Opt-in Tracking captures per-channel consent across WhatsApp, Email, SMS and Web Push with source attribution, timestamp, and the literal text the contact saw. Auto-honor opt-outs at send time. Export the audit log for DLT, GDPR, DPDP and CCPA reviews. Never accidentally message someone who said stop.
Most teams treat opt-in as a checkbox in their signup form and never think about it again. They store "subscribed = true" somewhere, the broadcast tool reads it, and as long as nothing breaks, life is fine. Then a customer who explicitly typed STOP in WhatsApp last month gets a Diwali promotion, posts a screenshot on Twitter, and the brand spends a week apologising. Or worse — Meta flags the WhatsApp Business account for repeated unsolicited messaging and the account is suspended for 24 hours during peak season.
The industrial-strength version of this problem is the regulatory audit. India's DPDP and TRAI DLT regimes require provable consent per channel per purpose. Europe's GDPR requires the same. When the regulator asks "show me proof that contact X consented to marketing WhatsApp on date Y", a CSV with "subscribed=true" does not cut it. They want the form snapshot, the timestamp, the IP, the literal consent text. Most CRMs cannot produce this and the legal team starts a six-figure remediation project.
Opt-in Tracking in SabNode is consent infrastructure, not a checkbox. Every consent capture records source, timestamp, IP, the exact consent text shown, and the channel scope. Every send checks current status before dispatch. Every opt-out triggers a re-confirm flow if the contact later re-engages. The audit log is regulator-ready by design.
A Contact has independent opt-in status for each channel — WhatsApp, Email, SMS, Web Push, Voice. Status is a four-state enum: subscribed (active, can be messaged for marketing), service-only (only transactional messages, common for WhatsApp 24-hour service window), opted-out (no messaging of any kind), unknown (no consent captured yet). The send pipeline checks current status before every outbound. A marketing template to an opted-out contact fails fast with a logged "consent block" event, never reaching the BSP.
Capture is multi-source. Web forms with a consent checkbox component record the IP, user agent, form ID, page URL, and the exact consent text shown. WhatsApp opt-in via interactive button (the customer clicks "Yes, subscribe me") records the message ID and timestamp. Imports support a consent-source column for backfilling historical permissions with attribution. API endpoints accept consent metadata on every write. Every capture path produces the same auditable artifact.
Updates are bidirectional. Outbound: a contact who replies STOP to a WhatsApp broadcast triggers an automatic opt-out across the channel, confirmation message, and DLQ block for any in-flight sends to that contact. Outbound email unsubscribe link does the same for email. Inbound: a contact who messages "subscribe" or clicks an explicit re-opt-in button gets status flipped back with a fresh attribution record. The preference center (a hosted page or embeddable widget) lets contacts manage their own consent across all channels with a single link, audited.
Compliance export is built in. The audit endpoint returns every consent state change for a contact, with full attribution, on demand. Bulk export for tenant-wide audits runs as a background job and produces a regulator-ready CSV or PDF with the timestamps, sources and consent text. For India, the DLT registration ID can be attached to each capture. For EU, lawful basis (consent, legitimate interest, contract) is selectable per capture. For California (CCPA), do-not-sell flags are first-class. The compliance team should never need to ask engineering for a query again.
Capabilities
WhatsApp, Email, SMS, Web Push, Voice each have independent status: subscribed, service-only, opted-out, unknown. Marketing sends require subscribed. Transactional (OTP, order updates) honors service-only. Opted-out blocks every send including transactional unless explicitly overridden with audit.
Every consent change captures source (web form ID + URL + IP, WhatsApp button ID, import job, manual edit, API call), timestamp, user agent, and the literal consent text the contact saw. Regulator-ready evidence by default, not as a bolt-on.
Every outbound checks current consent before dispatch. Blocked sends log a structured "consent block" event with the reason. No more "we accidentally sent to an opted-out list" — the platform makes it impossible to bypass.
Inbound STOP, UNSUBSCRIBE, OPT-OUT messages on WhatsApp trigger automatic opt-out, confirmation reply, and DLQ-block for in-flight sends. Email unsubscribe links do the same. Reply analysis configurable per language so Hindi and regional opt-out keywords work.
When an opted-out contact later sends an inbound message, the platform routes to a configurable re-engagement flow — typically asking explicit re-subscribe before treating them as marketable. Prevents the "they messaged us so they must want our newsletter" misinterpretation.
Hosted page (or embeddable widget) where contacts manage consent across all channels with one link. Includes purpose-level granularity ("marketing", "product updates", "billing reminders") when configured. Every change captures attribution like any other source.
On-demand audit export per contact or tenant-wide. CSV or PDF with attribution, timestamps, consent text and channel. India DLT registration ID, EU lawful basis, CCPA do-not-sell flags all first-class. Regulator-ready without engineering involvement.
Use cases
Web form has an explicit "I agree to receive WhatsApp marketing from Brand X" checkbox with the consent text. Submission records IP, page URL, exact text. Customer who later replies STOP gets opted out automatically with confirmation. Tenant-wide audit export pulled monthly for the legal team's compliance review.
Each WhatsApp template registered with TRAI DLT carries a registration ID. Capture path records the DLT ID alongside consent. Send pipeline blocks any send where the contact's consent does not match the DLT scope. Regulator audit pulls the export and verifies template-to-consent linkage instantly.
Student opts in to "exam updates" and "course offers" as separate purposes. Marketing broadcasts target only consenting purposes. Student can later opt out of offers but keep exam updates via the preference center. Granular consent improves long-term subscription retention.
Patient opt-out blocks marketing but preserves transactional appointment reminders via service-only status. Critical for clinics that want to respect "do not market to me" without missing safety-critical reminders. Audit log distinguishes the two so compliance can demonstrate the intentional design.
EU contacts captured with lawful basis = consent for marketing, contract for transactional. Right-to-erasure requests honored via the contact-delete flow that purges PII but preserves anonymised consent log for proof of compliance. Audit export structured to the EDPB recommended format.
How it works
Opt-in Tracking is included on every SabNode workspace. No separate billing, no extra setup, flip it on from your workspace settings.
Enable channels (WhatsApp, Email, SMS, Push). Optionally define purposes (marketing, product, billing) for granular consent. Set the default state for newly-created contacts (unknown by default, never subscribed).
Web form components, WhatsApp opt-in buttons, import flows, API endpoints — every source captures attribution automatically. Configure the consent text once and it propagates to all sources.
Send pipeline checks current status before dispatch. Blocks marketing to non-subscribed, blocks all to opted-out. Logged consent-block events surface in the audit feed and DLQ analytics.
STOP keyword detection per language flips status to opted-out, sends a confirmation, blocks in-flight sends. Re-engagement flow routes any future inbound through a re-confirm gate before treating the contact as marketable again.
Tenant-wide audit export on demand. Per-contact history queryable via UI and API. Regulator-ready CSV or PDF with all attribution. Compliance team self-serves without engineering tickets.
Connect directly with your existing stack or leverage the Platform Core tools to extend capabilities natively.
Enhance this feature with deep integrations into our core infrastructure. Connect via API, utilize webhooks, or embed directly using our SDKs.
Manage all settings seamlessly within the core UI.
Extend functionality with custom automated workflows.
Can't find what you're looking for? Talk to our team.
No credit card. No sales call required. Spin up a workspace, plug in a number, and your team is live in under an hour.