consent (EU/UK, GDPR Article 4(11) and Article 7). A freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them. For electronic marketing under the ePrivacy Directive 2002/58/EC (as implemented in each member state and in the UK through the Privacy and Electronic Communications Regulations 2003), consent must additionally be separate from any other consent and freely revocable at any time.
Opt-In. The affirmative action by which a consumer provides consent to receive SMS/MMS messages, including but not limited to checking a non-pre-checked box, submitting a web form, replying to a confirmation message, or signing a paper or electronic authorization.
Opt-Out / Withdrawal of Consent. The affirmative action by which a consumer withdraws previously given consent, including by replying STOP, END, QUIT, UNSUBSCRIBE, CANCEL, ARRÊT (French), ANNULER, OPTOUT, or any linguistic equivalent to any SMS message, by written request, or by verbal request to a Company representative. Under GDPR, withdrawal must be as easy as granting consent.
Proof of Consent. The collection of records, data fields, and evidentiary artifacts maintained by the Company to demonstrate, on a per-recipient basis, that valid consent was obtained, including the content of the consent language, the method and timestamp of capture, the channel through which consent was given, the legal basis relied upon, and the identity of the controller and any joint or independent controllers.
Campaign. A discrete messaging use case registered with The Campaign Registry (TCR) for U.S. 10DLC compliance, with the equivalent Canadian carrier and CRTC-aligned registration processes, or implemented in compliance with EEA/UK sender identification and disclosure requirements.
Data Subject (EU/UK). An identified or identifiable natural person to whom personal data relates, as defined in GDPR Article 4(1) and UK GDPR Article 4(1).
Controller / Processor. As defined in GDPR Article 4(7) and 4(8), respectively. Nexus Real Estate LLC and Canadian Benefits act as independent controllers, or jointly as controllers where they determine purposes and means together, with respect to the personal data processed for SMS communications.
3. Governing Legal and Regulatory Framework
3.1 United States — Federal Law
Telephone Consumer Protection Act. The TCPA, 47 U.S.C. § 227, prohibits the making of any call (which the Federal Communications Commission has interpreted to include SMS and MMS messages) using an automatic telephone dialing system or an artificial or prerecorded voice to any telephone number assigned to a cellular service, without the prior express consent of the called party. For calls or messages that constitute advertising or telemarketing, the TCPA requires prior express written consent. The FCC's implementing regulations appear at 47 C.F.R. § 64.1200.
Damages and Enforcement. Violations of the TCPA carry statutory damages of $500 per unsolicited message, trebled to $1,500 per message for willful or knowing violations. The statute provides a private right of action, and class action exposure is substantial.
3.2 United States — Carrier and Industry Requirements
Carrier Enforcement. Independent of statutory requirements, the four major U.S. mobile carriers (AT&T, T-Mobile, Verizon, and UScellular) enforce messaging rules through The Campaign Registry for 10DLC traffic and through the CTIA Short Code Monitoring Handbook for short codes.
Required Disclosures. These rules require that every messaging campaign disclose in its opt-in flow the program name, message frequency, the statement that message and data rates may apply, instructions for obtaining help (HELP) and opting out (STOP), and a link to the program's Privacy Policy and Terms of Service.
3.3 United States — State Law
Massachusetts. Enforces the Massachusetts Telemarketing Solicitation Act (M.G.L. c. 159C) and consumer protection rules under M.G.L. c. 93A, authorizing treble damages and attorneys' fees for willful or knowing violations.
New Hampshire. Regulates telephone solicitations under RSA 359-E.
District of Columbia. Regulates telemarketing under the Telephone Consumer Solicitation Control Act (D.C. Code § 22-3226.01 et seq.).
Other States. Additional state telemarketing and privacy statutes (such as the Florida Telephone Solicitation Act, the Washington Commercial Electronic Mail Act, and the California Consumer Privacy Act as amended by the California Privacy Rights Act) apply to messages directed to recipients in those states.
3.4 Canada
Canada's Anti-Spam Legislation (CASL). S.C. 2010, c. 23, governs the sending of commercial electronic messages to Canadian recipients or from Canadian senders. Under CASL, a sender must obtain either express consent or, in limited circumstances, rely upon implied consent arising from an existing business or non-business relationship. Every commercial electronic message must (a) identify the sender, (b) provide valid contact information, and (c) contain a functioning unsubscribe mechanism that operates for a minimum of 60 days after the message is sent.
Enforcement. CASL is enforced primarily by the Canadian Radio-television and Telecommunications Commission (CRTC), with additional enforcement authority vested in the Competition Bureau and the Office of the Privacy Commissioner of Canada. Administrative monetary penalties may reach $1,000,000 per violation for individuals and $10,000,000 per violation for organizations.
PIPEDA. The Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, governs the collection, use, and disclosure of personal information in the course of commercial activity in federally regulated sectors and in any province that has not enacted substantially similar legislation.
Provincial Privacy Regimes. Provinces with substantially similar regimes include Alberta (PIPA), British Columbia (PIPA), and Quebec (Law 25, formerly Bill 64, as amended). Quebec's Law 25 imposes particularly stringent consent, transparency, and privacy-by-default obligations, and is enforced by the Commission d'accès à l'information.
Telemarketing Rules. The CRTC's Unsolicited Telecommunications Rules and associated Do Not Call List requirements apply to telemarketing calls and, by extension, to certain SMS practices.
3.5 European Union, European Economic Area, and United Kingdom
General Data Protection Regulation. Regulation (EU) 2016/679 ("GDPR") governs the processing of personal data of data subjects located in the European Union and the European Economic Area. The UK GDPR, together with the Data Protection Act 2018, establishes a parallel regime in the United Kingdom.
ePrivacy Regime. For electronic marketing communications specifically, the ePrivacy Directive (2002/58/EC), as implemented by each EU member state, and the UK's Privacy and Electronic Communications Regulations 2003 ("PECR"), impose additional requirements, including a general prohibition on unsolicited direct marketing by electronic means (including SMS) to natural persons absent the recipient's prior consent.
Consent Standard. Consent under GDPR Article 6(1)(a), and under the ePrivacy regime more generally, must be: (a) freely given, (b) specific to each stated purpose, (c) informed (including as to the controller's identity, the purposes of processing, and the right of withdrawal), and (d) unambiguous, expressed through a clear affirmative act. Pre-ticked boxes, silence, and inactivity are expressly insufficient. The burden of proving consent lies with the controller. Consent must be withdrawable at any time, and withdrawal must be as easy to exercise as granting consent was.
Penalties. Administrative fines under GDPR Article 83 may reach €20,000,000 or 4% of the undertaking's total worldwide annual turnover, whichever is higher. Parallel penalties apply under the UK GDPR (up to £17,500,000 or 4% of turnover) and under national ePrivacy implementations.
Soft Opt-In Exception. A limited "soft opt-in" exception exists under the ePrivacy Directive and PECR, permitting direct marketing to existing customers in relation to similar products or services where the customer was given a clear and simple opportunity to object at the time of data collection and in every subsequent message. This exception does not extend to non-customer prospects, to cross-brand promotion, or to partner messaging, and the Company does not rely upon it for any prospect or referral-sourced recipient.
Article 27 Representatives. Where the Company is not established in the EU or UK but offers services to, or monitors the behaviour of, data subjects in those jurisdictions, Article 27 of the GDPR (and its UK equivalent) requires the designation of a representative in the EU and, separately, in the UK, through whom supervisory authorities and data subjects may communicate with the Company.
3.6 Real Estate Licensing Considerations
Brokerage Licensing. In its capacity as a licensed real estate brokerage, Nexus is additionally subject to state and provincial real estate commission rules governing advertising, solicitation, and team communications.
Sender Identification. Consent capture language and sender identification align with the brokerage name on record with the Massachusetts Board of Registration of Real Estate Brokers and Salespersons, the New Hampshire Real Estate Commission, the D.C. Real Estate Commission, and with any analogous Canadian provincial real estate council where a licensed agent is involved in the communication.
International Disclosure. Where a message is directed to an EEA or UK recipient, the sender's legal name, commercial register number, and licensing authority are disclosed in a manner consistent with the local transparency and sender identification requirements.
4. Methods of Consent Collection
The Company collects SMS consent through several approved channels. Each channel produces a distinct evidentiary record, all of which are aggregated into the unified Consent Ledger described in Section 6. No other method of consent collection is permitted without prior review and written approval from the Company's compliance function.
4.1 Web Form Opt-In
Primary Channel. The principal consent capture channel is the Company's suite of web forms, deployed on the primary Nexus website, consumer-facing landing pages, property inquiry forms, buyer and seller intake forms, tenant application forms, landlord onboarding forms, and partner registration forms.
Checkbox Requirements. Each web form that collects a telephone number for SMS communications includes, directly adjacent to the phone number field and above the submission button, a discrete and non-pre-checked checkbox (or separate checkboxes, where distinct purposes are presented). The disclosure language is adapted to the recipient's jurisdiction and is presented in the recipient's preferred language where such a preference has been collected. Where jurisdiction is unknown at the moment of capture, the Company presents language that satisfies the most protective applicable standard (EU/UK GDPR) and therefore satisfies all others.
Evidentiary Fields Captured. The submission event captures the following evidentiary fields: timestamp in ISO 8601 format with UTC offset, originating IP address, user agent string, form URL, referrer URL, the full text of the disclosure language as rendered at the time of submission, the language in which the disclosure was rendered, a cryptographic hash of the rendered form, the inferred jurisdiction (based on IP geolocation, declared country of residence, and telephone country code), the legal basis relied upon, and the submitted phone number in E.164 format.
Separate Checkboxes for Separate Purposes. For EEA and UK recipients, and for Canadian recipients where purposes extend beyond those reasonably incidental to the requested service, consent is collected through separate checkboxes for each distinct purpose (for example, service-related transactional messaging; marketing by Nexus; marketing by named affiliates; referral communications), and no checkbox is pre-selected.
4.2 Double Opt-In Confirmation
Requirement. For all marketing campaigns directed to U.S., Canadian, EEA, or UK recipients, the Company implements double opt-in.
Operation. Immediately upon receipt of a web form submission containing SMS consent, the Company transmits a confirmation message requesting an affirmative reply (YES, or the linguistic equivalent in the recipient's language). The recipient's affirmative reply is recorded and required before any further marketing messages are sent.
4.3 Electronic Signature on Brokerage and Service Agreements
DocuSign Capture. Consent to SMS communications may also be collected through electronic signature on standard brokerage documents executed via DocuSign.
Discrete Clause Requirement. Where a brokerage document contains an SMS consent clause, that clause appears as a discrete, separately initialed or separately acknowledged provision rather than as a boilerplate provision buried in general terms. This segregation is required by the TCPA for U.S. marketing consent, by CASL for Canadian commercial electronic messages, and by GDPR Article 7(2) for EEA and UK consent that is obtained in the context of a written declaration dealing also with other matters.
4.4 SMS Keyword Opt-In
Mechanism. Consumers may opt in to specific campaigns by texting a designated keyword to the Company's registered 10DLC number (U.S.), dedicated Canadian short or long code, or appropriate EEA/UK sender number.
Record Capture. Inbound messages are captured with timestamp, originating mobile number, keyword used, and the confirmation message sent in response, and are cross-referenced against the Company's registered sender records for the applicable jurisdiction.
4.5 In-Person and Verbal Consent
Capture Methods. At open houses, property tours, trade shows, and in-person client meetings, consent may be captured through a tablet-based web form (Section 4.1), through written sign-in sheets bearing jurisdictionally appropriate disclosure language and a consumer signature, or through a verbal authorization that is documented contemporaneously by the agent and confirmed by the Company transmitting an opt-in confirmation message requiring a YES reply before further messaging.
Verbal Consent Insufficiency. Verbal consent alone is not sufficient for marketing messages under the TCPA, CASL, or GDPR/PECR. Verbal consent must be paired with a double opt-in confirmation sequence to establish a compliant record.
5. Required Disclosures at Point of Consent
Every consent collection point, regardless of channel or jurisdiction, presents the disclosures required by the most protective applicable regime. The following disclosure elements are uniformly applied:
Identity of the Sender and Controller. The full legal name of the sending entity ("Nexus Real Estate LLC" or "Canadian Benefits," as applicable), together with any affiliated partner brand on whose behalf messaging may be sent, and, for EEA/UK recipients, the identity and contact details of the data controller, any joint controllers, and the Article 27 representative in the EU and in the UK.
Nature and Purposes of Messages. A description of the categories of messages (marketing, promotional, transactional, informational, referral communications), with sufficient specificity that the consumer can evaluate each purpose independently. For GDPR and CASL, each distinct purpose is presented for separate consent.
Legal Basis. For EEA/UK recipients, the legal basis relied upon (consent under Article 6(1)(a) for marketing; contract performance under Article 6(1)(b) for transactional messages necessary to the service requested; or legitimate interests under Article 6(1)(f) where applicable, balanced against the data subject's rights).
Voluntariness. A clear statement that consent is not a condition of any purchase, service, or tenancy (TCPA-mandated for U.S. marketing consent; CASL-aligned; and required by GDPR Article 7(4) which provides that consent is not freely given if it is bundled with the provision of a service).
Message Frequency. Stated as a range (for example, "up to 10 messages per month") or as "message frequency varies."
Cost Disclosure. The statement "Message and data rates may apply," or a substantively equivalent disclosure.
Help and Opt-Out Instructions. Instructions for obtaining help ("Reply HELP") and for opting out ("Reply STOP"), together with acknowledgment that opt-out is available at no cost to the consumer, in the recipient's language where known. For Canada, the unsubscribe mechanism must remain functional for at least 60 days. For EEA/UK, withdrawal must be as easy as granting consent.
Data Subject Rights (EEA/UK). For EEA and UK recipients, a plain-language summary or link to a full explanation of the data subject's rights under GDPR Articles 15 through 22 (access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making), the right to withdraw consent at any time without affecting the lawfulness of prior processing, and the right to lodge a complaint with a supervisory authority (identified by name and with a link).
International Transfers. Where personal data is transferred outside the EEA, the UK, or Canada to a jurisdiction not recognized as providing an adequate level of protection, a disclosure of the safeguards relied upon (Standard Contractual Clauses, UK International Data Transfer Agreement or Addendum, Canadian transfer agreements, or other approved mechanisms), and instructions for obtaining a copy.
Retention Period. The period for which personal data will be retained, or the criteria used to determine that period, as required by GDPR Article 13(2)(a).
Privacy Policy and SMS Terms of Service. Hyperlinks, directly adjacent to the consent checkbox, to the Company's Privacy Policy and to a dedicated SMS Terms of Service page.
6. The Consent Ledger: Fields Captured and Retained
The Company maintains a unified Consent Ledger, stored in a database of record with access controls and append-only audit logging, that captures every consent event across every channel and jurisdiction. For each consent event, the following fields are recorded:
Consent ID. Unique identifier for the consent event (UUID v4).
Consumer Name. First and last name as provided by the consumer.
Mobile Number. E.164-formatted telephone number to which consent applies.
Telephone Country Code. ITU-T E.164 country code, used as one input to jurisdictional determination.
Declared Country of Residence. As provided by the consumer, where requested.
Inferred Jurisdiction. The regulatory regime(s) the Company applies to this consent (U.S., Canadian, EEA member state, UK, or combinations), together with the basis for the inference.
Email Address. Contact email if provided, for cross-channel linking and opt-out processing.
Consent Timestamp. ISO 8601 datetime with UTC offset, recorded server-side at the moment of capture.
Consent Channel. Web form, double opt-in confirmation, DocuSign signature, keyword opt-in, written authorization, or in-person sign-in.
Legal Basis. For GDPR/UK GDPR events, the Article 6 legal basis relied upon for each purpose. For Canadian events, express consent or the specific implied consent category relied upon under CASL. For U.S. events, the category of consent (prior express written consent for marketing, or prior express consent for informational).
Consent Scope (Per Purpose). Each purpose for which consent was obtained, with an individual timestamp and legal basis per purpose.
Disclosure Text and Language. Verbatim text of the consent language presented to the consumer at the moment of capture, together with the language code (ISO 639-1) in which it was presented.
Controller Identity. The specific controller or joint controllers at the time of capture.
Form or Document URL. The specific web page, campaign asset, or document URL where consent was captured.
IP Address. Originating IP address of the submission, stored for the retention period.
User Agent. Browser user agent string, for web-based captures.
Form Hash. Cryptographic hash (SHA-256) of the rendered form HTML at submission time, preserving an immutable record of what the consumer saw.
Double Opt-In Timestamp. Datetime of the consumer's affirmative reply (where applicable).
Originating Campaign. TCR campaign identifier (U.S.), Canadian carrier campaign reference, or EEA/UK sender registration reference.
Brand Association. Sending brand (Nexus Real Estate LLC, Canadian Benefits, or named partner agent).
International Transfer Mechanism. Where the consent event triggers a cross-border transfer of personal data, the specific safeguard relied upon and the transfer agreement reference.
Withdrawal Status. Active, Withdrawn, or Suppressed.
Withdrawal Timestamp. Datetime of withdrawal, where applicable.
Withdrawal Channel. STOP reply, email unsubscribe, web portal, data subject request (DSAR), verbal or written request.
The Consent Ledger is the authoritative record against which any subsequent outbound message must be validated. No outbound marketing SMS or MMS message may be transmitted to any mobile number for which the Ledger does not reflect an active, in-scope, jurisdictionally appropriate consent event.
7. Retention Period and Storage
United States Retention. U.S. consent records are retained for a minimum of four (4) years following the later of: (a) the date of withdrawal; or (b) the date of the last outbound message sent to the consumer. This retention aligns with the four-year TCPA statute of limitations under 28 U.S.C. § 1658.
Canadian Retention. Canadian consent records are retained for a minimum of three (3) years following withdrawal or last outbound message, reflecting the CRTC's documented expectations for CASL record-keeping, and in any event for no less than the period necessary to demonstrate compliance in the event of audit.
EEA and UK Retention. EEA and UK consent records are retained for the period necessary to fulfil the purposes for which the data was collected and to demonstrate compliance with accountability obligations under GDPR Article 5(2) and Article 7(1). Upon withdrawal, consent evidence necessary to demonstrate prior lawful processing is retained for the applicable limitation period, but no longer, and is segregated from any data used for further processing.
Brokerage Document Retention. Records for agreements executed through DocuSign are retained for the longer of the period specified in the underlying brokerage agreement or seven (7) years, consistent with real estate record retention requirements in each licensing jurisdiction, subject in all cases to the data minimisation and storage limitation principles of GDPR Article 5(1)(c) and (e) for EEA and UK data subjects.
Storage and Access. Records are stored in encrypted form at rest and in transit. Access is limited to authorized personnel under the principle of least privilege. An append-only audit log captures every read, export, and modification event against the Consent Ledger. EEA and UK personal data is hosted in, or transferred to, only those jurisdictions for which appropriate safeguards have been established.
8. Opt-Out and Withdrawal of Consent
Inbound STOP Handling. The Company honors opt-out and withdrawal requests immediately upon receipt. Inbound replies of STOP, END, QUIT, UNSUBSCRIBE, CANCEL, OPTOUT, ARRÊT, ANNULER, or any equivalent in the recipient's language (case-insensitive) trigger the following actions: (1) an automated confirmation message is sent in the recipient's language, substantively confirming that no further messages will be sent and describing how to re-subscribe; (2) the Consent Ledger record for the opt-out number is updated to Withdrawn with the corresponding timestamp, channel, and (for EEA/UK) a record demonstrating that withdrawal was as easy as granting consent; and (3) the number is added to a global suppression list that is checked against every outbound send from every Company brand.
Non-SMS Channels. Opt-outs received through channels other than SMS (such as email replies, web portal requests, verbal requests to an agent, written correspondence, or GDPR Article 17 erasure requests) are logged into the Consent Ledger within one business day and applied to the suppression list within the same timeframe.
Canadian Timing Requirements. For Canadian recipients, the unsubscribe mechanism remains functional for no less than 60 days after each commercial electronic message, and withdrawal requests are honored within ten (10) business days of receipt, as required by CASL.
EEA and UK Rights Handling. For EEA and UK recipients, withdrawal of consent is honored without delay. Exercise of any data subject right under GDPR or UK GDPR Articles 15 through 22 is acknowledged within 72 hours and substantively addressed within one month, extendable by two further months for complex requests upon notice to the data subject.
Re-Subscription. A consumer who has withdrawn consent may subsequently re-subscribe only by affirmatively initiating a new opt-in sequence meeting the standards of Section 4, with a fresh Consent Ledger record.
9. Obligations of Partner Agents and Affiliates
Partner agents, cooperating brokerages, and business partner vendors who send SMS messages to Nexus contacts, or who receive Nexus referrals and subsequently message those referrals, are contractually bound to the consent standards set forth in this document. The following obligations apply:
Pre-Send Verification. No partner or affiliate may send SMS marketing messages to a Nexus-sourced contact without first confirming, through the Nexus partner portal or the Consent Ledger API, that the contact has provided consent scoped to that partner or to the referral relationship, in the jurisdiction applicable to the recipient.
Approved Language. Each partner agent must include the Nexus-approved opt-in disclosure language, in the appropriate language and with the jurisdictionally appropriate elements, on any consent form the partner uses to collect consent from Nexus-sourced contacts, and must transmit captured consent events to the Consent Ledger within 24 hours of capture.
Sender Identification. Partner agents operating under The Jason Mitchell Group, Coldwell Banker, or other cooperating brokerages must identify themselves in the first marketing message to a consumer in a manner consistent with local sender identification requirements.
Cross-Border Messaging. Canadian Benefits, when messaging U.S., EEA, or UK recipients, operates under the Nexus consent framework and under the applicable data protection regime of each recipient, and may not rely on Canadian consent capture records alone.
Data Processing Agreements. Partners acting as data processors on behalf of Nexus for EEA or UK personal data are bound by GDPR Article 28 data processing agreements incorporating the required content, including confidentiality, security, sub-processor controls, data subject request assistance, and post-termination deletion or return.
Non-Compliance Consequences. Any partner or affiliate that fails to comply with these obligations is subject to immediate suspension from the Nexus referral network and is contractually responsible for indemnifying the Company against any liability arising from non-compliant messaging.
10. Production of Proof of Consent
Upon receipt of a consumer inquiry, a complaint, a regulator request (including from the FCC, FTC, state attorneys general, the CRTC, the Office of the Privacy Commissioner of Canada, a provincial privacy regulator, an EEA supervisory authority, or the UK Information Commissioner's Office), a carrier audit, or a litigation demand, the Company can produce, within five (5) business days, a Proof of Consent package for any specified telephone number. The package includes:
Authenticating Declaration. A signed declaration or affidavit from the Company's compliance officer authenticating the records.
Consent Ledger Export. A complete export of the Consent Ledger record for the specified number, including all fields described in Section 6.
Preserved Rendering. A preserved rendering of the consent form or document as displayed to the consumer at the time of capture, in the language rendered.
Message Logs. The confirmation message transmission logs and any double opt-in reply records.
Withdrawal History. The withdrawal history, if any, associated with the number, with demonstration that withdrawal was honored in the required timeframe.
Audit Log. The audit log entries reflecting the creation, modification, and access events for the Consent Ledger record.
EEA/UK Supplements. For EEA/UK-related records, documentation of the legal basis, the controller identity, any joint controller arrangements under Article 26, the international transfer mechanism, and the retention justification.
Production packages are prepared in PDF format with an accompanying machine-readable export (JSON or CSV), together with cryptographic hashes that allow the recipient to verify the integrity of the produced files.
11. Governance, Training, and Review
Compliance Officer and DPO. The Company's designated compliance officer and, where required by GDPR Article 37, Data Protection Officer (DPO), are responsible for the maintenance of this Proof of Consent record, the operation of the Consent Ledger, the production of Proof of Consent packages on demand, and the periodic review of consent capture language and infrastructure. The DPO's identity and contact details are published on the Company's website and notified to the competent supervisory authorities.
Article 27 Representatives. The Company has designated Article 27 representatives in the European Union and in the United Kingdom, whose identities and contact details are included in every customer-facing disclosure directed at data subjects in those jurisdictions.
Training. All personnel with access to consumer contact information receive compliance training upon onboarding and annually thereafter, covering the TCPA, CASL, PIPEDA, Quebec Law 25, GDPR, UK GDPR, the ePrivacy Directive as implemented locally, PECR, and the practical operation of the Consent Ledger, the handling of withdrawal requests, and the escalation of data subject rights requests and consumer complaints.
Review Cadence. This record is reviewed no less than annually and updated promptly upon any material change in applicable law, carrier or industry requirements, the Company's messaging platforms, or the roster of affiliated entities. A data protection impact assessment (DPIA) is conducted and maintained for the SMS program in accordance with GDPR Article 35 and equivalent provisions.
12. Attestation
The undersigned, on behalf of Nexus Real Estate LLC, attests that the foregoing record accurately describes the Company's standing practices for the collection, documentation, and retention of SMS opt-in consent across the United States, Canada, the European Union, the European Economic Area, and the United Kingdom, and that the Company maintains the infrastructure and records necessary to produce Proof of Consent for any consented recipient upon reasonable request by any competent authority or affected individual.
Authorized Signatory: _______________________________
Nexus Real Estate LLC
Title: _______________________________
Date: _______________________________
Data Protection Officer (where applicable): _______________________________
EU Article 27 Representative: _______________________________
UK Article 27 Representative: _______________________________
Appendix A: Approved Consent Language Templates
A.1 Standard Marketing Opt-In — United States
[ ] By checking this box, I agree to receive recurring automated marketing and informational text messages from Nexus Real Estate LLC at the mobile number I provided. Consent is not a condition of any purchase or service. Message frequency varies. Message and data rates may apply. Reply HELP for help or STOP to cancel. See Privacy Policy and SMS Terms.
A.2 Standard Marketing Opt-In — Canada (English)
[ ] I expressly consent to receive commercial electronic messages, including text messages, from Nexus Real Estate LLC and Canadian Benefits at the mobile number I provided, regarding real estate services, property opportunities, and related offerings. I understand that I may withdraw my consent at any time by replying STOP. Message and data rates may apply. See Privacy Policy and SMS Terms.
A.3 Standard Marketing Opt-In — Canada (French / Français)
[ ] Je consens expressément à recevoir des messages électroniques commerciaux, y compris des messages texte, de la part de Nexus Real Estate LLC et de Canadian Benefits au numéro de téléphone mobile que j'ai fourni, concernant les services immobiliers, les offres de propriétés et les services connexes. Je comprends que je peux retirer mon consentement à tout moment en répondant ARRÊT. Des frais de messagerie et de données peuvent s'appliquer. Consulter la Politique de confidentialité et les Conditions SMS.
A.4 Standard Marketing Opt-In — EEA and UK (English)
[ ] I consent to receive marketing text messages from Nexus Real Estate LLC regarding real estate services and related offerings at the mobile number I provided. I understand that I may withdraw my consent at any time, free of charge, by replying STOP, and that withdrawal will not affect the lawfulness of processing based on consent before its withdrawal. My personal data will be processed in accordance with the Privacy Notice, including information about international transfers, retention, my rights under GDPR, and my right to lodge a complaint with my national supervisory authority.
[ ] (Separate, optional) I consent to receive marketing text messages from named Nexus partner brands (The Jason Mitchell Group, Coldwell Banker) on the same basis.
A.5 Transactional/Informational Opt-In (Tenant or Client Portal) — All Jurisdictions
[ ] I agree to receive transactional text messages from Nexus Real Estate LLC regarding my account, property, tenancy, or transaction, including appointment reminders, maintenance updates, closing communications, and document notifications. Message and data rates may apply. Reply STOP to cancel.
A.6 Double Opt-In Confirmation Message
Nexus Real Estate: You signed up for property alerts & updates. Reply YES to confirm. Msg freq varies. Msg&data rates may apply. Reply HELP for help, STOP to cancel. nexusre.com/sms
A.7 HELP Reply
Nexus Real Estate: For help, contact support@nexusre.com or call (XXX) XXX-XXXX. Reply STOP to unsubscribe. Msg&data rates may apply.
A.8 STOP / Withdrawal Reply
You have been unsubscribed from Nexus Real Estate messaging and will receive no further messages. Reply START to re-subscribe.
Appendix B: Sample Consent Record Export
The following is a representative example of a single Consent Ledger record as exported in response to a regulator inquiry or litigation demand. Personally identifying fields are illustrative only.
Consent ID: c4f8e2a1-9b3d-4c7e-a1b2-8f9d0e1c2a3b
Consumer Name: Jane A. Consumer
Mobile Number (E.164): +442071234567
Telephone Country Code: +44 (United Kingdom)
Declared Country of Residence: United Kingdom
Inferred Jurisdiction: UK GDPR and PECR (operative); EEA GDPR (non-operative)
Email: jane.consumer@example.co.uk
Consent Timestamp (UTC): 2026-03-14T19:42:17Z
Consent Channel: Web form + SMS double opt-in
Legal Basis: UK GDPR Article 6(1)(a) consent; PECR Regulation 22 consent
Consent Scope: Marketing (Nexus); Separately, Marketing (named partners) — DECLINED
Controller Identity: Nexus Real Estate LLC
Form URL: https://nexusre.com/uk/buyers/intake
IP Address: 198.51.100.47
User Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) AppleWebKit/605 ...
Form Hash (SHA-256): a3f9...e21b (64-char hex)
Disclosure Text and Language: [Full English text as rendered at time of capture]
Double Opt-In Reply: YES received 2026-03-14T19:43:02Z from +442071234567
Sender Registration Reference: [UK-registered sender ID]
International Transfer Mechanism: UK International Data Transfer Addendum to EU SCCs, Module 1; transfer agreement ref NX-UK-2026-014
Retention Justification: Active consent; retention for limitation period post-withdrawal
Withdrawal Status: Active
Withdrawal Timestamp: N/A
Last Outbound Message: 2026-04-20T14:10:00Z
Appendix C: Regulatory and Industry Reference
United States — Federal
Telephone Consumer Protection Act. 47 U.S.C. § 227.
FCC TCPA Regulations. 47 C.F.R. § 64.1200.
CAN-SPAM Act. To the extent relevant to cross-channel communications.
Statute of Limitations. 28 U.S.C. § 1658 (four-year limitations period).
United States — Industry
CTIA Messaging Principles and Best Practices. Carrier-endorsed standards.
The Campaign Registry (TCR). 10DLC registration and requirements.
CTIA Short Code Monitoring Handbook. Short code compliance standards.
United States — State
Massachusetts. M.G.L. c. 159C (Telemarketing Solicitation) and c. 93A (Consumer Protection).
New Hampshire. RSA 359-E (Telemarketing).
District of Columbia. D.C. Code § 22-3226.01 et seq. (Telephone Consumer Solicitation Control Act).
Florida. Florida Telephone Solicitation Act, Fla. Stat. § 501.059.
Washington. Commercial Electronic Mail Act, RCW 19.190.
California. California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).
Canada — Federal
CASL. Canada's Anti-Spam Legislation, S.C. 2010, c. 23.
PIPEDA. Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.
CRTC Rules. Unsolicited Telecommunications Rules and National Do Not Call List.
Canada — Provincial
Alberta. Personal Information Protection Act (PIPA).
British Columbia. Personal Information Protection Act (PIPA).
Quebec. Act Respecting the Protection of Personal Information in the Private Sector, as amended by Law 25.
European Union and European Economic Area
GDPR. General Data Protection Regulation, Regulation (EU) 2016/679.
ePrivacy Directive. Directive 2002/58/EC, as amended by Directive 2009/136/EC, together with each member state's national implementing law.
EDPB Guidelines. European Data Protection Board Guidelines on Consent under Regulation 2016/679 (Guidelines 05/2020) and related guidelines on transparency and direct marketing.
United Kingdom
UK GDPR. Together with the Data Protection Act 2018.
PECR. Privacy and Electronic Communications (EC Directive) Regulations 2003.
ICO Guidance. Information Commissioner's Office guidance on direct marketing and electronic communications.
