By accessing our website, submitting an enquiry, engaging our services, or providing personal information to us in any form, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use and disclosure of your personal information as described in it. If you do not agree with any part of this policy, please do not use our website or services.
Who We Are
This Privacy Policy is issued by Nominal Vault, a sole trader operated by Vansh Batra (ABN 62 703 634 359), trading in New South Wales, Australia. In this policy, "we", "us" and "our" refer to Nominal Vault. "You" refers to any individual whose personal information we collect, including:
- Visitors to our website at nominalvault.com.au and any associated subdomains, funnels or applications;
- Prospective clients who enquire about our services;
- Active and former clients;
- End-customers, leads, patients or contacts of our clients whose personal information we process on the client's behalf in the course of delivering our services.
We are committed to handling your personal information responsibly, transparently, and in accordance with Australian law.
Scope of This Policy
This policy covers all personal information we collect through our website, our marketing channels, our service-delivery infrastructure, and any direct communication with you. It does not cover:
- Third-party websites we link to (each operates under its own privacy policy);
- The internal privacy practices of our clients in their own dealings with their own customers (our clients are independent data controllers responsible for their own compliance).
Information We Collect
3.1 Information you provide to us directly
- Identity and contact details — full name, business name, email address, mobile/phone number, postal address, ABN.
- Business and operational information — industry, suburb of operation, business size, current marketing setup, booking software, customer-service workflows, or any other details you provide when enquiring or onboarding.
- Financial / billing information — payment is processed directly by our payment processor (Stripe). We receive transaction confirmations only and do not store your full payment-card details on our systems.
- Communications — emails, SMS messages, web-chat messages, call notes, recorded calls (where lawful and disclosed), and any documents or files you exchange with us.
- Marketing preferences and consents — your express opt-in to receive communications, and any subsequent opt-outs.
3.2 Information we collect automatically
- Device and browsing data — IP address (truncated for analytics), browser type, operating system, device type, referral source, pages viewed, time on page, and approximate city-level location.
- Cookies and similar technologies — see Section 9 below.
- Tracking pixels and event tags — we may use server-side conversion tags (e.g. for Meta, Google) where you have consented; we do not currently run programmatic ad re-targeting against individuals.
3.3 Information we handle on behalf of clients
When we deliver services to a paying client (the "data controller"), we process the personal information of that client's customers, leads, patients, or contacts strictly to deliver the contracted services. In this scenario, we act as a data processor under the client's lawful authority. Examples of such information include:
- Names, mobile numbers, and email addresses of the client's customers;
- Appointment details, job records, transaction history;
- Opt-out and consent records;
- Conversation history with the AI agent or human staff.
3.4 Sensitive information
We do not actively seek to collect "sensitive information" as defined in the Privacy Act (e.g. health, racial, religious, political or biometric data). Where such information is incidentally provided to us by a client (for example, a dental client's appointment notes), we will treat it with the heightened protections required under APP 3.
How We Use Your Information
We use personal information for the purposes for which it was collected, related secondary purposes you would reasonably expect, and for any purpose to which you have consented. Specifically:
- To respond to enquiries and provide quotes, proposals and consultations;
- To deliver, configure, run and maintain the services you have engaged us for;
- To process payments and issue tax-compliant invoices and receipts;
- To send service-related communications — onboarding, build status, performance reports, billing notices, system alerts and incident notifications. These are necessary operational communications and are not "marketing";
- With your express or inferred consent, to send occasional product updates, case studies, or relevant offers — every such message includes a free, easy opt-out;
- To improve our services, develop new features, and produce internal training material (always using anonymised or aggregated data);
- To detect, investigate and prevent fraud, abuse, security incidents, or breach of our Terms of Service;
- To comply with our legal, tax, regulatory and reporting obligations under Australian law.
Legal Basis for Handling Personal Information
Under the Privacy Act 1988 (Cth), we collect, use and disclose personal information on one or more of the following bases:
- Performance of a contract — to deliver the services you have purchased;
- Express consent — for marketing communications and for any uses outside the original purpose of collection;
- Legitimate operational interest — for security, fraud prevention, and improving our services, balanced against your reasonable expectations;
- Legal obligation — for tax records, ATO compliance, court orders, and regulatory requests.
Who We Share Your Information With
We do not sell, rent, or trade personal information. We disclose personal information only to the limited categories of trusted recipients listed below, and only to the extent strictly necessary to operate the business and deliver services. Each provider is bound by their own privacy and security obligations.
6.1 Sub-processors
6.2 Other disclosures
We may disclose personal information where:
- Required or authorised by Australian law (including a court order, lawful subpoena, regulator request, or notification under the Notifiable Data Breaches Scheme);
- Necessary to enforce our Terms of Service, protect our legal rights, or prevent fraud or harm;
- The information is first de-identified or aggregated such that an individual cannot be reasonably identified;
- You have given us express prior consent to the specific disclosure.
Cross-Border Data Transfers
Several of our sub-processors store and process personal information on servers located outside Australia, primarily in the United States and the European Union. By engaging our services or using our website, you acknowledge and consent to this overseas disclosure.
We choose providers that maintain robust security and operate under privacy frameworks comparable to Australian standards. However, you should be aware that overseas recipients may not be bound by privacy laws as stringent as those in Australia, and you may have limited recourse against them under Australian law in the unlikely event of a breach.
How Long We Keep Your Information
We retain personal information only as long as necessary for the purposes for which it was collected, or as required by Australian law. Our standard retention periods are:
- Active client records — for the duration of the engagement plus seven (7) years thereafter, to satisfy Australian Taxation Office record-keeping requirements;
- Prospect and enquiry data — up to twenty-four (24) months from last meaningful contact, after which we de-identify or delete;
- End-customer data processed on behalf of a client — deleted from our systems within thirty (30) days of the client's contract ending, unless the client requests earlier deletion or instructs us otherwise in writing;
- Marketing and consent records — retained while you remain on our list and for two (2) years after opt-out (to evidence the original consent);
- Backups and audit logs — typically purged within ninety (90) days, but security and integrity logs may be retained longer where lawful.
Cookies and Tracking Technologies
Our website uses cookies and similar technologies. The categories we use are:
- Strictly necessary — required for the site to function (session, security, form submission). These cannot be disabled;
- Analytics — to understand how the site is used in aggregate (e.g. Google Analytics, Microsoft Clarity). All data is de-identified before analysis;
- Functional — to remember preferences and improve usability;
- Conversion measurement — server-side or first-party tags to measure marketing performance, where you have consented.
You can control cookies through your browser settings. Disabling certain cookies may affect site functionality.
Direct Marketing & Spam Act Compliance
We comply strictly with the Spam Act 2003 (Cth), the Do Not Call Register Act 2006 (Cth) and ACMA's Telecommunications (Reducing Scam Calls and Scam SMs) Industry Code. Every marketing message we send (or send on behalf of a client where we are responsible for compliance configuration) includes:
- Clear identification of the sender;
- A free, easy opt-out — typically "Reply STOP";
- A genuine consent basis (express opt-in, or inferred consent from an existing customer relationship within the legally permissible scope);
- Compliant sending hours, restricted to legally permissible windows under the Spam Act and ACMA codes.
If you wish to stop receiving any marketing communication from us:
- Reply STOP to any SMS;
- Click the unsubscribe link in any marketing email;
- Email [email protected] with "Unsubscribe" in the subject line.
We action all opt-outs within five (5) business days, and the vast majority within minutes.
How We Protect Your Information
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure, in line with Australian Privacy Principle 11. Our safeguards include:
- Multi-factor authentication on every business-critical account;
- Encrypted password storage using a reputable password manager;
- Encryption in transit (TLS 1.2+) and at rest where supported by sub-processors;
- Least-privilege access — staff and contractors are granted only the access required to perform their role;
- Regular review and pruning of access lists;
- Internal security training and incident-response procedures.
Notifiable Data Breaches
If a data breach occurs that is likely to result in serious harm to any individual, and we cannot remediate the harm before serious harm occurs, we will:
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable;
- Notify affected individuals directly where required by the Notifiable Data Breaches Scheme;
- Provide a description of the breach, the kinds of information involved, and the steps individuals should take to protect themselves.
Your Rights
Under the Australian Privacy Principles, you have the following rights in relation to the personal information we hold about you:
- Access — request a copy of the personal information we hold about you;
- Correction — request that we correct any information that is inaccurate, out of date, incomplete, irrelevant or misleading;
- Withdrawal of consent — for direct marketing or any other consent-based processing, at any time;
- Deletion / anonymisation — subject to our overriding legal record-keeping obligations (e.g. ATO requirements);
- Complaint — lodge a complaint with us, and if unresolved, with the OAIC.
To exercise any of these rights, please contact us using the details in Section 18. We will verify your identity (to prevent fraudulent requests) and respond within thirty (30) days. There is no fee for an access request, although we may charge a reasonable cost-recovery fee for unusually large or repeated requests.
Children's Privacy
Our services are intended for Australian businesses and adult business operators. We do not knowingly collect personal information from any individual under the age of sixteen (16). If you believe a minor has provided personal information to us, please contact us and we will delete it as soon as practicable.
Third-Party Websites and Links
Our website and communications may contain links to third-party websites, applications or services. Those third parties operate under their own privacy policies. We are not responsible for the privacy practices, content, or security of any third-party site, and we encourage you to read each provider's privacy policy before submitting any personal information.
AI and Automated Processing
Some of our services use Large Language Models (LLMs) and other AI technologies — for example, AI conversation agents, AI review-response generation, and AI voice receptionists (Elite plan). When you interact with these systems:
- Your messages and the surrounding context may be passed to a third-party AI provider (e.g. OpenAI, Anthropic) to generate a response;
- We have configured these providers to not use the data for model training under their commercial terms;
- AI-generated content may occasionally be inaccurate, incomplete or misleading. The client (or where we are the controller, Nominal Vault) bears ultimate responsibility for the accuracy of any communication sent on its behalf;
- You can request escalation to a human at any time by replying with phrases such as "speak to a person" or "human".
We do not make solely-automated decisions that produce legal effects on individuals.
Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in the law, in our services, or in the way we operate. The "Effective" date at the top of this page indicates the most recent revision. Material changes will be notified to active clients by email at least fourteen (14) days before they take effect. Continued use of our services after the effective date constitutes acceptance of the updated policy.
Contact and Complaints
For privacy enquiries, access requests, correction requests, opt-outs, or to lodge a privacy complaint with us, please contact our Privacy Officer:
Nominal Vault
Privacy enquiries are typically acknowledged within 2 business days and resolved within 30 days.
- Email: [email protected]
- ABN: 62 703 634 359
- Subject line: "Privacy Enquiry — [Your Name]"
If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Mail: GPO Box 5288, Sydney NSW 2001