Data ethics acceptable use

By Ben Argeband, Founder & CEO of Heartbeat.ai — Concrete do/don’t examples; no moralizing.

Who this is for

This is for recruiters and recruiting ops leaders who need clear boundaries for outreach that protect deliverability, brand, and candidate relationships while keeping workflow speed. If you need something you can hand to leadership, compliance, or procurement, this is written to be operational and auditable.

One non-negotiable: you own compliance. Tools can help you execute, but they can’t own your policies, training, or decisions.

Quick Answer

Core Answer

Use contact data only for relevant recruiting outreach, with clear identity context, limited retention, an easy opt-out, and strict opt-out enforcement via a suppression list.

Key Insight

Ethical outreach is operational: provenance, relevance, frequency caps, and opt-out enforcement matter more than the channel you use.

Best For

Recruiters + ops wanting clear boundaries

Compliance & Safety

This method is for legitimate recruiting outreach only. Always respect candidate privacy, opt-out requests, and local data laws. Heartbeat does not provide medical advice or legal counsel.

Acceptable use in 6 rules (copy/paste)

• Be relevant: Only contact people who plausibly match the role (specialty/setting/location/seniority).
• Be transparent: Say who you are, why you’re reaching out, and what the next step is.
• Be restrained: Use frequency caps and stop rules; don’t pile on across channels.
• Make it easy to stop: Every message includes an easy opt-out.
• Honor opt-outs everywhere: Centralize and enforce via a suppression list across all tools and channels.
• No patient data: Recruiting outreach never uses or implies access to patient information.

Framework: The “Don’t be a creep” standard (practical examples)

I’ve watched teams lose weeks of productivity because they got flagged, blocked, or publicly called out. The “Don’t be a creep” standard is a fast filter before any outreach goes out the door:

• Respect: Treat the person like a professional, not a lead. No harassment, no pressure, no guilt trips.
• Relevance: Your message should make sense for their specialty, licensure, geography, and career stage.
• Transparency: Say who you are and why you’re reaching out.
• Control: Give a clear easy opt-out and honor it immediately across channels.
• Restraint: Frequency caps and quiet hours. If you wouldn’t want it done to you during personal time, don’t do it to them.
• Separation: Recruiting outreach is not patient outreach. No patient data, no clinical context, no insinuations.

What acceptable use is not

• Not permission to spam: volume doesn’t replace relevance.
• Not a reason to ignore gatekeepers or keep pushing after a “no.”
• Not patient outreach: don’t reference care events, cases, or anything that implies clinical surveillance.

Examples you can use in training:

• Acceptable: “Dr. Patel — I recruit hospitalists in the Midwest. Are you open to hearing about a 7-on/7-off role in Dayton? If not, reply ‘no’ and I’ll stop.”
• Not acceptable: “I saw you treated a patient at X hospital…”
• Acceptable: One follow-up after no response, then stop or switch to a lower-friction channel with a single touch.
• Not acceptable: Calling, texting, emailing, and messaging the same day with escalating language.

Do / Don’t (fast reference)

• Do lead with relevance: role + location + why them. Don’t send generic blasts that force the candidate to guess why you contacted them.
• Do identify yourself and your organization. Don’t use deceptive subject lines or fake familiarity.
• Do include an easy opt-out in every channel you use. Don’t bury opt-out language or make people jump through hoops.
• Do treat any “stop/remove/unsubscribe” as an opt-out and enforce it via a suppression list. Don’t rely on individual recruiters to remember.
• Do set frequency caps and stop rules per role. Don’t multi-channel pile-on within 24–48 hours.
• Do keep content strictly recruiting-related. Don’t reference patient care, cases, or anything that implies you’re tracking clinical activity.

Step-by-step method

Step 1: Write a one-page acceptable-use SOP your team will actually follow

Keep it short and enforceable. Your SOP should answer:

• Purpose: “We use contact data to communicate about employment opportunities and career conversations.”
• In-scope audience: Who you recruit and what “relevant” means for your org.
• Channels allowed: Email, phone, SMS, voicemail, professional social (if used), and who can use each.
• Frequency caps: Max attempts per person per role and quiet hours.
• Stop rules: When to stop after no response, and when to stop immediately (any opt-out, any negative response).
• Opt-out enforcement: How opt-outs are captured and applied via a suppression list.

Stop rules examples (use in training)

• Immediate stop: Any opt-out language (“stop,” “remove,” “unsubscribe,” “don’t contact”).
• Immediate stop: Any explicit negative response (“not interested,” “do not call/text/email”).
• Stop and correct: Wrong person/wrong specialty/wrong location (fix targeting; don’t keep trying).
• Stop and route: Gatekeeper requests a different channel or contact point (follow that instruction once, then stop if declined).
• Stop after cap: No response after your defined attempt cap for that role.

Step 2: Separate identity sources from contact channels (provenance)

Procurement and compliance teams don’t just want “where did you get the data?” They want structure: what establishes identity, what enables contact, and what transformations you apply.

Procurement-friendly provenance one-pager (outline):

• Identity sources: What you use to establish professional identity (name, specialty, license/NPI context).
• Contact channels: Email/phone/SMS endpoints used for outreach (acknowledge these decay).
• Transformations you apply: verification, refresh, deduping, and suppression enforcement (describe at a high level).
• Refresh reality: How often you re-check contactability and remove bad endpoints.
• Suppression governance: Where the suppression list lives, who owns it, and how it propagates to tools.
• Audit artifacts: What you can show (opt-out logs, campaign settings, template versions).

This is the clean way to answer due diligence questions without exposing sensitive sourcing details.

What to say if asked “Where did you get my info?”

Keep it simple and factual. Don’t argue. Don’t overshare. Use your provenance structure:

• Identity context: “We recruit in [specialty/region] and use professional registries to confirm identity and credentials.”
• Contact channel: “We use business contact channels to reach out about roles.”
• Control: “If you’d like, I can remove you from outreach. Just reply ‘stop’ and I’ll add you to our suppression list.”

Step 3: Build opt-out and suppression into the workflow (not as an afterthought)

Opt-out is a system, not a promise. Your operating rules should include:

• Every outbound email includes an easy opt-out instruction.
• Every SMS includes a clear stop instruction (and you honor it).
• Any opt-out request updates your suppression list and is applied across all sequences and tools.
• Ops audits suppression enforcement weekly (spot checks across campaigns).

If you need the mechanics and failure modes, use: suppression lists and opt-out management for recruiting ops.

Step 4: Set channel rules that protect deliverability and reputation

• Email: Use role-relevant messaging, avoid deceptive subject lines, and stop after a small number of attempts.
• Phone: Call during reasonable local hours; leave a short voicemail once; don’t hammer the same number.
• SMS: Use sparingly and only when your organization’s policy supports it; include stop language; don’t send long multi-part texts.

The trade-off is… you can increase short-term touches by being aggressive, but you’ll pay for it in blocks, complaints, and brand damage that slows hiring.

Step 5: Define and track the metrics that show you’re staying within bounds

You don’t manage ethics with vibes. You manage it with controls and audits. Track a small set of metrics that indicate whether your outreach is respectful and effective.

Canonical metric definitions (use these consistently):

• Connect Rate = connected calls / total dials (e.g., per 100 dials).
• Answer Rate = human answers / connected calls (e.g., per 100 connected calls).
• Deliverability Rate = delivered emails / sent emails (e.g., per 100 sent emails).
• Bounce Rate = bounced emails / sent emails (e.g., per 100 sent emails).
• Reply Rate = replies / delivered emails (e.g., per 100 delivered emails).

Diagnostic Table:

Use this to diagnose whether your outreach program is operating inside acceptable use.

Visual note: Sources table visual note: Source → What it provides → What it doesn’t → Update reality → Recruiter use.

Weighted Checklist:

Score each campaign before launch. If you score under 80, fix it before you hit send.

• (25 points) Relevance is explicit: specialty/role + location + why them.
• (20 points) Opt-out is clear and simple (email + SMS where applicable) and routes into a centralized suppression list.
• (15 points) Frequency caps are set (per person, per role) and enforced in tooling.
• (10 points) Provenance one-pager exists (identity sources vs contact channels vs transformations).
• (10 points) No sensitive content: no patient data, no clinical event references, no insinuations.
• (10 points) Sender transparency: real name, company, and a direct reply path.
• (10 points) Metrics plan exists (deliverability, bounce, reply, connect, answer) with thresholds and stop rules.

Outreach Templates:

These are intentionally plain. They are designed to be respectful, relevant, and easy to stop. Replace bracketed fields and keep your frequency cap consistent with your SOP.

Email template (initial)

Subject: Quick question about your next role

Hi Dr. [Last Name] — I’m [Name], a recruiter with [Org]. I’m reaching out because we’re hiring a [Role/Specialty] in [City/Region] and your background in [relevant signal] looks aligned.

Are you open to a 5-minute call this week to see if it’s worth a longer conversation? If not, reply “no” and I’ll stop reaching out.

Follow-up rule: If I don’t hear back, I’ll only follow up up to [YOUR CAP] times for this role.

— [Name], [Title], [Org] | [Phone] | [Email]

SMS template (only if your policy supports it)

Hi Dr. [Last Name] — [Name] recruiting for [Org]. Are you open to hearing about a [Role] in [Location]? Reply STOP to opt out.

Follow-up rule: If no response, I’ll stop after [YOUR CAP] attempts for this role.

Voicemail template

Hi Dr. [Last Name], this is [Name] with [Org]. I’m calling about a [Role] opportunity in [Location]. If you’re open to a quick chat, call me back at [Number]. If not interested, no problem.

Common pitfalls

• Assuming a list equals permission. Buying static lists is risky because contact data decays. The modern standard is Access + Refresh + Verification + Suppression.
• Opt-out that doesn’t actually stop outreach. If someone opts out and still gets contacted, you created the worst outcome: you proved you can’t be trusted.
• Over-contacting across channels. Multi-channel is fine; pile-on is not. Set caps and stop rules.
• Using sensitive context. Even if you think you “saw it publicly,” don’t reference patient care, cases, or anything that implies you’re tracking clinical activity.
• Confusing identity with contactability. A stable identifier (like a professional registry record) doesn’t mean the email/phone you found is current or appropriate for outreach.
• Policy without enforcement. If ops can’t audit it, it’s not a policy, it’s a hope.

How to improve results

Ethical outreach should also perform. If it doesn’t, teams tend to compensate with volume and pressure. Improve performance by tightening relevance and improving channel hygiene, not by escalating persistence.

1) Improve targeting before you improve copy

Make sure each outreach list has a clear inclusion rule (specialty, geography, setting, seniority). If you can’t explain why a person is on the list in one sentence, your recruiters will compensate with volume.

2) Reduce wasted touches with verification and ranking

When you reduce wrong numbers and dead inboxes, you reduce the temptation to over-contact. Heartbeat.ai supports workflows that include ranked mobile numbers by answer probability so recruiters can start with the most connectable path instead of brute force.

3) Measurement instructions (weekly ops routine)

Measure this by… running a weekly outreach health review across your last 7 days of activity:

• Email: Deliverability Rate (delivered emails / sent emails, per 100 sent), Bounce Rate (bounced emails / sent emails, per 100 sent), Reply Rate (replies / delivered emails, per 100 delivered). Track by campaign and by sender domain.
• Phone: Connect Rate (connected calls / total dials, per 100 dials) and Answer Rate (human answers / connected calls, per 100 connected). Track by time-of-day and by list category.
• Opt-out enforcement: Count opt-out requests and confirm they are present in the centralized suppression list within the same business day. Spot-check opted-out records against active sequences and dialer queues.
• Complaint signals: Track spam complaints, negative replies, and “stop contacting me” messages. Any spike triggers a template and targeting review.

4) Tighten your stop rules

Define a maximum number of attempts per person per role, and a cool-down period before any future outreach. This protects your brand and keeps your team focused on reachable, relevant candidates.

Legal and ethical use

This page is about acceptable use boundaries and operational controls; consult your counsel for jurisdiction-specific requirements. If you want a broader overview of recruiting compliance topics and internal controls, start here: recruiting compliance resources.

Your obligations depend on jurisdiction, channel, and your organization’s policies. At a minimum, build your program to respect:

• TCPA: Especially relevant for calling/texting practices and consent requirements. Treat SMS as higher-risk than email and govern it accordingly.
• CAN-SPAM: Use accurate sender information, avoid deceptive subject lines, and provide a clear opt-out mechanism for commercial email.
• Opt-out: If someone opts out in any channel, honor it across channels using a centralized suppression list.
• No patient data: Recruiting outreach should never involve patient information or imply access to it.

For clarity on what we do and don’t handle, see: Not HIPAA: no patient data.

Evidence and trust notes

When we reference professional identity context, we anchor to authoritative registries and licensing bodies. These sources help establish identity and credentials; they do not guarantee contactability.

• NPPES NPI Registry (identity and NPI context)
• CMS: National Provider Identifier (NPI) overview
• Federation of State Medical Boards (FSMB) (licensure context)

Channel rules are governed by laws and guidance that vary by jurisdiction and use case. If you need primary references, start with official sources:

• FTC: CAN-SPAM Act compliance guide
• FCC: Telemarketing and robocalls (TCPA-related overview)

How Heartbeat evaluates and communicates trust: Trust methodology.

FAQs

What does acceptable use mean for recruiting contact data?

It means you use contact data for relevant recruiting outreach with transparency, reasonable frequency, and a clear opt-out, and you enforce opt-outs through a centralized suppression process.

What counts as an opt-out?

Any message that reasonably indicates “stop” (for example: “remove me,” “don’t contact,” “unsubscribe,” “STOP”). Treat it as immediate and apply it across channels via your suppression list.

Can I contact clinicians by text?

SMS can be higher-risk than email. If your organization allows it, keep it minimal, identify yourself, include STOP language, and honor opt-outs immediately. Align your process with policies reviewed for TCPA considerations.

How fast should opt-outs be applied?

Operationally, same business day is the standard you should enforce so you don’t re-contact someone who already told you to stop. Make it automatic via a centralized suppression list, not dependent on individual recruiters.

Is it acceptable to call a clinician’s workplace line?

It can be acceptable when the outreach is relevant and respectful, and you follow your stop rules. Expect gatekeepers, keep the message short, and don’t keep calling if you’re told to stop or route elsewhere. If the clinician opts out (directly or through their office), capture it and enforce it via your suppression list.

What should I say if a candidate asks where I got their information?

Keep it factual and brief: you recruit in their specialty/region, you use professional identity context to confirm you’re contacting the right person, and you use business contact channels for outreach. Offer an easy opt-out and enforce it via your suppression list.

How do I keep outreach ethical without killing speed?

Make relevance and suppression automatic: tight targeting rules, short templates, frequency caps, and centralized opt-out enforcement. That reduces wasted touches and keeps recruiters focused on reachable candidates.

Next steps

• Operationalize opt-outs: implement (or fix) your suppression list and opt-out management workflow.
• Standardize templates and guardrails: pull from recruiting templates and scripts and enforce relevance + stop rules.
• Document trust: align your internal policy with the Heartbeat trust methodology so ops can audit it.
• If you want to implement verification, refresh, and suppression in one workflow, create a Heartbeat account.

About the Author

Ben Argeband is the Founder and CEO of Swordfish.ai and Heartbeat.ai. With deep expertise in data and SaaS, he has built two successful platforms trusted by over 50,000 sales and recruitment professionals. Ben’s mission is to help teams find direct contact information for hard-to-reach professionals and decision-makers, providing the shortest route to their next win. Connect with Ben on LinkedIn.