AustraliaB2B onlyCloud + self-hosted

Privacy Policy

A formal description of how Whispa handles personal information across the website, demos, cloud deployments, and support for self-hosted deployments.

Last updated: 9 March 2026

About this policy

This Privacy Policy explains how Whispa Operations Pty Ltd ("Whispa", "we", "our", or "us") collects, holds, uses, and discloses personal information in connection withwhispa.net, our sales and support activities, demo environments, cloud deployments, and limited support interactions for self-hosted deployments.

We are an Australian B2B provider and this policy is intended to align with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

Contact details

Entity: Whispa Operations Pty Ltd

Email: privacy@whispa.net

Address: 20 Springthorpe Way, Castle Hill, NSW 2154, Australia

Deployment model

Cloud deployment

For the cloud service, Whispa stores customer content in AWS Australia and generally handles that content on behalf of the business customer that uses the service.

Deployment model

Self-hosted deployment

For self-hosted deployments, Whispa does not receive or store customer production data unless the customer voluntarily sends us support materials.

Scope and roles

This policy covers personal information relating to business contacts, users of our website or demo environments, users of our cloud service, and people whose information may appear in support materials sent to us.

Website, sales, support, and billing: Whispa Operations Pty Ltd decides how this information is handled and is responsible for it under this policy.
Cloud customer content: Whispa generally handles call content and related records on behalf of the relevant business customer so that we can provide the contracted service.
Customer responsibilities: Our customers are responsible for deciding what information they submit to Whispa and for providing any required notices, consents, and disclosures to call participants and other individuals, including disclosures required for recorded or regulated calls.
Self-hosted deployments: The self-hosted customer controls production data and is responsible for the privacy and compliance position for that deployment.

Information we collect

Website, sales, support, and accounts

Business contact details: Name, work email address, phone number, company name, job title, and other information you provide when you contact us, request a demo, or subscribe to updates.
Account and workspace details: User account details, login identifiers, organisation information, and administrative settings for demo, trial, or production environments.
Support and communications: Emails, support requests, meeting notes, feedback, and files you choose to send to us.
Billing and commercial records: Invoice contact details, billing addresses, payment status, bank transfer references, and related records maintained through manual invoicing and Xero. We do not currently operate a self-serve card billing flow.
Technical and usage information: IP address, device and browser information, timestamps, authentication events, product usage events, and security or diagnostic logs.

Cloud service customer content

Customer content: Call audio, transcripts, summaries, coaching reports, compliance assessments, and related call metadata processed through the cloud service.
Call audio storage: Call audio is stored only where a customer explicitly enables or requests that storage.
Transcript handling: Transcripts stored by Whispa in the cloud service are redacted.
Sensitive information: Customer content may include financial information and regulated call recordings, and may contain other sensitive information depending on how our customers use the service.
CRM data: We do not store a copy of a customer's CRM database merely because a customer uses CRM workflows or integrations, except to the extent information is separately included in customer content, exported reports, support materials, or other records intentionally provided to us.

Self-hosted deployments

For self-hosted deployments, Whispa does not receive or store customer production data. The customer controls the infrastructure, storage, retention settings, and compliance position for production use.
If a self-hosted customer voluntarily sends us logs, screenshots, sample records, or other material for support, those support materials are handled under this Privacy Policy.

How we use personal information

provide the website, demos, trials, cloud service, and customer support
set up and administer customer accounts, workspaces, and business relationships
process invoices, maintain commercial records, and manage collections
operate transcription, analysis, coaching, compliance, and reporting features requested by customers
monitor performance, investigate incidents, prevent misuse, and protect the security of our systems
communicate about product changes, service notices, support matters, and relevant business updates
improve our services using service telemetry, support learnings, and aggregated or de-identified usage information
comply with legal obligations and protect our rights, customers, and users

AI use and training

We do not use customer content to train our own models.
We do not permit third-party AI providers engaged through our service to train their general models on customer content processed for Whispa.
We may still use aggregated or de-identified service telemetry, operational metrics, and support learnings to maintain and improve the service.

Disclosure and service providers

We do not sell personal information. We may disclose personal information to service providers, professional advisers, regulators, courts, or other parties where reasonably required to operate the service, comply with law, protect rights and safety, or complete a corporate transaction.

Amazon Web Services (AWS)

cloud infrastructure and storage

AWS Bedrock

managed AI model access

Deepgram

speech processing and transcription services

ElevenLabs

voice and audio processing services

OpenRouter

model routing and AI provider access

Sentry

error monitoring and diagnostics

PostHog

product analytics and usage insights where enabled

HubSpot

sales, marketing, and customer relationship management

Xero

invoicing and accounting records

Data hosting and overseas processing

Australian storage

For cloud deployments, customer content is stored in AWS Australia. We currently focus on Australian business customers.

Overseas processing

Although we aim to keep stored customer content in Australia, some service providers may process information outside Australia, including when we use AI, analytics, error monitoring, or communications providers that operate in other jurisdictions.

Where we disclose personal information overseas, we take reasonable steps to ensure recipients protect it in a manner consistent with Australian privacy requirements.

Data retention

We retain personal information only for as long as reasonably necessary for the purpose for which it was collected, to meet legal obligations, resolve disputes, enforce agreements, and maintain appropriate business and security records. Retention for cloud customer content can be configured by agreement, customer settings, or documented instructions.

Business contact and sales records: Retained for the duration of the relationship and up to 24 months afterwards, unless a longer period is required by law or needed to manage an active dispute or request.
Billing and accounting records: Generally retained for 7 years to meet tax, accounting, and record-keeping obligations.
Support requests and support materials: Generally retained for up to 24 months after the matter is closed, unless we need to keep them longer for security, legal, or contractual reasons.
Application, access, and security logs: Generally retained for 90 days, with longer retention where reasonably required for incident response, fraud prevention, or legal compliance.
Backups: Rolling backups are typically retained for up to 35 days before deletion or overwrite.
Cloud call audio: If audio storage is enabled by the customer, the default retention period is 30 days unless a different period is configured or agreed in writing.
Cloud transcripts, summaries, coaching outputs, and call metadata: The default retention period is 12 months, but retention is configurable and may be adjusted by contract, deployment settings, or documented customer instructions.
Deletion after termination: Unless we are required to keep information by law, we aim to delete or de-identify remaining cloud customer content within 30 days after termination of the applicable service, subject to any agreed export period and residual backup retention.

Security

encryption in transit and encryption at rest for supported data stores and services
role-based access controls and least-privilege access practices
authentication safeguards, administrative controls, and environment segregation
logging and monitoring to detect misuse, faults, and security incidents
backup and recovery controls
incident response processes, including escalation and breach assessment where required

No method of transmission or storage is completely secure, but we take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure.

Access, correction, and complaints

Your options

Access: You may request access to personal information we hold about you, subject to applicable exceptions under Australian law.
Correction: You may ask us to correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
Marketing choices: You can opt out of marketing communications at any time using the unsubscribe link or by contacting us.
Complaints: You may complain to us if you think we have mishandled your personal information.

How requests work

Email privacy@whispa.net with enough detail for us to understand your request.
We may ask for information to verify your identity and authority before acting on a request.
If the request relates to cloud customer content controlled by one of our business customers, we will usually direct you to that customer first or work with them on the request.
We aim to acknowledge privacy complaints within 7 days and respond within 30 days where reasonably practicable.

Cookies and similar technologies

We do not currently use advertising cookies or third-party marketing pixels on the public website.

Necessary cookies: Our authenticated product environments use cookies and similar technologies for login, session management, security, and related functionality.
Product analytics: We may use product analytics tools such as PostHog in authenticated environments where enabled to understand feature usage and improve the service.
Changes: If we materially change our use of optional analytics or tracking technologies, we will update this policy and any consent mechanisms required by applicable law.

Children and third-party links

Children

Whispa is intended for business use and is not directed to children. We do not knowingly collect personal information directly from children.

Third-party services

Our website or service may link to third-party websites or tools. Their privacy practices are governed by their own policies, not this one.

Changes to this policy

We may update this policy from time to time to reflect changes in our services, practices, or legal obligations. We will post the updated version on this page and update the "Last updated" date above. If the change is material, we may also notify customers through the product, by email, or by another appropriate channel.

Contact us and make a complaint

Contact Whispa

Whispa Operations Pty Ltd

privacy@whispa.net

20 Springthorpe Way, Castle Hill, NSW 2154, Australia

External complaint option

Office of the Australian Information Commissioner

If you are not satisfied with our response to a privacy complaint, you may contact the OAIC.

oaic.gov.au/privacy/privacy-complaints