Privacy Policy

Last updated: 24 May 2026

1. Introduction

KarmasAI is operated by Innovenses Pty Ltd ("KarmasAI", "we", "us", "our"), an Australian company based in Melbourne, Victoria. This policy explains how we collect, use, store, disclose, and protect personal information when you use the KarmasAI AI voice receptionist platform and our website at karmasai.com (together, the "Service").

We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable, we also comply with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Information We Collect

Account information. Name, business name, email address, mobile number, industry, ABN (optional), and billing details when you create an account.

Call data. When the Service answers or places a call on your behalf it generates call recordings, transcripts, AI-generated summaries, caller phone numbers, timestamps, call duration, and interaction logs. This data may include personal information about the people calling your business (your customers).

Booking and order data. Appointment details, service requests, and order information captured by the AI agent on your behalf (for example, a customer booking a haircut or requesting a quote from a tradie).

Knowledge base content. Documents, FAQs, price lists, hours, policies, and other materials you upload to train your voice agents.

Usage data. Browser type, device identifiers, IP address, pages viewed, feature usage, and performance metrics collected automatically when you use the dashboard or website.

Support and communications. Records of your correspondence with us, including support tickets and survey responses.

3. How We Use Your Information

We use personal information to:

  • Provide, operate, secure, and improve the Service;
  • Route incoming and outgoing calls through your configured AI voice agents;
  • Generate transcripts, summaries, analytics, and insights about your call activity;
  • Train and tune your tenant's voice agents on your own knowledge base (we do not use your call recordings or transcripts to train third-party foundation models — see Section 6);
  • Send transactional communications (account, billing, security, and service updates);
  • Send marketing communications where you have opted in (you can unsubscribe at any time); and
  • Comply with our legal, tax, and regulatory obligations.

4. Call Recording and Caller Consent

KarmasAI records and transcribes calls so the AI agent can understand the caller and so you, as the business, have a record of what was said. Recording rules differ by state in Australia (and by country). As the business operator, you are the data controller for the calls handled by your agents and are responsible for ensuring each call complies with applicable recording-consent laws.

To support this, every agent ships with a configurable greeting that discloses the call is being handled by an AI assistant and may be recorded. You may adjust the wording in the agent settings, but you must not disable disclosure where the law requires it.

5. Data Storage and Security

We host the Service on managed cloud infrastructure and apply industry-standard security controls to protect personal information, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256);
  • Tenant isolation, including row-level isolation in our database;
  • Role-based access controls, least-privilege internal access, and audit logging;
  • Hashed passwords (bcrypt) and hashed API keys (SHA-256);
  • Regular dependency scanning, code review, and security monitoring.

No system is perfectly secure. If we become aware of a data breach that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in accordance with the Notifiable Data Breaches scheme.

6. Service Providers and Sub-processors

We do not sell personal information. We share personal information with a small set of service providers who help us deliver the Service. Each is bound by contractual confidentiality and data protection obligations:

  • Ultravox — speech-to-speech voice AI used for live call audio and language understanding.
  • Anthropic — the Claude language model used for reasoning, summarisation, and certain agent behaviours. Anthropic does not use customer data submitted via the API to train its models by default.
  • Twilio — telephony provider that connects the public phone network to the Service (carriage and number management).
  • Stripe — payment processing and billing. Stripe is PCI DSS Level 1 certified and processes card data directly; we do not store full card numbers.
  • Railway — managed application and database hosting.
  • Postmark / Resend — transactional email delivery (account, billing, and security notifications).

We may also disclose personal information where required by law, court order, or regulator request, or in connection with a corporate transaction such as a merger, acquisition, or sale of assets (in which case the recipient will be bound by this policy or an equivalent one).

An up-to-date list of sub-processors is available on request from privacy@karmasai.com.

7. Cross-Border Disclosure (APP 8)

Some of our sub-processors (including Ultravox, Anthropic, Twilio, and Stripe) are based outside Australia, primarily in the United States and the European Union. When we disclose personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles that information in a manner consistent with the Australian Privacy Principles, including through data processing agreements and standard contractual clauses where applicable.

8. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Request access to the personal information we hold about you (APP 12);
  • Request correction of inaccurate or out-of-date information (APP 13);
  • Request deletion of your personal information, subject to legal retention obligations;
  • Opt out of marketing communications at any time;
  • Make a complaint about how we have handled your personal information (see Section 12).

If you are in the EU/EEA or UK, GDPR additionally gives you the right to restrict or object to processing and to data portability. If you are a California resident, CCPA gives you the right to know what categories of personal information we collect and the right to delete it, subject to legal exceptions. We do not sell personal information as defined under the CCPA.

To exercise any of these rights, email privacy@karmasai.com. We will respond within 30 days. If a request relates to data captured by an agent you operate (for example, a caller asking for their data to be deleted), we will forward it to you as the data controller and assist as needed.

9. Data Retention

We retain account information for the life of your account plus 30 days after closure. Call recordings, transcripts, and call metadata are retained according to your plan's retention setting (default: 90 days) and your tenant's data retention policy, after which they are permanently deleted from active systems. Anonymised and aggregated analytics that cannot reasonably be linked to an individual may be retained indefinitely. We may retain certain records longer where required by tax, accounting, or other legal obligations.

You may request earlier deletion at any time from your dashboard or by emailing privacy@karmasai.com.

10. Cookies and Analytics

We use essential cookies for authentication and session management, and a small number of analytics cookies to understand how the website and dashboard are used. We do not use cookies for cross-site advertising. You can control cookies through your browser settings; blocking essential cookies will prevent you from signing in.

11. Children

The Service is intended for use by businesses and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will delete it.

12. Complaints

If you believe we have breached the Australian Privacy Principles or mishandled your personal information, please email privacy@karmasai.com with the details. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.

If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

13. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or through the dashboard at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

14. Contact

For privacy-related questions or to exercise your rights, contact us at privacy@karmasai.com.

Innovenses Pty Ltd
Melbourne, VIC, Australia