Skip to main content

Privacy Policy

Last updated: May 2026

1. Overview

Vervox AI (“Vervox”, “we”, “us”, “our”) is operated by The Trustee for Vithon Holdings Trust (ABN 96 894 762 787), trading as Vervox, registered in Victoria, Australia. This Privacy Policy explains how we collect, use, store, and protect your information when you use our AI phone receptionist service and website at vervox.ai.

2. Information We Collect

We collect the following types of information:

  • Account information: Your name, email address, phone number, business name, and industry when you sign up.
  • Call data: Inbound caller phone numbers, call duration, call recordings, and AI-generated transcripts.
  • Lead data: Information collected from callers by our AI, including their name, phone number, reason for calling, location, and urgency level.
  • Usage data: How you interact with our dashboard, features used, and performance metrics.
  • Payment information: Processed securely by Stripe. We do not store your credit card details.

3. How We Use Your Information

  • To provide and improve our AI phone receptionist service
  • To send you lead notifications via SMS and email
  • To process payments and manage your subscription
  • To communicate service updates, outage notifications, and support responses
  • To analyse aggregated usage patterns to improve our service (anonymised)
  • To comply with legal obligations

4. Call Recordings & Transcripts

Call recordings are stored securely in encrypted AWS S3 buckets in the ap-southeast-2 (Sydney) region. Recordings are retained for the lifetime of your account. You can delete individual recordings from your dashboard at any time. When you close your account (Settings → Account → Delete account), our purge job removes every call audio file, transcript and associated lead record from primary storage; you can also email us at support@vervox.ai to request earlier deletion of specific recordings or your full account.

Every call answered by Vervox opens with a recording disclosure before any private content is exchanged. The disclosure wording is locked on at the policy layer and is chosen to satisfy the strictest two-party-consent states (VIC, WA, SA). Tenants can customise the wording from settings; they cannot turn the disclosure off.

5. Data Sharing & Subprocessors

We do not sell your data. We share data with the following subprocessors to operate the service. Where a provider is based outside Australia, the relevant data crosses the Australian border for processing under that provider’s contractual safeguards.

  • Twilio (United States): Telephony for inbound calls and outbound SMS. Call audio is routed via Twilio’s edge before reaching our servers.
  • Deepgram (United States): Speech-to-text on legacy voice paths. Caller audio is sent for real-time transcription.
  • Cartesia (United States): Text-to-speech on legacy voice paths. Synthesised audio is generated from agent responses.
  • Google — Gemini Live (multi-region, may include United States): Audio-native language model used on the conversational voice path. Caller audio and transcripts may be processed outside Australia.
  • OpenAI / Anthropic (United States, optional): Language models used on selected legacy voice paths and for the in-product support chat. Conversation transcripts are processed outside Australia.
  • Stripe (United States): Payment processing. Card details are tokenised by Stripe and never touch our servers.
  • Amazon Web Services — AWS Sydney, ap-southeast-2 (Australia): Cloud infrastructure hosting. Call recordings, transcripts, leads, and customer records are stored in Sydney.
  • SendGrid — Twilio Inc. (United States): Default transactional email delivery (lead notifications, trial reminders, billing receipts, daily summaries, account emails). Recipient address, message subject and body are processed by SendGrid in the US. Lead-notification bodies contain caller name, phone number, suburb and call summary.
  • Amazon SES (United States or Australia): Failover and alternative transactional email provider, selectable by the operator. Headers and message bodies are processed by AWS infrastructure in the configured region.
  • Plausible Analytics (European Union): Privacy-friendly, cookieless website analytics for the marketing site (vervox.ai). Aggregates anonymous traffic counts, referrers, and page views; sets no cookies and does not track individuals across sites.
  • Google Analytics 4 — Google LLC (United States): Pageview, traffic-source, and campaign-attribution analytics on the public marketing site only (vervox.ai and any subdomains under the unauthenticated “(marketing)” route group). Not loaded on the authenticated dashboard at app.vervox.ai or dev.vervox.ai — we deliberately keep customer data out of Google’s analytics pipeline. Configured with IP anonymisation, Google Signals disabled, and ad-personalisation signals disabled. Marketing pageviews and referrer URLs are processed by Google in the US. Disabled by default; activated when the operator wires a measurement ID.
  • PostHog (European Union): Product analytics for the signed-in dashboard. Receives typed product events (signup-step completion, settings autosave, Smart Booking activation) keyed to your internal business id. Operated in cookieless mode; no caller PII (phone numbers, transcripts, recordings) is ever sent. EU region selected to keep data closest to AU residency commitments.

All providers are bound by their own privacy policies and data-processing agreements. We restrict each provider’s access to the minimum data required for its function, and we do not authorise any provider to use your data to train their own models.

6. Data Security

We use industry-standard security measures including encryption at rest and in transit (TLS 1.2+), AWS IAM access controls, Cognito authentication, and regular security reviews. Access to production systems is restricted to authorised personnel only.

7. Your Rights

Under the Australian Privacy Act 1988 and applicable laws, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your data and account
  • Export your lead and call data
  • Opt out of marketing communications

Account deletion and a Privacy Act §APP 12 data export of your leads, calls, transcripts and appointments are both self-serve from Settings → Account. For anything else, email us at support@vervox.ai.

8. Cookies & analytics

Our website uses essential cookies for authentication and session management on the signed-in dashboard. We do not use third-party tracking or advertising cookies.

Our analytics are cookieless. Plausible (marketing site) aggregates anonymous traffic counts without cookies or cross-site tracking. PostHog (signed-in dashboard) runs in memory-only mode keyed to your internal business id; it does not set persistent cookies and does not record screen content. Neither tool receives caller phone numbers, transcripts, or recordings.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notification. Continued use of the service constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:
support@vervox.ai
The Trustee for Vithon Holdings Trust (ABN 96 894 762 787), Melbourne, VIC, Australia