Privacy Policy

1. Introduction

This Privacy Policy outlines how Evolving Technologies Pty Ltd (ABN 72 654 819 128), trading as Valory ("we", "us", or "our"), collects, uses, discloses, stores, and protects personal information in connection with our AI voice agent platform and related services (collectively, the "Service").

We are committed to protecting your privacy and managing your personal information in an open and transparent manner, in accordance with the Privacy Act 1988 (Cth) (the "Privacy Act") and the Australian Privacy Principles (APPs).

This Policy applies to:

• our customers (Australian businesses and organisations who subscribe to the Service); and
• where applicable, their end-users (the individuals who interact with the Service, such as callers, customers, patients, clients, or other persons).

Your Business Customer's Role

When we process personal information about end-users (such as callers to your business), we generally do so on behalf of the business customer as a service provider. The business customer is typically responsible for:

• determining what personal information is collected and how it is used;
• providing appropriate privacy notices to end-users explaining how their personal information will be collected and used;
• obtaining any required consents from end-users (including consent for call recording and, where applicable, the handling of Sensitive Information such as health information);
• ensuring that they have a lawful basis to collect and disclose personal information to us; and
• complying with their own obligations under the Privacy Act and applicable privacy laws.

If you are an end-user with questions about how a particular business handles your personal information, we encourage you to contact that business directly or refer to their privacy policy.

Our Contact Details

• Company Name: Evolving Technologies Pty Ltd
• Trading As: Valory
• ABN: 72 654 819 128
• Registered Address: 3 Albert Coates Lane, Melbourne, VIC 3000, Australia
• Privacy Contact Email: legal@valory.com.au
• Phone: 0487 434 580

2. Information We Collect

We collect information that is reasonably necessary to provide, secure, and improve our Service. The types of personal information we may collect include:

2.1 Account Information

When you register for the Service, we collect information necessary to create and manage your account, including:

• business name and trading name
• contact name and job title
• email address
• phone number
• Australian Business Number (ABN) or other business identifiers
• business address
• account credentials (e.g. passwords, which are stored in encrypted or hashed format).

2.2 Payment Information

To process subscriptions and usage fees, we collect billing details such as billing address, billing contact name, and payment method type. Payment information is securely processed by our third-party payment processors (such as Stripe). We do not store your full credit card numbers, debit card numbers, or bank account numbers on our systems.

2.3 Call Data

As the core of our Service, we process data generated from phone interactions ("Call Data"), including:

• call recordings and real-time audio streams
• call transcripts and AI-generated summaries
• call metadata (e.g. caller's phone number, recipient's phone number, timestamps, call duration, caller ID information)
• information provided by the caller during the conversation (e.g. name, contact details, reason for call, booking requests, appointment preferences, or other personal information disclosed during the call)
• booking, reservation, and scheduling details captured or created during the call
• AI-generated outputs, classifications, and actions taken during or as a result of the call.

Call Data may contain personal information about end-users (callers) and, in some cases, may include Sensitive Information depending on the nature of the call and the business being contacted.

2.4 Sensitive Information (including Health Information)

Depending on how you use the Service, callers may share Sensitive Information (as defined in the Privacy Act), which includes (without limitation):

• health information (information about a person's physical or mental health, disabilities, or health services provided to them)
• racial or ethnic origin
• political opinions or membership of political associations
• religious beliefs or affiliations
• philosophical beliefs
• membership of professional or trade associations or unions
• sexual orientation or practices
• criminal record
• genetic information or biometric information.

We do not intentionally solicit or request unnecessary Sensitive Information. However, we may collect and handle Sensitive Information where it is:

• provided by you or your end-users voluntarily in the course of using the Service (for example, to make or manage a health-related appointment, or where a caller discloses health information relevant to their enquiry); and
• reasonably necessary for us to provide the Service to you.

We handle Sensitive Information in accordance with this Policy and the Privacy Act. We will only collect, use, or disclose Sensitive Information where:

• we have obtained consent (or the business customer has confirmed that appropriate consent has been obtained from the end-user);
• the collection, use, or disclosure is required or authorised by or under an Australian law or court/tribunal order;
• a permitted general situation or permitted health situation exists under the Privacy Act; or
• it is otherwise permitted under the Privacy Act and APPs.

For training and service improvement purposes, we will only use Sensitive Information in de-identified or aggregated form, or where appropriate consent has been obtained in compliance with the Privacy Act. We will not use identifiable Sensitive Information for cross-customer training or improvement purposes.

2.5 Integration Credentials

To connect Valory with your other business tools and systems, we may collect and store (in encrypted format):

• OAuth tokens and refresh tokens
• API keys and access credentials
• other authentication credentials for third-party services (e.g. calendar systems, booking platforms, practice management systems, CRMs).

These credentials are stored securely and are used solely to facilitate the integrations you have authorised.

2.6 Usage Data

We automatically collect information about how you and your end-users interact with the Service, including:

• log data (e.g. IP addresses, browser type, operating system, access times, pages and features viewed, referring URLs)
• feature usage and interaction data (e.g. which features are used, frequency of use, configuration settings)
• error logs, crash reports, and performance metrics
• device information (e.g. device type, device identifiers, operating system version).

2.7 Cookies and Similar Technologies

We use cookies and similar technologies (such as web beacons, pixels, and local storage) to operate, secure, and analyse our Service, authenticate users, remember your preferences, and improve user experience. You can control cookie settings through your browser.

We primarily use essential and functional cookies that are necessary for the operation of our Service. We may describe any additional analytics or advertising cookies in this Policy or in a separate cookies notice if and when such cookies are implemented.

3. How We Use Information

We use the information we collect for the following purposes:

• To Provide the Service:
  To set up and manage your account, process and manage phone calls, handle bookings and scheduling, facilitate calendar and system integrations, generate AI outputs and responses, deliver call analytics and insights, and provide customer support.
• To Send Notifications:
  To send SMS confirmations, appointment reminders, and notifications to you and your end-users as part of the Service, in accordance with your configurations.
• To Manage Your Account and Process Payments:
  To process payments, manage subscriptions, track usage-based billing, send invoices, and send administrative communications about your account.
• To Communicate With You:
  To respond to support requests, enquiries, and feedback, and to send important updates about the Service (including security alerts, service changes, and policy updates).
• For Service Improvement and Analytics:
  To analyse usage patterns, diagnose technical issues, fix bugs, improve performance, develop new features, and enhance the overall quality of the Service.
  
  AI Training and Model Improvement: We may use Call Data to train, refine, and improve our AI models, voice processing capabilities, and natural language understanding. When doing so:
  • We primarily rely on aggregated or de-identified information, including de-identified Call Data, for these purposes wherever reasonably practicable.
  • We do not use identifiable Call Data to train models for other customers in a way that would allow those customers to identify you, your business, or any individual end-user.
  • Cross-customer training and model improvement occurs only on data that has been aggregated or de-identified.
  • Where Sensitive Information is involved, we will only use it for training or improvement purposes in de-identified or aggregated form, or where we have obtained appropriate consent in accordance with the Privacy Act and APPs.
• For Direct Marketing (Customers Only):
  We may use your business contact details to send you information about our services, new features, product updates, and events. You can opt out of marketing communications at any time by following the unsubscribe instructions in our communications or by contacting us at legal@valory.com.au.
• For Security and Compliance:
  To protect the security, integrity, and availability of our platform; prevent, detect, and respond to fraud, abuse, security incidents, and other harmful activities; enforce our Terms of Service; and comply with our legal and regulatory obligations.

4. Data Sharing and Disclosure

We do not sell your personal information. We may share personal information under the following limited circumstances:

4.1 Third-Party Service Providers

We engage third-party companies and service providers to perform functions on our behalf. These providers are contractually required to protect your data, maintain confidentiality, and are restricted to using personal information only for the purposes we specify and in accordance with our instructions. Categories of service providers include:

• Payment Processors: To process subscription and usage payments securely (e.g. Stripe).
• Database Hosting and Authentication Providers: To host our application databases, provide authentication services, and secure user accounts (e.g. Supabase, Clerk).
• Telephony and SMS Service Providers: To provide phone call routing, SMS messaging, and related telephony infrastructure (e.g. Twilio, Vapi).
• AI and Voice Processing Providers: To provide AI voice generation, speech recognition, natural language processing, large language model (LLM) capabilities, and conversational AI features. These providers may process audio, transcripts, and related data to deliver the Service and are subject to contractual confidentiality and security obligations.
• Hosting and Infrastructure Providers: To provide application hosting, content delivery networks (CDNs), cloud computing, monitoring, logging, and other infrastructure services (e.g. Vercel, AWS).
• Analytics and Monitoring Providers: To provide analytics, error tracking, performance monitoring, and service improvement insights (e.g. Sentry, Vercel Analytics).

4.2 Your Connected Integrations

When you connect a third-party service (e.g. a calendar, booking platform, practice management system, or CRM) to your Valory account, we will share information with that service as directed by you and as necessary to facilitate the integration and provide the features you have enabled.

4.3 Legal Requirements

We may disclose your personal information if required to do so by law or in response to a valid legal process, such as a court order, subpoena, warrant, or government or regulatory investigation. We may also disclose information where we believe in good faith that disclosure is necessary to:

• comply with applicable laws, regulations, or legal processes;
• protect the rights, property, or safety of Valory, our customers, or others;
• prevent or investigate possible wrongdoing or illegal activity;
• enforce our Terms of Service or other agreements.

4.4 Business Transfers

In the event of a merger, acquisition, sale of assets, corporate restructuring, financing, change of control, or insolvency event, your personal information may be transferred as part of that transaction. We will take reasonable steps to ensure that any recipient continues to handle your personal information in accordance with this Policy and applicable law, and we will provide notice of any such transaction where required by law.

5. Data Security

We implement reasonable technical and organisational measures designed to protect the personal information we process against unauthorised access, modification, disclosure, destruction, or loss. These measures include:

• Encryption: Personal information is encrypted in transit (using TLS/SSL) and at rest (using industry-standard encryption algorithms).
• Access Controls: We enforce strict access controls and the principle of least privilege, so that only authorised personnel can access personal information on a need-to-know basis.
• Secure Architecture: Our platform uses secure architecture with logical data isolation to ensure customer data is separated and protected.
• Credential Security: Sensitive credentials, such as passwords, API keys, and tokens, are stored in encrypted or hashed format and are never stored in plain text.
• Security Monitoring: We implement security monitoring, logging, and alerting to detect and respond to potential security threats.
• Incident Response: We maintain documented procedures to detect, respond to, contain, and mitigate potential security incidents and data breaches.
• Vendor Security: We assess the security practices of our third-party service providers and require them to maintain appropriate security measures.

While we take security seriously and strive to use commercially reasonable means to protect personal information, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, and we cannot warrant that the Service will be immune from security vulnerabilities, cyberattacks, or data breaches.

6. Data Retention

We retain personal information only for as long as reasonably necessary to fulfil the purposes for which it was collected, to provide the Service, to comply with our legal obligations, resolve disputes, and enforce our agreements. Our general retention practices are as follows:

• Account Information: Retained for as long as your account is active and for a reasonable period thereafter for legal, accounting, administrative, and record-keeping purposes.
• Call Data: Retained for the period you configure in your account settings, or for a default period of ninety (90) days if no retention period is configured, unless we are required to keep it longer for legal, regulatory, or contractual reasons.
• Payment Records: Retained for at least seven (7) years as required by Australian taxation law.
• Usage Data and Logs: Retained for a reasonable period for analytics, security monitoring, and service improvement purposes.

We may retain aggregated or de-identified information (which does not identify you or any individual) indefinitely for analytics, research, benchmarking, and service improvement purposes.

After Account Termination: Following termination of your account, we will take reasonable steps to delete or de-identify your personal information within a reasonable timeframe (subject to any applicable retention period you have configured), except where we are required or permitted to retain it for:

• compliance with applicable law (including taxation, accounting, and regulatory requirements);
• legitimate record-keeping and audit purposes;
• dispute resolution, enforcement of our Terms of Service, or protection of our legal rights;
• backup, disaster recovery, and business continuity purposes (subject to eventual deletion).

You may request the deletion of your account and associated personal information by contacting us at legal@valory.com.au. We will process such requests in accordance with our obligations under the Privacy Act.

7. Your Rights (Australian Privacy Act)

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have certain rights regarding your personal information. These rights apply to both customers and individuals (including end-users) whose personal information we may hold.

7.1 Right to Access

You may request access to the personal information we hold about you. We will respond to access requests within a reasonable period (usually within 30 days) and will provide access to the information in the manner you request, if it is reasonable and practicable to do so. We may charge a reasonable fee for providing access in certain circumstances. We may refuse access in limited circumstances permitted by law, in which case we will provide you with reasons for the refusal.

7.2 Right to Correction

You may request correction of any personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will take reasonable steps to correct the information if we are satisfied that the information is inaccurate, out of date, incomplete, irrelevant, or misleading, having regard to the purpose for which it is held.

7.3 Right to Make a Complaint

If you believe we have breached the Australian Privacy Principles or mishandled your personal information, you may make a complaint by contacting us at legal@valory.com.au with the details of your complaint. We will investigate your complaint and respond within a reasonable time (usually within 30 days).

If you are not satisfied with our response or how we have handled your complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au
• Post: GPO Box 5288, Sydney NSW 2001

7.4 Exercising Your Rights

To exercise any of the above rights, please contact us at legal@valory.com.au. We may need to verify your identity before processing your request to protect the security of personal information.

Note for End-Users: If you are an end-user (e.g. a caller) whose personal information has been collected by a business using our Service, you should first contact that business directly to exercise your privacy rights. We will assist businesses in responding to legitimate privacy requests from their end-users as required.

8. International Data Transfers

Our Service is primarily hosted and operated in Australia. However, in providing the Service, we use third-party service providers (as described in Section 4.1) that may be located in or process personal information from data centres located outside Australia.

These providers may be based in or process data from countries such as the United States and the European Union, among others.

When we transfer personal information internationally, we take reasonable steps to ensure that overseas recipients do not breach the Australian Privacy Principles (APPs) in relation to such personal information, in accordance with APP 8. These steps may include:

• entering into appropriate contractual arrangements with overseas recipients that require them to handle personal information in a manner consistent with the APPs;
• conducting due diligence and security assessments of overseas service providers;
• selecting providers that are subject to privacy laws or frameworks that provide comparable protections to the Privacy Act;
• implementing technical and organisational safeguards to protect personal information during and after transfer.

We only transfer personal information overseas where it is necessary for the purposes described in this Policy, where we have taken appropriate safeguards, or where we are required to do so by law.

By using our Service, you acknowledge and consent to the transfer of your personal information to locations outside Australia as described in this Section, subject to the safeguards and protections described above and in accordance with the Privacy Act.

9. Children's Privacy

Our Service is designed for use by businesses and is not intended for, or directed at, individuals under the age of 18. We do not knowingly collect personal information directly from children.

If you are a business customer whose end-users may include minors (for example, a medical practice where parents call to book appointments for their children), you are responsible for ensuring that you have obtained appropriate parental or guardian consent for the collection of any personal information about minors and for providing appropriate privacy notices.

If we become aware that we have inadvertently collected personal information from a child without appropriate consent, we will take reasonable steps to delete such information as soon as practicable. If you believe we have collected personal information about a child inappropriately, please contact us at legal@valory.com.au.

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational or business reasons. When we make material changes to this Policy, we will notify you by:

• posting the updated Policy on our website with a new "Last Updated" date; and/or
• sending an email to the contact email address associated with your account; and/or
• providing a notice within the Service.

We encourage you to review this Policy periodically to stay informed about how we are protecting your information.

The updated Policy will take effect from the date it is posted (as indicated by the "Last Updated" date), unless otherwise stated. Your continued use of the Service after the updated Policy takes effect constitutes your acknowledgement of the updated Policy and your agreement to be bound by its terms.

11. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our privacy practices, or if you wish to exercise any of your privacy rights, please contact us:

• Privacy Contact: Privacy Officer
• Email: legal@valory.com.au
• Phone: 0487 434 580
• Post: Evolving Technologies Pty Ltd, 3 Albert Coates Lane, Melbourne, VIC 3000, Australia

We will endeavour to respond to your enquiry as soon as reasonably practicable and within any timeframes required by law.