Square AI logo
Legal

Privacy Policy

How Square AI collects, uses, stores and protects your personal information — and your rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

Last updated 4 May 2026

On this page

  1. About this policy
  2. What we collect
  3. How we collect it
  4. How we use it
  5. Marketing
  6. Who we share it with
  7. Where it's stored
  8. Overseas disclosure
  9. AI and automated decisions
  10. Cookies and tracking
  11. Security
  12. Notifiable data breaches
  13. Your rights
  14. Children
  15. Changes to this policy
  16. Contact

1.About this policy

Square AI is a sole-trader business (ABN 48 706 631 081) based in Penrith, New South Wales. This privacy policy explains how Square AI collects, uses, stores and discloses your personal information, and how you can access or correct it.

We follow the Privacy Act 1988 (Cth) as amended (including by the Privacy and Other Legislation Amendment Act 2024) and the 13 Australian Privacy Principles (APPs). While Square AI is below the $3 million annual turnover threshold that triggers mandatory APP coverage, we comply voluntarily because most of our clients (lawyers, accountants, AML/CTF reporting entities) need their suppliers to be APP-compliant.

In this policy, "we", "us" and "our" mean Square AI. "You" means you — the visitor, prospect, client, or end-user of an AI agent we've built.

2.What personal information we collect

We collect the personal information you give us directly when you submit a form, email, call us, engage us as a client, or interact with an AI agent we've built for one of our clients. The information typically includes:

  • Identifiers: name, business name, ABN, email address, phone number
  • Conversation content: what you write in a contact form, what you say to one of our AI agents during a call or chat
  • Operational data: appointment preferences, the type of business you run, what you'd like AI to take off your plate
  • Technical data: IP address, browser type, pages visited (via standard server logs and any cookies)
  • Transaction data: for clients — invoice details, payment records, project notes

We don't deliberately collect sensitive information as defined by the Privacy Act (race, political views, religion, health, sexual orientation, biometric data, etc.). If you volunteer it in a free-text field, we treat it with the same care as the rest and only retain it where it's directly relevant to delivering the service.

3.How we collect it

We collect personal information in the following ways:

  • Directly from you, when you fill in a form on squareai.com.au, email us, call us, or speak to one of our AI agents
  • Through our website's standard server logs (IP, request headers, page views)
  • From third-party tools you authorise us to integrate with (e.g. ServiceM8, Tradify, Xero, Property Tree, LEAP) when delivering a build for you
  • From publicly available sources where relevant (e.g. ABN Lookup, ASIC) for client onboarding and AML/CTF customer due diligence workflows

We don't buy lists. We don't scrape. We don't track you across other websites.

4.How we use it

We use your personal information to:

  • Respond to your enquiry and book your free audit call
  • Deliver the service you've engaged us for — assessment, build, retainer, or training
  • Issue invoices and meet our tax and record-keeping obligations
  • Send transactional follow-ups (project updates, expiry notices, training reminders)
  • Improve our services and tune the AI agents we ship
  • Meet our legal obligations — including, for AML/CTF clients, the 7-year records-retention obligation under sections 107-116 of the AML/CTF Act 2006

For our clients' AI agents (e.g. an AI receptionist we've built and operate for a tradie business), we process end-user calls and chats on behalf of that client. The client is the data controller. We are the implementation partner. The client's privacy policy applies to those interactions, supplemented by ours.

5.Marketing

We may occasionally email you about new services, deadline reminders, or guidance updates if you've enquired with us before. Every marketing email has an unsubscribe link, or you can reply with the word STOP. We don't sell or rent our list, ever.

We comply with the Spam Act 2003 (Cth) — meaning every direct marketing message identifies us, our contact details, and includes a working unsubscribe option.

6.Who we share it with

We share personal information only with parties that help us run the service, and only to the extent reasonably required:

  • Hosting and email infrastructure — Hostinger (web hosting), Google Workspace (email)
  • Form submission processing — Web3Forms (for contact form delivery)
  • AI model providers — Anthropic (Claude), OpenAI (GPT) and similar, for inference where the workflow requires it
  • Telephony and SMS — for AI voice receptionist services (provider varies by client setup; disclosed at engagement)
  • Practice software integration partners — Xero, MYOB, ServiceM8, Tradify, Property Tree, LEAP, Actionstep, etc., where you've authorised us to connect
  • Professional advisors — accountant, lawyer, insurer where the matter requires it
  • Government or regulators — where the law compels us (e.g. AUSTRAC, ATO, OAIC, courts)

We do not sell your personal information to anyone, for any purpose.

7.Where your data is stored

Where the use case requires Australian-region hosting — AML/CTF, healthcare, legal — we host the production data on Australian infrastructure and we'll show you exactly where it sits before any production data is sent.

For lower-stakes builds, some processing may occur outside Australia — for example, AI model inference may run in data centres located in the United States or Europe depending on the model used. We will be explicit about this in your engagement scope so you can make the call.

We retain personal information only as long as we reasonably need it. For most marketing leads, that's 24 months from last contact. For clients, that's 7 years after the engagement ends — to meet ATO record-keeping obligations and (for AML/CTF clients) AML/CTF Act records-retention obligations.

8.Overseas disclosure

Some of the third parties we use have parent companies or data centres outside Australia. The most likely overseas destinations are:

  • United States — for AI model inference (Anthropic, OpenAI), email infrastructure (Google), and some integration partners
  • Lithuania / European Union — for some hosting infrastructure (Hostinger)
  • Singapore — for content delivery and edge caching

Under APP 8, we take reasonable steps to ensure overseas recipients handle your information consistently with the APPs. In practice, this means we use providers with published privacy programs equivalent to or stronger than Australian standards. For AML/CTF and other regulated workflows, we keep production personal data within Australian-region infrastructure by default.

9.AI and automated decisions

Square AI builds and operates AI agents — software that holds conversations and takes actions like booking appointments, qualifying leads, drafting compliance documents and triggering reminders.

Where you interact with one of our AI agents (or an AI agent we've built for one of our clients), please be aware that:

  • The conversation may be transcribed and stored for service delivery, quality control and AI tuning
  • The AI may use your information to draft responses, schedule actions, or route your enquiry to the right team
  • Our AI agents do not make final decisions on matters that significantly affect your rights or interests — those decisions are reviewed by a human (the business owner, the lawyer, the accountant, the receptionist who reviews the booking)
  • From 10 December 2026, the Privacy Act will require additional disclosure where AI is used to make significantly impactful decisions about an individual. We are designing our workflows now so this is a non-issue at switch-on, and we'll add specific disclosures here before that date

If you'd prefer not to interact with an AI agent, you can ask to speak to a human at any point. The AI is told to honour the request straight away.

10.Cookies and tracking

This website uses minimal cookies — typically a basic session cookie for the contact form, and standard analytics where they're running on the page (we do not run advertising trackers, retargeting pixels or third-party social tracking by default).

You can disable cookies in your browser settings. The site will continue to work without them; the contact form may need an extra step to clear automated abuse checks.

11.Security

We follow reasonable steps under APP 11 to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure:

  • TLS encryption in transit for the website and all integrations
  • Encrypted storage at rest where the platform supports it
  • Access controls limited to people who need the information for their role
  • Multi-factor authentication on all administrative accounts
  • Prompt removal of data we no longer need
  • Regular review of third-party providers' security posture

Honest caveat: no system is unhackable. If you believe your information held by Square AI has been exposed in any way, contact us immediately at info@squareai.com.au and we'll investigate within one business day.

12.Notifiable data breaches

If we become aware of a data breach that's likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required under Part IIIC of the Privacy Act 1988 — the Notifiable Data Breaches scheme. Assessment of whether a breach is "notifiable" will be completed within 30 days; eligible notifications go out as soon as reasonably practicable.

13.Your rights

Under the Privacy Act and APPs, you have the right to:

  • Access the personal information we hold about you
  • Correct it if it's inaccurate, out of date, incomplete, irrelevant or misleading
  • Withdraw consent for marketing communications
  • Make a complaint about how we've handled your information
  • De-identify requests where we can act on them without breaking another legal obligation (e.g. AML/CTF retention)

To make any of these requests, email info@squareai.com.au with the subject line "Privacy request". We'll acknowledge within 5 business days and substantively respond within 30 days. If we decline a request, we'll tell you why and what your options are.

If you're not satisfied with our response, you can complain to the OAIC at oaic.gov.au or by phone on 1300 363 992. The Privacy and Other Legislation Amendment Act 2024 also introduced a statutory tort for serious invasions of privacy — meaning, in some circumstances, individuals can take direct court action.

14.Children

Our services aren't directed at children. We don't knowingly collect personal information from anyone under 16. If you think a child has given us information through one of our forms or AI agents, contact us and we'll delete it.

15.Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of the page reflects any change. For material changes affecting how we use the personal information of active clients, we'll let those clients know directly by email.

16.Contact

For privacy questions, requests or complaints, contact:

Square AI — privacy contact

Email: info@squareai.com.au
Phone: 0466 887 485
Address: Penrith, NSW, Australia
ABN: 48 706 631 081