Privacy Policy
Last updated: 21 April 2026.
This policy explains how VoxQuote collects, uses, shares and protects personal information. We follow the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth).
1. Who this applies to
This policy applies to the tradespeople and businesses who sign up for VoxQuote (our “users”) and the customers they quote (“end customers”).
2. What we collect
- Account data — your email, password (hashed), business name, ABN, phone, business address, logo.
- Quote data — customer names, phone numbers, email addresses, site addresses, job descriptions, line items, prices, and the status and signatures for accepted quotes. Also: audio recordings, transcripts when you dictate a quote, and photos you attach.
- Voice biometric data — raw audio captured when you record a dictation. This is deleted from our storage immediately after the quote is extracted; we never retain audio beyond a single request. We do not perform speaker-identification, voice-printing, or voice biometric matching.
- Billing data — handled by Stripe. We store only a reference ID; we never see or store card numbers. Payments are PCI-DSS compliant via Stripe's SAQ A-EP scope.
- Usage data — IP address, user agent, and event logs for security and debugging (kept up to 90 days).
- Consent records — the timestamp at which you ticked the voice-recording consent box at signup or onboarding. Retained for the life of your account plus 2 years as evidence of APP 3 consent.
3. Why we collect it
- To deliver the Service — recording, transcribing, drafting, sending quotes.
- To notify your customers of quotes via email and SMS.
- To bill you and provide support.
- To keep the Service secure and prevent misuse.
- To improve the Service (in aggregated, de-identified form).
4. Who we share it with
Only these sub-processors, acting on our instructions:
- Supabase — database and authentication (hosted in Asia-Pacific).
- Groq — audio transcription (transcripts are not retained for training by Groq).
- OpenRouter / OpenAI — structured quote extraction from transcripts.
- Resend — transactional email delivery.
- Twilio — SMS (and optional WhatsApp) delivery.
- Stripe — payment processing.
- Vercel — application hosting and edge caching.
We do not sell your personal information. We do not share personal information for advertising.
5. Where the data is stored
Primarily in Australian and other Asia-Pacific data centres operated by the sub-processors above. AI transcription and extraction may be processed in the United States. The major sub-processors (Supabase, Stripe, Twilio, Vercel, OpenAI, Resend) publish SOC 2 and/or ISO 27001 attestations on their public compliance pages; we link to those in the in-app sub-processor list and review them annually. Smaller AI providers (currently Groq, OpenRouter) may not yet hold formal certifications — they're used solely as the transcription / extraction backbone and we'll swap them out if their compliance posture regresses.
Cross-border disclosure to the United States complies with APP 8.1 (Australian Privacy Principle 8): your express consent at signup authorises the disclosure for the disclosed purpose (voice transcription and structured-quote extraction) and only to the sub-processors named above.
6. How long we keep it
- Account and quote data — for as long as your account is active.
- After you delete your account, we purge personal data within 30 days, except where the law requires us to retain it longer (e.g. tax records for 5 years under the ATO's record-keeping requirements).
- Audit and security logs — up to 90 days.
7. Your rights
You can, at any time:
- Access and export your data from Settings → Billing → Export.
- Correct data directly in the app.
- Delete your account and associated data (see retention above).
- Ask us questions by emailing privacy@voxquote.com.au.
If you believe we have breached your privacy rights, you can complain to us. If not satisfied, you can complain to the Office of the Australian Information Commissioner at oaic.gov.au.
8. Customers your users upload to VoxQuote
If you are an end customer whose details appear in VoxQuote because a tradesperson sent you a quote, the tradesperson is the primary controller of those details. To have them corrected or removed, contact the tradesperson who sent the quote. We will assist them on request.
9. Cookies & similar technologies
We use a small number of cookies strictly necessary for authentication (Supabase auth cookies), and the browser's localStorage for theme and UI preferences. We do not use advertising or cross-site tracking cookies.
Analytics: we use Vercel Analytics and Vercel Speed Insights to measure page-view counts and Core Web Vitals (page performance — LCP, INP, CLS, FCP, TTFB). These services are cookie-free and do not collect any personally identifying information. The data is transmitted only to Vercel (already our hosting sub-processor) and is retained in aggregate form.
10. Security
We use industry-standard security measures:
- Encryption in transit (TLS) and at rest.
- Row-level security on every data table.
- Separate service-role credentials, rotated regularly.
- Stripe-managed payment details (PCI-DSS).
- Strict content-security-policy and HSTS headers.
11. Notifiable Data Breaches scheme
We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. If an eligible data breach occurs (one likely to result in serious harm to affected individuals), we will:
- Investigate and contain the breach within 72 hours of becoming aware of it.
- Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable, and in any event within 30 days of becoming aware.
- Publish a statement that includes the kinds of information involved, the nature of the breach, and the steps individuals should take.
12. Overseas disclosure (APP 8)
When we send your personal information offshore (for example, to OpenAI or Groq servers in the United States for AI transcription and extraction) we take reasonable steps to ensure the recipient does not breach the APPs. Our overseas sub-processors are bound by written data-processing agreements including GDPR-compatible Standard Contractual Clauses. You consent to this overseas disclosure by ticking the voice-recording consent box.
13. Consent withdrawal
You may withdraw your consent to voice processing at any time via Settings → Privacy. Withdrawing consent disables the voice-quote feature but does not affect historical quotes already created.
14. Anonymity & pseudonymity (APP 2)
The nature of quoting and invoicing requires real identifying details (ABN, business name on tax invoices). Anonymous use is not practicable. End customers may be quoted under a pseudonym if you choose to capture one.
15. Children
The Service is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided information to us, contact us and we'll delete it.
16. Direct marketing (APP 7)
We do not use your personal information for direct marketing except the Service's own transactional and account notifications (e.g. billing, trial reminders). We will never sell or rent your contact details.
17. Changes
When we update this policy we'll bump the “Last updated” date and, if the change is material, notify you by email and in-app at least 14 days in advance.
18. Contact
Privacy Officer — privacy@voxquote.com.au.
Office of the Australian Information Commissioner (OAIC) — 1300 363 992 — oaic.gov.au.