Opt-in builder // free tool

ICO-aligned WhatsApp opt-in copy + embeddable form.
Free. No signup.

The ICO and Meta both require explicit opt-in for WhatsApp marketing. Most clinics and agencies are silently in breach. This generator produces UK GDPR + PECR aligned opt-in copy, an embeddable form snippet, and a consent record CSV format you can audit against.

  • ICO-aligned opt-in language by sector.
  • Embeddable HTML form snippet.
  • Consent record CSV format you can audit.
  • Multi-language ready (English + Welsh).
01 // Run it
Opt-in copy
Use on forms, terms pages, in-person check-in screens
I want to receive appointment reminders, treatment aftercare, and offers from Mayfair Aesthetics AND receive marketing messages from Mayfair Aesthetics about offers and new services on WhatsApp.

I understand that:
- Mayfair Aesthetics Ltd is the data controller for my WhatsApp contact details.
- My phone number will be used only for the purpose I have ticked above.
- I can withdraw consent at any time by replying STOP, by emailing [email protected], or by adjusting preferences in my account.
- WhatsApp Inc. (a Meta subsidiary) is the technical provider and will process the messages on Meta's infrastructure.
- For full details on how my data is used, retained, and shared, see the privacy policy: https://mayfairaesthetics.co.uk/privacy-policy.

Country and date of consent are logged with this submission.
This service accepts UK and EEA residents only.
Embeddable HTML form
Drop into your website or booking page
<form action="/api/opt-in" method="post" class="optin-form">
  <fieldset>
    <legend>WhatsApp opt-in</legend>
    <p>I want to receive appointment / order messages and marketing offers from <strong>Mayfair Aesthetics</strong> on WhatsApp.</p>
    <label>
      <input type="text" name="phone" placeholder="+44..." required pattern="^\+[0-9]{8,15}$" />
      Phone number including country code
    </label>
    <label>
      <input type="checkbox" name="consent_transactional" required />
      Yes, send me appointment reminders, treatment aftercare, and offers from Mayfair Aesthetics on WhatsApp.
    </label>
    <label>
      <!-- Not required: marketing consent must be optional to be freely given -->
      <input type="checkbox" name="consent_marketing" />
      Yes, send me marketing offers from Mayfair Aesthetics on WhatsApp.
    </label>
    <label>
      <input type="checkbox" name="consent_privacy" required />
      I have read the <a href="https://mayfairaesthetics.co.uk/privacy-policy" target="_blank" rel="noopener noreferrer">privacy policy</a> and agree to my data being processed as described.
    </label>
    <button type="submit">Opt in</button>
    <p class="legal">
      You can withdraw consent any time by replying STOP. Data controller: Mayfair Aesthetics Ltd.
    </p>
  </fieldset>
</form>
Consent record CSV format
Log every submission in this shape for ICO audit defence
submission_id,phone_e164,business,consent_transactional,consent_marketing,consent_privacy,timestamp_utc,ip_hash,user_agent,source_url
x3lfeg3t,+447700900123,Mayfair Aesthetics,true,true,true,2026-06-11T00:27:25.961Z,sha256:abc...,Mozilla/5.0,https://yourdomain.co.uk/book
02 // What the number means

What "consent" actually means under UK GDPR + PECR

The Information Commissioner's Office is unambiguous: marketing consent must be specific (one purpose at a time), informed (the customer must know what they are agreeing to and who is processing their data), freely given (no pre-ticked boxes, no "agree or lose service"), unambiguous (one positive action), and revocable (the customer can withdraw at any time).

The generated opt-in copy above maps each of these requirements to a sentence. The HTML form implements them as separate checkboxes (no bundled consent), with the privacy policy linked and the data controller named.

What goes wrong without express consent

  • ICO complaint: A single customer report can trigger an ICO investigation. Penalties under PECR run from formal warnings up to £500,000.
  • Meta block: A high block rate on a number triggers a Yellow then Red quality rating and a template-send block. Hard to recover.
  • BSP suspension: Resellers like Twilio, Wati, and Respond.io will suspend an account that receives multiple opt-in complaints, sometimes without notice.
  • Reputational damage: Operators who get reported to Trustpilot or trade press for unsolicited WhatsApp marketing rarely recover the brand cleanly.

The consent record is the defence

If a customer ever files an ICO complaint, your defence is the consent record. The CSV format above captures everything needed: submission ID, E.164 phone, business identity, separate flags for transactional and marketing consent, the privacy policy acknowledgement flag, timestamp, IP hash for proof of submission, user agent for fraud defence, and the source URL.

Retain consent records for six years (the conservative ICO benchmark for direct marketing) and back them up off-site. NuvenarHub stores consent records automatically and includes a GDPR deletion workflow for erasure requests.
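
The sketch below is an added example, not NuvenarHub's code: a server-side builder for one row in the CSV shape above that re-checks the form fields instead of trusting the browser's required and pattern attributes. The function names, the HMAC key used for ip_hash (the sample row shows only a sha256: prefix) and the quoting of spreadsheet formula characters in user_agent and source_url are assumptions.

```python
import csv, hashlib, hmac, io, re, secrets
from datetime import datetime, timezone

E164 = re.compile(r"\+[0-9]{8,15}")  # same rule as the form's pattern attribute
FIELDS = ["submission_id", "phone_e164", "business", "consent_transactional",
          "consent_marketing", "consent_privacy", "timestamp_utc", "ip_hash",
          "user_agent", "source_url"]

def safe_cell(value):
    """Stop client-controlled text being run as a formula when the CSV is opened."""
    value = value.replace("\r", " ").replace("\n", " ")[:512]
    return "'" + value if value[:1] in ("=", "+", "-", "@", "\t") else value

def build_record(form, ip, user_agent, source_url, business, ip_key, now=None):
    """Re-validate a POSTed opt-in; an unticked checkbox is absent from `form`."""
    phone = form.get("phone", "").strip()
    if not E164.fullmatch(phone):
        raise ValueError("phone is not E.164")
    if "consent_privacy" not in form:
        raise ValueError("privacy policy not acknowledged")
    flags = {k: k in form for k in ("consent_transactional", "consent_marketing")}
    if not any(flags.values()):
        raise ValueError("no purpose ticked")
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    # Assumption: keyed hash, since unkeyed SHA-256 of an IPv4 address can be enumerated.
    digest = hmac.new(ip_key, ip.encode(), hashlib.sha256).hexdigest()
    return {
        "submission_id": secrets.token_hex(8),
        "phone_e164": phone,
        "business": business,
        "consent_transactional": str(flags["consent_transactional"]).lower(),
        "consent_marketing": str(flags["consent_marketing"]).lower(),
        "consent_privacy": "true",
        "timestamp_utc": now.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
        "ip_hash": "hmac-sha256:" + digest,
        "user_agent": safe_cell(user_agent),
        "source_url": safe_cell(source_url),
    }

def to_csv_line(record):
    buf = io.StringIO()
    csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n").writerow(record)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed submission: marketing box left unticked, hostile User-Agent.
    form = {"phone": "+447700900123", "consent_transactional": "on", "consent_privacy": "on"}
    print(to_csv_line(build_record(form, "203.0.113.7", '=HYPERLINK("x")',
          "https://yourdomain.co.uk/book", "Mayfair Aesthetics", secrets.token_bytes(32))), end="")
```

Keep the HMAC key outside the consent log and its backups, so that a leaked CSV alone cannot be matched back to IP addresses.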

03 // FAQ

Is this legally compliant?

It is aligned with UK GDPR and PECR requirements for express opt-in consent: specific purpose, informed, freely given, unambiguous, revocable. The copy is a strong starting point. For commercially sensitive or regulated-sector messaging, have a UK data protection solicitor review the final consent flow before going live.

Why do I need consent for transactional messages?

Strictly speaking, you do not. Transactional WhatsApp messages (order confirmations, appointment reminders) fall under legitimate interest and do not require explicit consent. We include the option because most operators want a clean consent record across both types to simplify audit defence.

What is the difference between Meta's opt-in and the ICO's opt-in?

Meta requires you to have collected opt-in via 'a reasonable mechanism' before sending Marketing messages. The ICO is stricter: explicit, specific, informed, unambiguous, freely given. Following the ICO standard automatically satisfies Meta. Following only Meta's standard can put you in breach of UK PECR.

Should I store the consent record?

Yes. The CSV format includes a submission ID, the E.164-formatted phone number, the business identity, separate consent flags for transactional and marketing, the privacy policy acknowledgement flag, a UTC timestamp, an IP hash (not raw IP, for data minimisation), the user agent string, and the source URL of the form. Six years retention is the conservative ICO benchmark.

What if a customer asks me to delete their data?

Under UK GDPR Art. 17, customers have the right to erasure. You must delete the WhatsApp message history, contact record, and consent log entry within 30 days of request. NuvenarHub has a single-click GDPR deletion workflow that handles this end-to-end.

Can I send a 'first contact' WhatsApp without opt-in?

No. Meta blocks template messages to numbers without an opt-in trail, and the ICO classifies it as unsolicited direct marketing under PECR. The only exception is a customer-initiated message (they message you first), which opens a 24-hour service window.

Get audit-ready consent management with the rest of the stack.

NuvenarHub Blast: ICO-aligned opt-in flows, automatic consent record storage, GDPR deletion workflow, opt-out handling, audit trail export. From £99/mo + VAT.
