DRAFT — This document is under legal review
Privacy Policy
Last updated: 14 March 2026
Effective date: [TBD — set when published]
1. Introduction
AliceHQ.AI Limited ("AliceHQ", "we", "us", "our") is committed to protecting the privacy of individuals whose personal information we collect and process. This Privacy Policy explains how we collect, use, store, and disclose personal information in connection with the AliceHQ platform and related services ("Service").
This policy applies to:
- Customers: Businesses and individuals who subscribe to the Service
- End Users: Individuals who interact with the Service through customer-configured channels (voice calls, SMS, web chat, social messaging)
- Website Visitors: Individuals who visit alicehq.ai
We comply with the New Zealand Privacy Act 2020 and the Information Privacy Principles ("IPPs") set out in that Act.
2. Who We Are
AliceHQ.AI Limited
New Zealand Company
NZBN: [TBD]
Email: privacy@alicehq.ai
Website: alicehq.ai
Our Privacy Officer can be contacted at privacy@alicehq.ai.
3. Information We Collect
3.1 Customer Information
When you create an account and subscribe to the Service, we collect:
- Name, email address, phone number
- Business name and address
- Billing information (processed by Stripe — we do not store full payment card numbers)
- Account preferences and configuration settings
3.2 End User Information
When End Users interact with the Service through your configured channels, we may collect:
- Name, phone number, email address (as provided during conversation)
- Conversation content (voice recordings, transcripts, chat messages)
- Booking details, appointment information, and other transactional data
- IP address and device information (for web chat interactions)
3.3 Automatically Collected Information
When you use the Service or visit our website, we automatically collect:
- Usage data (pages visited, features used, actions taken)
- Device information (browser type, operating system)
- IP address and approximate location
- Cookies and similar tracking technologies (see Section 9)
3.4 Information from Third-Party Integrations
When you connect third-party services (e.g., Google Calendar, CRM systems), we access information from those services as necessary to provide the Service, in accordance with the permissions you grant.
4. How We Use Information
We use personal information for the following purposes:
| Purpose | Lawful Basis (IPP) |
|---|---|
| Providing and operating the Service | Directly related to the purpose of collection (IPP 10) |
| Processing conversations and executing actions | Directly related to the purpose of collection (IPP 10) |
| Billing and account management | Directly related to the purpose of collection (IPP 10) |
| Customer support | Directly related to the purpose of collection (IPP 10) |
| Service improvement and analytics | Legitimate interest, with de-identified data where possible |
| Security and fraud prevention | Legal obligation and legitimate interest |
| Communicating service updates | Directly related to customer relationship (IPP 10) |
| Complying with legal obligations | Legal obligation (IPP 10(d)) |
We do not use personal information for:
- Selling to third parties
- Advertising or marketing to End Users
- Training AI models on identifiable customer or End User data
- Profiling individuals for automated decision-making that produces legal effects
5. AI Processing
5.1 How AI Processes Data
The Service uses third-party AI language models to process conversations and generate responses. When a conversation occurs:
- The conversation content is sent to an AI model provider for processing
- The AI generates a response and may trigger actions (e.g., creating a booking)
- A receipt (audit log) of the action is created and stored
5.2 AI Model Providers
We use the following AI model providers as sub-processors:
- Google (Gemini) — Primary conversation processing
- OpenAI — Alternative conversation processing
- Anthropic (Claude) — Alternative conversation processing
- Groq — Low-latency processing
Each provider has their own data processing commitments. We have reviewed their terms to ensure compatibility with the New Zealand Privacy Act 2020.
5.3 AI Data Retention by Providers
We configure our AI provider accounts to not retain conversation data for model training purposes. Conversations are processed transiently. Refer to each provider's privacy documentation for their specific data handling practices.
5.4 Voice Processing
For voice conversations, we use:
- Twilio for telephony (call routing, recording)
- AI speech-to-text for transcription
- AI text-to-speech for response generation (via ElevenLabs or equivalent)
Voice recordings and transcripts are stored as part of the conversation record and are subject to the same retention policies as other Customer Data.
6. Information Sharing and Disclosure
We share personal information with:
6.1 Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure hosting, data storage | United States (us-central1) |
| Firebase (Google) | Database, authentication | United States |
| Stripe | Payment processing | United States |
| Twilio | Voice calls, SMS | United States |
| Google (Gemini API) | AI conversation processing | United States |
| OpenAI | AI conversation processing | United States |
| Anthropic | AI conversation processing | United States |
| Groq | AI conversation processing | United States |
| ElevenLabs | Text-to-speech | United States |
| Resend | Transactional email | United States |
6.2 At Customer Direction
We share End User information with the Customer whose channels the End User interacted with, and with third-party services the Customer has connected (e.g., CRM, calendar).
6.3 Legal Requirements
We may disclose personal information if required by law, regulation, legal process, or governmental request, including to New Zealand regulatory authorities.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the successor entity, subject to the same privacy protections.
7. Cross-Border Data Transfers
Our primary infrastructure is hosted on Google Cloud Platform in the United States (us-central1 region). This means personal information collected from New Zealand individuals is transferred to and processed in the United States.
Under the New Zealand Privacy Act 2020 (IPP 12), we ensure that personal information sent overseas is subject to comparable privacy protections by:
- Using service providers that offer contractual commitments to data protection standards
- Ensuring sub-processors are bound by their own privacy frameworks (e.g., Google's data processing terms, Stripe's DPA)
- Maintaining oversight of sub-processor compliance
Note: By using the Service, you acknowledge that your data (and your End Users' data) will be processed in the United States. We are evaluating GCP's Australia (sydney) region for future data residency options.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Customer account data | Duration of subscription + 30 days |
| Conversation records (transcripts, recordings) | Duration of subscription + 30 days, or as configured by Customer |
| Billing records | 7 years (NZ tax requirements) |
| Website analytics | 26 months (anonymised) |
| Support correspondence | 2 years after resolution |
| Waitlist/marketing signups | Until unsubscribe + 30 days |
After the retention period, data is permanently deleted from our systems and backups within 90 days.
Customers can request earlier deletion of their data at any time (see Section 10).
9. Cookies and Tracking
9.1 Cookies We Use
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Authentication | Session |
| Preferences | User settings | 1 year |
| Analytics (if enabled) | Usage metrics | 26 months |
9.2 Cookie Choices
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service.
We do not use third-party advertising cookies or cross-site tracking.
10. Your Rights
Under the New Zealand Privacy Act 2020, you have the right to:
10.1 Access (IPP 6)
Request access to the personal information we hold about you. We will respond within 20 working days.
10.2 Correction (IPP 7)
Request correction of inaccurate personal information. If we decline a correction request, we will attach your requested correction as a statement to the information.
10.3 Deletion
Request deletion of your personal information, subject to our legal retention obligations (e.g., tax records).
10.4 Data Portability
Export your data through the platform's export functionality, or request a data export from us.
10.5 Complaints
If you are not satisfied with our response, you may lodge a complaint with the New Zealand Privacy Commissioner:
- Website: privacy.org.nz
- Phone: 0800 803 909
- Email: enquiries@privacy.org.nz
10.6 End User Rights
End Users who wish to exercise their privacy rights should contact the Customer whose channels they interacted with. If you are an End User and cannot identify the Customer, contact us at privacy@alicehq.ai and we will assist.
11. Security
We implement appropriate technical and organisational measures to protect personal information, including:
- Encryption in transit (TLS 1.2+) and at rest
- Access controls and authentication (Google Cloud IAM)
- Regular security assessments
- Incident response procedures
- Employee security awareness
No system is perfectly secure. In the event of a data breach that poses a risk of harm, we will notify affected individuals and the Privacy Commissioner as required by the Privacy Act 2020.
For security concerns, contact security@alicehq.ai.
12. Children's Privacy
The Service is not directed at individuals under 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Customers of material changes via email at least 14 days in advance. The current version is always available at alicehq.ai/privacy.
14. Contact Us
For privacy-related enquiries:
AliceHQ.AI Limited
Privacy Officer
Email: privacy@alicehq.ai
Website: alicehq.ai
For general enquiries: hello@alicehq.ai
For security issues: security@alicehq.ai
See also our Terms of Service.