Summit Growth Systems
Book a call
Call usBook a 30-min call

SGS — Privacy Policy

Version 3.0 — Effective 1 May 2026

Summit Growth Operations Pty Ltd (ABN 29 696 460 625), trading as Summit Growth Systems ("SGS", "we", "us", "our"), is committed to protecting the privacy of personal information we handle. This Privacy Policy explains how we collect, hold, use, and disclose personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This policy applies to:

  • Visitors to our website (summitgrowthsystems.com.au)
  • Our clients (businesses that engage us for AI Receptionist, Automation, or Web Development services)
  • The end-customers of our clients (people who interact with our clients' businesses through services we operate on the client's behalf)

1. Who we are and how to contact us

Entity: Summit Growth Operations Pty Ltd ABN: 29 696 460 625 Trading as: Summit Growth Systems (SGS) Privacy Officer: privacy@summitgrowthsystems.com.au Postal address: PO Box 5446, Manly QLD 4179, Australia General contact: sam@summitgrowthsystems.com.au

For privacy queries, complaints, access requests, and correction requests, email privacy@summitgrowthsystems.com.au.

2. What personal information we collect

2.1 From website visitors

  • IP address, device type, browser, and approximate location (via standard analytics)
  • Pages viewed, time spent, referral source
  • Information you submit through contact forms (name, email, phone, business name, message)
  • Cookies and similar tracking technologies (see Section 9)

2.2 From our clients (businesses)

  • Business name, ABN, business address, phone, email, and website
  • Owner and authorised user names, contact details, and roles
  • Payment details (processed by Stripe — we do not store card numbers)
  • Business logo, branding, and marketing assets you provide for use in our services
  • Information you provide during onboarding, support, and ongoing service delivery

2.3 From end-customers of our clients

When a person interacts with one of our clients' businesses through services we operate (for example, calling a business that uses the SGS AI Receptionist, or replying to an SMS sent through SGS Automation), we may collect on the client's behalf:

  • Name, mobile number, email address, postal address
  • Job address or service location
  • The nature of their enquiry or service request (e.g. "burst pipe in laundry", "quote for kitchen renovation")
  • SMS and email message history with the business
  • Voice call recordings and transcripts where the SGS AI Receptionist is used
  • Booking details, appointment times, and pipeline stage
  • Customer satisfaction ratings and feedback

We act as a data processor on behalf of our clients in respect of their end-customer data. Our clients are the data controllers for their customer information and are responsible for their own privacy notices to their customers.

2.4 Information we do NOT collect

  • We do not collect or store credit card or bank account numbers (these are processed directly by Stripe)
  • We do not knowingly collect personal information from children under 16
  • We do not deploy our services for businesses operating in Restricted Sectors (see Section 11)
  • We do not generate or store voiceprints, speaker identification templates, or biometric templates derived from voice recordings

3. How we collect personal information

We collect personal information:

  • Directly from you when you visit our website, complete a form, contact us, or sign up as a client
  • From your interactions with our services (call recordings, SMS replies, form submissions, platform actions)
  • From third parties you authorise us to receive information from (e.g. integrations with your accounting software, calendar, or telephony provider)
  • Automatically through cookies, analytics tools, and platform telemetry

4. Why we collect, use, and disclose personal information

We collect, use, and disclose personal information for the following primary purposes:

  • To provide our services — operating the SGS AI Receptionist, automations, and web platforms on behalf of our clients
  • To communicate with our clients and their end-customers as configured by the client (booking confirmations, follow-ups, payment reminders, satisfaction surveys)
  • To create, update, and manage contact records in our clients' CRM sub-accounts
  • To bill clients and process payments through Stripe
  • To respond to support, sales, and general enquiries
  • To improve our services through analysis of aggregated and anonymised usage data
  • To meet our legal obligations (taxation, record-keeping, regulatory compliance)
  • For direct marketing — only to clients and prospects who have consented (see Section 6)

We do not sell personal information. We do not disclose end-customer data to other clients.

5. Voice calls answered by our AI Receptionist

When you call a business that uses the SGS AI Receptionist, your call is answered by an automated AI assistant operated on behalf of that business by Summit Growth Operations Pty Ltd.

What we collect

  • An audio recording of the call
  • A written transcript of the call
  • Your phone number (where available from the carrier)
  • Details you provide during the call: name, address or suburb, the nature of your enquiry, your preferred contact times, and any other information you choose to share

Why we collect it

  • To answer the call on behalf of the business you contacted
  • To take a message and notify the business
  • To schedule appointments where you have asked to book
  • To create or update your contact record so the business can follow up

We do not use call recordings or transcripts to train AI models.

How long we keep it

Call recordings and transcripts are stored on the business's contact record while you remain an active contact. If the business cancels its subscription with us, we provide a 30-day export window, then delete the data from active systems within 60 days and from backups within a further 90 days (see Section 15 for the full retention schedule). You can request deletion at any time by contacting us at privacy@summitgrowthsystems.com.au.

Where the data is stored

Recordings, transcripts, and contact data are stored with third-party infrastructure providers in the United States. Voice and AI processing for the AI Receptionist are delivered by third-party providers in the United States. Telephony is delivered through a carrier in the United States with Australian points of presence.

We have processor arrangements in place with these providers that prohibit them from using your data to train their AI models for general purposes and that require them to handle your data consistently with the Australian Privacy Principles to the extent reasonable. A current named list of these sub-processors is available to clients on request via privacy@summitgrowthsystems.com.au.

By continuing the call after our AI assistant identifies itself at the start of the call, you consent to:

  • Your call being recorded and transcribed for the purposes set out above
  • Your personal information being disclosed to the overseas recipients listed above
  • The cross-border disclosure of your information to the United States

You should be aware that, under section 16C of the Privacy Act 1988 (Cth), if you consent to disclosure on this basis we may not be accountable under that Act for any handling of your information by an overseas recipient that is inconsistent with the APPs.

If you don't want to be recorded

Tell the AI Receptionist at any time during the call ("don't record this", "I'd rather not be recorded", or similar). The AI will switch to message-only mode and capture only your name, contact number, and brief reason for calling — no audio or full transcript will be retained.

Sensitive information

We do not deploy the AI Receptionist for businesses that handle health, disability, mental health, aged care, allied health, or pharmacy services (see Section 11). If you happen to mention sensitive information during a call, we will not use it for any purpose other than passing your message on, and you can request its immediate deletion.

Voice biometrics

We do not create, store, or process voiceprints, speaker identification templates, or other biometric templates derived from call recordings. Our AI Receptionist performs speech-to-text and prompt-driven dialogue only.

6. Direct marketing — SMS, email, and automated messages

When the SGS Automation product is enabled by a client, we send SMS and email messages on behalf of that client to the client's contacts.

We comply with the Spam Act 2003 (Cth):

  • We will only send commercial electronic messages where the recipient has consented (express or inferred) — our clients warrant they have obtained consent for every contact in their CRM
  • Every commercial SMS includes "Reply STOP to unsubscribe" or equivalent opt-out
  • Every commercial email includes an unsubscribe link
  • Opt-out requests are honoured automatically by our platform within 5 business days (and typically within seconds)

To opt out of all messages from a business that uses our services, reply STOP to any SMS or click the unsubscribe link in any email. To raise concerns about spam, contact privacy@summitgrowthsystems.com.au or the Australian Communications and Media Authority (ACMA) at acma.gov.au.

7. Sub-processors — who we share personal information with

We use the following categories of third-party infrastructure providers to deliver our services. Each handles personal information for the limited purpose of supporting our services and is subject to processor-level confidentiality and security obligations.

CategoryCountryPurpose
Operational infrastructureUnited StatesHosting client sub-accounts, contact records, message history, workflows, and AI Receptionist call data
Telephony carrierUnited States (with Australian points of presence)Voice and SMS infrastructure, AU phone number provisioning
AI service providersUnited StatesVoice generation, transcription, and natural language processing for the AI Receptionist
Payment processorAustralia and United StatesProcessing client payments and issuing tax invoices
Email deliveryUnited StatesSending transactional and marketing emails
Domain registrar and DNSUnited StatesDomain hosting for SGS sites
Integration bridges (where engaged by a client)United StatesConnecting client accounting/job management software to our platform
Cloud storage and analyticsUnited StatesAggregated usage analytics and operational tools

A current named list of sub-processors and their privacy commitments is available to clients on request via privacy@summitgrowthsystems.com.au.

We do not sell personal information. We do not disclose end-customer data to other SGS clients.

We may also disclose personal information where required or authorised by Australian law (for example, in response to a valid subpoena, court order, or regulator request).

8. Cross-border disclosure of personal information (APP 8)

Most of our infrastructure providers are based in the United States. Some integrations may also involve providers in other countries.

When we disclose personal information to overseas recipients, we take reasonable steps to ensure they handle the information consistently with the Australian Privacy Principles. These steps include:

  • Selecting providers with documented privacy and security practices
  • Maintaining contractual arrangements with key providers covering confidentiality, data security, breach notification, and limits on use
  • Excluding sensitive information categories from the data we send to AI service providers
  • Applying our Restricted Sectors rule to prevent collection of regulated health and disability information

For end-customer voice and message data: clients consent to cross-border disclosure as part of their service agreement with us. End-customers consent through the AI Receptionist disclosure at the start of each call, the SMS/email opt-in mechanisms operated by our clients, and this Privacy Policy.

If you do not consent to cross-border disclosure, do not continue your call to a business using the SGS AI Receptionist, do not submit forms to our website, and contact us at privacy@summitgrowthsystems.com.au to discuss alternatives.

9. Cookies and analytics

Our website uses cookies and similar tracking technologies for:

  • Essential site functionality (session management, security)
  • Analytics (Google Analytics or equivalent — to understand site usage in aggregate)
  • Conversion tracking (to measure marketing effectiveness)

We do not use third-party advertising or retargeting cookies. You can disable cookies in your browser settings; some site features may not work properly if you do.

10. Automated decision-making

We use computer programs to make automated decisions or to do things substantially related to decisions in the operation of our services. Specifically:

  • AI Receptionist uses automated decision-making to: classify calls (emergency / request / general / unknown), capture caller details, determine whether to escalate, and book appointments
  • SGS Automation uses AI Intent Detection to classify customer replies as positive, negative, or neutral, and to route follow-up actions accordingly

These automated decisions are designed to support, not replace, human judgement by our clients. Material outcomes (e.g. whether to provide a service, whether to dispute a complaint) remain with our clients and their staff.

You may request human review of any automated decision that significantly affects you by contacting privacy@summitgrowthsystems.com.au.

(This section anticipates new transparency obligations under APP 1.7-1.9 of the Privacy Act 1988 (Cth) commencing 10 December 2026.)

11. Restricted sectors — health and sensitive information

We do not deploy the SGS AI Receptionist or any SGS service that handles voice or transcript data for businesses operating in:

  • NDIS-registered or unregistered disability services
  • Aged care providers
  • Healthcare clinics and medical practices
  • Allied health professions
  • Mental health services
  • Pharmacies
  • Medical specialists
  • Any business whose primary service involves the collection of health information

Our underlying CRM platform is not configured for storing health information regulated under the Privacy Act 1988 (Cth) and related legislation. SGS clients warrant in their service agreement that they do not operate in a Restricted Sector.

We may continue to provide the following services to businesses in Restricted Sectors, on a scoped basis, where the configuration does not capture health, disability, or other sensitive information:

  • SGS Web Development and SEO services
  • Generic SGS Automation features that do not capture sensitive information (e.g. generic lead follow-up SMS, basic CRM record-keeping, generic appointment reminders) where data fields are restricted to non-sensitive categories

For these scoped engagements, the Restricted Sector client warrants that they will not configure the Services to elicit or store sensitive information in any custom field, tag, opportunity record, note, or message template.

12. How we hold and protect personal information

We hold personal information primarily on our third-party operational infrastructure and in supporting third-party services described in Section 7. We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure, including:

  • Encryption in transit (TLS 1.2/1.3) and at rest (AES-256) on the underlying platform
  • Role-based access controls and multi-factor authentication for SGS staff
  • Audit logging of platform access
  • Vendor selection prioritising providers with documented security practices

No system is perfectly secure. Where a data breach occurs that is likely to result in serious harm, we will comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth) — see Section 14.

13. Your rights — access, correction, deletion

You may request:

  • Access to the personal information we hold about you
  • Correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading
  • Deletion of your personal information (subject to legal record-keeping obligations)

To make a request, email privacy@summitgrowthsystems.com.au with sufficient information for us to verify your identity. We will respond within a reasonable time and at most within 30 days. We do not charge for access or correction requests.

If you are an end-customer of an SGS client (rather than an SGS client yourself), we will route your request to the client (the data controller) within 7 business days.

We may decline a request if it is unreasonable, vexatious, would unreasonably impact others' privacy, or where we are required by law to retain the information.

14. Data breaches

If we become aware of unauthorised access, disclosure, or loss of personal information that is likely to result in serious harm to affected individuals, we will:

  1. Investigate and contain the breach
  2. Assess whether it constitutes an "eligible data breach" within 30 days
  3. Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable, in line with the Notifiable Data Breaches scheme
  4. Where individual notification is not practicable, publish a public statement on our website

Our internal Data Breach Response Plan is operated by the Privacy Officer.

15. Retention and deletion

We retain personal information only for as long as necessary for the purposes set out in this policy, or as required by law (including a 5-year tax record-keeping period under Australian taxation law).

When we no longer need information, we take reasonable steps to delete or de-identify it. Anonymised aggregated data may be retained indefinitely for analytics.

For client data on our platform: while a client's subscription is active, we hold their data. On termination, we provide a 30-day export window during which the client may export all data via standard tools. After the export window:

  • Active data is deleted from our systems within a further 60 days
  • Backup data is deleted within a further 90 days (total 180 days from termination)

We do not hold client data hostage — data export is free, on-demand, and not contingent on payment.

16. Complaints

If you believe we have breached the APPs or your privacy:

  1. Contact us first — email privacy@summitgrowthsystems.com.au with details of your complaint. We will acknowledge within 5 business days and respond substantively within 30 days.
  2. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC):
    • Web: oaic.gov.au
    • Phone: 1300 363 992
    • Post: GPO Box 5288, Sydney NSW 2001

17. Updates to this policy

We may update this Privacy Policy from time to time. The current version is published at summitgrowthsystems.com.au/privacy with the version number and effective date at the top.

For material changes affecting our clients, we will give 30 days' written notice via email before the change takes effect.

18. Governing law

This Privacy Policy is governed by the laws of Queensland, Australia. The Privacy Act 1988 (Cth) and the Australian Privacy Principles continue to apply regardless of any choice of law.

Version 3.0. Last updated: 4 May 2026. Effective: 1 May 2026. Replaces all prior versions.

Change log:

  • v3.0 (2026-05-04) — Locked for launch. Added comprehensive AI Receptionist section, automated decision-making disclosure, voice biometrics carve-out, sub-processor categories with countries, restricted sectors, NDB commitment, expanded cross-border consent language. Updated to reflect the locked SGS AI Receptionist persona prompt v1.0.
  • v2.0 (2026-05-02) — Replaced vendor name-drops with category-based sub-processor disclosure. Strengthened data ownership and unconditional export.
  • v1.0 (2026-04-13) — Initial draft.