Privacy Policy.
How Office Voice handles the call recordings, transcripts, and customer data it touches on your behalf — what we collect, what we do with it, where it lives, and how to get it deleted.
Effective: 21 May 2026
Who we are
Office Voice is an AI voice product for Australian trades and service businesses, operated from Australia by Four Mile Pty Ltd as trustee for the Four Mile Trust (ABN 48 949 885 135), trading as Office Voice. It integrates with field service management platforms — ServiceM8 first — to answer inbound calls, make outbound calls, and write the results back to your job records.
For privacy requests, questions, or complaints, email privacy@office-voice.com. We acknowledge requests within 2 business days and complete them within 30 days unless the request is unusually broad.
Two parties, two roles
Office Voice processes two kinds of personal information, and the legal relationship is different for each:
- Your account data (you, the tradie or business owner who signed up) — Office Voice is the data controller. This policy governs that information directly.
- Your customers' data (the people who ring your number, or whom we ring on your behalf) — the business that signed up is the data controller; Office Voice is the data processor. You decide what we do with their data, within the limits described here. You are responsible for your own privacy policy covering their information; we provide a template to help.
What we collect
From you, the account holder:
- Name, email, mobile number, business name, ABN.
- Billing information (handled by our payment provider; we store only the last four digits and the customer ID).
- Voice and persona settings, vocabulary, knowledge base, and business-hours configuration you supply.
- ServiceM8 OAuth tokens for the account you connect, stored encrypted at rest.
About calls Office Voice handles on your behalf:
- Audio recordings of inbound and outbound calls. Recording is disclosed in the call opener; if a customer declines, the call continues without recording or ends, per your tenant configuration.
- Transcripts derived from those recordings, including the AI's tool calls and decisions.
- Customer identifying information mirrored from ServiceM8 — phone, name, address, email, job history, quotes, invoices — to give the AI context before it speaks.
- SMS threads sent via the ServiceM8 SMS pipeline or our Twilio numbers in the course of an AI conversation.
- Conversation outcomes and quality flags generated by our post-call review (booked / escalated / message-taken; sentiment; detected issues).
- Audit logs of every AI decision affecting a customer — the prompt version, the tool calls, the inputs — retained for compliance with the December 2026 automated decision-making rules under the Privacy Act.
Operational data: standard application logs, error traces, and analytics about how the product is used. These are scrubbed of customer phone numbers, names, and addresses before they reach our logging pipeline.
How we use it
To run the calls themselves: the recording, transcript, and ServiceM8-mirrored context are composed into the prompt the AI sees on each turn so it can speak to the right customer about the right job. Customer context is fetched before the AI's first substantive turn and held in memory for the duration of the call.
To review quality after the call: every completed conversation runs through an automated review pass that scores adherence to your persona, flags likely issues (missed cues, awkward timing, mispronunciations), and records the business outcome. This runs on 100% of calls, not a sample.
To improve the product over time: when you or we promote a real call to the evaluation set, the transcript is anonymised — customer phone, name, address, and other identifying details are stripped or replaced with stand-in values — and used as a labelled training case for future prompt regression testing. Raw audio is never used for training.
To meet compliance obligations: audit logs, consent records, and DNCR checks exist because Australian telecommunications and privacy law requires them. We cannot delete those records on request — they are kept for the retention period the law specifies — but we can tell you exactly what is in them.
What we do not do: we do not sell personal information; we do not share it with advertisers; we do not use one customer's data to improve another customer's AI. Your tenant's data trains your tenant.
Where it lives, and how it's protected
Database, transcripts, and audit logs. Conversation transcripts, conversation outcomes, audit log entries, and tenant configuration are stored in our managed Postgres database (Supabase). Database backups are encrypted.
Call audio recordings. Raw call audio is hosted by our voice sub-processor (Vapi, US-hosted), under their storage and lifecycle terms. We persist the recording URL on your dashboard; the audio bytes themselves live with Vapi. We are migrating call audio to a customer-controlled archive on a published roadmap — until that ships, retention is provider-managed and deletion on request is honoured within 30 days of receipt (see Retention below).
Encryption. Data is encrypted in transit (TLS 1.2+) between us, our sub-processors, and your dashboard. Database storage and backups are encrypted at rest. Vapi's published security posture covers encryption of recording storage on their side.
Access: production access is limited to named engineers under multi-factor authentication. Access is logged. Customer audio is only opened in response to a support request, an incident, or a quality-review task you explicitly initiate.
Cross-border transfers
The AI conversation itself routes call audio and text through sub-processors in the United States and (depending on the voice model) the European Union. By signing up you authorise this transfer; it is unavoidable for the product to work, because the speech recognition, language models, and text-to-speech voices we rely on are hosted by our sub-processors in those regions.
We have a Data Processing Agreement with each sub-processor. Their privacy and DPA pages are linked under Sub-processors below. None of them use Office Voice traffic to train their own foundation models — we run on zero-retention or opt-out-of-training configurations where the provider offers one.
Retention
Default retention periods:
- Raw call audio — up to 12 months, subject to our voice sub-processor's (Vapi) storage lifecycle. We do not currently operate a customer-side archive of recordings; the audio bytes live with Vapi. We will delete a specific recording on request within 30 days of receipt (see Deletion requests below).
- Transcripts and conversation outcomes — kept for the life of the tenant account, then 90 days after account closure, then deleted.
- Anonymised evaluation-set cases derived from real calls — retained as long as they remain useful for regression testing. Customer-identifying details are removed before promotion.
- Audit logs, consent records, DNCR check results — retained for 7 years to meet legal recordkeeping obligations under Australian telecommunications law.
- Account and billing records — retained for 7 years after account closure for tax and accounting obligations.
You can ask us to shorten any of the above durations for your tenant, except where the law specifies a minimum.
Deletion requests (APP 13)
Under Australian Privacy Principle 13, a customer can ask for their personal information to be corrected; under your tenant's own commitments to them, they may also ask for deletion. The deletion path:
- The request reaches us, either forwarded by you to privacy@office-voice.com or filed via Dashboard → Privacy → Deletion requests.
- We confirm the customer's identity through you (we will not action a deletion request that arrives directly from a phone number without your endorsement, because we cannot verify ownership).
- We remove their records from the live database, the conversation store, and call audio storage.
- We remove or anonymise any evaluation-set cases derived from their calls.
- We instruct sub-processors to delete their copies under the DPAs.
- Backups containing their data age out within 90 days; we do not selectively edit backups, but we mark them as quarantined so they cannot be restored to live.
- We confirm completion to you within 30 days.
Records we cannot delete on request: audit logs, consent records, DNCR check results, and other entries the law requires us to keep for a specified period. We can describe to you in writing what was retained and why.
Sub-processors
Office Voice uses the following sub-processors to deliver the product. Each handles a specific slice of the call; none has access to your full account.
We will update this list before adding or replacing sub-processors and give existing customers 30 days' notice of any material change.
Recording and AI disclosure
Australia is an all-party-consent jurisdiction for call recording under the Telecommunications (Interception and Access) Act 1979, and the ACCC's position is that AI identity should be disclosed when an AI speaks on a business's behalf. Every Office Voice call opens with both disclosures:
- That the caller is speaking to an AI assistant, not a human staff member.
- That the call is being recorded for the business's records.
If a customer declines recording, the AI either continues without recording or ends the call politely, per the tenant's configuration. The disclosure landing in the transcript is verified after every call; calls where it didn't are flagged and surfaced to you.
Automated decision-making
Office Voice makes decisions on your behalf in the course of a call — booking a job time, escalating to a human, sending a payment link, declining out-of-area work. These are automated decisions in the sense of APP 1.7–1.9 (effective 10 December 2026).
We log every such decision with the prompt version that produced it, the tools that ran, and the conversation transcript it came from. Higher-stakes decisions — declining service, debt escalation — flow through human-in-the-loop approval gates. New tenants spend their first 30 days in approval-required mode by default: the AI proposes bookings, you confirm by SMS, then the booking commits.
Your rights
You can ask us at any time to:
- Provide a copy of the personal information we hold about you.
- Correct information that is inaccurate or out of date.
- Delete information, subject to the retention exceptions described above.
- Restrict or object to processing in specific circumstances.
- Lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au) if you are not satisfied with how we have handled your information.
Customers of an Office Voice tenant should contact that tenant first; the tenant is the data controller for their data. We will support the tenant in actioning any request that reaches us.
Children
Office Voice is a business product. We do not knowingly collect personal information from children under 16. If a child rings a tenant's number, their call is treated the same as any other inbound call — recorded under disclosure, transcribed, and retained per the schedule above — and the same deletion path applies.
Changes to this policy
We will revise this policy as the product, the law, or our sub-processors change. Material changes — new categories of data collected, new sub-processors, shortened retention periods that affect compliance — are notified to account holders by email at least 30 days before they take effect. The effective date at the top of this page records the most recent revision.
Contact
Privacy questions, data requests, complaints: privacy@office-voice.com.
General support: support@office-voice.com or see the Support page.