AIssie - AI Chat and Voice Assistants for Small Businesses

Privacy Policy

Effective Date: 08/09/2025

Last Reviewed: 21/05/2026

1. Who We Are

This Privacy Policy explains how AIssie (ABN 11371239323) ("AIssie", "we", "us", or "our") collects, uses, discloses, and protects personal information when you use our software-as-a-service platform, websites, and related services (the "Services"). We are based in Australia and primarily serve customers in Australia.

Contact: contactus@aissie.com.au

We manage personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. Scope

This Policy applies to: (a) our public websites, admin portals, widgets/embeds, and APIs; (b) chat, form, and voice interactions facilitated by AIssie agents on our customers' channels; and (c) support, billing, and account administration.

Customer responsibility: When our business customers deploy AIssie, they are responsible for their own privacy notices to end users and for ensuring any required consents are obtained. We process end-user personal information on the customer's instructions.

3. Information We Collect

Information you provide directly: name, role, company, email, phone, postal address, account and profile data; support enquiries; marketing preferences; and billing details (we do not store full card numbers—payments are handled by our payment provider).
Information captured by your AIssie agents: conversation content (messages, prompts, contextual data); uploads to knowledge bases (documents, URLs, media); lead/form data (e.g., name, email, phone, address, enquiry details); and, where enabled, call metadata, call recordings and transcripts.
Automatically collected information: usage and diagnostic data (IP, device/browser type, pages/views, referral URLs, timestamps, performance/security logs).
Sensitive information: we do not intentionally seek to collect sensitive information. If your agent may capture such information, you must ensure a lawful basis and appropriate notices/consents. Recording/transcription features can be disabled.

4. How We Use Personal Information

To provide and operate the Services (hosting agents, routing messages/calls, generating responses, storing knowledge bases, analytics, and delivering email/SMS/voice notifications as configured by you).
To secure and maintain the Services (monitoring, preventing abuse, incident detection, troubleshooting, and backups).
To bill and administer accounts.
To improve our products and user experience, using aggregated or de-identified data where possible.
To communicate with you about updates, security, and product changes. You may opt out of non-essential marketing at any time.

Model training: Customer content is never used to train general models.

4A. Just-in-Time Notices & Customer Responsibility

When you configure an agent to request personal information (for example, addresses for bookings, deliveries, or eligibility checks), you must ensure your end users are told what is being collected, why, and how it will be used and stored. Where required, you must obtain consent (e.g., for call recording, or optional marketing). You are responsible for ensuring your prompts, flows, and scripts comply with applicable law and your own privacy notices.

We recommend using short, "just-in-time" notices in the conversation (e.g., "We'll use your address to arrange delivery and won't use it for marketing unless you agree.") and limiting collection to what is reasonably necessary for the stated purpose.

4B. Data Minimisation & Prohibited Data

Collect only what is needed: configure agents to request the minimum personal information necessary for the stated purpose (e.g., address only if fulfilment or verification truly requires it).
Do not collect high-risk data via chat/voice: payment card numbers (beyond redacted last 4), full driver licence details, passport numbers, Medicare numbers, Tax File Numbers, health or biometric information, or any special-category/sensitive information unless you have a clear legal basis and appropriate safeguards in place.

5. Our Role Under the APPs

For end-user data processed on behalf of a business customer, we typically act as a processor/service provider.
For data collected from our own website visitors, trial sign-ups, or marketing contacts, we act as a controller and comply with the APPs (including openness, access and correction, data quality, and security).

6. Legal Grounds (Australia)

We collect and use personal information where reasonably necessary for our functions or activities, including delivering and supporting the Services, meeting legal obligations, preventing security incidents and fraud, and conducting internal analytics and service improvement (using de-identified or aggregated data where practicable). Where required, we rely on your consent (e.g., certain marketing communications or optional call recordings). You may withdraw consent at any time.

7. Disclosures and Sub-Processors

We may disclose personal information to trusted service providers engaged to operate the Services, under written agreements requiring appropriate safeguards and use only for our instructions. Typical categories include:

Cloud hosting & storage: Microsoft Azure (primary region: Australia East).
In-memory cache: Redis (Australia East).
Telephony & messaging: Twilio; email delivery via Twilio SendGrid.
Voice synthesis/transcription: ElevenLabs (if enabled).
Payments: Stripe (we do not store full card details).
AI inference: Azure OpenAI (Microsoft Azure, global regions) — used for real-time AI response generation; content is processed transiently and not retained by the provider.
Analytics: Google Analytics (via Google Tag Manager, container GTM-T7FC25CG) — used for website analytics; may collect IP addresses, device information, and browsing behaviour. See Section 11 for cookie details and opt-out options.
Security/monitoring: tools used for performance, error tracking, and security.

8. Overseas Disclosures & Data Residency

Our primary hosting location for databases is Australia East. We use the following overseas providers for AI inference and voice synthesis:

Azure OpenAI (Microsoft Azure, global regions) — real-time AI inference; content may be processed in any region where Azure OpenAI operates and is not retained by the provider.
ElevenLabs (United States) — voice synthesis and transcription (if enabled); content is processed transiently and not stored by the provider.

We have Data Processing Agreements (DPAs) or equivalent contractual commitments in place with each of these providers to ensure personal information is handled consistently with the Australian Privacy Principles (APP 8). These agreements require providers to implement appropriate technical and organisational safeguards.

Where personal information is disclosed overseas to other recipients, we take reasonable steps to ensure it is handled consistently with the APPs, including through contractual commitments and technical controls.

9. Data Security & Retention

Encryption: TLS in transit; server-side encryption for databases and object storage.
Access controls: role-based access, least privilege, multi-factor authentication.
Backups & resilience: regular backups and monitoring.
Telephony/voice: if enabled, call recordings and transcripts are stored with our voice providers; call-recording notices and consents remain your responsibility.

Retention: Personal information is not automatically deleted on a fixed schedule. Data remains in the Service until you request deletion or your account is closed. However, AIssie reserves the right to delete data without requiring your consent where it is older than 12 months, subject to the following exceptions:

Legally required records (e.g., account and billing records) are retained for 7 years from the date of the transaction as required by Australian tax and accounting law.
Data held by third-party sub-processors (such as Twilio, ElevenLabs, or Stripe) is subject to those providers' own retention practices and is outside AIssie's direct control.

You may request deletion of your data at any time by contacting us, subject to any legal obligations to retain certain records.

Unsolicited personal information (APP 4): If we receive personal information that we did not solicit and that we could not have lawfully collected under APP 3, we will take reasonable steps to destroy or de-identify that information as soon as practicable, unless it would be unlawful to do so.

10. Direct Marketing

We may send product updates or marketing communications where permitted. You can opt out via the unsubscribe link or by contacting us. Service and security notices are transactional and not subject to opt-out.

11. Cookies

We use cookies and similar technologies on our website. The following categories of cookies are used:

Essential cookies: required for the website and platform to function (e.g., session authentication, security). These cannot be disabled without affecting core functionality.
Analytics cookies: we use Google Analytics (via Google Tag Manager, container ID: GTM-T7FC25CG) to understand how visitors use our website. Google Analytics sets cookies including _ga (expires 2 years), _ga_* (expires 2 years), and _gid (expires 24 hours). These cookies collect IP addresses, device and browser information, pages visited, and referral sources. Google may process this data in the United States. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on or by adjusting your browser's cookie settings.
Preference cookies: used to remember your settings and preferences across sessions.

You can control or disable non-essential cookies through your browser settings. Disabling analytics cookies will not affect your ability to use our Services.

12. Access and Correction (APPs 12 & 13)

You may request access to the personal information we hold about you and request corrections if you believe it is inaccurate, out-of-date, incomplete, or misleading. We will respond within a reasonable time and may need to verify your identity. In some cases, access may be refused where permitted by law (we will explain why).

We also take reasonable steps to ensure personal information we hold is accurate, up-to-date, complete, and relevant for the purposes for which it is used (APP 10).

13. Anonymity and Pseudonymity (APP 2)

Where practical, you may interact with us anonymously or using a pseudonym (e.g., for general enquiries). For account provisioning, billing, support, or security, identifying information may be necessary.

14. Children

Our Services are intended for business use. We do not knowingly collect personal information from children. If you believe a child's information has been provided to us, please contact us and we will take appropriate steps.

15. Notifiable Data Breaches (NDB) Scheme

Upon becoming aware of a potential eligible data breach, we will assess it within 30 days as required by the Privacy Act 1988 (Cth) (s.26WH). Where a breach is confirmed to be an eligible data breach likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by law, and notify affected business customers without undue delay.

16. Complaints

If you have concerns about our handling of your personal information, please contact us at contactus@aissie.com.au. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If resolution takes longer, we will explain the reason and expected timeline. If you are not satisfied with our response, you may refer the matter to the OAIC (see: oaic.gov.au).

17. Changes to This Policy

We may update this Policy from time to time. The latest version will be posted on our website with the effective date. Significant changes may be notified via email or in-product notices.

18. Data Processing Addendum (DPA)

For business customers, our DPA sets out additional terms for handling personal information processed on your behalf, including security controls, deletion/return of data, and sub-processors. Contact us at contactus@aissie.com.au to obtain a copy.

Appendix: Current Sub-Processors (Summary)

Microsoft Azure — Cloud hosting, storage, databases (primary region: Australia East).
Azure OpenAI — AI inference (global regions); transient processing only, content not retained by provider.
Redis — In-memory caching (Australia East).
Twilio — Telephony/SMS/WhatsApp; SendGrid for email delivery.
ElevenLabs — Voice synthesis/transcription (if enabled); transient processing only.
Stripe — Payment processing (card data handled by Stripe; AIssie does not store full card numbers).
Google Analytics — Website analytics (via Google Tag Manager); may process data in the United States.