Stop Choosing Between Answering Calls and Living Your Life

Privacy Policy

Last updated: 1 July 2026

Optiphone Pty Ltd (ABN 70 535 266 834) ("Optiphone", "we", "our", "us") is committed to protecting personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy explains how we collect, hold, use, and disclose personal information, and how you can contact us with a privacy request or complaint.

1. About This Policy

This Policy applies to personal information collected by Optiphone in connection with the Optiphone platform — a software-as-a-service product that provides AI voice assistant technology to Australian home service businesses.

There are two distinct groups of people whose personal information we handle:

  • Operators — businesses and individuals who subscribe to the Optiphone platform. Operators are Optiphone's direct customers and hold accounts on the platform.
  • Callers — members of the public who telephone an Operator's business number that is connected to the Optiphone AI voice assistant. Callers do not have an Optiphone account and do not interact with Optiphone directly.

Different sections of this Policy apply to each group. Please read the sections most relevant to you.

2. About Optiphone

Optiphone Pty Ltd provides an AI voice assistant platform for Australian home service businesses including plumbers, electricians, HVAC technicians, cleaners, and similar trades. The platform enables businesses to deploy AI voice assistants that handle inbound phone calls, view call logs, transcripts, recordings, and analytics, manage caller contacts through a built-in CRM, connect their calendar or scheduling tool so bookings can be made automatically, and manage their billing and subscription.

Company name: Optiphone Pty Ltd

ABN: 70 535 266 834

Registered address: 16 Toorak Park Avenue, Mermaid Waters QLD 4218, Australia

Privacy contact: [email protected]

3. AI Processing and Third-Party AI Providers

Optiphone does not build, train, or operate its own artificial-intelligence or machine-learning models. All AI functionality on the platform is provided by established third-party AI service providers under commercial agreements. We currently use the following AI providers:

  • ElevenLabs (United States) — the conversational AI voice assistant that answers and conducts inbound calls in real time, and produces the call transcript.
  • Google — Gemini API (United States) — post-call analysis: after a call ends, the transcript text is sent to Google's Gemini API to extract structured information (call reason, booking details, summary, messages) for the Operator's dashboard. Google does not receive the call audio.

Safeguards that apply to all AI processing:

  • We do not train, fine-tune, or improve any AI model using your personal information, voice recordings, transcripts, or calendar data.
  • Under the enterprise / API terms we hold with these providers, your data is not used to train their foundation models and is processed solely to provide the service to us.
  • Each AI provider is bound by a Data Processing Agreement — see Section 9 for locations and safeguards.

If we add or change an AI provider in a way that materially affects how your personal information is handled, we will update this Policy and notify Operators (see Section 16).

4. Information We Collect from Operators

When you sign up for and use the Optiphone platform as an Operator, we collect the following personal information:

Account information

  • Name and email address
  • Phone number
  • Business name and address
  • Account password (stored in hashed form — we never store or transmit plaintext passwords)

Billing information

  • Payment card details are collected and processed directly by Stripe. Optiphone does not store card numbers.
  • Billing address and transaction history

Platform configuration and usage data

  • AI assistant configuration settings, phone numbers, and call scripts
  • Dashboard usage and login history

Calendar and integration connections

If you choose to connect a third-party calendar or scheduling tool (Google Calendar, Microsoft Outlook / Microsoft 365, or ServiceM8), we collect and store:

  • an OAuth access token and refresh token that authorise Optiphone to access the connected calendar (stored encrypted — see Sections 7 and 10)
  • the identifier of the connected calendar and the connection's status / health

This connection is optional and is only created when you explicitly authorise it through the provider's own consent screen. See Section 7 for full detail.

We collect Operator information directly from you when you create an account, update your profile, connect an integration, or contact us for support.

5. Information We Collect from Callers

When a member of the public calls an Operator's business number connected to the Optiphone system, we collect the following on the Operator's behalf:

Call data

  • Caller's phone number (caller ID)
  • Full voice recording of the call
  • Automated transcript of the call
  • Call metadata: date, time, duration, and outcome classification

Caller-provided information

  • Name, address, email address
  • Service requirements and scheduling preferences
  • Any other personal information the caller volunteers during the call

AI-derived structured data

After each call, the transcript is analysed by AI to extract structured information for the Operator's dashboard. This includes:

  • Call reason and categorisation
  • Booking details and scheduling information
  • Messages for the Operator
  • Contact information updates and call summary

Callers are customers of our Operators, not of Optiphone directly. Optiphone collects and processes Caller data as a service provider to the Operator. Operators are responsible for their own privacy obligations to their callers — see Section 17 below.

6. Call Recording — Notice and Consent

Calls from new callers handled by the Optiphone AI system begin with a spoken disclosure informing the caller that:

  • The call is being answered by an AI voice assistant
  • The call is being recorded
  • The recording will be processed by AI systems, including systems hosted overseas

By continuing the call after this disclosure, callers consent to the recording and AI processing of their call. Callers may end the call at any time if they do not wish to proceed.

This notice complies with the Telecommunications (Interception and Access) Act 1979 (Cth) and applicable state and territory listening device laws, which require all parties to a call to be informed before recording begins.

Operators are required under our Terms of Service to preserve the AI assistant greeting that delivers this notice. Operators must not disable or materially alter it in a way that removes the recording disclosure.

7. Calendar and Business-Tool Integrations (Google, Microsoft, ServiceM8)

Operators may optionally connect a third-party calendar or field-service scheduling account so the Optiphone AI assistant can check real-time availability and create, update, or cancel bookings on the Operator's behalf. This feature is opt-in and is only enabled when the Operator explicitly authorises it through the provider's own OAuth consent screen. We request the minimum access required to deliver the booking feature.

What we access, per provider:

ProviderAuthorisationScope / permission requestedData accessed
Google CalendarGoogle OAuth 2.0https://www.googleapis.com/auth/calendar.events (read and write calendar events)Event times, titles, descriptions, and busy/free status on the connected calendar; the ability to create, update, or delete the specific events Optiphone books
Microsoft Outlook / Microsoft 365Microsoft Identity (OAuth 2.0) via Microsoft GraphCalendars.ReadWrite and offline_accessEvent times, titles, and busy/free status on the connected Outlook / Microsoft 365 calendar; the ability to create, update, or delete the events Optiphone books
ServiceM8ServiceM8 OAuth 2.0Job / booking scheduling access (read and write)Scheduled job bookings, booking times, and staff availability in the connected ServiceM8 account; the ability to create or update the bookings Optiphone makes

How we use this data. We use connected calendar data solely to (a) read the Operator's availability so the AI assistant can offer accurate booking times to callers, and (b) write confirmed bookings (which may include a caller's name and service details) back to the Operator's calendar or scheduling system. We do not access or use this data for any other purpose.

How we protect it. The OAuth access and refresh tokens that authorise this access are encrypted at rest using AES encryption; the encryption key is held in a secured secret store, isolated from the application database, and is never stored in our source code. All data exchanged with Google, Microsoft, and ServiceM8 is protected in transit with TLS (HTTPS). Stored calendar credentials and sync data reside in our Oceania-region database; the live phone-call path never reads stored calendar credentials — only background synchronisation processes use them. Access is limited to the connecting Operator and authorised Optiphone staff with a genuine operational need. See Section 10 for our full security controls.

We do not:

  • use Google, Microsoft, or ServiceM8 calendar data to develop, train, or improve any AI or machine-learning model
  • use this data for advertising, marketing, or profiling
  • sell this data, or transfer it to third parties other than the sub-processors listed in Section 9 strictly to operate the feature
  • retain this data beyond what is needed to provide the scheduling feature

Google API Services — Limited Use disclosure

Optiphone's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We request only the minimum Google Calendar scope needed to provide the booking feature, we do not use Google user data to serve advertisements, and we do not allow humans to read this data unless: (i) we have the Operator's affirmative agreement for specific messages or data; (ii) it is necessary for security purposes such as investigating abuse; (iii) it is required to comply with applicable law; or (iv) the data is aggregated and anonymised, and used to improve the reliability of the feature in accordance with applicable privacy and other laws.

Microsoft Graph. Our access to and use of data obtained through Microsoft Graph adheres to the Microsoft APIs Terms of Use and Microsoft's Data Protection Addendum, and is limited to providing the calendar booking feature described above.

ServiceM8. Our access to and use of data obtained through the ServiceM8 API adheres to the ServiceM8 API and developer terms, and is limited to providing the job / calendar booking feature described above. ServiceM8 uses AWS-based infrastructure and may store data in Australia or overseas — see Section 9 for data-location detail.

Disconnecting and revoking access. An Operator can disconnect a connected calendar at any time from their Optiphone dashboard, or revoke Optiphone's access directly with the provider — via Google Account permissions (myaccount.google.com/permissions), your Microsoft account app permissions, or ServiceM8's connected-apps settings. On disconnection we delete the stored OAuth tokens and stop all synchronisation with that provider. See Section 12 for retention.

8. How We Use Personal Information

For Operators, we use your information to:

  • Create and manage your account
  • Provide, maintain, and improve the Optiphone platform
  • Process subscription payments and send billing notices
  • Read your availability and write confirmed bookings to your connected calendar, where you have enabled a calendar integration (see Section 7)
  • Send service-related communications (platform alerts, receipts, product updates)
  • Respond to support requests
  • Comply with legal obligations

For Callers, we (on behalf of the Operator) use your information to:

  • Conduct and record the AI-assisted call
  • Generate a transcript of the call
  • Extract structured call data (reason, booking details, summary, messages)
  • Deliver the call record to the Operator via their dashboard
  • Create a booking on the Operator's connected calendar where a booking was made during the call
  • Maintain the Operator's CRM with your contact details

We do not use Caller voice recordings or transcripts to train AI models or to build biometric profiles. Voice and transcript data is used solely for call processing purposes as described above.

We will not use personal information for a secondary purpose unless that purpose is directly related to the primary purpose and you would reasonably expect it, or we have your consent.

9. Overseas Disclosure of Personal Information (APP 8)

To deliver the Optiphone platform, we disclose personal information to third-party service providers, some of whom operate infrastructure outside Australia. This section sets out who those recipients are, what data they receive, and the safeguards we rely upon.

Under APP 8.1 of the Privacy Act 1988 (Cth), before disclosing personal information to an overseas recipient, Optiphone must take reasonable steps to ensure that recipient will not handle the information in a way that contravenes the APPs. Our reasonable steps consist of contractual protections — specifically, each recipient's published Data Processing Addendum (DPA) or Cloud Data Processing Agreement, which incorporate GDPR-equivalent Standard Contractual Clauses or comparable protections. We maintain copies of each recipient's DPA and have reviewed their security and governance documentation.

Despite these safeguards, if an overseas recipient handles your information in breach of the APPs, Optiphone remains accountable under the Privacy Act.

Our subprocessors and the personal information they receive:

ServicePurposeData receivedLocation
ElevenLabsAI voice assistant — conducts inbound calls in real time; records the call audio and generates the call transcriptCaller voice audio, call transcriptUnited States
Google (Gemini API)Post-call analysis — receives the text transcript after the call ends and extracts structured data (call reason, booking details, summary, messages). Google does not receive call audio — transcript text only.Call transcript textUnited States
Google (Calendar API)Calendar sync — only for Operators who connect Google Calendar. Reads the Operator's availability and writes confirmed bookings to their calendar (see Section 7).Operator calendar event data; booking details (which may include a caller's name and service)United States
Microsoft (Microsoft Graph)Calendar sync — only for Operators who connect Outlook / Microsoft 365. Reads availability and writes confirmed bookings (see Section 7).Operator calendar event data; booking details (which may include a caller's name and service)United States / global Microsoft data centres
ServiceM8Job scheduling sync — only for Operators who connect ServiceM8. Reads staff availability and writes confirmed bookings (see Section 7).Staff availability; booking details (which may include a caller's name and service)Australia or overseas — ServiceM8 uses AWS-based infrastructure and may store data in multiple locations worldwide (see note below)
TwilioTelephony — routes inbound phone calls; handles SMS notificationsCaller phone number, call metadataAustralia (AU1 Sydney) for voice routing; United States for SMS
CloudflareApplication hosting, database storage (D1), and file/recording storage (R2)All platform dataOceania region (database and file storage are region-locked to Oceania)
StripePayment processing — Operator billing and subscription managementOperator billing detailsUnited States
SendGrid (Twilio)Transactional email — platform notifications, alerts, and receiptsOperator email address, notification contentUnited States
Meta Platforms, Inc. (Facebook)Advertising and conversion tracking — the Meta Pixel on our marketing website collects page view and event data to measure the effectiveness of our advertising campaigns and to enable retargeting on Facebook and Instagram. Only fires with your prior cookie consent.Marketing website visitors' page URL, browser/device metadata, IP address, and cookies (_fbp, _fbc)United States

ElevenLabs: ElevenLabs does not offer an Australian data residency option. Call audio and transcripts are processed on infrastructure in the United States. This is disclosed to callers in the AI assistant greeting at the start of calls from new callers. ElevenLabs' Data Processing Addendum (incorporated into their standard Terms of Service) includes GDPR-equivalent Standard Contractual Clauses. ElevenLabs' own retention of call audio is governed by their DPA — please refer to the ElevenLabs Trust Center for current details.

Google (Gemini API): Post-call transcript analysis is performed via the Google Gemini API under Google's Cloud Data Processing Addendum (CDPA). Under Google's enterprise terms, customer data is not used to train Google's foundation models, and processing is performed solely to provide the service. Only the call transcript text — not the audio recording — is sent to Google. Data minimisation principles apply: we send only the transcript content required for extraction, and do not send unnecessary personal identifiers.

Google (Calendar API), Microsoft (Graph), and ServiceM8: These recipients only receive data when an Operator has connected the corresponding calendar or scheduling account. Optiphone reads the Operator's own availability and writes back the bookings it makes; a booking event may include a caller's name and service details. Google Calendar data is handled under Google's Cloud Data Processing Addendum and the Google API Services User Data Policy (including Limited Use — see Section 7); Microsoft Graph data under the Microsoft APIs Terms of Use and Data Protection Addendum; ServiceM8 data under the ServiceM8 developer terms. OAuth credentials for all three are encrypted at rest (see Section 10).

ServiceM8 data location. ServiceM8 uses AWS-based infrastructure and may store account data in multiple locations worldwide, depending on ServiceM8's infrastructure and the user's region. Where an Operator connects ServiceM8, personal information may be collected, stored, and processed by ServiceM8 and its service providers in Australia and other countries, in accordance with ServiceM8's privacy policy and applicable law. We do not represent that ServiceM8 stores data solely within Australia.

10. Data Security and Protection Mechanisms

Optiphone applies layered technical and organisational security measures to protect all personal information, with heightened controls for sensitive data such as voice recordings and third-party calendar credentials.

Encryption in transit

All data transmitted between callers, Operators, Optiphone, and our sub-processors is encrypted using TLS (HTTPS). We do not transmit personal information over unencrypted channels.

Encryption at rest

Sensitive credentials — including the OAuth access and refresh tokens for connected calendars (Google, Microsoft, ServiceM8) — are encrypted at rest using AES encryption. The encryption key is stored in a dedicated secret store, isolated from the application database, and is never committed to source code or stored in plaintext configuration. Account passwords are stored only in salted, hashed form. Call recordings and platform data are stored in access-controlled, region-locked infrastructure.

Data residency

Our primary database and file / recording storage are region-locked to the Oceania region. Where a sub-processor operates overseas, the safeguards in Section 9 apply.

Access controls

Access to personal information is governed by role-based, least-privilege access controls. Operators can access only their own account, call, and calendar data. Optiphone staff access is restricted to personnel with a genuine operational need, is authenticated, and is limited to the minimum data required. The live call-handling path does not read stored calendar credentials; those are used only by background synchronisation processes.

Credential handling

API keys, client secrets, and encryption keys are stored as secured platform secrets, never in our codebase and never in plaintext. Third-party OAuth tokens are only ever stored in encrypted form as described above.

Monitoring and incident response

We maintain an internal incident-response process for identifying, containing, and assessing potential security incidents and data breaches, and we comply with the Notifiable Data Breaches scheme (see Section 14). No method of transmission or storage is completely secure; while we take reasonable steps to protect your information, we cannot guarantee absolute security.

11. Sensitive Information

The Privacy Act 1988 affords heightened protection to certain categories of information, and voice recordings may in some contexts constitute sensitive information.

Optiphone handles voice recordings and connected-calendar credentials with heightened care:

  • Voice recordings are used solely for the purpose of processing calls and generating transcripts and summaries for the Operator
  • We do not use voice recordings to build biometric profiles or to identify callers by voice characteristics
  • Voice recordings are not used for advertising, profiling, or sold to third parties
  • OAuth credentials for connected calendars are treated as sensitive and are encrypted at rest (see Section 10)
  • Access to recordings and calendar credentials is restricted to the relevant Operator and authorised Optiphone staff with a need to access them

12. Data Retention

We retain personal information for as long as necessary to provide our services and meet our legal obligations. Our retention periods are:

Data typeRetention period
Operator account dataDuration of account; deleted within 90 days of account closure on request
Call audio recordingsAutomatically and permanently deleted from file storage after 12 months
Call transcripts and call logsAutomatically hard-deleted from our database after 24 months
Connected-calendar OAuth tokens (Google / Microsoft / ServiceM8)Held only while the calendar is connected; deleted when the Operator disconnects the calendar, revokes access, or closes the account
Call diagnostic and activity logsAutomatically purged after 90 days
Session recordsDeleted on logout or session expiry — no fixed calendar retention period
CRM contact recordsUntil deleted by Operator, or on account closure
Billing records7 years (Australian tax law requirement)

The retention periods above are technically enforced by automated backend processes — they are not policy-only commitments. ElevenLabs may retain call audio on their own infrastructure for a separate period governed by their DPA; please refer to the ElevenLabs Trust Center for current details.

13. Access, Correction, and Complaints

Operators

You may access or correct your personal information at any time by logging in to your account or emailing [email protected]. You may also request deletion of your account and associated data, subject to our legal retention obligations.

Callers

Because Callers are customers of our Operators (not of Optiphone directly), Callers should first contact the Operator whose business they called to request access to, correction of, or deletion of their call records. If the Operator is unable to assist, or if you have a concern about how Optiphone has handled your information, please contact us at [email protected].

Privacy complaints

If you believe we have not handled your personal information in accordance with the APPs, please contact us first. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

14. Notifiable Data Breaches

Optiphone is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of a data breach that is likely to result in serious harm to affected individuals, we will:

  • Assess the breach as quickly as possible (within 30 days where possible)
  • Notify affected individuals with information about the breach and the steps they should take to protect themselves
  • Notify the OAIC

We maintain an internal incident response process for identifying, containing, and assessing potential data breaches (see Section 10).

15. Cookies

The Optiphone web dashboard and marketing website use the following categories of cookies.

Strictly necessary cookies

We use a session authentication cookie (such as optiphone_session) that is strictly necessary for you to remain logged in to the Optiphone platform. This cookie is HTTP-only, Secure, and SameSite — it cannot be read by JavaScript and is not transmitted in cross-site requests. It expires when you log out or your session times out. This is not an advertising or tracking cookie.

Marketing / advertising cookies (Meta Pixel)

Our marketing website uses the Meta Pixel (provided by Meta Platforms, Inc.) for advertising conversion tracking and retargeting. The Meta Pixel collects data about pages you visit and actions you take on our site and reports this to Meta for use in our advertising campaigns on Facebook and Instagram.

Cookies set by Meta Pixel:

  • _fbp — a first-party cookie set by the Meta Pixel to identify your browser across visits and track conversions.
  • _fbc — set when you arrive at our site via a Facebook ad link; stores your click identifier for attribution purposes.
  • Additional cookies may be set on facebook.com domains by Meta's own infrastructure.

Data shared with Meta: page URL, button clicks, PageView events, IP address, browser and device metadata, and hashed identifiers if event match is enabled. This data is transferred to Meta Platforms, Inc. in the United States — see Section 9 (Overseas Disclosure) above.

The Meta Pixel only activates after you give cookie consent. On your first visit to our marketing website, a consent banner will ask for your permission before the pixel fires. You can change your preference at any time via the link in our footer.

For further information on how Meta uses this data, see Meta's Privacy Policy. You can also opt out of Meta's use of your data for advertising at facebook.com/adpreferences or via the Network Advertising Initiative opt-out.

What we do not use

  • Browser fingerprinting or behavioural profiling technologies
  • Third-party analytics tools (e.g. Google Analytics)

Controlling cookies

You can change your cookie preferences at any time using the link in our footer, or by clearing cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in to the Optiphone dashboard.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify Operators by email or via an in-platform notice at least 30 days before the changes take effect. The "Last updated" date at the top of this page will always reflect when the most recent version was published. Continued use of the platform after changes take effect constitutes your acceptance of the updated Policy.

17. Operator Responsibilities to Callers

When Optiphone processes Caller personal information on behalf of an Operator, the Operator is responsible for their own obligations to their callers under the Privacy Act 1988 (Cth). This means Operators must:

  • Maintain their own privacy policy that discloses: (a) that calls may be handled by an AI voice assistant; (b) that calls are recorded and processed by AI systems, including third-party services located overseas (United States); and (c) how callers can request access to or deletion of their call records
  • Preserve the Optiphone AI assistant greeting that informs callers of recording and AI processing at the start of calls from new callers
  • Only use Caller data for legitimate business purposes related to the service enquiry that generated the call

Callers who wish to access, correct, or delete their call records should contact the Operator in the first instance. If the Operator cannot assist, callers may contact Optiphone at [email protected].

18. Contact Us

For any privacy-related questions, access requests, correction requests, or complaints, please contact our Privacy Officer:

Email: [email protected]

Mail: Optiphone Pty Ltd, 16 Toorak Park Avenue, Mermaid Waters QLD 4218, Australia

We aim to respond to all privacy enquiries within 5 business days.

19. For Operators: Caller Consent Notice Template

If you are an Optiphone Operator, you must include a disclosure in your own privacy policy informing your customers that calls may be handled by the Optiphone AI system. You may use or adapt the following template. Replace all items in [square brackets] with your own details before publishing.

Template — copy and adapt for your own privacy policy

AI Phone Assistant Disclosure

Calls to [Business Name] may be answered by an AI voice assistant provided by Optiphone (optiphone.ai). Calls are recorded and the recording is processed by AI systems, including third-party services located overseas (United States), to generate a transcript and summary of the call for our records.

By continuing a call, you consent to this recording and processing.

To request access to or deletion of your call records, please contact us at [business email address or phone number].

This template satisfies the disclosure requirement under Optiphone's Terms of Service. You should have this disclosure reviewed by your own legal adviser before publishing it, particularly if your business operates in a regulated industry.