Privacy Policy
Last updated: 11 June 2025
Welcome to SAM AI (“SAM”, “we”, “our”, or “us”). We respect your privacy and are committed to protecting your Personal Information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit samai.com.au (the “Site”) or use our real‑time call‑intelligence platform, associated applications, and services (collectively, the “Services”).
Please read this policy carefully. By accessing or using the Site or Services, you acknowledge that you have read and understood this Privacy Policy.
1 Scope
This Privacy Policy applies to all visitors, users, and others who access the Site or use our Services (“Users”). It covers information we collect online and through integrations you choose to connect (e.g., CRM, calendar, video‑conference platforms).
Because we are headquartered in Australia but serve Users globally, this Policy is designed to meet the requirements of:
- Australian Privacy Act 1988 & Australian Privacy Principles (APPs)
- EU & UK General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA/CPRA)
If local law grants you stronger rights, we will honour those rights.
2 Information We Collect
2.1 Information you provide directly
| Category | Examples |
|---|---|
| Account & Profile Data | name, business email, phone, job title, password (hashed), profile photo |
| Subscription & Billing | purchase history, cardholder name, partial payment‑card details (processed via PCI‑DSS‑compliant provider) |
| Support Communications | problem descriptions, screenshots, chat transcripts |
| Marketing Preferences | newsletter opt‑in/opt‑out status |
2.2 Information we process on your behalf ("Customer Content")
| Category | Examples |
|---|---|
| Call Audio & Video Streams | real‑time packet data from Google Meet, MS Teams, Zoom, etc. |
| Transcriptions & Summaries | text transcripts, speaker labels, AI‑generated call summaries, action items |
| CRM & Calendar Data | deal stage, contact information, meeting agendas |
| Custom Prompts & Notes | objectives, questions, reference documents you upload |
You are responsible for ensuring you have a lawful basis and, where required, the consent of call participants before sharing their information with us.
2.3 Information we collect automatically
| Category | Examples |
|---|---|
| Usage & Log Data | IP address, browser type, device IDs, pages visited, time spent, referring URLs |
| Cookies & Similar Tech | authentication tokens, preference cookies, analytics cookies (e.g., Google Analytics 4), marketing pixels (only with consent) |
| Diagnostic Data | crash reports, performance metrics |
2.4 Information from third parties
We may receive information about you from:
- Single‑sign‑on providers (e.g., Google Workspace, Microsoft Azure AD)
- Publicly available sources (professional social‑media profiles) to enrich leads when you opt‑in to marketing communications
3 Legal Bases for Processing (GDPR/UK GDPR)
We process Personal Information only when we have a valid legal basis, including:
- Contractual necessity – to provide the Services you request
- Legitimate interests – e.g., to secure our platform, prevent fraud, and improve features (balanced against your rights)
- Consent – for email marketing and optional analytics cookies
- Legal obligation – to comply with tax or regulatory requirements
4 How We Use Information
- Provide & maintain Services – authenticate you, transcribe calls, deliver live insights, push outcomes to your CRM
- Improve & develop new features – aggregate, de‑identified analytics help us train proprietary models and refine UX
- Customer support – respond to enquiries, diagnose issues
- Security & fraud prevention – monitor, detect, and prevent malicious or unauthorised activity
- Marketing – send product updates or event invitations (only with your consent or as permitted by law)
We do not use Customer Content (call data, transcripts, prompts) to train third‑party foundational AI models.
5 Sharing & Disclosure
We never sell your Personal Information. We disclose it only:
| Recipient | Purpose |
|---|---|
| Cloud Service Providers | AWS (data storage, encrypted at rest); Cloudflare (edge security, DDoS protection, CDN) |
| AI Model Providers | OpenAI & Anthropic (real‑time language processing). Data is transmitted via TLS, retained only for the duration of processing, and not used for provider model training. |
| Payment Processors | Stripe (billing), Xero (invoicing) |
| Analytics & Marketing Tools | Google Analytics 4 (IP anonymised), HubSpot (if you opt‑in) |
| CRM/Video Platform APIs | Salesforce, HubSpot, Zoom, Microsoft Teams (as authorised by you) |
| Professional Advisors & Authorities | where required for audits, compliance, or to respond to lawful requests |
| Business Transfers | in connection with a merger, acquisition, or sale (we will notify you) |
All vendors are bound by contractual clauses to process data only on our instructions and to implement appropriate safeguards.
6 International Data Transfers
We primarily host data in Google Cloud ap‑southeast‑2 (Sydney). If we transfer Personal Information outside Australia or your region (e.g., to the United States or EU), we rely on:
- Standard Contractual Clauses (SCCs) approved under GDPR
- Equivalent contractual, technical, and organisational safeguards
7 Data Security
- Encryption in Transit & at Rest – TLS 1.3 for data in motion; AES‑256 for stored data
- Role‑based Access Controls & MFA for employees
- Vulnerability Management & Pen‑Testing at least annually
- Incident Response Plan aligned with ISO 27001
8 Data Retention
| Data Type | Default Retention | Rationale |
|---|---|---|
| Transcripts & call artefacts | 180 days (configurable in account settings) | allows follow‑up analysis & training |
| Account & billing data | life of account + 7 years | statutory tax obligations |
| Support tickets | 3 years | improve service & audit trail |
| Analytics logs | 12 months (pseudonymised) | usage insights & security |
You can request early deletion via the options in Section 9.
9 Your Rights & Choices
Depending on where you reside, you may have rights to:
- Access – obtain a copy of Personal Information we hold about you
- Correction/Rectification – update inaccurate data
- Deletion/Erasure – request we delete your Personal Information
- Data Portability – receive data in a structured, machine‑readable format
- Object/Restrict processing – where processing is based on legitimate interests or direct marketing
- Withdraw Consent – for marketing or cookies at any time
To exercise any rights, email info@samai.com.au. We will respond within 30 days or as required by law.
10 Cookies & Tracking Technologies
We use:
- Essential cookies – authentication, session management
- Analytics cookies – Google Analytics 4 (IP anonymised) – disabled until you opt‑in via our cookie banner
- Marketing pixels – HubSpot, LinkedIn Insight Tag – only after consent
You can manage preferences through the cookie banner or your browser settings.
11 Third‑Party Links
Our Site may contain links to third‑party websites or services. We are not responsible for their privacy practices. We encourage you to review the privacy policies of every site you visit.
12 Children’s Privacy
Our Services are not directed to children under 16. We do not knowingly collect Personal Information from children. If you become aware your child has provided us with Personal Information, contact us and we will delete it.
13 Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised version on this page and, if material changes are made, notify you via email or an in‑app banner at least 14 days before they take effect.
14 Appendix A – Australian Privacy Principle (APP) Notifications
Under APP 5, we notify you that:
- We collect your Personal Information to provide and improve the Services (Section 4).
- If we cannot collect certain information, we may be unable to deliver some features.
- You may access and correct your Personal Information as set out in Section 9.
- Our full Privacy Policy is available at samai.com.au/privacy.
Thank you for trusting SAM AI with your data.