Marketing and Newsletter Consent Framework

Intent Platform
Greendev sp. z o.o.

Effective Date: January 27, 2026
Last Updated: January 27, 2026

1. Introduction and Purpose

This Marketing and Newsletter Consent Framework ("Framework") establishes the policies, procedures, and technical requirements for collecting, managing, and processing marketing consent for the Intent platform operated by Greendev spółka z ograniczoną odpowiedzialnością ("Company," "we," "us," or "our").

This Framework ensures compliance with applicable data protection and electronic marketing regulations, including:

• The General Data Protection Regulation (EU) 2016/679 ("GDPR")
• The ePrivacy Directive 2002/58/EC as amended
• The Polish Telecommunications Law (Prawo telekomunikacyjne)
• The CAN-SPAM Act (United States)
• The California Consumer Privacy Act as amended by the CPRA
• Other applicable national and state privacy laws

2. Legal Framework

2.1 GDPR Requirements (Article 7)

Under GDPR, consent for marketing communications must be:

• Freely given: Consent must not be bundled with acceptance of terms and conditions or made a condition of service. Users must have a genuine free choice.
• Specific: Consent must be obtained separately for each distinct processing purpose. Marketing consent must be separate from consent for other purposes.
• Informed: Users must be provided with clear information about the identity of the controller, the purposes of processing, the types of communications they will receive, and how to withdraw consent.
• Unambiguous: Consent must be given through a clear affirmative action. Pre-ticked boxes, silence, or inactivity do not constitute valid consent.

2.2 Polish Telecommunications Law

Under Polish law, electronic marketing communications require prior consent obtained through an opt-in mechanism. Poland does not recognize the "soft opt-in" exception available in some EU member states. Therefore, all marketing communications require explicit prior consent, including to existing customers.

2.3 ePrivacy Directive

The ePrivacy Directive requires prior consent for:

• Sending unsolicited electronic communications for direct marketing purposes
• Using cookies or similar tracking technologies for marketing or analytics purposes beyond what is strictly necessary for service provision

2.4 CAN-SPAM Act (United States)

The CAN-SPAM Act requires commercial email messages to:

• Contain accurate header information identifying the sender
• Use non-deceptive subject lines that accurately reflect message content
• Include a valid physical postal address
• Provide a clear and conspicuous opt-out mechanism
• Honor opt-out requests within ten (10) business days
• Identify the message as an advertisement where applicable

2.5 Gmail and Yahoo Bulk Sender Requirements (2024)

As of February 2024, bulk email senders (sending more than 5,000 messages per day) must implement one-click unsubscribe functionality using RFC 8058 List-Unsubscribe headers. This requirement applies regardless of geographic location and is enforced through email deliverability policies.

3. Consent Collection Mechanisms

3.1 Registration Flow

During account registration, marketing consent must be collected as follows:

• Marketing consent checkbox must be separate from Terms of Service acceptance.
• The checkbox must be unchecked by default (no pre-ticked boxes).
• Consent language must clearly identify: the Company as sender, the types of communications (newsletters, product updates, promotional offers), the approximate frequency, and the method to withdraw consent.
• Marketing consent must not be a condition of account creation or service access.

3.2 Newsletter Signup Forms

Standalone newsletter signup forms (not part of registration) must:

• Clearly identify the Company as the sender of communications.
• Describe the content and frequency of communications.
• Implement double opt-in (recommended): After form submission, send a confirmation email requiring the user to click a verification link to activate the subscription.
• The verification link should expire within 48 hours.
• Until verification is complete, no marketing emails should be sent.

3.3 In-App Consent Collection

If marketing consent is requested within the application (e.g., through modals or banners), the same standards apply: clear language, unchecked default state, and separation from functional consent.

4. Consent Logging Requirements

4.1 Required Data Points

For each consent record, the following information must be captured and stored:

4.2 Retention Period

Consent records must be retained for the duration of the consent plus a minimum of three (3) years after consent withdrawal to demonstrate compliance with regulatory requirements. Consent records constitute an immutable audit trail and must not be modified or deleted except as required by law.

5. Withdrawal Mechanisms

5.1 Unsubscribe Link in Emails

Every marketing email must contain a clearly visible unsubscribe link that:

• Is located in the email footer in a legible font size.
• Enables one-click unsubscribe without requiring login or additional steps.
• Processes the unsubscribe request immediately upon click.
• Displays a confirmation page acknowledging the unsubscribe.

5.2 RFC 8058 List-Unsubscribe Headers

All bulk marketing emails must include RFC 8058 compliant headers:

List-Unsubscribe: <mailto:unsubscribe@useintent.ai>, <https://useintent.ai/unsubscribe>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

5.3 Account Settings

Users with accounts may manage their marketing preferences through their account settings at useintent.ai/settings/communications. This interface must allow users to:

• View their current consent status
• Withdraw consent for specific or all marketing communications
• Update their preferences without requiring assistance from support

5.4 Direct Request

Users may withdraw consent by contacting matt@useintent.ai. Such requests must be processed within:

• Ten (10) business days for US recipients (CAN-SPAM requirement)
• Without undue delay, and in any event within one (1) month, for EU recipients (GDPR requirement)

5.5 Suppression List

Upon withdrawal of consent, the email address must be added to a suppression list. The suppression list:

• Must be maintained indefinitely
• Must be synchronized across all email sending systems
• Takes precedence over any other marketing list
• Must be checked before any marketing email is sent

6. Email Content Requirements

6.1 Required Elements

All marketing emails must include:

• Accurate sender identification: "From" field must accurately identify Greendev sp. z o.o. or Intent.
• Non-deceptive subject line: Subject must accurately reflect email content.
• Physical postal address: Głowackiego 3/5/1, 20-060 Lublin, Poland.
• Unsubscribe link: Clear, functional, one-click unsubscribe mechanism.
• Privacy Policy link: Link to useintent.ai/privacy.

6.2 Standard Email Footer

The following footer template should be used for all marketing emails:

You received this email because you subscribed to marketing communications from Intent. To unsubscribe, click here [UNSUBSCRIBE LINK]. Greendev sp. z o.o., Głowackiego 3/5/1, 20-060 Lublin, Poland. Privacy Policy: useintent.ai/privacy

6.3 Prohibited Content

Marketing emails must not contain:

• False or misleading header information
• Deceptive subject lines
• Content that exceeds the scope of the consent given
• Third-party promotions without clear disclosure
• Illegal, harmful, or offensive content

7. Analytics Consent

7.1 Session Recording (Smartlook)

If session recording tools such as Smartlook are used, separate consent may be required depending on the nature of data collected. Session recording consent should be:

• Separate from marketing consent
• Integrated with the cookie consent mechanism
• Clearly explained to users, including the purpose and data collected

7.2 Error Tracking (Sentry)

Error tracking through Sentry that collects only technical data necessary for service operation may be processed under the legitimate interest basis. However, if Sentry is configured to collect personal data beyond what is strictly necessary, consent may be required.

8. Compliance Monitoring and Audit

8.1 Quarterly Reviews

The following elements must be reviewed quarterly:

• Consent collection mechanisms functionality
• Unsubscribe processing accuracy and timing
• Suppression list integrity and synchronization
• Consent record completeness and accuracy
• Spam complaint rates (target: below 0.1%)

8.2 Annual Compliance Audit

An annual comprehensive audit must include:

• Full review of consent processes against current legal requirements
• Assessment of regulatory updates and necessary policy changes
• Verification of third-party vendor compliance
• Policy and procedure updates as needed

8.3 Incident Response

In case of compliance issues:

• Immediately suspend affected campaigns
• Conduct root cause analysis within 48 hours
• Implement corrective actions
• Document the incident and response for regulatory purposes

9. Third-Party Email Service Providers

9.1 Vendor Requirements

Any email service provider used for marketing communications must:

• Execute a Data Processing Agreement compliant with GDPR Article 28
• Support consent logging and management features
• Implement RFC 8058 one-click unsubscribe headers
• Maintain suppression list synchronization capabilities
• Provide audit and compliance reporting features

9.2 Data Processing Agreement

Data Processing Agreements with email marketing vendors must include:

• Processing only on documented instructions
• Confidentiality obligations for personnel
• Appropriate technical and organizational security measures
• Restrictions on sub-processor engagement
• Assistance with data subject rights requests
• Audit rights for the Company

10. Consent Form Templates

10.1 Registration Consent Checkbox

10.2 Double Opt-In Confirmation Email

Subject: Please confirm your Intent newsletter subscription

11. Contact Information

For questions about marketing communications or consent:

— END OF MARKETING CONSENT FRAMEWORK —