Privacy Policy

1. Introduction

This Privacy Policy explains how Bernard Adjei-Yeboah, trading as EchoFlow Solutions (ABN 55 441 896 015) ("we", "us", "our"), collects, uses, discloses, and protects your personal information when you use AgentPA, our AI personal assistant for real estate agents delivered via WhatsApp.

We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By using AgentPA, you consent to the practices described in this policy.

This policy applies to all users of AgentPA, including those on the 60-day free trial and paid subscribers. It covers information collected through our WhatsApp service (via +61 468 007 577), our website (agentpa.com.au), and any related communications.

2. Information We Collect

We collect the following categories of personal information:

2.1 Account Information

• Your full name
• Mobile phone number (serves as your unique account identifier)
• Email address
• Agency or business name
• Professional role or title

2.2 Real Estate and Listing Data

• Property addresses and listing details
• Sale prices, asking prices, and price guides
• Vendor (seller) names and contact details
• Buyer names, phone numbers, enquiry notes, and inspection attendance
• Open home schedules and auction dates
• Any other property or contact information you provide to AgentPA

2.3 Communication Data

• All WhatsApp messages (text) exchanged between you and AgentPA
• Conversation history and context logs used by the AI to provide continuity
• Message timestamps and delivery status

2.4 Voice Data

• Voice notes you send via WhatsApp are transcribed using OpenAI Whisper
• Audio files are stored temporarily for a maximum of 7 days, then automatically and permanently deleted
• Text transcriptions of voice notes are stored permanently as part of your conversation history
• Voice briefings generated by OpenAI Text-to-Speech (TTS) are delivered to you via WhatsApp

2.5 Usage Data

• Message timestamps and frequency of interactions
• Features used (e.g., briefings, follow-ups, listing queries, voice notes)
• AI token consumption and processing metrics
• Subscription status and billing cycle information

2.6 Payment Data

• Payment information is processed securely by Stripe
• We never see, store, or have access to your full credit card number, CVV, or complete card details
• We retain only a record of transaction amounts, dates, and the last four digits of your card for billing reference

3. How We Use Your Information

We use your information for the following specific purposes:

3.1 AI Processing

Your messages and data are sent to Anthropic (Claude AI) for response generation. This includes generating morning briefings, follow-up reminders, listing insights, draft messages, and answering your queries. Anthropic does not use your data to train their models.

3.2 Voice Transcription

Voice notes you send are transmitted to the OpenAI Whisper API for speech-to-text transcription. The resulting text is then processed by our AI to understand and act on your instructions.

3.3 Voice Briefing Generation

When voice briefings are generated, text content is sent to OpenAI Text-to-Speech (TTS) API to create audio messages that are delivered to you via WhatsApp.

3.4 WhatsApp Message Delivery

All messages between you and AgentPA are routed through Twilio, which provides the WhatsApp Business API infrastructure. Twilio processes your phone number and message content for delivery purposes.

3.5 Payment Processing

Subscription billing is handled entirely by Stripe. We use Stripe to charge your nominated payment method AUD $149/month and to manage your subscription lifecycle.

3.6 Service Improvement

We analyse aggregate, anonymised usage patterns to improve AgentPA. This includes understanding which features are most used, average response times, and overall service performance. We never share or sell individually identifiable data for analytics or any other purpose.

3.7 Service Communications

We use your contact details to send service-related communications, including billing confirmations, subscription reminders, feature updates, and important notices about changes to the service or these policies.

4. Third-Party Services

We use the following third-party services to operate AgentPA. Each service only receives the minimum data necessary to perform its function:

Each of these services maintains their own privacy policies (linked above). We encourage you to review them. We contractually require these providers to protect your data and only use it for the purposes we specify.

5. Data Storage and Security

We take the security of your personal information seriously and implement the following measures:

• Primary data storage: All user data is stored in Supabase databases located in the Sydney, Australia region.
• Server hosting: Our application servers are hosted on DigitalOcean in Sydney, Australia.
• Encryption in transit: All data transmitted between your device, our servers, and third-party services is encrypted using TLS/SSL protocols.
• Database access controls: Database access is restricted by API keys and role-based access policies. Only authorised application services can read or write to the database.
• Voice file deletion: Audio voice note files are automatically and permanently deleted after 7 days. Only the text transcriptions are retained.
• Payment security: We never store full credit card numbers. All payment data is handled by Stripe, which is PCI DSS Level 1 certified.
• No data sales: We do not sell, rent, lease, or trade your personal information to any third party, ever.
• No AI training on your data: We do not use your messages, voice notes, listings, contacts, or any other content you provide to train any AI model — neither our own nor those of our third-party providers. Anthropic and OpenAI both confirm in their API terms that customer data submitted via their APIs is not used for model training by default, and we operate exclusively under those API terms.

While we take reasonable steps to protect your personal information using industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you promptly in the event of a data breach (see Section 9).

6. Data Retention

• Conversation logs: Kept indefinitely while your account is active, to provide continuity and context for the AI assistant. Deleted within 30 days of an account deletion request.
• Voice note audio files: Automatically and permanently deleted after 7 days. Transcriptions are retained as part of your conversation history.
• Account information: Retained while your account is active. After cancellation, data is preserved for 90 days (to allow reactivation), then permanently deleted.
• Payment records: Retained as required by Australian tax law (generally 5 years from the date of the transaction).
• Listing and contact data: Retained while your account is active and deleted in accordance with the account information schedule above.
• Aggregate analytics: De-identified, aggregate usage data may be retained indefinitely for service improvement purposes, as it cannot be used to identify any individual.

7. Australian Privacy Act 1988 Compliance

We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). Although sole traders with an annual turnover under $3 million are generally exempt from the Privacy Act, we voluntarily comply with the APPs because we believe your data deserves strong protection. Our compliance includes:

• APP 1 — Open and transparent management: This Privacy Policy clearly sets out how we handle your personal information, and is freely accessible on our website and upon request.
• APP 3 — Collection of solicited personal information: We only collect personal information that is reasonably necessary for the provision of AgentPA. We do not collect sensitive information (e.g., health, racial, or political information).
• APP 5 — Notification of collection: This policy notifies you at or before the time of collection about what we collect, why, and how it will be used.
• APP 6 — Use or disclosure: We only use or disclose your personal information for the primary purpose for which it was collected (providing the AgentPA service), or for directly related secondary purposes you would reasonably expect.
• APP 8 — Cross-border disclosure: Where we disclose personal information to overseas recipients (see Section 10), we take reasonable steps to ensure those recipients comply with the APPs or are subject to substantially similar privacy protections.
• APP 11 — Security of personal information: We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure (see Section 5).
• APP 12 — Access to personal information: You have the right to request access to the personal information we hold about you. We will respond to access requests within 30 days.
• APP 13 — Correction of personal information: You have the right to request correction of any personal information we hold about you that is inaccurate, out-of-date, incomplete, irrelevant, or misleading.

8. Your Rights

As a user of AgentPA, you have the following rights regarding your personal information:

• Right to access: You may request a copy of all personal information we hold about you. We will provide this within 30 days of your request.
• Right to correction: You may request correction of any inaccurate, out-of-date, or incomplete personal information.
• Right to deletion: You may request deletion of your personal information and all associated account data. Upon receiving a deletion request, we will permanently remove your data within 30 days, except where retention is required by law (e.g., tax records).
• Right to data portability: You may request an export of your data in a commonly used, machine-readable format.
• Right to complain: You may lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs (see Section 14).

9. Data Breach Notification

In the event of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

• Take immediate steps to contain and remediate the breach.
• Notify affected individuals as soon as practicable, and in any event within 30 days of becoming aware of the eligible data breach.
• Notify the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme established under Part IIIC of the Privacy Act 1988.
• Provide affected individuals with information about the breach, the type of information involved, and recommended steps they should take in response.

10. Cross-Border Data Transfers

While your primary data is stored in Australia (Supabase and DigitalOcean, both in Sydney), some of your data is processed by services located in the United States and other jurisdictions as part of providing the AgentPA service:

• Anthropic (Claude AI): Message content is sent to US-based servers for AI processing.
• OpenAI: Voice notes and text are sent to US-based servers for transcription and text-to-speech generation.
• Twilio: Message content and phone numbers are processed through Twilio's US and global infrastructure for WhatsApp delivery.
• Stripe: Payment data is processed through Stripe's US and global infrastructure.

In accordance with APP 8, before disclosing personal information to these overseas recipients, we take reasonable steps to ensure they are bound by enforceable obligations to protect your information in a manner substantially similar to the APPs. Each of these providers maintains comprehensive privacy and data protection policies, and we select providers that demonstrate strong commitments to data security.

11. Marketing Communications

• Service messages are the product: Morning briefings, follow-up reminders, and other proactive messages sent by AgentPA via WhatsApp are core features of the service you have subscribed to — they are not marketing communications.
• No unsolicited marketing: We will never send you unsolicited marketing or promotional messages unrelated to the AgentPA service.
• No third-party marketing: We will never share, sell, or provide your personal information to any third party for their marketing purposes.
• Service updates: We may occasionally send you important updates about new features, changes to the service, or policy updates via WhatsApp or email. You may opt out of non-essential service communications at any time.

12. Children's Privacy

AgentPA is a professional business tool designed exclusively for real estate agents and business professionals aged 18 and over. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a person under 18, we will take immediate steps to delete that information.

13. Cookies and Tracking

AgentPA operates primarily through WhatsApp and does not rely on cookies for its core functionality. Our website (agentpa.com.au) uses only essential cookies required for basic functionality:

• Essential cookies: Theme preference (light/dark mode) and basic session management. These are strictly necessary for the website to function.
• No advertising cookies: We do not use any advertising cookies, tracking pixels, or retargeting technologies.
• No analytics tracking: We do not use Google Analytics, Facebook Pixel, or any other third-party analytics tracking on our website.
• No cross-site tracking: We do not share any data with advertising networks or engage in cross-site tracking of any kind.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

• Material changes: For any material changes to how we collect, use, or share your personal information, we will notify you via WhatsApp at least 30 days before the changes take effect.
• Minor changes: Non-material changes (e.g., formatting, clarifications) may be made without advance notice but will be reflected in the "Last updated" date at the top of this page.
• Continued use: Your continued use of AgentPA after the effective date of any changes constitutes your acceptance of the updated policy.
• Objections: If you do not agree with a material change, you may cancel your subscription before the change takes effect and request deletion of your data.

15. Complaints

If you believe we have breached the Australian Privacy Principles or have a complaint about how we handle your personal information:

• Step 1 — Contact us: Lodge your complaint with us at [email protected]. We will acknowledge your complaint within 7 days and provide a substantive response within 30 days.
• Step 2 — Escalate to the OAIC: If you are not satisfied with our response, or if we fail to respond within 30 days, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:

AgentPA WhatsApp number: +61 468 007 577