Privacy Policy (CALL A ROO)

Introduction

Your privacy is important to us at Call A Roo. This Privacy Policy explains how we collect, use, disclose, and protect personal information in the course of operating our digital lead-capturing services for tradies in Australia. It also outlines the choices and rights you have regarding your personal information under the Australian Privacy Act 1988 (Cth) and other relevant laws. We are committed to handling personal information in an open and transparent way, consistent with the Australian Privacy Principles (APPs). In summary, every individual has the right to know what personal data we collect, why we collect it, and how we use and manage that information[26]. We encourage you to read this Policy carefully and contact us if you have any questions.

By using the Call A Roo website or services, or by submitting your information through our lead capture form, you consent to the collection and use of your personal information as described in this Privacy Policy. If you do not agree with this Policy, please do not use our services or provide personal data to us. This Policy is incorporated into our Terms of Service, and any capitalized terms used but not defined here have the meanings given to them in the Terms.

Who We Are: Call A Roo is a sole trader business based in New South Wales, Australia. For the purposes of Australian privacy law, Call A Roo is the “entity” collecting and controlling personal information. Since we operate as a small business, it’s possible that the Australian Privacy Act may not legally require us to comply if our annual turnover is below AU$3 million. However, we choose to uphold high standards of privacy and data protection in line with the Privacy Act and APPs, given the nature of our service handling personal information. We also comply with specific obligations under other laws such as the Spam Act when applicable.

If you have any concerns about how we handle privacy, you will find our contact details at the end of this policy. We take privacy inquiries seriously and will respond as soon as possible.

Personal Information We Collect

We collect personal information that is reasonably necessary for, or directly related to, the provision of our lead-capturing services and the operation of our business. The types of personal information we collect can be grouped into a few categories:

  • Tradie (Subscriber) Information: If you are a tradie who signs up for Call A Roo, we collect information such as:
  • Contact and Identity Details: Your name, business name or trading name, business contact details (email address, phone number), and mailing or business address. We may also collect your industry or trade type as part of setting up the service.
  • Account Credentials: If you create an account on our website, we collect a username and password (passwords are stored in encrypted form).
  • Billing Information: Payment details such as your credit card number, cardholder name, and billing address. Note: We do not store full credit card numbers on our servers. Payment information is processed securely by Stripe (our third-party payment processor). We may store a payment token or a record of your payment transactions (e.g., the last 4 digits of your card, card expiry, and transaction IDs) for reference. We also generate invoices/receipts which include your name, email, and subscription details.
  • Service Configuration Data: This includes information you provide to configure the service for your needs, such as the phone number(s) that will be used with our system (for detecting missed calls), your preferences on how you receive lead notifications (email or SMS, etc.), and the content of the SMS or form that gets sent to callers (if you customize it). If you integrate any tools (for example, if we allow linking a Google account or other software), we might collect API tokens or credentials necessary for that integration with your permission.
  • Communications with Us: Any correspondence or communication you send to us (for example, support requests, emails, or messages via our site) may be stored, along with our responses.
  • Lead/Caller (Form Submitter) Information: When a caller (prospective client of a tradie) interacts with our service, we collect the information they provide through the form and related automated data:
  • Contact Details: The person’s name, phone number, and/or email address, as entered in the form. In some cases, the phone number may be auto-collected if our system captures the caller ID from the missed call (for instance, we might pre-fill the form link with the caller’s phone number to identify them). Essentially, if someone calls a tradie and doesn’t reach them, their phone number is captured by the tradie’s phone system and passed to us via our integration to trigger the SMS.
  • Job/Inquiry Details: The content of the form submission, which typically includes information about the job or service the caller is seeking. This could be a description of the work needed, location/address for the job, preferred timing, or any other details the form asks (for example, “Describe your problem” or “What do you need done?”). It may also include dropdown or checkbox responses if the form has preset questions.
  • Meta-data: The date and time of the missed call and form submission, and possibly technical data like the IP address used to submit the form, or the device/browser type (if the form captures that). We do not deliberately collect precise geolocation of the form submitter through the digital form, though if the form asks for an address or if the IP suggests a region, that could indirectly reveal location information.
  • SMS Logs: We generate a log of the SMS that was sent to the caller (which includes the caller’s phone number, the time we sent the SMS, and the content of the SMS message). The SMS content typically contains a templated message like “Sorry we missed your call, please fill out this form: [link]”. This log is kept for troubleshooting and record purposes.
  • Follow-up Communication Data: If our system sends the lead information to the tradie via SMS or email, that action may also create logs including timestamps and whether the message was successfully delivered via Twilio or SendGrid. These logs might indirectly contain the lead’s info (since the email or SMS content will have what the lead submitted). We consider those part of the lead’s personal info as well.
  • Website Visitors and Cookies: If you visit our website (which may be WordPress-hosted) without specifically interacting with the lead form or service, we might still collect some limited information:
  • Technical and Analytics Data: Our web server may automatically log standard information such as your IP address, browser type, operating system, referring URL, pages accessed, and timestamp of visits. We use these logs for security monitoring and to analyze website traffic generally. We might use cookies or similar tracking technologies on our site to enhance user experience (for instance, to keep you logged in to your account, or to remember preferences). Any analytics or tracking tools we use will be disclosed (e.g., if we use Google Analytics, we would provide information about how it collects anonymous data). Currently, our focus is on the service itself, and we do not extensively track or profile website visitors beyond basic analytics.
  • Contact or Support Forms: If our website includes a contact form or chat widget for general inquiries, and you fill it out, we will collect whatever information you provide via that form (such as your name, contact info, and the message). This is similar to “Communications with Us” above, and will be used to respond to your inquiry.

We do not intend to collect any sensitive personal information (such as information about race, ethnicity, health, political opinions, etc.) as those are not required for our service. We ask that users (tradies or form submitters) do not submit such sensitive information through our forms. The information we collect is limited to contact details and business/job-related details necessary to facilitate a connection between a potential client and a service provider.

Where you provide us with personal information about someone else (for example, if you are a tradie inputting a client’s details, or a form submitter providing someone else’s contact as an alternate), you should only do so with that person’s consent and only if it’s relevant to the service. By providing another person’s personal information, you represent that you have the authority or permission to do so.

How We Use Personal Information

We collect and use personal information for the primary purpose of delivering and improving our lead-capture service to tradies and their prospective clients. Below are the specific ways we use the information we collect:

  • Providing the Service: The core use of personal data is to perform the functions of our service. For tradies, we use your information to set up and maintain your account, to identify you as an authorized user, and to configure the call forwarding or SMS triggers associated with your phone number(s). For form submitters, the information you provide (or that is provided by the call event) is used to generate a lead entry which we then send to the correct tradie. Essentially, if you fill out the form, we will use that data to create an email or SMS that goes to the tradie containing your details and inquiry. We also might store the data in a Google Sheet or our database so that the tradie can access a log of leads (if we provide such an interface or report). Using the info to route it correctly and notify the tradie is our primary function.
  • Communication: We use contact information to communicate with our users:
  • Service and Transactional Communications (Tradies): We will email or SMS tradies for purposes such as sending service alerts, confirmations, welcome messages, billing invoices, payment receipts, password resets, and notifications of lead submissions. For example, if you’re a tradie, you will receive an email or text each time a new lead form is submitted for you (unless you opt for one channel only). We may also send you important service announcements (e.g., planned downtime notices, security updates, changes to these Terms or Privacy Policy, etc.). These are not marketing communications, but rather essential notices related to the service. Because they are important, you may not opt out of receiving service-related communications except by canceling the service.
  • Communication with Form Submitters: Generally, after the initial missed-call SMS and form, further communication with the form submitter is handled by the tradie (the tradie might call or email them directly using the info provided). Call A Roo itself typically will not send additional messages to the form submitter beyond the initial SMS with the form link unless it is to facilitate their interaction (for example, a confirmation message after they submit the form, if we implement such a feature, like “Thank you for your submission, [Tradie] has received your info”). If any such additional message is automated, it will be strictly related to the inquiry. We do not add form submitters to any mailing lists or send them marketing on our behalf, nor do we share their info with other tradies or businesses. The form submitter’s info is only used to connect them with the specific tradie they tried to call.
  • Marketing and Newsletters (Tradies): We may use tradie contact details (email primarily) to send occasional marketing or promotional communications about our service – for example, to inform you of new features, special offers (like an upgrade incentive or referral program), customer surveys, or relevant content (perhaps tips for managing leads). We will comply with the Spam Act and other relevant laws for any marketing: this means we will only send you such communications if you have consented or if you would reasonably expect to receive them in the context of our existing business relationship. We will also always provide a clear opt-out or unsubscribe option in such emails. If you prefer not to receive marketing emails, you can unsubscribe at any time (each email will have an “unsubscribe” link or instructions). Opting out of marketing communications will not affect your receipt of important service communications as noted above.
    (Note: We do not send marketing messages to form submitters, and we do not sell or disclose their info for marketing. Any marketing communications are directed solely to our customers, the tradies, about our own service.)
  • Payments and Billing: We use tradie personal information for billing and payment processing. For instance, we use your provided payment details to charge subscription fees via Stripe. We also maintain records of transactions (payments made, plan changes, etc.) associated with your account. These records may include personal information like your name, email, billing address and partial card details for invoicing purposes. We may send you billing reminders or notices of issues with your payment method. If you are eligible for any refunds or adjustments, we will use your information to process those to your original payment method. All such processing is done securely in conjunction with Stripe.
  • Service Improvement and Analytics: We may use information about how users interact with our service to improve our offerings. This includes analyzing usage patterns, call/form conversion rates, and feedback. For example, we might look at metrics like how quickly forms are typically submitted after a missed call, or whether email delivery to tradies is successful, in order to identify bottlenecks or improve notification reliability. We might also keep logs and details about any errors or failures (e.g., if an SMS fails to send) to debug and enhance our systems. In doing this, we prefer to use aggregated or de-identified data where feasible (for instance, overall counts of leads captured per month, rather than focusing on personal details), but some personal data might incidentally be reviewed when investigating specific issues or user requests. Any analysis is for internal purposes only, to make the service better and more efficient.
  • Customer Support: If you contact us for help or to report an issue, we will use the information you provided and any relevant information in our systems to resolve your query. For example, if a tradie says “I didn’t get an email for a lead yesterday,” we will look at that tradie’s account, check logs (which include potentially the lead’s info and email logs), and try to find out what happened. We might then email or call the tradie to explain or to get more info. Similarly, if a form submitter were to contact us (which is less common, but possible, e.g., to ask us to delete their info), we will use their details to locate their data in our system and fulfill the request. We keep records of support inquiries to help track recurring issues and to ensure quality service.
  • Security and Fraud Prevention: We may process personal information as needed to detect, prevent, or address fraud, abuse, or security issues. For example, we might monitor login attempts to detect suspicious activity on tradie accounts, or we might verify that a request to change a phone number is legitimate. We also might use information to block certain actions – e.g., if a particular phone number or IP address is repeatedly attempting to exploit our system, we may blackList it. Additionally, if required, we may use personal info to investigate violations of our Terms of Service or to cooperate with law enforcement and regulatory authorities in ensuring the safety of our users and others[27].
  • Legal Compliance: We may use or disclose personal information where necessary to comply with legal obligations. For instance, to respond to a subpoena, court order, or legally binding request (more on disclosures below), or to fulfill record-keeping requirements under taxation law (keeping invoices with personal info for X years), or under telecommunications regulations if applicable. We also keep data to the extent required by law for resolving any disputes (as evidence).

We will not use personal information for purposes other than those above, unless we have your consent or the use is otherwise permitted or required by law. In particular, we do not sell your personal information to third-party marketers, and we do not use the personal details of form submitters or tradies for any purpose unrelated to providing and improving our service (except perhaps to mention aggregated stats in marketing, like “we helped tradies capture X leads,” which wouldn’t identify anyone).

If we ever need to use personal information for a new purpose that is not covered by this Privacy Policy, we will update this Policy and, if required by law, obtain your consent for the new use.

Disclosure of Personal Information (How We Share Data)

Call A Roo respects the confidentiality of personal information. We disclose personal information to third parties only in the ways described in this Policy. The key instances in which information is shared include:

  • Sharing with the Intended Recipient (Tradies and Their Clients): The entire point of our service is to share information between the form submitter and the tradie. If you are a form submitter, the personal information you provide (your name, contact, and job details) will be shared with the tradie who missed your call – that tradie is our customer and the intended recipient of your data. This sharing occurs via an email sent through SendGrid (delivered to the tradie’s email inbox) and/or via SMS through Twilio (delivered to the tradie’s phone), depending on the tradie’s settings. Similarly, if any confirmation or summary is sent back to you as the form submitter (for example, a copy of your submission), that is also a form of sharing (with you). In essence, information flows two ways: from the caller to the tradie (facilitated by us). We do not share a form submitter’s personal information with any tradie other than the one they were trying to reach, and we do not share tradie information with form submitters beyond what is necessary (the form might show the tradie’s business name, for example, so the caller knows who they’re contacting, or the SMS might be labeled as coming from “Call A Roo on behalf of [Tradie]”).
  • Third-Party Service Providers (Processors): Call A Roo uses several trusted third-party services to operate its platform. We share necessary personal information with these third parties solely for the purposes of providing our service and performing functions on our behalf. The main third-party providers we use are:
  • Twilio (SMS Delivery): We integrate with Twilio to send SMS messages. When we send the initial missed-call text to a form submitter, we provide Twilio with the recipient’s phone number and the message content (which includes a link to the form). Likewise, when we send an SMS notification to a tradie about a new lead, we provide Twilio with the tradie’s phone number and the message (which may contain the lead’s info). Twilio acts as our processor to deliver these SMSes through the telecommunications network. Twilio will necessarily process the phone numbers and text content for delivery and logging. Twilio is a U.S.-based company, and messages may be routed or stored on servers outside Australia (often in the U.S.)[28]. Twilio is committed to data protection and offers robust security; they have binding corporate rules and compliance with frameworks like the GDPR, and standard contractual clauses for international transfers[29].
  • SendGrid (Email Delivery): SendGrid (owned by Twilio) is used for sending emails. We use SendGrid’s service to generate and send out emails to tradies that contain lead information, as well as any other service emails (like password resets or confirmations). To do this, we provide SendGrid with the tradie’s email address, and the content of the email (which will include personal info such as the lead’s details, or the tradie’s name, etc., depending on the email). SendGrid then transmits the email to the tradie’s email server. As with Twilio, SendGrid’s infrastructure may be outside Australia (primarily U.S. data centers). They also adhere to high security standards and data protection compliance[29].
  • Stripe (Payment Processing): Stripe is used to process subscription payments. When you enter your payment information, it is sent directly to Stripe via secure, encrypted connections. Stripe will handle the storage of your credit card details (we only see tokens or truncated info). We share with Stripe the necessary billing information: your name, card details, billing address, email (for receipt sending), and the charge amount. Stripe in turn provides us with confirmation of payment or failure. Stripe may process data overseas (often the U.S. or other locations). Stripe is known for its strict security measures (PCI DSS compliance) and privacy safeguards.
  • Google Sheets / Google Cloud: We utilize Google Sheets as a simple database to store the leads information and potentially to allow tradies to view their leads in a spreadsheet format. This means that when a form is submitted, our system might add a new row in a Google Sheet containing the lead’s details (name, contact, job info, timestamp). That Google Sheet might be stored on Google’s servers outside Australia (commonly in the U.S. or possibly in an Asia-Pacific data center). We ensure that access to these Sheets is restricted to authorized personnel (and possibly to the specific tradie if we share a link to them). Google is a global provider that also adheres to strong security and privacy practices; Google has committed to compliance with GDPR and has certifications like ISO 27001, etc.[28]. However, it is an overseas disclosure, which we address below in “Cross-Border Disclosure”.
  • n8n (Automation Tool): n8n is an automation workflow platform we use to glue all the pieces together. We may self-host n8n on a cloud server (the location of which could be in Australia or another country, depending on our hosting choice). n8n orchestrates the flow: for example, when a call is missed, n8n triggers Twilio to send the SMS; when a form is submitted, n8n collects the data, sends it to Google Sheets, and triggers SendGrid to email the tradie. In doing so, n8n will process the data internally (i.e., the data passes through n8n’s runtime). If n8n is hosted on our infrastructure, it does not constitute a separate third-party disclosure beyond our own systems. If we use a cloud provider for hosting n8n, that provider might incidentally process data (like AWS or DigitalOcean if we host the server there). We treat n8n with the same level of security as our core systems. The data might be stored temporarily in logs or execution history on the n8n server, which we secure and restrict access to.
  • Other Providers: We may use other ancillary services over time – for example, an email marketing service for our own communications with tradies, or an analytics service. If any such services are used, and they involve personal data, we will update this Policy. For instance, if we used Google Analytics on our marketing site, Google Analytics would collect some data about site visitors (though typically not personal contact info, but things like IP and device info). We would disclose that here and provide opt-out options. At present, our main third-party data processors are those listed above.

We ensure that any third-party service providers we use are bound to protect your information and to use it only for the purposes we specify. We typically do this through contractual agreements (e.g., data processing addendums) and by choosing reputable providers with strong privacy policies. Many of our providers (Twilio/SendGrid, Google, Stripe) are internationally recognized companies with commitments to privacy compliance (they meet requirements of GDPR, Australian Privacy Act, etc.)[29]. By using our service, you consent to our sharing of your information with these third parties for the purposes stated. We do not allow our service providers to use your data for their own marketing or other purposes unrelated to providing our service.

  • Business Transfers: If Call A Roo (as a business) is ever involved in a merger, acquisition, sale of business assets, or other corporate transaction, personal information held by us may be among the assets transferred to the new owner or entity[30]. For example, if another company acquires Call A Roo, the user databases (including tradie accounts and lead information) would likely be transferred so the service can continue under new ownership. In such an event, we would ensure that the new owner is bound by privacy obligations at least as stringent as those in this Policy. We will provide notice to users before personal information becomes subject to a different privacy policy due to a business transfer[30], giving you an opportunity to review any new policy or opt out if you desire (if applicable).
  • Legal Compliance and Protection: We may disclose personal information if required or authorized by law, or where we have a good-faith belief that such action is necessary to comply with legal obligations or respond to lawful requests. This includes:
  • Responding to law enforcement requests or court orders – for example, producing records in response to a subpoena or warrant.
  • Sharing information with regulatory bodies or government agencies when mandated – e.g., the Office of the Australian Information Commissioner (OAIC) or the Australian Communications and Media Authority (ACMA) if they are investigating a privacy or spam complaint, respectively.
  • Enforcing our Terms of Service – we may disclose data if necessary to investigate or take action regarding potential violations of our Terms, suspected fraud, or security issues[27]. For instance, if a user is abusing the system to send illicit content, we might need to share relevant info with law enforcement or legal counsel.
  • Protecting rights, property, and safety – if someone’s actions on our platform pose a risk of harm to other users, to the public, or to our rights/property, we might share data to prevent or address that harm[27]. This could include exchanging information with other companies or organizations for fraud protection and credit risk reduction (though this is more relevant to e-commerce, it’s less likely in our scenario).

In any scenario of legal disclosure, we will limit the information shared to what is strictly necessary and will object to overbroad requests if applicable. We will also, when appropriate and lawful, attempt to notify the affected user of the request (e.g., if a law enforcement request seeks a tradie’s data, we may inform that tradie unless legally prevented from doing so).

  • Affiliates and Related Entities: Since Call A Roo is a sole trader operation, this may not be applicable (there are no corporate affiliates). But if in the future we have related entities (e.g., a parent company, subsidiaries), we may share personal info within that corporate group as needed to help provide the service. Any such related entity would uphold the same privacy obligations. We currently have no subsidiaries or affiliates to share with.
  • No Unauthorized Third-Party Disclosure: Aside from the categories above, we do not disclose your personal information to third parties. We do not sell, rent, or trade your personal data to outside parties for their own use. For example, we will not give your info to other marketing companies or other tradies. Tradies will only get leads that pertain to them. We won’t share a tradie’s info with other customers. The only sharing of tradie info might be the display of their business name on the form (as mentioned) or necessary transfer via our providers.

In summary, disclosures are mainly to our service providers and between users (tradie and lead). All such disclosures are made with privacy and security in mind, and with agreements in place. We ensure third parties receiving personal info are under duties of confidentiality and are expected to handle data in compliance with applicable privacy laws[31].

Cross-Border Data Transfers

Because we utilize cloud-based services and third-party providers, some personal information may be stored or processed in countries outside Australia. Specifically, as noted, Twilio/SendGrid and Google are known to host data in the United States (and potentially other locations), and Stripe also stores data on its global infrastructure. While we attempt to use Australian data centers when feasible (for example, if Google Sheets can be hosted in an Australian Google Drive data center, we would prefer that), we cannot guarantee that all data remains within Australia.

Countries likely involved: United States is a primary one (Twilio/SendGrid, Stripe, Google main servers). Other countries might include those where our cloud hosting provider runs (if we host n8n or our website on an overseas server), potentially countries in the EU (if using EU-based services or if Twilio uses EU servers for some traffic), or other jurisdictions where our providers have backup servers or support operations.

Whenever personal information is transferred outside of Australia, we will take reasonable steps to ensure the overseas recipient does not breach the Australian Privacy Principles in relation to that information[28]. In practice, this means: – We choose service providers that are reputable and have strong data protection standards. Many of them (e.g., Twilio, Google, Stripe) are subject to GDPR and other international privacy regulations, implying a high baseline of protection[29]. – We have agreements in place that include standard data protection clauses. For instance, Twilio and Google include commitments like EU Standard Contractual Clauses or have Binding Corporate Rules, which contractually require them to protect data to EU/Australian standards even when transferred internationally[28]. – We rely on the “reasonable belief” exception in APP 8.2(a) in some cases, meaning we reasonably believe that the foreign provider is subject to a law or binding scheme (like GDPR) that has the effect of protecting the information in a way that is substantially similar to the APPs[28]. For example, since SendGrid and Google are GDPR-compliant and Privacy Shield (note: Privacy Shield is outdated, but they claim compliance with those principles) certified, we have reason to believe they uphold privacy to similar standards as here. – By using our service or submitting information, you consent to this transfer of your information overseas as necessary for us to fulfill our obligations[28]. We make you aware that data might be stored or accessible in other countries and that different jurisdictions may have different data protection laws. However, our handling of your data will still be governed by this Privacy Policy and the Australian Privacy Act, even if the data is processed offshore.

If you specifically do not want your data transferred overseas, unfortunately we may not be able to provide the service (because key functionality like SMS and email delivery relies on these global networks). We assure you that we evaluate our providers carefully and monitor updates in international data transfer regulations to remain compliant.

Data Security

Call A Roo takes reasonable and appropriate measures to protect the personal information we hold from misuse, interference, loss, unauthorized access, modification, or disclosure[32][33]. We understand the sensitivity of the data (especially contact information and communications between clients and businesses) and prioritize security. Our security measures include:

  • Encryption: Our website and form pages use HTTPS encryption (SSL/TLS) to ensure data in transit between your browser and our servers is encrypted. Similarly, any transmission to third-party services (e.g., via APIs to Twilio/SendGrid/Stripe) is done over encrypted channels. Emails sent via SendGrid are encrypted in transit. SMS messages are sent over telephony networks which we cannot fully encrypt end-to-end, but Twilio uses secure channels up to the point of handoff to carriers. Our internal databases or Google Sheets are stored in secure cloud environments; where possible, data at rest is encrypted (Google, for instance, encrypts data at rest on their servers by default).
  • Access Controls: We restrict access to personal information within our organization to those who need to know that information to operate or improve our service[34]. For example, only the sole trader owner and any essential technical personnel can access the database or Google Sheets where leads are stored. Our admin interfaces (if any) are protected by strong authentication. Passwords are required for tradies to access their accounts; we enforce password best practices (minimum complexity) and recommend you keep your password confidential. For any administrative portals, we use additional protections (like 2-factor authentication) whenever available.
  • Data Segmentation: Each tradie’s leads are kept separate; if using Google Sheets, each tradie might have their own sheet or a segregated portion so that one customer cannot see another’s data. We ensure that when a tradie logs into any dashboard (if provided), they can only view their own information. Likewise, form submitters only see their own submitted data on the form confirmation (not others’).
  • Network and Hosting Security: Our servers (including any n8n instances or web hosting) are configured with firewalls and regular software updates to patch vulnerabilities. We utilize reputable hosting providers that employ robust security measures at the infrastructure level. We run anti-malware and monitor for any unauthorized access attempts. We take regular backups of critical data, and those backups are stored securely (with encryption and access control) to prevent data loss while also protecting confidentiality.
  • Monitoring and Testing: We monitor our systems for possible vulnerabilities and attacks. Unusual activity, such as repeated failed logins or unexpected spikes, are investigated. We may periodically conduct security assessments or audits (including code review and perhaps third-party penetration testing as we grow) to ensure our safeguards are effective. We also stay updated on security best practices and evolving threats.
  • Employee/Contractor Policies: As a small operation, currently only the owner and perhaps a small number of contractors/assistants handle data. Any personnel with access to personal information are required to keep it confidential. We educate ourselves and any team members on privacy obligations and how to handle data safely (for example, not transferring data to personal devices without protection, etc.). If any contractor is engaged (say, for development or support), they would be bound by a confidentiality agreement.

Despite our efforts, it’s important to note that no method of transmission or storage is 100% secure. The internet by its nature carries some risk, and we cannot guarantee absolute security of data. For example, emails might be subject to interception once they leave our SendGrid environment (though TLS encryption mitigates this greatly), and SMS messages, being plaintext over cellular networks, are not encrypted end-to-end. Users should also play a role in security: Tradies must keep their account password secure and not share login details; form submitters should be aware that if they share the link or their device is compromised, their form data could be seen by others.

If we become aware of a data breach that affects your personal information, we will follow applicable laws for notification. Under the Australian Notifiable Data Breaches scheme, if a breach occurs likely to result in serious harm, we will notify the affected individuals and the OAIC as required[35]. We have a data breach response plan to handle such incidents, aiming to contain and remediate any breaches swiftly.

In summary, we employ a combination of technical, physical, and administrative security measures to protect your data, and we continuously seek to improve as new security technologies and practices emerge.

Data Retention and Deletion

We retain personal information only for as long as it is necessary to fulfill the purposes for which we collected it, or as required for legitimate business or legal reasons. Different categories of data may be kept for different periods:

  • Lead Information (Form Submissions): By default, we retain the details of leads captured (the form submissions) for a period necessary to deliver and log the service. This means we store the submission so that the tradie can access it and so that we have a record for support and service improvement. We recognize that keeping personal data indefinitely is not privacy-friendly, so we have a policy to periodically delete or anonymize lead information that is no longer needed. In general, we anticipate that lead data will be most useful within the first few weeks or months of capture (as the tradie will act on it promptly). We may retain the identifiable lead details for up to 12 months from the date of submission in our active systems[36]. This aligns with common business practice for similar services (for instance, some appointment reminder services delete client data after 12 months)[36]. After 12 months, we may delete the personal identifiers (name, contact info) from the stored leads or archive the data in a secure manner. In some cases, we might anonymize the record (e.g., keep the nature of job and date but remove contact info) for aggregate analytical purposes.
  • Example: If a form was submitted on January 1, 2025, that lead’s personal info might be purged by January 1, 2026, unless it’s still needed.
  • We may choose a shorter retention for leads if required by law or if requested (see below on user rights). Tradies might also manage their leads (for instance, if we provide a “delete” option in a dashboard or if a tradie asks us to remove a specific lead, we will comply as appropriate).
  • If a tradie’s account is terminated or canceled, we will generally remove or anonymize the leads associated with that tradie after a brief retention for potential reactivation or disputes. Specifically, if you (tradie) cancel service, we might keep your past leads for, say, 30 days in case you return or there’s an issue, then purge them, since they are no longer needed by us. Note that the tradie likely has received those leads via email/SMS already, so our deletion doesn’t affect their copy.
  • Tradie Account Information: We retain account information (like your name, email, login credentials, and account settings) for as long as your account is active and as needed to provide you the service. If you decide to cancel your subscription, we will mark your account as inactive. We may retain certain account data for a period of time after cancellation in case you reactivate, or for record-keeping purposes. However, if you request deletion of your account, we will remove personal identifying details, leaving only what’s necessary for historical transaction records.
  • Billing Records: We are required under tax laws to retain transaction records (invoices, payments) for a certain number of years (often 5-7 years in Australia for financial records). These records may contain personal data (like your name, business name, and transaction history). We securely retain this information for the legally mandated period, even if you delete your account, to comply with our legal obligations.
  • Communications: If you emailed us or we have support tickets, we may retain those communications for some time to refer back to them if you contact us again, or for training and quality assurance. Generally, routine correspondence is kept for a couple of years unless you request otherwise.
  • Website Logs: Basic web server logs and analytics data are usually retained for a shorter period (maybe 12 months or less) unless we need them for security audits. We might keep security-related logs longer if they recorded a serious incident.

Once the retention period expires or we no longer need the personal information, we will take steps to erase it or anonymize it. Deletion might be done through automated scripts or through our providers’ retention settings (for instance, we might configure Google Sheets to prune old entries, or simply delete rows manually as part of maintenance).

Deletion Requests: If you are an individual (tradie or form submitter) and you request us to delete your personal information, we will take reasonable steps to comply, provided that we are not required to retain it. For tradies, this usually means closing your account and deleting your profile and any leads associated with you (except data we must keep for legal reasons). For form submitters, if you reach out to us and ask for deletion of your info from our database, we will locate and delete your form entry from our records (note: we may need details like the date of call or which tradie to find it). However, we cannot retrieve data that has already been delivered to the tradie via email or SMS – you would need to contact the tradie to have them delete their copy, since once the tradie receives your information, they become responsible for that copy. We will, upon deletion, also notify the tradie if appropriate that we have removed the data from our systems (without necessarily identifying you beyond what’s needed, unless you specifically request us to alert them).

Backup Policy: It’s worth noting that when we delete data from our active systems, it might still reside in our system backups for a short time until those backups cycle out. Our policy is that backups are only retained for disaster recovery purposes and have limited retention themselves. We will ensure that deleted data is not restored or used from backups outside the retention period.

Anonymized and Aggregated Data: In some cases, instead of complete deletion, we may retain certain information in an anonymized form. For example, we might keep aggregated stats like “total number of leads processed” or “average response time” etc., which do not identify individuals. This allows us to still analyze and report on our business performance without personal data. Anonymized data is not considered personal information and may be retained indefinitely, as it poses no privacy risk.

If you have any specific questions about our data retention practices or wish to request deletion, you can contact us (see Contact Us section). We will explain what data we have about you and what can be deleted, and then carry out the deletion as per your request and our legal obligations.

Access, Correction, and Your Rights

Under the Australian Privacy Act (and similar regulations), individuals have certain rights in relation to their personal information that we hold. We are committed to upholding these rights and facilitating your exercise of them. Key rights include:

  • Right to Access: You have the right to request access to the personal information we hold about you[37]. For tradies, this likely includes information in your account profile and any activity or transaction logs. For form submitters, this would be the details of the form submission that we have on record. Upon your request, and after verifying your identity, we will provide you with the information we have about you in a suitable format (usually electronically). There are some circumstances under which we might not be able to give full access (for example, if it unreasonably affects someone else’s privacy, or if it’s subject to legal privilege, etc.), but we will advise you of any such grounds if they apply. Generally, we aim to be transparent with you about your data. Access requests are usually handled free of charge, but if your request is unusually large or complex, we may charge a reasonable fee to cover our costs (as allowed by law)[38]. We would inform you of any fee before proceeding.
  • Right to Correction: We strive to keep personal information accurate, up-to-date, and complete. If you believe that any personal information we hold about you is incorrect, incomplete, or out-of-date, you have the right to request that we correct it[37]. For tradies, much of your information can be updated by you directly (e.g., through your account settings, you can change your email, phone, etc.). For anything you cannot change yourself, you can contact us and we will assist. For form submitters, since your data is just a snapshot of what you submitted, if you realize you made a mistake (say, typed the wrong phone number), you could contact us or the tradie to have it corrected. We can update our stored record and, if necessary, inform the tradie of the correction if they haven’t already corrected it on their end. We will promptly make the requested corrections where appropriate. If for some reason we disagree that the information is wrong, we will let you know the reason (to the extent allowed by law) and, at your request, we will associate a statement with the information noting that you contest its accuracy.
  • Right to Withdraw Consent: In cases where our processing of your personal information is based on consent (for example, marketing emails to tradies, or a form submitter’s consent to share their info), you have the right to withdraw your consent at any time. If you withdraw consent for marketing, we will stop sending you marketing communications. If a form submitter withdraws consent for us to hold their data, we will delete it from our system (though, as noted, we can’t undo the initial sharing that already happened with the tradie, which is why consent is ideally given at the time of submission). Withdrawing consent will not affect the legality of processing that occurred prior to withdrawal.
  • Right to Anonymity/Pseudonymity: The Australian Privacy Principles include a principle that, where practicable, individuals should have the option of not identifying themselves (or using a pseudonym) when dealing with a business (APP 2)[39]. In our context, due to the nature of the service, using a pseudonym as a tradie wouldn’t make sense (you need to give real contact info to use the service), and as a form submitter, if you don’t provide your real contact, the tradie can’t reach you – so anonymity would defeat the purpose. Thus, this option is not practical for the core service. However, if you just have a general inquiry about our service or site, you are free not to identify yourself (e.g., send us a message without providing a name), though we might not be able to respond if we lack contact info.
  • Right to Complain (Privacy Complaint): If you believe we have breached your privacy or not complied with the Australian Privacy Act or this Policy, you have the right to make a complaint. We take privacy complaints seriously:
  • Contact Us First: We ask that you give us the opportunity to address your concerns by contacting us directly. Send a detailed description of your complaint to our Privacy Contact (details in the next section). Include any relevant information, such as what happened, dates, who you dealt with, and what outcome you seek. We will acknowledge your complaint and investigate it. We aim to respond with the results of our investigation and any steps we will take to resolve the issue within a reasonable time (typically within 30 days). We will correct any confirmed privacy shortcomings and let you know.
  • Contacting Regulators: If you are not satisfied with our response, or if you prefer not to contact us, you have the right to escalate the matter to the Office of the Australian Information Commissioner (OAIC). The OAIC is the federal privacy regulator. They can investigate privacy complaints and enforce privacy laws. You can file a complaint with OAIC via their website (www.oaic.gov.au) or by mail. They have a form for privacy complaints and also a help line (Phone: 1300 363 992) you can call for advice[40][41]. If your issue pertains to a state-based matter, you could also contact NSW Privacy Commissioner or NSW Fair Trading if relevant. But OAIC is the primary avenue for Privacy Act issues.
  • Other Rights: If your situation falls under consumer law or other regulations, you might also have the right to pursue legal action or mediation. This falls more under Terms of Service disputes, but note that nothing in this Privacy Policy limits any legal rights or remedies you have under law.
  • Right to Prevent Direct Marketing: As noted, you have the right to opt out of direct marketing communications[42]. We will always honor unsubscribe requests. We do not do telemarketing, but if we ever did, you’d have the right to be placed on our do-not-call list. For electronic marketing, we include opt-out mechanisms (unsubscribe links). Australia also has the Do Not Call Register for phone marketing and the Spam Act for email/SMS – we comply with those rules.
  • Right to not receive Spam: We only send messages as allowed (for instance, the form SMS is triggered by an action of the individual, so it’s not unsolicited in the spam sense; tradies’ marketing emails are to existing customers or with consent). If you ever feel you received unwanted communications from us, let us know and we will rectify that (e.g., remove you from lists).
  • GDPR and Other Jurisdictions: Although our focus is Australia, if we have users in other jurisdictions like the EU or UK, they may have additional rights (like data portability or to object to processing). If those apply, we will extend those rights accordingly. For example, an EU user might ask for their data in a machine-readable format (portability); we’d provide that as feasible. Or they might object to processing – we’d assess that under GDPR standards. While not directly relevant to most of our current users, we mention it to show we strive to meet high privacy standards globally.

We will not charge you for making a request to access or correct your data, except in exceptional circumstances as allowed by law (and we would discuss it with you first).

To exercise any of these rights, or if you have any questions about your rights, please use the contact information below to reach our privacy contact person.

Cookies and Tracking

(This section can be included if relevant – since the user didn’t specifically request it, we can keep it concise or optional.)

Our website may use cookies or similar tracking technologies to enhance user experience and gather usage data. Cookies are small text files placed on your device when you visit a website. We might use cookies for purposes such as: – Keeping you logged in to your account as you navigate between pages. – Remembering your preferences (like language or form inputs). – Understanding how visitors use our site (which pages are popular, how people find us) via analytics tools. We currently do not have intensive analytics, but if we add Google Analytics or similar, those would set cookies to collect anonymous traffic data.

You can control or delete cookies through your browser settings. Most browsers allow you to refuse new cookies or delete existing ones. However, note that if you disable cookies, some features of our site (especially the account login or form functionality) may not work properly.

We do not use cookies to track you across other sites or to serve targeted advertising.

Our site may include third-party integrations (like a Google Maps link or social media share button) that could set their own cookies; we don’t control those. Please refer to those third parties’ policies (e.g., Google’s policy for any Google cookie).

By using our site without adjusting your browser’s cookie settings, we assume you consent to our use of cookies as described.

(If not needed, this section could be omitted. For completeness in a WordPress site context, it’s often included.)

Links to Other Websites

Our website might contain links to external websites or resources that we do not operate (for example, a link to Twilio’s site, or an article). This Privacy Policy applies only to Call A Roo and our own service. Once you click a third-party link, you will be subject to that third party’s privacy policy/terms. We are not responsible for the content, privacy practices, or handling of information on external sites. We recommend you review the privacy statements of any other websites you visit via links from our site. We do not endorse or make representations about third-party websites. If you find a link on our site that is concerning (phishing or broken), let us know.

Updates to This Privacy Policy

We may update or change this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. If we make significant changes, we will notify users by posting a prominent notice on our website or, if appropriate, by sending an email notification. Minor updates (e.g., clarifications) may simply be reflected by an updated “Last Updated” date at the bottom of this Policy. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information[23]. Your continued use of our services after any changes to this Policy will be deemed acceptance of those changes, so it’s important to familiarize yourself with any updates. If you do not agree with a change, you have the right to discontinue using the service and request us to delete your data.

We will not use or share your personal information in a manner that is materially inconsistent with the promises made in this Policy without obtaining your consent (unless otherwise required by law). If we were, for example, to expand our data sharing in a way that impacts you, we would seek your permission first.

For reference, we will maintain an archive or changelog of previous privacy policies (available upon request) so you can see how our privacy practices have evolved.

Last Updated: September 5, 2025.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal information, please do not hesitate to contact us. We are here to help and address any issues.

Privacy Contact Person:
Call A Roo – Privacy Officer (Sole Trader Proprietor)
Email: privacy@callaroo.com (example)
Business Address: [123 Trade St, Sydney NSW 2000, Australia] (example address)
Phone: [02 xxx xxxx] (if applicable)

Please use the subject line “Privacy Inquiry” or “Privacy Request” so we can route your message appropriately. In your communication, please provide enough information for us to identify you (if you are an existing user) and understand your request. We may need to verify your identity for certain requests (like access or deletion) to ensure we don’t disclose data to the wrong person.

We will respond to your inquiry as soon as reasonably possible, generally within 5-10 business days for general questions, and within 30 days for access/correction requests or complaints. If your issue is complex or requires further investigation, we will let you know and keep you updated on the progress.

Thank you for entrusting Call A Roo with your communications and data. We value your privacy and work hard to protect it. If you have any feedback on this Policy or our practices, we welcome it as it helps us improve.

Your use of Call A Roo indicates that you have read and understood this Privacy Policy and agree to its terms.