Legal · Privacy

Privacy Policy

allincode Pty Ltd · ABN 19 572 050 865 · Gold Coast, Queensland, Australia
Last updated: April 2026 · Effective immediately

Note: This policy has been drafted in good faith and reflects our genuine practices. We recommend it be reviewed by a qualified Australian lawyer. If you have questions, email paul@allincode.com.au.

Contents

Who we are
What information we collect
Ora widget & AI brain data
CRM & lead data
How we use your information
Third-party services
Cross-border transfers
Data processor role
Data retention
Security
Your rights
Cookies
Children
Changes
Contact & complaints

1. Who we are

allincode Pty Ltd (allincode, we, us) is an AI web studio based in Gold Coast, Queensland, Australia. We build custom websites, AI-powered products, and deploy conversational AI systems — including our flagship product, Ora — the Oracle — for clients.

We are the data controller for information collected through allincode.com.au. When operating Ora on behalf of clients, we act as a data processor — see Section 8.

Contact: paul@allincode.com.au · +61 416 355 322 · Gold Coast, QLD 4000, Australia

2. What information we collect

Information you provide directly

Enquiry and contact forms: Name, email, business name, phone number, and message content.
Onboarding: Business details, project information, billing name and address when you engage our services.
Payment: Processed by Stripe. We do not store card numbers or banking details.
Communications: Emails, WhatsApp messages, and other correspondence you send us.

Information collected automatically

Usage data: Pages visited, browser type, device, and general geographic region.
Technical data: IP address (anonymised where possible), referring URLs, and session identifiers.

3. Ora widget & AI brain data

Ora is a conversational AI deployed on our website and, on behalf of clients, on their websites. When you interact with any Ora widget, the following data is collected:

Conversation content: Every message you send and every Ora reply, stored as a transcript.
Contact details you share: Name, email, phone number, and business name if you provide them during conversation.
Session ID: A unique identifier to maintain conversation continuity.
Page URL: The page you were on when the conversation started.
Channel: Whether you used the web widget, embeddable widget, or WhatsApp.
AI qualification: After a conversation, an AI system may analyse the transcript to produce a lead qualification score, grade, and summary. This is stored alongside the conversation transcript.

WhatsApp: If you contact Ora via WhatsApp, your phone number, WhatsApp profile name (if shared), and all messages are processed and stored in the same way as web conversations. WhatsApp's own privacy policy also applies.

How responses are generated: Your messages are sent to Anthropic's Claude API to generate Ora's replies. Anthropic processes these messages on our behalf and does not use them to train its models. See Section 6 for Anthropic's privacy policy.

4. CRM & lead data

Conversations captured by Ora are stored in a CRM system hosted on Supabase. This CRM is accessible to allincode staff and — for Ora deployments on client websites — to the relevant client through a secure dashboard.

CRM records include: conversation transcripts, extracted contact details, qualification scores, pipeline status, notes, and timestamps.

5. How we use your information

Responding to enquiries and delivering our services
Processing payments and managing accounts
Operating Ora — generating AI responses, capturing leads, and providing CRM access to clients
Qualifying and following up sales leads (on our site and on behalf of clients)
Improving Ora's AI responses and system performance
Sending service communications (invoices, project updates, CRM credentials)
Marketing to existing clients only — with opt-out in every message
Meeting legal obligations including Australian tax record-keeping

We will not sell, rent, or trade your personal information to third parties for their own marketing.

6. Third-party services

Service	Purpose	Location	Privacy Policy
Anthropic	AI responses for Ora via Claude API	USA	anthropic.com/privacy
Supabase	Database — Ora conversations, CRM, client records	USA / AWS	supabase.com/privacy
Vercel	Website and API hosting	USA / Global CDN	vercel.com/legal/privacy-policy
Stripe	Payment processing	USA / Australia	stripe.com/au/privacy
ElevenLabs	Voice synthesis for Vox and voice features	USA	elevenlabs.io/privacy
SignalWire	WhatsApp and SMS infrastructure	USA	signalwire.com/legal/privacy-policy
Twilio	WhatsApp Business API for client deployments	USA	twilio.com/en-us/legal/privacy
Zapier	Workflow automation and integrations	USA	zapier.com/privacy

7. Cross-border data transfers

Several providers operate infrastructure in the United States. By using our services — including interacting with any Ora widget — you acknowledge your personal information may be transferred to and processed in the USA and other countries outside Australia.

We take reasonable steps to ensure overseas recipients handle personal information consistently with the Australian Privacy Principles. We enter into data processing agreements with providers where required. To raise concerns about cross-border transfers, contact paul@allincode.com.au.

8. Data processor role (Ora clients)

When we deploy Ora on behalf of a client on their website:

The client is the data controller for their website visitors' personal information.
allincode is the data processor — processing visitor data only as directed by the client and to operate Ora.
The client is responsible for having their own Privacy Policy disclosing the use of Ora and data collected through it.
The client is responsible for having a lawful basis to collect their visitors' data via Ora.

Clients requiring a formal Data Processing Agreement (DPA) should contact paul@allincode.com.au.

9. Data retention

Client business records and invoices: 7 years (Australian tax law).
Ora conversations and CRM data: Duration of client subscription plus 90 days after termination, then deleted unless law or written agreement requires longer retention.
Website enquiry data: 2 years from enquiry, or until you request deletion.
Payment records: As required by Stripe and Australian tax law (generally 7 years).
WhatsApp conversations: Same as Ora web conversations above.

Request deletion any time by emailing paul@allincode.com.au — we'll respond within 30 days, subject to legal retention requirements.

10. Security

We take reasonable technical and organisational measures to protect your personal information, including: HTTPS encryption for all data in transit, database access controls and authentication, API key protection (no credentials exposed in client-facing code), and CRM access restricted to authenticated clients and allincode staff.

No internet transmission is 100% secure. In the event of a data breach likely to cause serious harm, we will comply with the Notifiable Data Breaches (NDB) scheme — notifying the OAIC and affected individuals as required.

11. Your rights

Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you have the right to:

Access the personal information we hold about you
Correct inaccurate or out-of-date information
Delete your information (subject to legal retention obligations)
Opt out of marketing communications at any time
Complain to us and, if unsatisfied, to the OAIC

Email paul@allincode.com.au with "Privacy Request" in the subject. We'll respond within 30 days.

Interacted with Ora on a client's site? Contact that business directly — they are the data controller for your information from their Ora deployment.

12. Cookies

Essential: Required for the website and CRM to function (session management). Cannot be disabled without breaking site functionality.

Functional: The Ora widget uses sessionStorage — temporary browser storage cleared when you close your tab. Not a persistent cookie, not shared across sessions.

Analytics: We do not currently use third-party analytics tools that set cookies.

No advertising or tracking cookies. We do not track you across other websites. We do not display ads on allincode.com.au.

Manage cookies through your browser settings. Check your browser's help documentation for instructions.

13. Children

Our services are for business owners and adults. We do not knowingly collect information from anyone under 18. If you believe we have done so inadvertently, contact paul@allincode.com.au and we will delete it promptly.

14. Changes to this policy

We may update this policy to reflect changes in our services, technology, or law. We will update the "Last updated" date when we do. Continued use of our website or services after changes are posted constitutes acceptance of the updated policy.

15. Contact & complaints

Email: paul@allincode.com.au
Phone: +61 416 355 322
Address: Gold Coast, Queensland, Australia

We will acknowledge requests within 5 business days and resolve them within 30 days.

If unsatisfied with our response, contact the Office of the Australian Information Commissioner (OAIC): oaic.gov.au · 1300 363 992