← Back to DevLeads

Privacy Policy

Effective 28 April 2026

1. About this policy

This privacy policy explains how DevLeads (“DevLeads”, “we”, “us”, “our”) handles personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

DevLeads is an Australian operations partner that builds and operates AI-driven customer-communication systems for local businesses (currently focused on residential HVAC). We collect and handle personal information in two capacities:

  • On our own behalf — when you contact us through our website, request a demo, or otherwise engage with DevLeads as a prospective or current client.
  • On behalf of our business clients — when their customers interact with the AI receptionist, SMS responder, or other systems we operate for them. In that capacity, the business client is the primary entity collecting the information; DevLeads processes it as their service provider.

Entity details. DevLeads (ABN 48 266 141 131). Privacy contact: leo@devleads.com.au.

2. The kinds of personal information we collect

The personal information we collect can include:

  • Identification details — name, business name, role.
  • Contact details — email address, phone number, suburb or service area.
  • Communication content — the content of messages you send us via our forms, the content of SMS conversations handled by systems we operate for our clients, and the content of voice calls handled by AI receptionists we operate for our clients (including transcripts and audio recordings).
  • Booking and service details — appointment preferences, the nature of the service requested, and any property or job context you provide voluntarily.
  • Technical information — IP address, browser type, device type, referring URL, and pages visited; collected automatically when you use our website or dashboard.
  • Account information — for our business clients, authentication credentials (password hashes, session tokens) used to sign in to the operations dashboard at app.devleads.com.au.

We do not knowingly collect sensitive information (as defined in the Privacy Act, e.g. health information, racial origin, political opinions). If you provide such information voluntarily in a free-text message, we treat it with the same protections as the rest of your information but do not solicit or rely on it.

3. How we collect personal information

We collect personal information directly from you when you:

  • Submit a form on this website (contact, demo request, revenue-leak report).
  • Email, call, or SMS us directly.
  • Sign in to a DevLeads-operated dashboard as an authorised user.
  • Interact with an AI receptionist, SMS responder, or other automated system we operate for one of our business clients — for example, when you call or text an HVAC business whose customer-communication systems are operated by DevLeads.

We also collect technical information automatically through cookies and similar technologies — see section 8.

AI disclosure. When you interact with a system operated by DevLeads on behalf of a business client, the AI nature of the system is disclosed proactively at the start of the interaction (in the voice greeting, or in the first SMS reply). You can ask to be transferred to a human at any time.

4. Why we collect personal information

We collect and use personal information to:

  • Respond to enquiries, demonstrations, and support requests.
  • Operate the customer-communication systems our business clients have engaged us to provide — for example, answering enquiries, booking jobs, sending appointment reminders, and following up on completed services.
  • Monitor system performance, diagnose errors, and improve service quality.
  • Send service-related communications (account messages, security notices) to authorised dashboard users.
  • Comply with legal obligations, including telecommunications, consumer-law, and recording-law requirements.

We do not sell personal information. We do not use personal information for direct marketing without consent, and never transfer it to third parties for their own marketing.

5. How we hold and protect personal information

DevLeads stores customer-communication and operational data in Supabase (PostgreSQL) hosted in the AWS Sydney region. Workflow orchestration runs on a self-hosted n8n instance in Sydney (Vultr). The marketing website and the operations dashboard are hosted on Vercel with global edge delivery; application data is read from and written to the Sydney-resident database on each request.

Security measures include:

  • Encryption in transit (TLS 1.2+) for all customer-facing endpoints.
  • Encryption at rest for the database and object storage.
  • Multi-tenant isolation enforced by row-level security: each business client’s data is segregated and access-controlled by tenant identifier.
  • Authenticated, audited access for the dashboard, with elevated administrative actions logged.
  • Credential hygiene: API keys and access tokens are stored only in restricted environment-variable vaults and never in source control.

No system is perfectly secure. If we believe a notifiable data breach has occurred, we will follow the procedure set out in the Privacy Act’s Notifiable Data Breach scheme, including notification to the Office of the Australian Information Commissioner (OAIC) and to affected individuals as soon as practicable.

6. Who we disclose personal information to

We disclose personal information to a small number of carefully selected service providers who help us deliver the system. We limit the information disclosed to what each provider needs to perform its function, and we require each provider to handle personal information consistently with the APPs.

Service providers and the countries where they process information:

  • Supabase Inc. — database and authentication. Data hosted in Sydney, Australia.
  • Vercel Inc. — website and dashboard hosting. United States (with global edge presence).
  • Anthropic, PBC — AI language model provider for SMS reasoning and conversation summarisation. United States.
  • Retell AI — AI voice agent provider for inbound call handling. United States.
  • Telnyx — telecommunications provider for SMS and voice. United States (with Australian points of presence).
  • Cal.com, Inc. — appointment scheduling. European Union / United States.
  • Resend — transactional email delivery. United States.
  • Apify — public business-data collection used for our prospect outreach (does not involve customer data of our clients). European Union.
  • Cloudflare, Inc. — bot mitigation (Turnstile) on website forms. United States.
  • Sentry (Functional Software, Inc.) — error tracking and diagnostic telemetry for the website and dashboard. United States / European Union. We configure Sentry to exclude IP addresses, cookies, and form bodies from error events; only minimal diagnostic context is sent.
  • Vercel Analytics & Speed Insights — cookieless aggregated performance and usage telemetry. Edge processed and aggregated; no per-user profiles.
  • Google Analytics — aggregated website usage statistics. United States.

We also disclose personal information where required or permitted by law (for example, to law-enforcement authorities responding to a lawful request), and to professional advisers (lawyers, accountants) under confidentiality.

APP 8 (cross-border disclosure). Some of the providers above are located outside Australia. We take reasonable steps before disclosing personal information overseas — including requiring contractual data-protection commitments and selecting providers with recognised security certifications. Under the Privacy Act, DevLeads remains accountable for how overseas recipients handle personal information disclosed to them.

7. Call recording and message retention

Voice calls handled by AI receptionists we operate may be recorded for the purposes of quality assurance, training, dispute resolution, and improving service accuracy. Where calls are recorded, the caller is informed at the start of the call and may decline. Call recordings, transcripts, and SMS message bodies are retained for a bounded period and then deleted or de-identified in accordance with our retention schedule (see section 10).

8. Cookies, analytics, and error tracking

Our website uses a small number of cookies and similar technologies:

  • Strictly necessary — for example, the security tokens used to verify form submissions (Cloudflare Turnstile).
  • Analytics — Vercel Analytics and Speed Insights (cookieless, aggregated) and Google Analytics (cookie-based, anonymised). These help us understand which content is useful and where the site can be improved.
  • Error tracking — Sentry collects diagnostic information when something goes wrong (a stack trace, the route, the browser type). Sentry is configured to exclude personal information from error events.

You can disable cookies in your browser. Some site functions (including form submissions protected by Turnstile) may not work correctly if cookies are disabled.

9. Your rights

Under the APPs, you have the right to:

  • Access the personal information we hold about you.
  • Correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
  • Withdraw consent for direct marketing communications at any time. Every SMS we send on behalf of a client includes a STOP-to-opt-out instruction; you can also email us to opt out of any DevLeads communications.
  • Complain about how we have handled your personal information (see section 11).

To exercise these rights, contact us at leo@devleads.com.au. We will respond within a reasonable time (usually 30 days) and free of charge for routine requests. We may need to verify your identity before disclosing or correcting personal information.

If you are interacting with a DevLeads-operated system on behalf of one of our business clients (for example, you have called or texted an HVAC business that uses our systems), the business client is the primary contact for access and correction requests. We will assist them in fulfilling those requests promptly.

10. How long we keep personal information

We keep personal information only as long as we need it for the purposes described in this policy, or as required by law. In practice:

  • Customer-conversation records (SMS, voice transcripts, call recordings) — retained while the business relationship between DevLeads and the relevant client is active, and for a bounded period afterwards consistent with consumer-law record-keeping obligations. We progressively de-identify or delete older records.
  • Marketing-site enquiries — retained only as long as needed to respond to and follow up on the enquiry.
  • Error and diagnostic logs — retained for a short window (typically 30 to 90 days) and then deleted.
  • Account and authentication records — retained while the account is active and for a short period after closure.

When we no longer need personal information, we destroy or de-identify it in accordance with APP 11.2.

11. How to complain

If you believe DevLeads has not handled your personal information in accordance with the APPs, please contact us first at leo@devleads.com.au. Tell us what happened and what outcome you are seeking. We will acknowledge your complaint promptly and aim to provide a substantive response within 30 days.

If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC):

12. Children

DevLeads’ services are not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe we have inadvertently collected information from a child, contact us and we will delete it.

13. Changes to this policy

We may update this policy from time to time to reflect changes to our systems, our service providers, or the law. The current version is always published at devleads.com.au/privacy, with the effective date shown at the top. Material changes will be communicated to current business clients in advance.

14. Contact us

For privacy questions, access or correction requests, or complaints: