Nexwin Technologies Privacy Policy

Nexwin Technologies Pty Ltd ("Nexwin", "we", "us", "our") respects your privacy and is committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy explains how we collect, hold, use, disclose, and safeguard information when you use our voice and chat AI receptionist services (the "Services").

By creating an account, configuring an AI receptionist, forwarding calls or messages to a Nexwin-provisioned number, or otherwise using the Services, you acknowledge and agree to the practices described in this Privacy Policy and provide express consent to those practices, including consent to the overseas disclosures described in Section 9.

Last Updated: 03/06/2024

Important Notice — Australian Data Residency

Nexwin is not suitable for organisations or individuals that are required (by law, regulation, contract, internal policy, or sector-specific obligation) to keep all personal information, voice recordings, transcripts, or related processing data within Australia.

To deliver real-time voice intelligence, transcription, and conversational AI at the quality our Services require, certain processing — including the processing of live audio streams, generated transcripts, and AI-model inference — is performed on infrastructure located outside Australia, primarily in the United States of America. While your account configuration data, call metadata, appointment records, and customer-relationship data are stored in our Australian production database (hosted in Australia), the real-time voice and language-model processing components of the Services necessarily transit and are processed overseas.

If your organisation is subject to obligations such as (without limitation) Australian Government data sovereignty requirements, the My Health Records Act 2012, certain State or Territory health records legislation, the Hosting Certification Framework, ISM/PSPF controls, or any contractual or regulatory requirement that prohibits overseas processing or disclosure of personal or sensitive information, you should not use the Services and you should not provide any personal information to the Services. By proceeding to use the Services, you expressly confirm that no such restriction applies to you, or that you have obtained any consents required to permit such overseas processing.

Nexwin makes no representation that the Services satisfy any specific data-residency, sovereignty, or sector-specific compliance requirement, and to the maximum extent permitted by law disclaims any liability arising from a customer's use of the Services in breach of a residency or sovereignty obligation that applies to that customer.

1. Information We Collect

We collect the following categories of information:

  • Account & Identification Information: name, business name, email address, billing address, ABN, role, password (stored hashed), and account preferences.
  • Configuration Data: business hours, services offered, team-member details, working hours, time zones, integration credentials (e.g. calendar connections), and any free-text instructions you provide to configure your AI receptionist.
  • Telephony & Messaging Data: call-forwarding numbers, SMS notification recipient numbers, caller ID, call duration, call outcomes, dial codes, and other call/SMS metadata generated by the Services.
  • Call Content & Transcripts: audio recordings of calls handled by your AI receptionist, machine-generated transcripts of those calls, chat conversation logs, and any structured data extracted from a conversation (e.g. caller name, requested time slot, message left for a team member).
  • Appointment & Customer Records: appointment bookings, contact records created by the AI for your callers, notes, and follow-up actions.
  • Payment Information: we use a PCI-DSS compliant third-party payment processor; we do not store full card numbers on our systems. We retain payment metadata such as last-four digits, card brand, billing status, and invoice history.
  • Usage & Device Data: log data, IP address, browser type, device identifiers, pages viewed, feature usage, error reports, and analytics events.
  • Cookies & Similar Technologies: as described in Section 12.

Sensitive information. The Services are general-purpose business communication tools and are not designed for the collection of sensitive information (as defined in the Privacy Act), including health information. If a caller voluntarily provides sensitive information during a call or chat, that information will be processed and stored as part of the call recording and transcript on the same basis as other call content. You are responsible for ensuring that callers are appropriately notified of, and consent to, the use of an AI receptionist and to the recording and processing of their information, including any overseas processing referred to in this Policy.

2. How We Collect Information

We collect information directly from you when you sign up, configure your account, or contact us; automatically when you or your callers interact with the Services (including through inbound and outbound calls, SMS, and chat); and from third-party integrations you choose to connect (such as calendar providers).

Where it is reasonable and practicable, we collect personal information directly from the individual concerned. In the ordinary course of operating an AI receptionist, however, information about a caller is collected from the caller during the call. By configuring and forwarding calls to a Nexwin number, you represent and warrant that you have the right to do so and that any required notices and consents have been obtained from your callers.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, maintain, secure, and improve the Services;
  • Configure and run your AI receptionist, answer calls and messages on your behalf, schedule appointments, send notifications, and create call summaries;
  • Process payments, invoicing, refunds, and chargebacks;
  • Communicate with you about your account, service updates, security alerts, billing, and product changes;
  • Provide customer support, including responding to "Report a Problem" requests as described in Section 5;
  • Monitor, troubleshoot, and analyse Service performance, usage patterns, and error rates in an aggregated and de-identified form;
  • Detect, investigate, and prevent fraud, abuse, security incidents, and breaches of our Terms of Service;
  • Comply with legal, regulatory, tax, accounting, and law-enforcement obligations.

Nexwin does not use your business data, call recordings, transcripts, or chat content to train any general-purpose or third-party AI or large language models. Your data is used to operate your AI receptionist for your business and for the limited internal purposes described in this Policy.

4. Encryption & Storage of Sensitive Configuration Data

Configuration data that we treat as sensitive — including call-forwarding numbers, SMS notification recipient numbers, integration tokens, API keys, and similar credentials — is stored in our production database with encryption at rest. All data in transit between you, your callers, the Services, and our processing partners is protected using industry-standard transport encryption (TLS 1.2 or higher).

Access to configuration data is restricted on a least-privilege basis to authorised Nexwin personnel who require access to operate, maintain, or support the Services.

5. Privacy of Your Callers and Conversation History — "Report a Problem" Consent Model

We treat your call recordings, transcripts, chat logs, and caller details as confidential to your account. As a default rule:

  • Nexwin support and engineering staff do not browse, listen to, read, or otherwise access the content of your calls, transcripts, or chat history.
  • Your account administrators and authorised team members can access this content from within your account dashboard, subject to your own internal access controls.

Consent-based support access. When you click the "Report a Problem" button on a specific call (or chat) record in your account, you are providing your express consent for Nexwin support and engineering personnel to access and review only that specific call or chat (including its audio recording, transcript, metadata, and associated diagnostic logs) for the limited purpose of diagnosing, reproducing, and resolving the issue you have reported. That consent is scoped to the individual call or chat you flag and does not extend to other calls, chats, or accounts.

We may retain copies of materials accessed under this consent model for the duration reasonably necessary to investigate and resolve the reported issue and to maintain support, audit, and quality records. Where appropriate, anonymised or de-identified extracts may be retained for the purpose of improving our diagnostic processes and the reliability of the Services.

Outside of "Report a Problem" requests, Nexwin will only access call or chat content where required by law, court order, or lawful regulatory process, or where strictly necessary to protect the security or integrity of the Services or the safety of any person, in each case in accordance with the APPs.

6. Data Ownership and Control

As between you and Nexwin, you retain ownership of the configuration data, call content, transcripts, and customer records associated with your account. You are the controller of personal information about your callers; Nexwin acts as your service provider in handling that information.

You are responsible for ensuring that your collection and use of caller information through the Services complies with all laws applicable to you, including providing any required notices to, and obtaining any required consents from, your callers (for example, in relation to call recording, automated call handling, and overseas processing).

7. Disclosure of Information

We may disclose personal information to:

  • Service providers and processors who provide infrastructure, telephony, messaging, voice intelligence, conversational AI, hosting, analytics, customer support tooling, payment processing, fraud prevention, email delivery, and similar services that enable the Services to function. These providers are contractually required to protect personal information and to use it only for the purposes for which it is disclosed.
  • Authorised users on your account, including team members and administrators you invite.
  • Professional advisers such as auditors, lawyers, and accountants, under duties of confidentiality.
  • Acquirers in connection with a merger, acquisition, financing, or sale of all or part of our business.
  • Government, regulatory, and law-enforcement bodies where required or authorised by law, including in response to lawful requests.
  • Other third parties with your consent or at your direction (for example, when you connect a calendar or video-conferencing integration).

We do not sell, rent, or trade your personal information.

8. Data Security

We implement reasonable technical and organisational measures to protect personal information against loss, misuse, unauthorised access, modification, or disclosure. These measures include:

  • Encryption of data in transit (TLS 1.2+) and encryption at rest for sensitive configuration data and credentials;
  • Logical access controls, role-based permissions, and authentication requirements (including multi-factor authentication for administrative access to production systems);
  • Network isolation, firewalling, and continuous monitoring of our production environment;
  • Regular review of our infrastructure against industry security best practices;
  • Secrets management, rotation, and audit logging for sensitive credentials;
  • Confidentiality and information-security obligations imposed on Nexwin personnel and contractors;
  • Incident-response procedures, including procedures consistent with the Notifiable Data Breaches scheme.

No method of electronic transmission or storage is completely secure. While we take reasonable steps to protect personal information, we cannot and do not guarantee absolute security, and you provide personal information to us at your own risk.

9. International Data Transfers and Overseas Disclosures

Nexwin is based in Australia and our primary application database is hosted in Australia. To deliver the Services, however, certain components — in particular, real-time voice processing, transcription, conversational AI inference, and certain communications and analytics infrastructure — are provided by reputable overseas service providers and operate from data centres located outside Australia, primarily in the United States of America. Other supporting services (for example, email delivery, error monitoring, and customer-support tooling) may also be provided from overseas jurisdictions.

By using the Services you expressly consent, for the purposes of Australian Privacy Principle 8.1, to the disclosure of your personal information (and personal information about your callers, where you have authority to provide such consent) to overseas recipients in those jurisdictions. You acknowledge that:

  • Once personal information is disclosed to an overseas recipient, Nexwin may not be in a position to ensure that the overseas recipient does not breach the APPs in relation to that information; and
  • Section 16C of the Privacy Act 1988 (Cth) (which would otherwise make Nexwin accountable for certain acts and practices of overseas recipients) will not apply to disclosures made on the basis of this consent.

Where we engage overseas service providers, we use commercially reasonable efforts to engage providers that maintain a recognised level of information-security and privacy practice (including providers that operate enterprise-grade security programs, encryption controls, and contractual confidentiality and data-protection commitments).

10. Data Retention

We retain personal information only for as long as is reasonably necessary to provide the Services, comply with our legal, tax, accounting and audit obligations, resolve disputes, enforce our agreements, and protect the security and integrity of the Services.

Unless a longer retention period is required or permitted by law or is necessary for the purposes set out in this Policy:

  • Account, configuration, and customer-relationship data is retained for the life of your account and for up to thirty (30) days after termination, after which it is deleted or anonymised;
  • Call recordings, transcripts, and chat logs are retained for the duration of your active subscription and for a reasonable period thereafter to support billing, dispute resolution, fraud prevention, and audit;
  • Records relating to issues investigated under "Report a Problem" may be retained for a longer period for support, audit, and quality-assurance purposes;
  • Billing, invoicing, and tax records are retained for at least seven (7) years to comply with Australian taxation and corporate record-keeping obligations.

You may request earlier deletion of your data by contacting us as set out in Section 14, and we will action such requests where we are not required by law to retain the information.

11. Your Rights

Subject to applicable law, you have the right to:

  • Request access to the personal information we hold about you;
  • Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading;
  • Request deletion of your personal information, subject to our legal and contractual retention obligations;
  • Withdraw consent where processing is based on consent (noting this may prevent us from continuing to provide the Services);
  • Make a complaint about our handling of your personal information.

To exercise these rights, please contact us using the details in Section 14. We may need to verify your identity before actioning a request and may charge a reasonable fee for access requests where permitted by law.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

12. Cookies & Analytics

Our website and application use cookies and similar technologies to authenticate users, remember preferences, measure usage, and improve the Services. You can control cookies through your browser settings; disabling cookies may impair the functionality of the Services.

13. Children's Privacy

The Services are intended for businesses and adult users. We do not knowingly collect personal information directly from children under the age of 16. If you believe we have inadvertently collected such information, please contact us so we can delete it.

14. Contact Us & Complaints

For privacy questions, access or correction requests, or complaints, please contact our Privacy Officer at:

Email: support@nexwin.com.au

Postal Address: Level 1, 457-459 Elizabeth Street, Surry Hills NSW 2010, Australia

We will acknowledge your enquiry within a reasonable period and will endeavour to respond substantively within 30 days.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated Policy on our website and update the "Last Updated" date at the top. Where changes are material, we will take reasonable steps to notify account administrators by email or in-product notice. Your continued use of the Services after the effective date of an updated Policy constitutes acceptance of the changes.

16. Governing Law

This Privacy Policy is governed by the laws of New South Wales, Australia. The courts of New South Wales have non-exclusive jurisdiction over any dispute arising out of or in connection with this Policy.