Call Cleo – Privacy Policy

Effective date: 01/01/2026

Purpose & Scope

This Privacy Policy explains how Call Cleo Pty Ltd ("Call Cleo", "we", "us", "our") collects, uses, discloses and protects personal information. It is designed to:

  • Maintain transparency about our data handling practices;
  • Help individuals understand their privacy rights;
  • Support compliance with the Australian Privacy Principles (APPs) (including the Information Privacy Principles);
  • Build trust with allied health clinics (our customers) and their patients.

Who this applies to

  • Customers: Allied health clinics and their staff who use our Service;
  • End Users/Patients: Individuals who interact with our AI receptionist (e.g., via phone calls) on behalf of a Clinic;
  • Online Users: Visitors to our websites and apps;
  • Partners: Business partners and vendors.

Processor role: For Patient data handled through our Service, the Clinic is the data controller (or equivalent) and Call Cleo acts as data processor, processing personal information only on the Clinic's documented instructions. Clinics are responsible for obtaining any required notices and consents from Patients.

Our Service

Call Cleo provides an AI-powered receptionist and scheduling assistant for allied health clinics. Depending on configuration, the Service can answer/place calls, triage, transcribe conversations, capture messages, and create/manage appointments using integrations (e.g., Cliniko, Nookal, Halaxy, optionally other practice platforms). Telephony and real-time media may be provided by third-party carriers and real-time communications providers (e.g., LiveKit, and in some configurations carriers such as Twilio).

Types of Personal Information We Collect

We may collect the following categories, depending on your relationship with us and configuration:

Customer-Provided & Processed Data (B2B)

  • Business Information: Clinic name, address, phone, website, practice management identifiers;
  • Staff/Authorised Users: Names, roles, emails, phone numbers; user account preferences;
  • Integrations: API keys/tokens and configuration (e.g., practice management connection details);
  • Billing: Payment method details (processed through a payment processor), ABN, invoices, transaction records.

End User / Patient Data (processed on behalf of Clinics)

  • Call Data: Caller ID, call metadata (start/end time, duration), optional call recordings* and transcriptions*;
  • Appointment Data: Names, contact details, practitioner/service preferences, appointment time/location, notes;
  • Content of communications with or via the Service.

* See Retention and Ephemeral Processing below.

Automatically Collected Data (Online Users & Platform)

  • Device/Technical: IP address, device type, OS, browser, language, time zone, approximate location;
  • Usage/Log: Authentication events, feature usage, diagnostics, crash/error logs, security logs;
  • Cookie/Similar: As described under Cookies.

We do not seek to collect more sensitive information than is necessary for the Service. Clinics should avoid providing unrelated health or sensitive data. Where sensitive information (e.g., health information) is unavoidably processed (such as to schedule appointments), we handle it with additional safeguards.

How We Collect Personal Information

We collect personal information:

  • Directly from you (phone, email, web, forms, support requests);
  • Via our Service during calls/interactions with the AI receptionist;
  • From Clinics (e.g., appointment information from a practice management system);
  • From service providers that support the Service (e.g., telephony carriers, RTC platforms);
  • Via cookies, analytics and similar technologies when you use our websites/apps;
  • From publicly available sources as permitted by law.

Cookies & Similar Technologies

We use cookies and similar technologies to operate our site, remember settings, secure accounts, and understand usage.

Types

  • Essential cookies (authentication, security, preferences). Required for the site to function;
  • Analytics cookies (e.g., usage analytics). Used to improve performance and features;
  • Functionality cookies (remember choices/settings).

Managing preferences: You can control cookies via your browser settings. Blocking essential cookies may impact site functionality. Where local law requires consent, we will only set non-essential cookies after you opt in.

For assistance, contact support@callcleo.app.

Purposes of Use

We use personal information for:

Service Delivery & Operations

  • Provide, operate and maintain the Service;
  • Account creation/management and user authentication;
  • Scheduling, call handling and message intake per Clinic configuration;
  • Integrations with Clinic systems (e.g., Cliniko) and communications platforms;
  • Fraud prevention, security monitoring, troubleshooting, and service quality;
  • Usage analytics and product improvement.

Communications & Business Admin

  • Respond to enquiries and support requests;
  • Send operational notices (service updates, security alerts, changes to terms);
  • Billing, invoicing and payment processing;
  • Marketing communications where permitted by law and/or with consent (you may opt-out at any time).

Legal & Compliance

  • Comply with laws, regulatory requests and lawful orders;
  • Enforce our agreements and protect our rights, users, and the public.

Legal Basis (Australia)

Under Australian law (APPs), we collect, use and disclose personal information for:

  • Primary purpose for which it was collected (e.g., delivering and supporting the Service, payments and account administration);
  • Directly related secondary purposes that you would reasonably expect;
  • With consent, including for direct marketing and any non-essential cookies (you may withdraw consent at any time);
  • Required or authorised by law, including record-keeping, tax/audit and responding to lawful requests.

For Patient data handled on behalf of Clinics, the Clinic determines the applicable legal basis and is responsible for obtaining and managing required notices and consents.

Disclosures to Third Parties

We disclose personal information only as necessary for the purposes above, with consent, or as permitted by law. Typical recipients include:

  • Employees/contractors/related entities under confidentiality obligations;
  • IT and infrastructure providers (e.g., hosting, data storage, real-time communications);
  • Practice management platforms and other systems you connect (e.g., Cliniko, Nookal, Halaxy);
  • Payment processors (e.g., Stripe);
  • Messaging and telephony providers (e.g., carriers, ClickSend for SMS if enabled);
  • Analytics/quality providers (platform analytics, error tracking);
  • Professional advisers, auditors, insurers and insurance brokers;
  • Agents/partners involved in service delivery;
  • Prospective buyers and their advisers in connection with a merger, acquisition or asset sale;
  • Courts, tribunals, regulators and law enforcement where required or authorised by law;
  • Debt collection and recovery services for unpaid invoices, where lawful.

We will only disclose sensitive information (e.g., health information) with consent or where otherwise permitted by law.

Overseas Disclosure & Cross-Border Transfers

We primarily store and process data in Australia. Some third-party providers may process data in other countries. When we disclose personal information overseas, we take reasonable steps to ensure the recipient will handle it in a way that is consistent with this Policy and the APPs (e.g., contractual and technical safeguards). For Australian residents, any overseas disclosure complies with APP 8.

Sub-processors and Key Service Providers

We use carefully selected providers under written contracts with confidentiality and security obligations. Depending on your configuration, these may include: Twilio, LiveKit, OpenAI, Anthropic and ClickSend.

A current list of sub-processors will be maintained and made available on request. We will provide notice of material changes as required by the DPA.

Retention

We aim to collect and retain only what we need.

  • Default (Ephemeral): By default, Call Cleo processes call audio and transcripts ephemerally and does not retain them beyond transient processing required to provide the Service.
  • Optional configurable retention: If a Clinic explicitly enables retention in writing, we will retain recordings/transcripts for quality assurance, dispute resolution and feature delivery, then delete or de-identify them unless longer retention is required by law. This option can be disabled at any time.
  • PII Redaction: Where requested, Call Cleo can redact any PII, enabling secure, privacy-based retention.
  • Account & Billing Data: For the life of the account plus 30–90 days after termination, or longer if required for tax, audit and legal purposes (e.g., up to 7 years in Australia).
  • Operational Logs: Typically 90 days unless a longer period is required for security, debugging or legal compliance.

Once the relevant retention period expires, we will delete or de-identify the data. If deletion is requested during an active retention window, we will action it subject to technical feasibility and legal obligations.

Your Rights & Choices

Your privacy rights depend on your location and applicable law.

All users are protected under the Australian Privacy Principles (APPs)

  • Access: You may request access to personal information we hold about you;
  • Correction: You may request we correct inaccurate, outdated or incomplete information;
  • Opt-out of marketing: Use unsubscribe links or contact us to opt-out;
  • Complaints: See Complaints below.

How to exercise rights

  • Clinic customers: Use your in-product settings or contact us at support@callcleo.app;
  • Patients/End Users: Please contact your Clinic directly (data controller). If we receive your request, we may notify the Clinic and assist them as appropriate.

An administrative fee may apply for complex or manifestly unfounded/excessive requests where permitted by law. We will respond within 30 days or as required by law.

Security

We use technical and organisational measures appropriate to the risk, including:

  • AES-256 encryption in transit and at rest (for stored data);
  • Role-based access controls for staff accounts;
  • Network security, rate-limiting and monitoring;
  • Secure development and code review practices;
  • Vendor due diligence and appropriate data processing agreements and contractual safeguards with providers;
  • Documented incident response procedures and staff security training.

While we work hard to protect personal information, transmission over the internet is not entirely secure and any transmission is at your own risk.

Links to Other Websites

Our website may contain links to third-party websites. We are not responsible for the privacy or security of those sites. This Policy does not apply to third-party websites and services. Please review their privacy policies.

Amendments

We may update this Policy at any time. Material changes will be notified at least 30 days before they take effect (e.g., by email or in-product notice). Minor updates will be posted on our website. We recommend checking this page periodically to stay informed.

Complaints & Contact

If you have questions, requests or concerns about privacy:

Privacy Officer – Call Cleo Pty Ltd (ABN: 89 687 045 870)

Support: support@callcleo.app

Postal: 253-255 David Low Way, Peregian Beach QLD 4573

We will acknowledge complaints within 2 business days and aim to resolve them within 30 days.

If you are not satisfied, you may contact your local data protection authority:
Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au