Privacy practices, plain language.

VerticalAI Pty Ltd is an Australian proprietary company based in Perth, Western Australia. We provide an inbound voice agent platform for Australian businesses.

For privacy questions, email privacy@verticalai.com.au. For legal matters, email legal@verticalai.com.au.

Account data. Email address, name, and organisation name supplied at sign-up. Roles and team memberships you assign.

Billing references. Stripe customer and payment-method tokens, billing email, and invoice IDs. We never receive or store card numbers, expiry dates, or CVV; Stripe Checkout and Customer Portal handle that data directly.

Conversation data. Text transcripts of voice and chat sessions, and any caller-supplied details collected by your flow (such as name, phone number, or appointment preferences). We do not record or store call audio.

Usage telemetry. Latency events, error traces, and feature interaction logs. Errors flow through Sentry with request bodies on billing, webhook, and auth routes stripped, and sensitive headers redacted, before send.

We process personal information to operate, support, and improve the service you have asked us to provide.

Contract. Account creation, billing, flow operation, and the conversations your callers have with your agent.

Legitimate interests. Service security and abuse prevention, audit logging, error monitoring, and product improvement based on aggregate usage patterns.

Consent. Optional product updates and marketing email. You can withdraw consent at any time using the unsubscribe link or by emailing privacy@verticalai.com.au.

Legal obligation. Records we are required to keep under tax, financial-services, or telecommunications law.

Account, billing, and configuration data is retained while your account is active. Conversation transcripts and session events follow your organisation's retention window: 30, 90, 365, or 730 days, with 365 days the default. A daily scheduled job in Postgres purges rows past the window.

Submitting a deletion request triggers hard deletion of conversation transcripts and personal data with a 7-day operational SLA, well inside the 30-day window required by the Australian Privacy Act and GDPR Article 17.

The append-only audit log is retained for the lifetime of the account for security and accountability purposes. It records actor, action, and resource for billing, membership, and configuration changes; it does not contain conversation content.

Before any transcript line is written to the database, it passes through a redactor that masks credit card numbers (Luhn-validated), Australian Tax File Numbers, Medicare numbers, and US Social Security numbers. Operators should still avoid collecting regulated identifiers as flow variables where the conversation does not require it.

We share personal information only with the sub-processors required to deliver the service. Each is bound by a data processing agreement that limits processing to instructed purposes.

The full list of sub-processors, the data shared with each, and the region in which they operate is published at /sub-processors. We notify customers of material changes at least 30 days before a new sub-processor processes customer data.

We do not sell personal information.

Email privacy@verticalai.com.au with your account email and the request. We respond within 30 days. We may request proof of identity before actioning a request that affects access to personal data. Self-serve export and erasure from inside the app are rolling out shortly.

We comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth). Where an eligible data breach is likely to result in serious harm, we notify affected individuals and the Office of the Australian Information Commissioner as soon as practicable, and within 72 hours of becoming aware where feasible.

Our incident response procedure rotates Stripe and Supabase credentials, audits the affected window via the audit log, and produces a written notice describing the breach, the kinds of information involved, and the steps individuals should take.

Customer data at rest stays in Sydney. Some sub-processors, including Stripe and our LLM, STT, and TTS vendors, operate from the United States and process limited data in transit.

Cross-border transfers rely on the standard contractual clauses or equivalent safeguards published by each vendor. The full list and the data shared with each is published at /sub-processors.

The service is for Australian businesses and is not directed to anyone under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact privacy@verticalai.com.au and we will delete it.

We post material changes here and notify account owners by email and via an in-product banner at least 30 days before they take effect. Minor edits (clarifications, formatting) are dated at the top of this page.

Email privacy@verticalai.com.au with privacy questions, access requests, or breach reports.

If you remain unsatisfied after raising a complaint with us, you may escalate to the Office of the Australian Information Commissioner at oaic.gov.au.