1. Introduction
This privacy policy belongs to 4BTR. When we say "we," "us," or "our," we mean 4BTR. When we say "you" or "your," we mean anyone who uses our platform, visits our website, or speaks with one of our AI receptionists.
4BTR builds and operates AI-powered voice receptionists. Businesses subscribe to our platform, and their callers interact with our AI. That means we handle personal information for two groups: the businesses that subscribe, and the people who call those businesses.
This policy explains what information we collect, why, what we do with it, who sees it, and how you can exercise your rights. It has been prepared in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles, and the Surveillance Devices Act 2007 (NSW). The full list of legislation informing this policy appears in Section 19.
We will update this policy when our practices change. Updates are posted here and, for material changes, communicated directly to Subscribers. You can always find the current version on our website. The Australian Privacy Principles are published by the OAIC at www.oaic.gov.au.
2. What We Collect
The information we collect depends on who you are and how you interact with us.
If you are a Subscriber (a business using 4BTR):
- Your name, business name, ABN or ACN, email, phone number, and address.
- Account credentials and authentication data, including Google OAuth profile information (name, email, profile picture).
- Billing details, processed through Stripe. We do not store your full card number.
- Business content you upload: documents, FAQs, operating hours, and service descriptions. This is what trains your AI receptionist.
- Usage data: which features you use, how often, session durations, and system logs.
If you are a Caller (someone phoning a business that uses 4BTR):
- Your phone number and the date, time, and duration of your call.
- A recording of the conversation and a transcript generated by our speech-to-text system.
- Inferences our AI draws from the call, such as what you were calling about, whether you wanted to book an appointment, and how the call went. These inferences are treated as personal information in their own right.
If you visit our website:
We collect standard analytics: your IP address, browser and device type, pages viewed, and session behaviour. We use cookies for this (see Section 12).
We do not set out to collect sensitive information (health data, political opinions, religious beliefs, and so on). But callers sometimes volunteer sensitive details during a conversation. For instance, someone might describe a medical condition to a clinic's receptionist. When that happens, we handle it strictly: only for the purpose it was given, or with explicit consent, or as required by law.
3. How We Collect It
Most information comes directly from you: when you sign up, configure your assistant, upload documents, or make a call.
Some is collected automatically. Our systems generate call metadata, transcripts, and analytics data as part of normal operation. Our website uses cookies and similar technologies to track usage patterns.
Occasionally, we receive information from third parties: Google provides profile data through OAuth sign-in, payment processors confirm transaction details, and telephony providers supply call routing data. We do not buy personal information from data brokers.
4. Call Recording and AI Disclosure
Important
This is the section that matters most if you are a caller.
Our AI receptionists record calls. Every call answered by a 4BTR receptionist is recorded and transcribed. The recording is used to generate a transcript, log the call, and fulfil whatever the caller needs, whether that is booking an appointment, answering a question, or passing along a message.
Callers are told at the start. The Surveillance Devices Act 2007 (NSW) requires consent from all parties before recording a private conversation, and the Telecommunications (Interception and Access) Act 1979 (Cth) reinforces this at the federal level. Our AI receptionist identifies itself as an AI and states that the call is being recorded. If a caller continues the conversation, that constitutes implied consent. Anyone who does not wish to be recorded can hang up or ask to be directed elsewhere.
What our AI does during and after the call:
- Answers questions using the Subscriber's knowledge base.
- Books, changes, or cancels appointments.
- Creates leads and logs contact details.
- Generates a summary, tags the caller's intent, and scores lead quality.
Every one of those outputs is personal information. We treat it accordingly.
If a decision made by our AI meaningfully affects someone (for example, by determining whether a lead is followed up on), that person can ask us to explain the logic behind it and request a human review. Contact details are in Section 18.
5. Who Controls the Data
We operate as both a data controller and a data processor, depending on the context.
Controller: For our own operations (managing Subscriber accounts, billing, improving our platform, running marketing), we decide what data is collected and why. We are the controller.
Processor: When our AI receptionist handles a call on behalf of a Subscriber, we are processing data on that Subscriber's behalf. The Subscriber is the controller. They decide what their receptionist says, what information it collects, and how long it is kept. We provide the infrastructure.
What this means in practice: If you call a business that uses 4BTR and have questions about how that business uses your data, contact the business. If your question is about 4BTR's systems, infrastructure, or this policy, contact us.
Subscribers: by using 4BTR, you accept responsibility for ensuring your own use of our platform complies with privacy law. That includes giving your callers adequate notice about data collection.
6. Why We Use Your Information
Everything we collect serves a specific purpose.
Running the platform: Processing calls, generating transcripts, scheduling appointments, delivering knowledge base answers, provisioning phone numbers, and producing call logs.
Managing accounts: Creating accounts, authenticating users, processing payments through Stripe, sending invoices, and providing support.
Improving the product: Analysing usage to find bugs, improve AI accuracy, develop features, and make the platform faster and more reliable.
Keeping things secure: Detecting fraud, preventing abuse, investigating incidents, and meeting our obligations under the Notifiable Data Breaches scheme.
Communicating with you: Service notifications (outages, billing, feature updates) go out without requiring opt-in. Marketing messages, including emails, SMS, or calls about new features or promotions, only go out with your consent. You can opt out at any time (see Section 13).
7. Who We Share It With
Subscribers receive their callers' data. If you phone a business that uses 4BTR, that business gets your recording, transcript, contact details, and any AI-generated summary.
Service providers help us run the platform. They receive only the data necessary to perform their function and are bound by contractual obligations to protect it. See Section 8 for the full list.
Regulators and law enforcement receive data when we are legally compelled (via court order, subpoena, or a lawful government request) or when disclosure is necessary to prevent serious harm.
A future acquirer would receive data in the event of a sale or restructure, subject to this policy.
We do not sell personal information. We do not share it for third-party advertising.
8. Sharing Data with Third-Party Services
We use third-party services to operate 4BTR. Some of these services are based overseas. Under APP 8, we are required to tell you where your data goes and take reasonable steps to ensure those recipients protect it to a comparable standard.
| Provider | Location | What They Handle |
|---|---|---|
| Vapi.ai | United States | Voice AI processing, recordings, transcripts |
| Supabase | Japan (Tokyo) | Database: accounts, call logs, contacts, knowledge base |
| OpenAI | United States | Language processing for AI conversations |
| Twilio | United States | Phone number provisioning, call routing, SMS |
| Stripe | United States | Payment processing |
| Vercel | United States | Website hosting and edge functions |
| n8n | Germany (EU) | Workflow automation and API orchestration |
| Google | United States | OAuth authentication (name, email, profile picture) |
We remain legally accountable under the Privacy Act if any of these providers mishandle your data.
9. Security
We protect personal information with a combination of technical and organisational controls, as required by APP 11 and the 2024 amendments to the Privacy Act.
Technical controls include encryption in transit and at rest, multi-factor authentication, role-based access, regular vulnerability assessments, API key rotation, and secure cloud infrastructure.
Organisational controls include access logging and monitoring, incident response procedures, and a privacy-by-design approach to how we build the product.
AI-specific controls include access logging on all voice data processing, separation of training data from live personal information, and regular audits of model outputs for accuracy.
No system is perfectly secure, and we will not pretend otherwise. If you discover a security issue, report it to us immediately using the contact details in Section 18.
10. How Long We Keep It
We do not delete data on an arbitrary schedule. Retention is driven by purpose and legal obligation.
| Data | Kept Until |
|---|---|
| Call recordings | Subscriber's account is closed, or the Subscriber or caller requests deletion, whichever comes first |
| Transcripts and call logs | 12 months after the Subscriber's account closes |
| Account information | 7 years after account closure (Australian tax law) |
| Knowledge base content | 30 days after account closure |
| Payment records | 7 years (tax law) |
| Website analytics | 26 months |
| Marketing consent records | 7 years after the relationship ends |
When data reaches the end of its retention period, we permanently delete it or de-identify it beyond recovery. Electronic records are cryptographically erased where the underlying system supports it.
You can request deletion at any time. We will comply unless a legal obligation prevents it. Details are in Section 15.
11. Data Breaches
We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.
If personal information is accessed or disclosed without authorisation, and a reasonable person would consider it likely to cause serious harm, we treat it as an eligible data breach. Our process:
- Assess the breach within 30 days.
- Prepare a written statement covering what happened, what data was involved, and what steps affected individuals should take.
- Notify affected individuals directly.
- Report to the OAIC.
If we can take remedial action that eliminates the risk of serious harm, the notification obligation falls away. We err on the side of transparency regardless.
12. Cookies
Our website uses cookies. Here is what they do:
- Essential cookies keep the site working: authentication, session management, security.
- Analytics cookies tell us which pages get traffic and how people use the site.
- Functional cookies remember your preferences.
- Marketing cookies are only set with your consent. They support targeted advertising.
You can block or delete cookies through your browser settings. Blocking essential cookies will break parts of the site.
13. Marketing
We market via email, SMS, and phone. Here are the rules we follow.
Email and SMS comply with the Spam Act 2003. We send commercial messages only with consent, always identify ourselves, and always include a working unsubscribe option. Opt-out requests are processed within five business days.
Telemarketing complies with the Do Not Call Register Act 2006 and the Telecommunications (Telemarketing and Research Calls) Industry Standard 2017. Before making outbound calls, we check our lists against the Do Not Call Register at least every 30 days. We only call during permitted hours: weekdays 9am to 8pm, Saturdays 9am to 5pm, and never on Sundays or public holidays. We state who we are and why we are calling immediately. If you ask us to stop, we stop.
Opting out is straightforward: click unsubscribe, reply STOP, or tell us directly. We do not sell or rent your contact details to anyone.
14. Google API Services
We use Google OAuth for sign-in. The data we receive (your name, email, and profile picture) is used to create and personalise your account. Nothing else.
Our handling of Google API data complies with the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google data for advertising or share it beyond what is necessary to run the service.
15. Your Rights
Access (APP 12): You can ask for a copy of the personal information we hold about you. We will provide it within 30 days. You will need to verify your identity. There is no fee for the request itself; we may charge a reasonable fee for the cost of compiling the information, and we will tell you the amount before proceeding.
Correction (APP 13): If your information is wrong, incomplete, or out of date, ask us to fix it. We will, within 30 days. If we refuse, we will explain why in writing.
Anonymity (APP 2): Where it is practical and lawful, you can deal with us without identifying yourself. Obviously, this is not possible for account creation or paid services.
Deletion: You can ask us to delete your data. We will, unless the law says we have to keep it. Account closure triggers the retention schedule in Section 10.
AI decisions: If an automated decision by our system has materially affected you, you can ask us to explain the logic and to have a person review it.
16. Age Restrictions
You do not need to be 18 to create an account. You do need to be 18 to purchase phone numbers, subscribe to a paid plan, or use telephony features.
We do not knowingly collect personal information from children under 16. If we discover that we have, we delete it. If you believe a child under 16 has provided us with personal information, contact us.
17. Complaints
If you believe we have mishandled your personal information, contact us at the details in Section 18. Include your name, a description of the issue, and any relevant details.
We will acknowledge your complaint within five business days and provide a written outcome within 30 days. For complaints about AI-driven decisions, we will explain the reasoning behind the decision to the extent possible without exposing proprietary system design.
If our response does not resolve the matter, you can escalate to the OAIC:
- Web: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
- Post: GPO Box 5218, Sydney NSW 2001
18. Contact
4BTR
Lachlan Shields, Sole Trader
ABN 53 947 419 021
- Address: 1204/4 Charles St, Charlestown NSW 2290
- Phone: 0447 273 025
- Email: support@4btr.com.au
19. Applicable Law
This policy is governed by the following Australian legislation and frameworks:
- Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs 1-13)
- Privacy and Other Legislation Amendment Act 2024 (Cth)
- Notifiable Data Breaches scheme (Part IIIC, Privacy Act 1988)
- Surveillance Devices Act 2007 (NSW)
- Telecommunications (Interception and Access) Act 1979 (Cth)
- Spam Act 2003 (Cth)
- Do Not Call Register Act 2006 (Cth)
- Telecommunications (Telemarketing and Research Calls) Industry Standard 2017
- Australia's AI Ethics Principles
Version 1.0 | Effective 27 March 2026