Privacy Policy

    Last updated: 1 October 2025

    This is the privacy policy of TransferToAI (ABN 69 692 075 880) and our related entities.

    In this document, “we”, “us” and “our” refer to TransferToAI. “You” and “your” refer to the website user or reader of this policy. The purpose of this policy is to set out how we manage your personal information.

    Your Rights in Relation to Privacy

    TransferToAI understands the importance of protecting the privacy of your personal information and adopts the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Act).

    This Privacy Policy sets out how we collect, use and disclose information about you, how we aim to protect the privacy of your personal information, and your rights in relation to your personal information.

    We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, sending you a direct notification. We encourage you to regularly review this Privacy Policy to stay informed about how we manage your personal information.

    A copy of the Australian Privacy Principles may be obtained from the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

    Kinds of Personal Information

    During the provision of our services or through your use of our website and AI systems, we may collect your personal information. Personal information is information or an opinion about an identified, or reasonably identifiable, individual, whether or not the information or opinion is true and whether or not it is recorded in a material form. This includes information generated, collected, or inferred through your interactions with our AI systems.

    If you are a client (or potential client), we may collect personal information including, but not limited to:

    • Contact details such as your name, business or personal addresses, email addresses, and phone numbers
    • Your employment or professional details
    • Details of your company’s ABN and/or ACN
    • Financial information including bank account and credit card details where necessary for billing
    • Call recordings, voice recordings and transcripts from voice interactions with our AI receptionist
    • Customer inquiries and appointment booking information
    • Usage data and interaction patterns with our AI systems
    • Technical data such as authentication tokens and system logs

    We strictly do not use your business call recordings, transcripts, or customer data to train public AI models (LLMs). Your data remains isolated to your instance.

    Sensitive Information

    Sensitive information is defined in the Act to include information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information.

    We do not usually collect sensitive personal information such as marital status, religion or sexual orientation. If we do collect sensitive information, we will only use and disclose it for the primary purpose for which it was obtained, for a directly related secondary purpose, with your consent, or where required or authorised by law.

    Please notify us as soon as you can of any changes to the information you have provided or if you are aware of any inaccurate, out-of-date, misleading or false information.

    Collection of Personal Information

    We generally collect your personal information through:

    • Direct contact with you, whether in person, by phone, email or mail
    • The completion of online contact forms, booking forms or sign-up forms on our website
    • Information from service providers or publicly available sources where reasonable

    When you use our website, we may log for statistical and operational purposes: the date and time of your visit, your IP address, pages accessed and documents downloaded, and the type of browser you use. We may collect information about you through your use of our services, including data and metadata from calls made to or from our systems, to improve service quality and manage our communications.

    We may use cookies, pixels and similar technologies (Tracking Technologies) to collect information about how you access and use our website and account, including device and browser information, network connection and IP address. You can manage your preferences regarding these Tracking Technologies through your browser settings.

    Purpose of Collection

    We may need your personal information for the following reasons:

    • To respond to your enquiries or requests via our website
    • To provide you with our goods or services, including AI voice receptionist and call answering
    • For accounting, billing and other internal administrative purposes
    • To add you to our mailing list where you have subscribed to our newsletter
    • To personalise and improve your experience with our services
    • To detect and prevent fraud, security incidents and abuse of our services
    • To comply with legal and regulatory requirements, including those relating to AI and automated decision-making

    We do not use your business call recordings, transcripts or customer data to train public AI models. We may use and disclose your personal information to inform you of products or services that may be of interest to you. If you do not wish to receive such communications, you may at any time request not to receive direct marketing from us or use any opt-out mechanism we provide.

    Disclosure of Personal Information

    Generally, we will only disclose your personal information for the purpose of providing our goods or services. This may include disclosing your personal information to third parties engaged to perform administrative or business management services, such as billing services, cloud storage providers (e.g. Supabase), data analytics services, or other essential business services. All such disclosures are made on a confidential basis under appropriate data protection arrangements and in accordance with applicable law.

    We may also disclose your personal information with your consent or where required or authorised by law.

    Google User Data – Collection and Usage

    TransferToAI integrates with Google Calendar to provide bidirectional calendar synchronization. When you connect your Google Calendar account, we access and process the following Google user data:

    Data Accessed

    Our application accesses the following Google user data through the Google Calendar API:

    • Calendar Events: Event titles, descriptions, start times, end times, timezone information, and event metadata
    • Calendar Access: Read and write access to your Google Calendar to synchronize appointments
    • OAuth Tokens: Refresh tokens and access tokens (stored securely) to maintain calendar connection

    We request the following Google API scopes:

    • https://www.googleapis.com/auth/calendar – Full access to manage calendars
    • https://www.googleapis.com/auth/calendar.events – Access to create, read, update, and delete calendar events

    Data Usage

    We use Google Calendar data exclusively for the following purposes:

    • Appointment Synchronization: To create, update, and delete appointments in your Google Calendar when they are booked through our AI Receptionist service
    • Bidirectional Sync: To import existing calendar events from Google Calendar into our dashboard and keep both systems synchronized
    • Availability Management: To check your calendar availability when scheduling new appointments through the AI voice assistant
    • Service Delivery: To ensure appointments booked via phone calls are automatically added to your calendar

    We do not use Google Calendar data for advertising, marketing, or any purpose other than providing the calendar synchronization service you have requested.

    Data Sharing

    We do not share your Google Calendar data with any third parties. Your calendar data is used solely within our application to provide calendar synchronization services; it is not sold, rented, or disclosed to advertisers or data brokers, and it is not used for training AI models unrelated to your calendar synchronization. The only exception is when required by law or to protect our rights.

    Data Storage & Protection

    We implement industry-standard security measures to protect your Google Calendar data:

    • Encrypted Storage: OAuth refresh tokens are stored encrypted in our secure database (Supabase) located in Australia
    • Encrypted Transmission: All data transmitted between our servers and Google APIs uses TLS 1.3 encryption
    • Access Control: Only authorised application servers can access your Google Calendar data using the stored OAuth tokens
    • Token Security: Refresh tokens are stored securely and never exposed in client-side code or logs
    • Regular Audits: We conduct regular security audits and monitor for unauthorised access

    Calendar event data synchronized from Google is stored in our secure database (Supabase) in Australia, encrypted at rest using industry-standard encryption methods.

    Data Retention & Deletion

    Data Retention: We retain synchronized calendar event data for as long as your account is active and you maintain the Google Calendar connection. OAuth tokens are retained until you disconnect your Google Calendar account.

    Data Deletion: You can request deletion of your Google Calendar data at any time by: disconnecting your Google Calendar account through the Settings page in your dashboard; contacting us at [email protected] to request deletion; or deleting your TransferToAI account, which will automatically disconnect and delete all associated calendar data. When you disconnect, we immediately revoke access, permanently delete stored OAuth tokens, and delete synchronized calendar event data within 30 days.

    You can also revoke access directly through your Google Account permissions page.

    TransferToAI’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. For more information, see https://developers.google.com/terms/api-services-user-data-policy.

    Third Parties

    Where reasonable and practicable, we will collect your personal information only from you. However, we may be provided with information about you from third parties, such as service providers who assist us in operating our business, business partners, professional advisers, or publicly available sources. In such cases, we will take reasonable steps to ensure you are made aware of the information provided to us. Where required by law, we will seek your consent before collecting information about you from third parties.

    Overseas Disclosure

    We will not disclose your personal information outside Australia unless you expressly consent, the disclosure is required by law, or the disclosure is to service providers who are subject to privacy protections substantially similar to the Australian Privacy Principles. Before disclosing personal information to an overseas recipient, we will take reasonable steps to ensure that the recipient complies with a similar privacy scheme, but we cannot guarantee that they will.

    Infrastructure & data flow: Your data is primarily processed and stored in Australia (e.g. Sydney region) using secure infrastructure. To provide real-time AI voice capabilities, transient voice data may be processed via trusted infrastructure partners, including Telnyx (telephony), Deepgram (voice recognition) and Groq (LLM inference), under strict data processing agreements. By using the service, you consent to this necessary processing for the purpose of real-time voice delivery.

    Security of Your Personal Information

    We will do our best to ensure that the personal information we hold is protected from misuse, interference and loss and from unauthorised access, modification or disclosure. We implement industry-standard security measures including encryption (TLS 1.3 in transit, encryption at rest), access controls, secure cloud infrastructure, and regular security monitoring. We typically hold your personal information electronically; where we hold it in paper form, we apply appropriate physical security measures.

    We will securely destroy or de-identify your personal information when it is no longer required for any legitimate business purpose or legal obligation. Generally, we retain personal information for a minimum of 7 years where required by Australian tax and corporate laws. We will notify you if we need to retain your information for longer due to specific legal, business or technical requirements. When personal information is no longer needed, we will take reasonable steps to securely destroy or permanently de-identify it (e.g. secure shredding of physical documents and permanent deletion of electronic records with appropriate technical safeguards).

    Data Breaches

    All staff are responsible for protecting the confidentiality of client and business information. Any actual or suspected data breaches must be reported immediately to our designated Privacy Officer or Data Protection contact. This enables us to comply with our obligations under the Notifiable Data Breaches scheme and take prompt remedial action.

    What is an eligible data breach?

    An eligible data breach (as defined in s 26WE(2) of the Act) occurs when: (a) there is unauthorised access to or disclosure of the information, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or (b) the information is lost in circumstances where unauthorised access or disclosure is likely to occur and, assuming it did occur, a reasonable person would conclude that it would be likely to result in serious harm to those individuals.

    If we suspect an eligible data breach, we will conduct a reasonable and expeditious assessment within thirty (30) days. If we believe an eligible data breach has occurred, we will prepare a statement setting out our details, a description of the breach, the kind of information concerned, and recommendations about the steps we will take. Where practicable, we will notify affected individuals and submit the notification to the OAIC in accordance with the Notifiable Data Breaches scheme. Mandatory notification requirements may be waived if remedial action results in a reasonable person concluding that the access or disclosure is not likely to result in serious harm.

    Maintaining the Quality of Your Personal Information

    It is important to us that your personal information is accurate, complete and up-to-date. We take reasonable steps to ensure the personal information we collect, use or disclose is accurate, complete and current. We encourage you to notify us promptly of any changes to your personal details (such as address, phone number or email), to inform us if you notice any errors or inaccuracies in the information we hold, and to respond to our requests for verification. When you notify us of changes or inaccuracies, we will promptly update our records. Where appropriate, we may contact you to verify changes before updating our records.

    How You May Access Your Personal Information

    Under the Act, you have a right to access and seek correction of your personal information that we collect and hold. If at any time you would like to access or correct the personal information we hold about you, please contact our privacy officer at [email protected] or [email protected].

    To obtain access: you may need to provide proof of identity; you should be reasonably specific about the information you require. We will not charge you for making an access request. We may charge a reasonable administration fee for the actual cost of providing access and will notify you in advance of any such fee.

    If we refuse your request to access or correct your personal information, we will provide you with written reasons within thirty (30) days, explain how you can make a complaint, and outline other mechanisms available to you under the Act.

    Complaints

    Please direct all privacy complaints to our privacy officer. We will take privacy complaints seriously and deal with them in a prompt and confidential manner. You will be informed of the outcome of your complaint following completion of our investigation, which will take no more than 30 days. Where a complaint involves automated systems or AI processing, we will provide meaningful information about the logic involved in the automated decision-making process and its significance for you, in accordance with the Act and any applicable regulations, while protecting our intellectual property and system security.

    If you are dissatisfied with the outcome of your complaint, you may refer the complaint to the OAIC. Contact details for the OAIC can be found at www.oaic.gov.au.

    Contact

    For privacy enquiries or complaints, please contact us at:

    TransferToAI
    ABN: 69 692 075 880
    Proudly built in Mackay, Queensland, Australia
    Privacy: [email protected]
    Support: [email protected]
    Phone: +61 0468 854 357
    Website: transfertoai.com

    Version Control

    Policy version: 1.0
    Policy date: 1 October 2025