Privacy Policy
Last updated: 14 March 2026
Effective date: 7 April 2026
1. Introduction
AliceHQ.AI Limited ("AliceHQ", "we", "us", "our") is committed to protecting the privacy of individuals whose personal information we collect and process. This Privacy Policy explains how we collect, use, store, and disclose personal information in connection with the AliceHQ platform and related services ("Service").
This policy applies to:
- Customers: Businesses and individuals who subscribe to the Service
- End Users: Individuals who interact with the Service through customer-configured channels (voice calls, SMS, web chat, social messaging)
- Website Visitors: Individuals who visit alicehq.ai
We comply with the New Zealand Privacy Act 2020 and the Information Privacy Principles ("IPPs") set out in that Act.
2. Who We Are
AliceHQ.AI Limited
New Zealand Company
NZBN: 94-29053397188
Unit 6, 440 Barbadoes Street, Edgeware, Christchurch 8013, New Zealand
Email: privacy@alicehq.ai
Website: alicehq.ai
Our Privacy Officer can be contacted at privacy@alicehq.ai.
3. Information We Collect
3.1 Customer Information
When you create an account and subscribe to the Service, we collect:
- Name, email address, phone number
- Business name and address
- Billing information (processed by Stripe — we do not store full payment card numbers)
- Account preferences and configuration settings
3.1a Free Call Audit (Trades)
When you sign up for the free 30-day call audit programme, we additionally collect:
- NZ mobile phone number (used to provision your dedicated audit number)
- Business name
- Consent timestamp (date and time you agreed to these terms)
- UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term) — used solely to measure which marketing channel referred you; never shared or sold
3.2 End User Information
When End Users interact with the Service through your configured channels, we may collect:
- Name, phone number, email address (as provided during conversation)
- Conversation content (voice recordings, transcripts, chat messages)
- Booking details, appointment information, and other transactional data
- IP address and device information (for web chat interactions)
3.3 Automatically Collected Information
When you use the Service or visit our website, we automatically collect:
- Usage data (pages visited, features used, actions taken)
- Device information (browser type, operating system)
- IP address and approximate location
- Cookies and similar tracking technologies (see Section 9)
3.4 Information from Third-Party Integrations
When you connect third-party services (e.g., Google Calendar, CRM systems), we access information from those services as necessary to provide the Service, in accordance with the permissions you grant.
4. How We Use Information
We use personal information for the following purposes:
| Purpose | Lawful Basis (IPP) |
|---|---|
| Providing and operating the Service | Directly related to the purpose of collection (IPP 10) |
| Processing conversations and executing actions | Directly related to the purpose of collection (IPP 10) |
| Billing and account management | Directly related to the purpose of collection (IPP 10) |
| Customer support | Directly related to the purpose of collection (IPP 10) |
| Service improvement and analytics | Directly related to purpose of collection (IPP 10), using de-identified data where possible |
| Security and fraud prevention | Legal obligation and security of the Service (IPP 10(d)) |
| Communicating service updates | Directly related to customer relationship (IPP 10) |
| Complying with legal obligations | Legal obligation (IPP 10(d)) |
We do not use personal information for:
- Selling to third parties
- Advertising or marketing to End Users
- Training AI models on identifiable customer or End User data
- Profiling individuals for automated decision-making that produces legal effects
5. AI Processing
5.1 How AI Processes Data
The Service uses third-party AI language models to process conversations and generate responses. When a conversation occurs:
- The conversation content is sent to an AI model provider for processing
- The AI generates a response and may trigger actions (e.g., creating a booking)
- A receipt (audit log) of the action is created and stored
5.2 AI Model Providers
We use the following AI model providers as sub-processors:
- OpenAI — Conversation processing
- Anthropic (Claude) — Conversation processing
- Groq — Low-latency processing
Each provider has their own data processing commitments. We have reviewed their terms to ensure compatibility with the New Zealand Privacy Act 2020.
5.3 AI Data Retention by Providers
We use API configurations and contractual terms designed to prevent our AI providers from retaining conversation data for model training. Under OpenAI's and Anthropic's current API terms, customer data submitted via the API is not used for training. We review these terms periodically but cannot independently verify provider-side compliance.
5.4 Voice Processing
For voice conversations, we use:
- Twilio for telephony (call routing, recording)
- Deepgram for speech-to-text transcription of voice calls
- ElevenLabs for text-to-speech response generation
When handling a voice call, Alice announces at the start of the call that she is an AI assistant and that the call may be recorded and transcribed for quality and service purposes.
Voice recordings and transcripts are stored as part of the conversation record and are subject to the same retention policies as other Customer Data.
6. Information Sharing and Disclosure
We share personal information with:
6.1 Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure hosting, data storage | United States (us-central1) |
| Firebase (Google) | Database, authentication | United States |
| Stripe | Payment processing | United States |
| Twilio | Voice calls, SMS | United States |
| OpenAI | AI conversation processing | United States |
| Anthropic | AI conversation processing | United States |
| Groq | AI conversation processing | United States |
| ElevenLabs | Text-to-speech | United States |
| Resend | Transactional email | United States |
| ClickSend | SMS delivery (audit onboarding) | Australia |
| Deepgram | Speech-to-text transcription of voice calls | United States |
| Meta Platforms (Facebook) | Conversion tracking and advertising analytics | United States |
6.2 At Customer Direction
We share End User information with the Customer whose channels the End User interacted with, and with third-party services the Customer has connected (e.g., CRM, calendar).
6.3 Legal Requirements
We may disclose personal information if required by law, regulation, legal process, or governmental request, including to New Zealand regulatory authorities.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the successor entity, subject to the same privacy protections.
7. Cross-Border Data Transfers
Our primary infrastructure is hosted on Google Cloud Platform in the United States (us-central1 region). This means personal information collected from New Zealand individuals is transferred to and processed in the United States.
Under the New Zealand Privacy Act 2020 (IPP 12), we rely on your express authorisation for cross-border transfers. By using the Service, you acknowledge that your data will be processed in the United States, which does not have privacy protections equivalent to the NZ Privacy Act 2020. We mitigate this through contractual commitments with our sub-processors, including data processing agreements and security requirements. For End Users whose data is collected via Customer channels, Customers are responsible for providing appropriate notice.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Customer account data | Duration of subscription + 30 days |
| Conversation records (transcripts, recordings) | Duration of subscription + 30 days, or as configured by Customer |
| Billing records | 7 years (NZ tax requirements) |
| Website analytics | 26 months (anonymised) |
| Support correspondence | 2 years after resolution |
| Waitlist/marketing signups | Until unsubscribe + 30 days |
| Free call audit data (phone, business name, call recordings, UTM) | 30 days active audit + archived; deleted within 30 days of expiry unless upgraded |
After the retention period, data is permanently deleted from our systems and backups within 90 days.
Customers can request earlier deletion of their data at any time (see Section 10).
9. Cookies and Tracking
9.1 Cookies We Use
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Authentication | Session |
| Preferences | User settings | 1 year |
| Analytics (if enabled) | Usage metrics | 26 months |
9.2 Cookie Choices
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service.
Our marketing pages (such as the audit signup page) use Meta Pixel for conversion tracking, which may place third-party cookies. The Service platform itself does not use third-party advertising or tracking cookies. You can control cookie preferences through your browser settings.
10. Your Rights
Under the New Zealand Privacy Act 2020, you have the right to:
10.1 Access (IPP 6)
Request access to the personal information we hold about you. We will respond within 20 working days.
10.2 Correction (IPP 7)
Request correction of inaccurate personal information. If we decline a correction request, we will attach your requested correction as a statement to the information.
10.3 Deletion
Request deletion of your personal information, subject to our legal retention obligations (e.g., tax records).
10.4 Data Portability
Export your data through the platform's export functionality, or request a data export from us.
10.5 Complaints
If you are not satisfied with our response, you may lodge a complaint with the New Zealand Privacy Commissioner:
- Website: privacy.org.nz
- Phone: 0800 803 909
- Email: enquiries@privacy.org.nz
10.6 End User Rights
End Users may exercise their rights under the Privacy Act 2020 (including access under IPP 6 and correction under IPP 7) by contacting privacy@alicehq.ai. We will respond within 20 working days. Where we process End User data on behalf of a Customer, we will coordinate with the Customer to fulfil the request. Alternatively, End Users may contact the Customer whose channels they interacted with.
11. Security
We implement appropriate technical and organisational measures to protect personal information, including:
- Encryption in transit (TLS 1.2+) and at rest
- Access controls and authentication (Google Cloud IAM)
- Regular security assessments
- Incident response procedures
- Employee security awareness
No system is perfectly secure. In the event of a data breach that poses a risk of harm, we will notify affected individuals and the Privacy Commissioner as required by the Privacy Act 2020. We target notification to the Privacy Commissioner within 72 hours of becoming aware of a notifiable breach, and notification to affected individuals as soon as practicable thereafter.
For security concerns, contact security@alicehq.ai.
12. Children's Privacy
The Service is not directed at individuals under 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Customers of material changes via email at least 14 days in advance. The current version is always available at alicehq.ai/privacy.
14. Contact Us
For privacy-related enquiries:
AliceHQ.AI Limited
Privacy Officer
Unit 6, 440 Barbadoes Street, Edgeware, Christchurch 8013, New Zealand
Email: privacy@alicehq.ai
Website: alicehq.ai
For general enquiries: hello@alicehq.ai
For security issues: security@alicehq.ai
See also our Terms of Service.
← Back to home