Last Updated:
| Version | Date | Author | Status |
|---|---|---|---|
| 2.0 | 27 February | Joanna Thomas | Active |
Introduction and scope
This Privacy Policy explains how Enrola Pty Ltd (we, us or our) handles Personal Information in connection with:
• our AI-powered conversational sales platform (Platform), through which we process Personal Information provided to us by our business customers about their leads, prospects and contacts;
• the website located at https://getenrola.com (Website); and
• any related services, applications or communications.
Enrola provides AI-powered conversational agents that help businesses convert leads through automated sales conversations across messaging channels. The majority of Personal Information we handle is provided to us by our customers, about their customers and prospects, via our Platform. We process this information on our customers’ behalf and in accordance with our agreements with them. A smaller amount of Personal Information is collected directly from individuals who visit our Website or contact us. This policy has been prepared in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the 13 Australian Privacy Principles (APPs). We are committed to complying with the APPs and to managing Personal Information in an open and transparent way.
Our role in handling Personal Information
We handle Personal Information in two capacities, and it is helpful to understand the distinction:
• As a processor on behalf of our customers: our customers provide us with lead and contact data so that our AI agents can conduct conversations on their behalf. In this capacity, our customers determine what information is provided, and for what purpose. Our customer agreements include data processing terms that set out each party’s obligations regarding privacy and security. Our customers are responsible for ensuring they have appropriate legal bases, consents and privacy notices in place before providing Personal Information to us.
• As a collector in our own right: we collect a limited amount of Personal Information directly from individuals who visit our Website, make enquiries, or engage with us as prospective or current customers.
The sections that follow describe what we handle in both capacities.
Types of information
Personal Information, as defined in section 6(1) of the Privacy Act, means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in a material form or not. Sensitive Information is a subset of Personal Information that includes information about matters such as racial or ethnic origin, political opinions, religious beliefs, professional or trade body membership, criminal record, health, genetic or biometric information, or sexual orientation. We do not intentionally collect Sensitive Information. If it is inadvertently provided to us (for example, if an individual discloses health or other sensitive details during a conversation with one of our AI agents), we will only use it for the primary purpose of collection, for a directly related secondary purpose, with the individual’s consent, or as required or authorised by law.
Information we collect and hold
4.1 Information received from our customers (Platform data)
The majority of Personal Information we handle is provided to us by our business customers through our Platform, API integrations or CRM connections. This typically includes:
• Contact details of leads and prospects (such as name, phone number and email address), as provided by our customers
• Contextual lead information supplied by our customers to enable relevant conversations (for example, the product or course the lead enquired about, the source of the enquiry, or prior interaction history)
• Conversation records generated when our AI agents interact with individuals on behalf of our customers
• Interaction metadata, including timestamps, message counts and response times
• Outcomes and dispositions recorded during or after conversations (for example, whether a lead was qualified, booked an appointment or requested a callback)
We process this information strictly for the purpose of delivering our services to the relevant customer. We do not use customer-supplied Personal Information for our own marketing purposes or share it with other customers.
4.2 Information collected directly by us
We collect a limited amount of Personal Information directly from individuals, including:
Website visitors and enquiries
• Name and contact details provided through enquiry forms
• Organisation name and role
• Area of product interest
• Device and browser information, IP address
• Cookies and website analytics data (see section 14)
Customer contacts
• Business contact details of our customers and their representatives
• Billing and account information
• Support and correspondence records
Information we do not collect
We do not directly collect or store financial account details such as bank account or credit card numbers. Payment processing is handled by third-party payment processors who maintain their own privacy and security controls.
How we collect and receive Personal Information
We collect and receive Personal Information by lawful and fair means, in accordance with APP 3. Our methods include:
• From our customers, who provide lead data and contact information via our Platform, API, CRM integrations or manual upload. This is our primary source of Personal Information.
• Through our AI agents, when individuals respond to or engage in conversations. The conversation content itself becomes Personal Information that we hold on behalf of the relevant customer.
• Directly from individuals, when they submit information through our Website, enquiry forms, email or other communications.
• Through automated means, including cookies, web analytics tools and server logs when individuals visit our Website.
5.1 Notification at or before collection
Where we collect Personal Information directly from an individual (for example, through our Website or an enquiry form), we take reasonable steps to notify them of the matters required by APP 5, including who we are, the purposes of collection, and how to access or correct their information.
Where our AI agents collect conversation content from individuals on behalf of our customers, the responsibility for providing collection notification under APP 5 rests primarily with the customer who initiated the conversation. Our customer agreements require customers to have appropriate privacy notices in place. We support our customers in meeting this obligation, including by providing template notice language they may incorporate into their own communications.
5.2 Unsolicited information
From time to time, individuals may provide us with Personal Information that we did not request, for example by volunteering personal details during a conversation with one of our AI agents that go beyond what is needed for the conversation. Where we receive unsolicited Personal Information, we assess within a reasonable period whether we could have collected it under APP 3. If not, and the information is not contained in a Commonwealth record, we will destroy or de-identify it as soon as practicable (APP 4).
Purposes of use and disclosure
6.1 Platform data (received from customers)
We use Personal Information received from our customers for the following purposes:
• To operate our AI-powered agents and conduct conversations on behalf of the customer
• To generate reports, analytics and insights for the customer about their campaigns, lead quality and conversion outcomes
• To improve, train and refine the performance of our AI agents, using aggregated or de-identified data where practicable
• To provide technical support and troubleshoot issues related to the customer’s use of our Platform
• To comply with our legal and regulatory obligations
6.2 Directly collected information
We use Personal Information collected directly by us for the following purposes:
• To respond to enquiries and communicate with prospective and current customers about our products and services
• To manage customer accounts, process payments and administer our contractual relationships
• To send direct marketing communications (see section 9)
• For internal analytics, business improvement and product development
• To protect the rights, property or safety of Enrola, our customers and third parties
• To comply with our legal and regulatory obligations
We will not use or disclose Personal Information for a purpose other than the primary purpose of collection, unless a related secondary purpose would be reasonably expected, the individual has consented, or we are required or authorised to do so by law (APP 6).
AI agents and automated processing
Our core service involves AI-powered conversational agents that engage with individuals on behalf of our customers across messaging channels. Here is how Personal Information is used in that context:
• Our AI agents use Personal Information (such as name, expressed preferences and conversation context) to personalise conversations towards outcomes defined by our customers, such as booking an appointment or qualifying interest
• Conversation data is stored and made available to the relevant customer through our Platform. Customers may use this data to follow up with leads, assess agent performance or inform their sales processes
• We may use aggregated and de-identified conversation data to improve our AI models and Platform performance. Where we do so, individual identities are removed before the data is used for this purpose
• Our AI agents do not make final decisions about credit, employment, insurance or other matters that could significantly affect individuals’ rights or interests. They facilitate sales conversations and qualify leads on behalf of our customers. Final decisions rest with the customer
From 10 December 2026, where we arrange for a computer program to use Personal Information to make a decision that could reasonably be expected to significantly affect the rights or interests of an individual, we will update this policy to include the information required by APPs 1.7, 1.8 and 1.9 as introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth).
Disclosure of Personal Information
8.1 Who we disclose to
We may disclose Personal Information to the following categories of recipients:
• Our customers: conversation records, lead qualification outcomes and performance reports relating to their campaigns. This is the core function of our service and is governed by our customer agreements.
• Service providers who assist us in operating the Platform, including cloud hosting providers, large language model providers, messaging gateway providers, CRM integration partners, payment processors and IT support services.
• Professional advisors, including legal, accounting and insurance advisors, where necessary for the operation of our business.
• Government agencies, regulators or law enforcement bodies, where required or authorised by law.
8.2 Safeguards
Where we disclose Personal Information to service providers, we require them to comply with obligations consistent with the APPs and this Privacy Policy. Our agreements with service providers include data processing terms addressing confidentiality, security, data retention and sub-processing.
We do not sell Personal Information to third parties. We do not share customer-supplied Personal Information between customers.
Direct marketing
We may use Personal Information that we have collected directly for direct marketing purposes, where the individual would reasonably expect to receive such communications from us (APP 7). This applies only to information we collect in our own right (for example, when a prospective customer submits an enquiry). We do not use customer-supplied lead data for our own marketing purposes.
We will not use Sensitive Information for direct marketing. Every direct marketing communication we send includes a simple and accessible way to opt out, such as an unsubscribe link. We process opt-out requests within five business days.
Cross-border disclosure of Personal Information
We are likely to disclose Personal Information to overseas recipients located in the following countries:
• United States of America, where certain cloud infrastructure and service providers maintain data centres
• Countries within the European Union / European Economic Area, where certain service providers or sub-processors may be located
Before disclosing Personal Information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs in relation to the information, in accordance with APP 8.1. We do this by:
• Entering into contractual arrangements that require the overseas recipient to handle Personal Information in accordance with the APPs
• Assessing whether the recipient is subject to a law or binding scheme that provides protections at least substantially similar to the APPs, with mechanisms the individual can access to enforce those protections
• Obtaining the individual’s informed consent to the overseas disclosure where appropriate, after informing them that APP 8.1 will not apply if consent is given
Data quality
We take reasonable steps to ensure that the Personal Information we use and disclose is accurate, up-to-date, complete and relevant, having regard to the purpose of use or disclosure (APP 10). For Platform data received from our customers, this includes:
• Relying on our customers to provide accurate and current lead data, as required by our customer agreements
• Enabling our customers to update or correct lead information through our Platform
• Prompting individuals to verify details during AI agent conversations where relevant
For information we collect directly, we periodically review stored data for accuracy and correct inaccuracies when identified.
Data handling, storage, retention and disposal
In accordance with APP 1.2 and APP 11, we maintain documented internal procedures governing the handling, storage, retention and disposal of Personal Information. The following outlines those procedures.
12.1 Data classification
All Personal Information entering our systems is classified according to its sensitivity and the context in which it was received or collected. We distinguish between Platform data (received from customers about their leads and prospects), directly collected data (from website visitors, enquiries and customer contacts), and any Sensitive Information that may be inadvertently received. Access controls are aligned to these classifications.
12.2 Storage and security
We store Personal Information using technical and organisational measures designed to protect it from misuse, interference, loss, unauthorised access, modification and disclosure (APP 11). Our measures include:
• Encryption of Personal Information in transit and at rest using industry-standard protocols
• Role-based access controls, ensuring only authorised personnel can access Personal Information on a need-to-know basis
• Logging and monitoring of access to Personal Information, with alerts for anomalous activity
• Use of reputable cloud service providers who maintain recognised security certifications
• Staff training on data handling, privacy obligations and information security practices
• Logical separation of customer data within our Platform, so that one customer’s data is not accessible to another
12.3 Retention periods
We retain Personal Information only for as long as necessary to fulfil the purposes for which it was collected or received, or as required by law. Our standard retention periods are:
| Category of information | Retention period | Disposal method |
|---|---|---|
| Conversation records (Platform data) | Duration of customer contract + 12 months, or as specified in customer agreement | Destroyed or de-identified |
| Lead and contact data (Platform data) | Duration of customer contract + 12 months, or as specified in customer agreement | Destroyed or de-identified |
| AI model training data (aggregated/de-identified) | Retained in de-identified form only | N/A (already de-identified) |
| Website analytics and cookies | 26 months from collection | Automatically purged |
| Customer account and billing records | 7 years from end of relationship | Destroyed |
| Enquiry and support correspondence | 3 years from resolution | Destroyed |
| Contractual and legal records | 7 years from end of contract | Destroyed |
| Data breach and incident records | 7 years from resolution | Destroyed |
Where a legal obligation requires us to retain information beyond these standard periods (for example, records required under taxation legislation), we will retain the information for the period required by law. Customer agreements may also specify different retention periods, in which case we follow the agreed terms.
12.4 Disposal and de-identification
When Personal Information is no longer required for any purpose for which it may be used or disclosed, and is not required to be retained by law or contract, we take reasonable steps to destroy or de-identify it (APP 11.2). Our disposal procedures include:
• Secure deletion of electronic records using methods that render data unrecoverable
• Secure destruction of any physical records containing Personal Information
• De-identification of data where retention of non-identifiable information is needed for analytics or service improvement, performed so that re-identification is not reasonably possible
• Logging of destruction or de-identification actions for audit purposes
Disposal logs are reviewed periodically to confirm compliance with our retention schedule.
12.5 Data breach response
In the event of a suspected data breach, we follow the procedures set out in the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act, including assessing whether the breach is likely to result in serious harm, notifying the OAIC and affected individuals where required, and notifying affected customers where the breach involves Platform data held on their behalf. Even where a data breach does not meet the threshold for mandatory notification, we will consider voluntary notification where doing so is in the interests of affected individuals or our customers.
Security of Personal Information
In addition to the measures outlined in section 12.2, we implement the following organisational safeguards:
• A designated Privacy Officer (currently the CEO) responsible for overseeing privacy compliance and handling enquiries
• Privacy impact assessments for new projects, products or systems that involve Personal Information
• Contractual requirements on service providers and sub-processors to maintain appropriate security standards
• Regular review of this Privacy Policy and our data handling procedures
• Incident response procedures, including the Data Breach Response Plan referenced in section 12.5
Access to and correction of Personal Information
You have the right to request access to Personal Information we hold about you (APP 12) and to request correction of information that is inaccurate, out of date, incomplete, irrelevant or misleading (APP 13).
If we hold your Personal Information because it was provided to us by one of our customers (for example, as part of a conversation conducted through our Platform), we may need to refer your request to the relevant customer or direct you to them, as they determined the collection and use of that information.
To make a request, please contact our Privacy Officer using the details in section 17. We will respond within 30 days. We will not charge you for making a request, but may charge a reasonable fee for providing access where the request requires substantial effort to locate, retrieve or compile the information.
We may refuse access in certain circumstances permitted by the Privacy Act, including where providing access would pose a serious threat to life or health, would unreasonably impact the privacy of other individuals, or where the request is frivolous or vexatious. If we refuse, we will provide written reasons and information about how to make a complaint.
If we decline to correct Personal Information as requested, you may ask us to associate a statement with the information noting that you consider it to be inaccurate, out of date, incomplete, irrelevant or misleading.
Cookies and analytics
Our Website uses cookies and similar technologies to enhance your browsing experience and analyse website traffic. Cookies are small text files stored on your device when you visit a website. We use:
• Essential cookies: required for the Website to function correctly
• Analytics cookies: help us understand how visitors interact with our Website, such as pages visited and referral sources
• Functional cookies: enable enhanced functionality and personalisation, such as remembering your preferences
You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our Website. As a general rule, it is not possible to identify you personally from our use of cookies alone.
Complaints
If you believe we have breached the APPs or handled your Personal Information inappropriately, you may lodge a complaint with our Privacy Officer using the contact details in section 17. We will acknowledge your complaint within five business days and aim to respond within 30 days. Our process involves:
• Acknowledgement of receipt and confirmation of the matters raised
• Investigation by the Privacy Officer, which may include seeking further information from you
• A written response setting out our findings and any steps we propose to take
If you are not satisfied with our response, you may refer the matter to the Office of the Australian Information Commissioner (OAIC):
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Post: GPO Box 5288, Sydney NSW 2001
How to contact us
If you have any queries about this Privacy Policy, wish to request access to or correction of your Personal Information, or wish to make a complaint, please contact our Privacy Officer:
Privacy Officer / CEO
Enrola Pty Ltd
Email: privacy@getenrola.com
Website: https://getenrola.com
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. We will publish the updated policy on our Website and update the ‘Last updated’ date at the top of this document. Where changes are material, we will take reasonable steps to notify affected individuals and customers.
