Privacy Policy

TransferToAI Pty Ltd
Last Updated: November 3, 2025
Effective Date: November 3, 2025
Jurisdiction: Australia, Queensland

TransferToAI Pty Ltd ("Company," "we," "us," "our") is an AI-powered receptionist platform for dental clinics in Australia. We process personal information—particularly patient contact data and call recordings—as both a Data Controller and Data Processor depending on your arrangement.

Contact Information:
Email: privacy@transfertoai.com.au
Phone: 0468 854 357

Table of Contents

Introduction & Australian Privacy Framework
What Personal Information We Collect
How We Collect Your Information
Why We Collect & Use Your Information (Legal Basis)
Who We Share Your Information With
International Data Transfers
Data Security & Encryption
Data Retention & Deletion
Your Rights Under Australian Privacy Law
Cookie Policy & Tracking
Contact & Complaints Process
Changes to This Policy
Additional Compliance Frameworks

1. Introduction & Australian Privacy Framework

1.1 About TransferToAI

Legal Entity: TransferToAI Pty Ltd
Website: www.transfertoai.com
Privacy Officer: privacy@transfertoai.com.au
Phone: 0468 854 357

We comply fully with the Australian Privacy Act 1988, including all Australian Privacy Principles (APPs).

1.2 Australian Privacy Act 1988 Compliance

Australian Privacy Principles (APPs) We Follow:

APPRequirementAPP 1Open and transparent management of personal information (We publish this policy and are transparent about our data practices)APP 3Collection of solicited personal information (We only collect information you knowingly provide: clinic name, email, phone, patient data)APP 5Notification of collection of personal information (We inform you what data we collect and how we use it)APP 6Use or disclosure of personal information (We use data only for purposes disclosed or reasonably related)APP 9Adoption, use or disclosure of personal information (Your clinic's patient data used only for your clinic operations)APP 13Correction of personal information (You can request corrections to your clinic data)

Additional Australian Legal Compliance:

Telecommunications Interception and Access Act 1979: Call recording requires consent (disclosed via IVR)
Privacy Act 1988 - Notifiable Data Breaches Scheme (NDB): We notify you within 30 days of any breach involving serious harm risk
Health Records Act 2001 (Victoria): If your clinic is in Victoria, we comply with health-specific privacy principles
Dental Board of Australia: We support your clinic's compliance with professional standards

2. What Personal Information We Collect

2.1 Information YOU Provide (Solicited)

Clinic Account Information:

Clinic name
Clinic address (city, state, postcode)
Account owner email
Account owner phone number
Clinic type (private practice, corporate, DSO, etc.)
Number of dentists in clinic
PMS system used (Dentally, Pabau, Curve Dental, etc.)
Your username and password (hashed, never plain text)

Patient Information Processed During Call Recording:

Caller name (if provided)
Caller phone number
Call date and time
Call duration
Call recording (audio file, encrypted)
Caller-provided information (reason for call, preferred appointment time, chief complaint, insurance details, medical history)
AI-captured notes (clinic-specific details extracted from call)

Billing & Payment Information:

Name on payment method
Billing address
Payment card type and last 4 digits
Invoice history
Subscription tier and renewal dates
Payment processing is handled by Stripe; we do not store full card details

Communications:

Support emails and chat messages
Feedback and feature requests
Complaint correspondence
Call transcripts (optional, if you request them)

2.2 Information We Collect Automatically (Unsolicited)

Device type and operating system
Browser type
Pages visited and time on page
Clicks and interactions
Referral source (how you found us)
Geographic location (approximate, via IP)
Dashboard login/logout timestamps
Feature usage metrics (which clinic tools you use most)

Call System Data:

Call attempt timestamp
Call answered/unanswered
Call duration
Call queue position
AI confidence scores for responses
Patient hold time

Cookies & Similar Technologies:

Session cookies (for authentication)
Analytics cookies (Google Analytics 4)
Marketing cookies (Google Ads, Facebook Pixel)
Functional cookies (remembering your preferences)

See our Cookie Policy for details.

2.3 Information from Third Parties

We may receive information from:

Your PMS provider (Dentally, Pabau, Curve Dental—if you authorize integration)
Payment processor (Stripe payment verification)
Analytics provider (Google—aggregated usage data)
Chat support platform (Intercom—customer interactions)
Email provider (delivery and open rates)

3. How We Collect Your Information

3.1 Collection Methods

Data TypeCollection MethodTimingWebsiteWebsite registration formWhen you sign upEmailCommunications & support requestsWhen you contact usAutomated logsSystem events, errorsContinuous (backend)Payment processorBilling informationDuring purchase/renewalThird-party integrationPatient/clinic dataWhen connected to PMS

3.2 Consent for Collection & 3.2A IVR Recording Consent Message

Exact Script – ENGLISH VERSION:

"Thank you for calling [Clinic Name]. This call may be recorded for quality, training, and appointment scheduling purposes. If you consent to recording, please say Yes or press 1. If you do not consent, say No or press 2. Your consent is optional and will not affect your service."

SPANISH VERSION (if applicable):

"Gracias por llamar a [Nombre Clínica]. Esta llamada puede ser grabada para propósitos de calidad, capacitación y programación de citas. Si consiente la grabación, diga Sí o presione 1. Si no consiente, diga No o presione 2. Su consentimiento es opcional y no afectará su servicio."

Handling of Responses:

If patient consents (YES/1): Recording starts; consent logged with timestamp
If patient declines (NO/2): No recording; conversation proceeds in-memory only
If patient presses nothing: System repeats prompt (max 3 attempts), then defaults to NO

4. Why We Collect & Use Your Information (Legal Basis)

4.1 Lawful Basis for Processing

BasisUsesAPP 6 - Contractual PerformanceTo deliver the Service (answer calls, record, schedule appointments); to bill and manage your subscription; to provide customer support; to handle disputes and refundsLegitimate Business InterestTo improve our AI models (using anonymized data); to conduct system security and fraud prevention; to analyze usage trends and optimize performance; to develop new features; to ensure legal complianceLegal ObligationTo comply with Australian Privacy Act 1988; to meet Notifiable Data Breaches Scheme requirements; to assist law enforcement (with proper legal process); to meet tax and accounting obligationsExplicit ConsentFor marketing communications (newsletters, product updates); for testimonials or case studies (with your permission); for retargeting ads across web platforms

5. Who We Share Your Information With

5.1 Data Sharing Principle of Minimum Necessary

Service Providers (Data Processors):

VendorPurposeData SharedLocationDPA StatusAWSAmazon Cloud hosting, storage, backupsAll encrypted clinic/call dataSydney (ap-southeast-2)SignedStripePayment processingCard data (last 4 digits only), billing addressUS / AUSignedTwilioVoice API SMS deliveryPatient phone numbers, calls only, SMS contentAU-1 (Sydney)SignedGoogle Cloud (Vertex AI)Gemini LLM, conversation processingCall transcriptions, appointment detailsaustralia-southeast1 (Sydney)CoveredAzureCognitive Services, Text-to-SpeechTranscriptions (streaming only, not stored)australia-east (Sydney)CoveredCellcastSMS confirmations, appointment remindersPhone numbers, clinic name, appointment datetimeAustralia (multi-region)SignedGoogle Analytics 4Usage analyticsAnonymized visit data (no personal info)USSignedIntercomCustomer support chatSupport messages, email, chat transcriptsUS / AUSignedSendGridEmail deliveryClinic email address only (no patient data)US / AUSigned

All vendors have signed Data Processing Agreements (DPAs) binding them to:

Maintain confidentiality
Implement security measures equivalent to ours
Comply with GDPR standards (even though Australia is not GDPR jurisdiction, we contractually enforce GDPR-level standards)
Notify us of breaches within 24 hours
Delete or return data upon contract termination

5.2 Your PMS Integration

When you connect your PMS (Practice Management System), you authorize:

Data flowing OUT (TransferToAI → Your PMS):

Patient name (first, last)
Phone number
Appointment datetime
Service type booked
Special requests (captured by AI)
Appointment status (confirmed, cancelled, no-show)

Data flowing IN (Your PMS → TransferToAI):

Business hours (so AI doesn't book outside hours)
Available services & pricing
Dentist schedules (who's available when)
Break schedules (clinic closures)
Previous appointment history (read-only)
Patient notes (allergies, medical conditions)
Contact preferences (SMS vs. email)

Supported PMS Providers:

Dentally (contact@dentally.io)
Pabau (support@pabau.com)
Curve Dental (support@curvedental.com)
Open Dental (support@opendental.com)
Other integrations on request

YOU are responsible for:

Maintaining confidentiality
Implementing security measures equivalent to ours
Authorizing the connection (via secure OAuth API)
TransferToAI is NOT liable for your PMS provider's data practices

5.3 Legal Disclosure

We MAY disclose your information when legally required:

Law Enforcement: With valid court order, warrant, or subpoena
Regulatory Authorities: OAIC (Office of Australian Information Commissioner), Dental Board of Australia, ACMA (Australian Communications Media Authority)
Legal Proceedings: If sued or involved in litigation
Public Safety: If necessary to prevent imminent harm or death
Notifiable Data Breaches: If required to notify parties affected by breach

5.4 Aggregate & Anonymized Data

We MAY share anonymized, aggregated data for:

Industry benchmarking reports (e.g., "Average Australian clinics answer 78% of after-hours calls")
Academic research (no identifiable clinic info)
Marketing materials (e.g., "Over 500 Australian dental clinics use TransferToAI")

This data is NEVER identifiable to your clinic and contains NO patient information.

5.5 Business Transfers

If TransferToAI is acquired, merged, or goes into receivership:

All patient call recordings and sensitive clinic data remain in Australia
Data NEVER leaves Australia without explicit authorization
You will be notified of the change and your privacy rights
You will have 30 days to request data deletion

6. International Data Transfers

6.1 Data Residency – Australia-First Policy

Call recordings: AWS Sydney (ap-southeast-2)
Clinic account data: AWS Sydney
Backups: AWS Sydney region only
Database: PostgreSQL in Sydney

6.2 Third-Party Vendors in US

Your clinic data in US vendors is ONLY:

Payment card data (minimal, last 4 digits)
Email addresses (no patient info)
Anonymized usage analytics

Patient call recordings (personal identifiable information) STAY IN SYDNEY.

Under Australian Privacy Act, you have the right to:

Know which of your data is transferred internationally
Request that data remain in Australia (we will honor this)
Request return or deletion of data from US vendors
Contact the OAIC if concerned about overseas disclosure

6.3 US Vendors' Security Standards

Data stored in US under encryption (AES-256)
Compliance with GDPR standards (even though not required for Australia)
No transfer to countries outside US/EU without your consent
Notification of government data requests within 24 hours

7. Data Security & Encryption

7.1 Technical Security Controls

Encryption at Rest:

DataStorageEncryptionPatient call recordingsAES-256 encryptionAuthenticated encryptionClinic account dataAES-256 encryptionAuthenticated encryptionBackupsAES-256 encryptionAuthenticated encryptionDatabase passwordsBcrypt hashing (12 rounds)Non-reversibleAPI keysAWS Secrets ManagerEncrypted storage

Encryption in Transit:

All website traffic: TLS 1.3 HTTPS
All API communication: TLS 1.3
No unencrypted data transmission allowed
Perfect Forward Secrecy enabled (ephemeral keys)
OCSP stapling for certificate validation

Encryption Standards:

Algorithm: AES-256-GCM (Galois Counter Mode) - authenticated encryption
Key rotation: Annual, with versioning
Session keys: Ephemeral (discarded post-call)
FIPS 140-2 Level 2 equivalent: Military-grade encryption

7.2 Infrastructure Security

Firewalls: AWS Security Groups with port whitelisting (HTTPS only)
Access Control: Role-based access control (RBAC); clinic staff access only own clinic data
Penetration Testing: Monthly by independent security firm
Breach Response: Immediate containment, forensic analysis, notification within 24-48 hours

7.3 Physical Security

AWS data centers: ISO 27001 certified
Biometric access controls to server facilities
24/7 surveillance and security personnel
Redundant power supplies and cooling systems

8. Data Retention & Deletion

8.1 Data Retention by Subscription Tier

Data TypeStarter (30 days)Professional (90 days)Enterprise (180 days)Call Recordings30 days90 days180 daysTranscriptions30 days90 days180 daysCall Metadata12 months24 months36 monthsConsent Logs30 days post-expiry30 days post-expiry30 days post-expiry

Deletion Method: DELETE WHERE createdat > NOW() - retention_days (automated daily job at 02:00 UTC / 10:00 AEST)

8.2 Your Right to Data Deletion

Upon deletion:

All clinic account information permanently removed
All call recordings permanently deleted
All patient data purged
Anonymized analytics retained (cannot identify your clinic)
Backup copies deleted after 30-day disaster recovery window

Exception: Data may be retained if legally required (tax, legal proceedings, regulatory compliance). We will inform you of any data we must retain and why.

8.2A Consent Logs Database Schema

Auditable Evidence:

Column NameData TypePurposecallidUUIDUnique call identifier (TTAI-2025-XXXXX)clinicidUUIDClinic requesting recordingconsentgivenBOOLEANTRUE if patient consented, FALSE if notconsentmethodENUMHow consent captured (DTMF pressed 1, speech said yes, manual admin override)timestampDATETIMEExact time (UTC+10 AEST) consent recordedconsentexpiryDATETIMEExpiry date timestamp (30 days)recordingurlTEXTS3 path where recording stored (if consentTRUE)ipaddressINETCaller IP for audit trailclinictimezoneTEXTClinic timezone for compliance audit

Retention: Consent logs retained for 30 days post-expiry, then encrypted deletion
Encryption: All rows encrypted AES-256 at rest
Access Control: Audit-logged RBAC; only clinic admin & TransferToAI legal can access
Immutability: Logs are append-only; no modification/deletion allowed (tamper-proof)

8.3 Data Retention After Trial Expiry

When your 14-day trial expires without converting to paid subscription:

All trial data (call recordings, clinic info) deleted after 30 days
No backup copies retained
Anonymized analytics discarded

9. Your Rights Under Australian Privacy Law

9.1 Your Privacy Rights

RightDetailsRight to Access (APP 12)Request a copy of all personal information we hold about you or your clinic (including clinic account data, call recordings, analytics); provided in readable format (PDF, CSV, JSON); email privacy@transfertoai.com.auRight to Correction (APP 13)Request correction of inaccurate or incomplete information; we will update within 30 days or notify you if we disagree; well notify third parties where practicableRight to DeletionRequest deletion of your data (see Section 8.2 above); we may refuse if legally required to retain; well notify you of any data we retain and whyRight to Opt-Out (Marketing)Unsubscribe from marketing emails anytime (click unsubscribe link at bottom of email); immediate opt-out within 24 hours; youll still receive service notificationsRight to Know Our Privacy PracticesThis policy is publicly available; provided in clear, plain language; updated whenever practices change

9.2 Sensitive Information Protection

We protect health information by:

Encrypting with highest encryption standard
Limiting staff access to minimum necessary
NOT using for marketing or secondary purposes
Obtaining explicit consent for any unusual use

We do NOT collect biometric data (fingerprints, facial recognition, etc.).

10. Cookie Policy & Tracking

Summary:

Essential Cookies (Required): trialsessionid, clinicdashboardauth, securitycsrftoken
Analytics Cookies (Voluntary): ga, gaXXXXXXXXXX, fbq
Marketing Cookies (Voluntary): googleads, facebookpixel
Your Cookie Rights: You can disable marketing cookies via our banner (appears on first visit) or browser settings; Google Analytics opt-out: https://tools.google.com/dlpage/gaoptout; our system honors Do Not Track browser signals

For detailed information on cookies, see our separate COOKIE POLICY at www.transfertoai.com/cookies

11. Contact & Complaints Process

11.1 Privacy Questions or Requests

Contact Method 1 – Email (Recommended):

Email: privacy@transfertoai.com.au
Subject line: "Privacy Request [Your Clinic Name]"
Include: Clinic name, account email, nature of request
Response time: Within 10 business days

Contact Method 2 – Phone:

Phone: 0468 854 357
Hours: Monday - Friday, 9 AM - 5 PM AEST
Leave message with callback number

Contact Method 3 – Mail:

TransferToAI Pty Ltd
Brisbane, Queensland, Australia
Attn: Privacy Officer
Include: Return address for response

11.2 Complaint Resolution Process

We acknowledge receipt within 2 business days
We investigate thoroughly
We provide written response within 14 days (or explain delay)
If resolved, no further action needed
If unsatisfied, request escalation to Privacy Officer (different staff member reviews decision)
We provide written response within 14 days

If unsatisfied with our response, you may complain to OAIC:

Email: enquiries@oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5218, Sydney NSW 2001

12. Changes to This Policy

We may update this Privacy Policy to reflect:

Changes to Australian Privacy Law
Changes to our data practices
New security measures or technologies
New third-party integrations
Organizational changes or acquisitions

For material changes (e.g., new data sharing, retention changes):

We will email notification to your clinic email address
Changes effective after 30-day notice period
You may request account deletion if you disagree

Updates published on our website with "Last Updated" date above. Continued use of the Service after 30-day notice constitutes acceptance of updated Privacy Policy.

13. Additional Compliance Frameworks

13.1 GDPR-Like Standards (Even Though Not Legally Required)

Data minimization: Collect only necessary data
Purpose limitation: Use only for stated purposes
Storage limitation: Delete when no longer needed
Integrity & confidentiality: Security (encryption)
Accountability: Audit trails, transparency

13.2 AHPRA-Aligned Healthcare Compliance

TransferToAI is an ADMINISTRATIVE ASSISTANT, not a medical device.

Important Disclaimer:

We do NOT provide medical diagnoses
We do NOT recommend treatments or medications
We do NOT replace professional dental judgment
We do NOT store Protected Health Information (PHI) beyond appointment metadata
We do NOT make clinical decisions

Clinical decision-making remains solely your responsibility. We are administrative-only.

We comply with:

Australian Healthcare Practitioner Regulation Agency (AHPRA) Standards
Advertising Code of Conduct (no false/misleading claims)
Patient information handling practices
Professional conduct requirements (for dental practitioners)
Record keeping standards
Australian Privacy Principles (APPs 1-13)

13.3 HIPAA-Aware Design

While HIPAA (Health Insurance Portability and Accountability Act, USA) does not apply in Australia, TransferToAI has architected our system with HIPAA privacy principles in mind.

Why HIPAA-Aware Matters:

Enterprise healthcare procurement often requests HIPAA awareness
Australian Privacy Principles exceed HIPAA minimums in many areas
Future regulatory preparedness if TransferToAI expands internationally
Security posture alignment with global healthcare standards

HIPAA Principles We Implement:

Minimum Necessary Rule – We collect only data necessary for appointment scheduling
Confidentiality, Integrity, Availability (CIA Triad) – Encryption, audit logs, backups
Administrative, Physical, Technical Safeguards – Employee training, facility security, firewalls
Breach Notification – We exceed HIPAA timelines (HIPAA 60 days; Australian NDB 30 days; TransferToAI 24h to clinic, 72h to regulator)

HIPAA Requirements TransferToAI implements:

Name required, phone required, appointment datetime required, service type required
Medical diagnosis: NEVER collected
Insurance information: NEVER collected
Social security numbers: NEVER collected

Summary of Key Points

✅ Your data is YOUR property. You retain ownership of clinic and patient data.
✅ We only process data to deliver the Service. No selling to third parties; no use for other purposes without consent.
✅ Data stays in Australia. Call recordings and clinic data hosted in Sydney (AWS ap-southeast-2).
✅ Encrypted end-to-end. AES-256 encryption at rest; TLS 1.3 in transit.
✅ You control access. Only your clinic staff can access your data (role-based controls).
✅ You can request access, correction, or deletion. Your privacy rights are protected.
✅ We comply with Australian Privacy Act 1988. All Australian Privacy Principles (APPs) followed.
✅ Breach notification within 30 days. If something happens, we tell you and OAIC.
✅ Service providers bound by DPA. All vendors contractually obligated to protect data.
✅ Your privacy is our responsibility. If you have any questions or concerns, please contact us immediately.

Last Updated: November 3, 2025
Jurisdiction: Australia, Queensland
Next Review Date: November 3, 2026

Privacy Officer: privacy@transfertoai.com.au | Phone: 0468 854 357