Terms, privacy, acceptable use, BYOC, API, and AI voice policies.

1. Parties and acceptance

These Terms of Service are between [legal entity name] ABN [ABN] trading as VoxaLink, located in Sydney, New South Wales, and the customer, reseller, administrator, or other person who accepts these terms or uses the services.

If you accept these terms for a company, reseller, customer, association, or other entity, you represent that you are authorised to bind that entity. If you are not authorised, you must not submit an application or use the services for that entity.

A person may accept these terms electronically, including by ticking an acceptance checkbox, submitting an online application, signing an order form, logging in to the portal, using an API key, or continuing to use a service after notice of updated terms.

2. What the services include

• Hosted PBX, SIP, voice, extension, call-routing, voicemail, call-flow, and tenant administration services.
• DID, inbound number, voice termination, SMS, carrier edge, and related telecommunications services.
• White-labelled mobile app, reseller portal, end-user portal, account management, reporting, billing, and support services.
• AI voice agents, call screening, reservation or receptionist-style flows, transcription, summaries, sentiment, recordings, and related workflow automation.
• API services, webhooks, bearer tokens, integrations, and future developer surfaces.
• Professional services, setup, migration, number porting, configuration, or support work that we agree to provide.

3. Online applications are not automatic service activation

An online signup, order, onboarding request, or reseller-submitted customer application is a request for service. It is not automatic acceptance by VoxaLink and does not mean the service is active.

We may review the application, request more information, perform identity, credit, porting, fraud, or feasibility checks, and manually create or reject the requested service.

A service starts when we confirm acceptance, provision the service, issue credentials, connect the number or tenant, or otherwise make the service available.

4. Customer information, authority, and accuracy

You must provide accurate, current, and complete information. You must keep account, billing, technical, emergency service, contact, and authority information up to date.

You must have authority to request services, port numbers, configure caller IDs, connect carriers, create end-user accounts, and submit personal information for the people or entities affected by your request.

5. Resellers and customer relationships

If you are a reseller, you are responsible for your own customer relationship, pricing, representations, support obligations, collection notices, end-user consents, and any terms you give to your customers.

You must not make promises about VoxaLink, carriers, emergency calling, service availability, recordings, AI output, number ownership, or regulatory compliance unless those promises are expressly supported by our written documentation or order terms.

You must pass through notices, restrictions, service limitations, and acceptable use requirements to your customers and end users where relevant.

6. Telecommunications-specific terms

• Numbers are rights of use, not personal property. Number allocation, routing, porting, quarantine, and recovery depend on carrier, upstream provider, and regulatory rules.
• Porting requests require customer permission and accurate losing-carrier account details. We may ask for identity, rights-of-use, or authority evidence before actioning a port.
• You must not use false, misleading, spoofed, unauthorised, or unlawfully overstamped caller ID, sender ID, or number presentation.
• Internet-dependent voice services may be affected by power, access network, handset, firewall, carrier, upstream PBX, or third-party outages.
• Emergency calling support can vary by product, number type, access method, location data, carrier, BYOC configuration, and service design. You must tell users about applicable limitations and keep emergency address information current where required.
• You are responsible for lawful telemarketing, e-marketing, spam, Do Not Call, consent, unsubscribe, caller identification, and call-recording compliance for your own campaigns and end-user use cases.

7. BYOC and third-party providers

BYOC means Bring Your Own Carrier. If you connect a carrier, SIP provider, SMS provider, LLM, voice model, storage account, or other third-party provider, you are responsible for your agreement with that provider and for ensuring the provider is suitable for your intended use.

We may provide configuration, routing, portal, monitoring, or support tooling, but we are not responsible for third-party carrier quality, rates, outages, number availability, compliance failures, or provider data handling unless we expressly agree otherwise in writing.

8. Fees, billing, taxes, and pass-through costs

Fees may include setup fees, recurring subscriptions, number rental, inbound and outbound usage, SMS usage, AI usage, transcription, recordings, storage, API usage, support, professional services, and carrier pass-through charges.

Unless stated otherwise, prices are in Australian dollars and exclusive of GST. Usage and carrier pass-through charges may be billed after the relevant usage period.

You must pay undisputed invoices by the due date. If you dispute an invoice, you must tell us promptly and pay the undisputed portion while we investigate.

9. Customer content and data

Customer content includes call audio, call metadata, CDRs, SMS content, voicemail, recordings, transcripts, AI prompts, AI outputs, agent configuration, contact data, uploaded files, API payloads, and other material submitted to or generated through the services.

You retain ownership of your customer content. You grant us the rights needed to host, transmit, process, route, store, troubleshoot, secure, support, bill, improve, and provide the services.

We do not claim ownership of customer content. We do not use customer content to train VoxaLink-owned AI models unless you expressly agree to that use in writing.

10. AI service limitations

AI voice agents, transcripts, summaries, sentiment labels, classifications, and generated messages may be inaccurate, incomplete, delayed, or unsuitable for a particular purpose.

You are responsible for testing AI flows before production use, monitoring live behaviour, configuring escalation paths, and ensuring that AI agents do not make regulated, unsafe, deceptive, or unauthorised statements.

You must not use AI services as the sole decision-maker for legal, medical, emergency, employment, credit, financial hardship, eligibility, or similarly high-impact decisions without appropriate human review and legal approval.

11. Security and credentials

You are responsible for users, passwords, portal accounts, API keys, SIP credentials, carrier credentials, BYOC credentials, webhook secrets, devices, and local network security under your control.

You must notify us promptly of suspected unauthorised access, leaked credentials, fraudulent traffic, unexpected charges, or compromised devices.

We may suspend or rotate credentials where reasonably necessary to protect the services, other customers, upstream carriers, or the public network.

12. Suspension and termination

We may suspend or restrict a service if we reasonably believe there is fraud, abuse, security risk, unpaid fees, regulatory risk, network harm, emergency risk, unlawful use, or breach of these terms.

Either party may terminate services in accordance with the applicable order, plan, notice period, or service schedule. Termination does not remove accrued fees, usage charges, confidentiality obligations, payment obligations, or provisions that should reasonably survive.

13. Warranties, consumer law, and liability

Nothing in these terms excludes, restricts, or modifies rights that cannot be excluded under the Australian Consumer Law, telecommunications laws, or other applicable laws.

To the extent permitted by law, the services are provided without guarantees of uninterrupted availability, error-free operation, successful call completion, successful number porting, AI accuracy, spam filtering, or compatibility with every device, carrier, network, integration, or use case.

To the extent permitted by law, neither party is liable for indirect, consequential, special, exemplary, or punitive loss, loss of profit, loss of revenue, loss of goodwill, loss of data, business interruption, or third-party carrier failure.

14. Governing law and complaints

These terms are governed by the laws of New South Wales, Australia. The parties submit to the non-exclusive jurisdiction of the courts of New South Wales and Australia.

You should raise complaints with us first through [support email]. Where a telecommunications complaint is eligible for escalation to an external scheme or regulator, we will provide the relevant details in our complaints process.

1. Information we collect

• Account and contact details, including names, email addresses, phone numbers, company details, job titles, billing contacts, authorised representatives, and support contacts.
• Service and identity details, including addresses, number-porting details, emergency service location information, authority evidence, account numbers, and service configuration.
• Technical and usage information, including IP addresses, device data, browser data, authentication logs, API usage, webhook activity, CDRs, call metadata, SIP signalling metadata, routing logs, and fraud events.
• Communications content where enabled or submitted, including call recordings, voicemail, SMS bodies, transcripts, AI prompts, AI outputs, summaries, sentiment labels, call-flow scripts, and support messages.
• Billing and commercial information, including plans, rates, invoices, payment status, usage charges, reseller/customer ownership, products, and carrier pass-through costs.

2. How we use information

• To assess applications, create tenants, provision services, route calls and messages, support number porting, manage users, and provide portal access.
• To provide AI voice agents, transcription, recording playback, analytics, summaries, sentiment, dashboards, and workflow automation where enabled.
• To bill, rate, reconcile, detect fraud, investigate faults, troubleshoot quality, provide support, maintain security, and enforce terms.
• To comply with legal, regulatory, tax, accounting, telecommunications, fraud prevention, consumer protection, privacy, and law-enforcement obligations.
• To improve reliability, security, product usability, and operational performance, using de-identified or aggregated information where practical.

3. When we disclose information

• To PBX, carrier, SIP, DID, SMS, number-porting, hosting, database, object storage, monitoring, workflow, payment, and support providers needed to provide the services.
• To AI, speech-to-text, text-to-speech, language model, transcription, or analytics providers selected by us or configured by you.
• To resellers, customer administrators, end-user administrators, and authorised representatives for the account or tenant they administer.
• To regulators, emergency services, carriers, law-enforcement agencies, courts, dispute bodies, or government agencies where required or authorised by law.
• To professional advisers, insurers, auditors, and potential acquirers, but only as reasonably required and subject to appropriate confidentiality controls.

4. Overseas disclosure and third-party platforms

Some service providers and subprocessors may process or store information outside Australia, including in the United States, Singapore, the European Union, or other locations where cloud, AI, carrier, or support providers operate.

If you configure BYOC, BYO-LLM, BYO-storage, or another third-party integration, that provider may receive information directly from your service. You are responsible for reviewing that provider and giving any required notices to your users or customers.

5. Recordings, transcripts, and AI outputs

Call recording, voicemail, transcription, summaries, and sentiment features are configurable by tenant, account, product, or workflow. You are responsible for deciding whether those features are appropriate for your users and callers.

You must give call recording, AI assistance, and privacy notices where required by law or by your own policies. You must not collect sensitive information through AI agents or recordings unless it is lawful, necessary, and appropriately protected.

6. Calendar and third-party account connections

If you connect a third-party calendar account, such as Google Calendar or Microsoft Outlook, VoxaLink accesses that account only to provide the scheduling features you enable: listing your calendars, checking availability (free/busy), and creating or updating appointment events on your behalf.

We do not use calendar information for advertising and we do not sell it. Calendar information is not read by humans except with your consent, where necessary for security or abuse investigation, or where required by law. Connection credentials (OAuth tokens) are encrypted at rest and used solely to operate these features.

You can disconnect a calendar at any time in the portal, which deletes our stored connection tokens. You can also revoke VoxaLink’s access directly from your Google Account security settings or your Microsoft account permissions page.

VoxaLink’s use and transfer to any other application of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

7. Retention and deletion

We retain information for as long as needed to provide the services, meet legal and billing obligations, resolve disputes, maintain security, and enforce agreements.

Recording, transcript, CDR, API log, and workflow retention may vary by product, tenant setting, support need, or legal requirement. Where deletion is available, deletion may not remove historical billing records, fraud records, audit logs, backups, or information we must retain by law.

8. Security

We use technical and organisational controls designed to protect information, including access controls, authentication, encryption for selected secrets, hashed API token storage, signed recording URLs, network controls, monitoring, and least-privilege operational access.

No system is perfectly secure. You must secure your own users, devices, networks, credentials, BYOC providers, API keys, webhooks, and local integrations.

9. Access, correction, and complaints

You may request access to or correction of personal information we hold about you. We may need to verify your identity and may refuse or limit a request where permitted by law.

Privacy requests and complaints should be sent to [privacy email]. If you are not satisfied with our response, you may be able to complain to the Office of the Australian Information Commissioner.

10. Data breach response

If a privacy incident occurs, we will assess the incident and take steps required by applicable law, including notification to affected individuals and the OAIC where the Notifiable Data Breaches scheme applies.

1. Prohibited use

• Illegal, fraudulent, deceptive, misleading, abusive, harassing, threatening, discriminatory, exploitative, or harmful communications.
• Scam calls, phishing, smishing, robocalling without lawful consent, caller ID spoofing, unauthorised sender IDs, wangiri-style traffic, traffic pumping, short-duration abuse, or artificial inflation of usage.
• Emergency hoaxes, interference with emergency services, misuse of public safety services, or misleading callers about emergency availability.
• Unlawful telemarketing, e-marketing, SMS marketing, Do Not Call Register breaches, spam, missing unsubscribe facilities, or campaigns without adequate consent records.
• Attempting to bypass rate limits, authentication, routing controls, credit controls, channel caps, fraud controls, or security monitoring.
• Using the services to collect sensitive personal information, payment card data, health information, biometric information, or identity documents unless the collection is lawful, necessary, and approved for the specific use case.

2. AI voice and automation rules

• AI agents must not impersonate a human in a way that is deceptive or unlawful.
• AI agents must include recording, AI assistance, or privacy notices where required for the use case.
• AI agents must have safe fallback or human escalation paths for complaints, distress, emergencies, regulated advice, account cancellation, financial hardship, and high-impact decisions.
• You must test agents before production use and monitor live calls for unsafe, inaccurate, or unauthorised behaviour.

3. Enforcement

We may investigate traffic, request evidence of consent or authority, block destinations, rate-limit traffic, suspend services, rotate credentials, report abuse, or terminate services where we reasonably believe this policy has been breached.

Hosted PBX and tenant administration

• Vodia or another PBX platform may own runtime PBX features, extensions, dial plans, call queues, voice agents, voicemail, and account settings.
• VoxaLink provides the portal, provisioning, configuration, support, and management layer agreed for your service.
• You are responsible for local network readiness, devices, firewall configuration, user training, and keeping authorised contacts current.

Carrier Edge, DID, SMS, and voice termination

• Carrier Edge, DID, SMS, and voice termination features depend on upstream carriers, number providers, routing platforms, fraud controls, and supported countries or number types.
• Rates, routes, destinations, and supported countries may change where carriers, suppliers, regulation, fraud controls, or commercial conditions change.
• You must not send traffic that breaches carrier policies, destination rules, CLI requirements, spam rules, or traffic-quality obligations.

Call recordings, transcription, and analytics

• Recording and transcription features depend on upstream PBX recording, storage, processing queues, cloud storage, transcription providers, and tenant settings.
• Recordings and transcripts may be unavailable, delayed, incomplete, or skipped where recording is disabled, audio is missing, files are corrupt, calls are too short, queues fail, or providers are unavailable.
• You are responsible for recording notices, workplace policies, caller notices, and any required consent.

White-labelled mobile app and end-user portal

• White-label services may require separate app-store listings, support processes, privacy URLs, branding approvals, and customer-specific notices.
• The end-user portal and mobile app need customer-facing terms and privacy copy that are simpler and more direct than these reseller/admin terms.
• Resellers and white-label customers must not remove required legal, privacy, emergency, recording, or acceptable-use notices from their branded experience.

1. API credentials

API tokens and webhook secrets are confidential. You must store them securely, rotate them when required, and never embed them in public client-side code or repositories.

Tokens may be scoped by tenant, reseller, user, capability, product, or environment. You must not use a token outside its authorised scope.

2. Rate limits and reliability

We may apply rate limits, quotas, concurrency caps, payload limits, endpoint restrictions, or fair-use controls. We may change API behaviour where needed for security, reliability, compliance, or product evolution.

You must design integrations to tolerate retries, idempotency, delayed delivery, duplicate events, partial outages, schema changes, and token revocation.

3. Data access and API compliance

You may only access data you are authorised to access. You must not scrape, enumerate, reverse engineer, bypass access controls, or attempt to infer data from tenants, customers, or users outside your scope.

If your integration processes personal information, you must protect it, delete it when no longer needed, and comply with applicable privacy, security, marketing, spam, and telecommunications laws.

1. Customer-controlled carrier relationship

Your BYOC provider is your provider. You are responsible for contracts, rates, credit, service levels, support escalation, CLI approval, emergency calling capability, lawful use, number rights, and all information you provide to that carrier.

We may ask for carrier settings, IP addresses, SIP credentials, routing parameters, rate information, and technical contacts so we can configure VoxaLink systems.

2. BYOC limitations

• BYOC may affect call quality, emergency calling, caller ID, SMS, porting, fraud controls, lawful intercept obligations, reporting, billing accuracy, and support boundaries.
• We do not control a BYOC provider outage, rejection, fraud block, rate change, regulatory restriction, CLI rule, destination block, or porting failure.
• You remain responsible for charges caused by your carrier relationship and for traffic generated through your connected systems.

3. Security and fraud controls

We may restrict source IPs, require digest authentication, set channel caps, block suspicious destinations, or disable BYOC routing where needed to protect the network, upstream providers, or customers.

1. Roles

For account administration, billing, security, and our own business operations, VoxaLink may act as an independent controller of personal information.

For customer content processed through the services, including call audio, recordings, transcripts, SMS content, AI prompts, AI outputs, contacts, and API payloads, VoxaLink generally acts as a processor or service provider for the customer, unless the circumstances require a different role.

2. Processing instructions

We process customer content to provide, secure, support, bill, maintain, and improve the services, and as otherwise documented in these terms, an order, service setting, or written instruction.

You must ensure your instructions are lawful and that you have given all required privacy notices and obtained all required consents.

3. Subprocessors

We may use subprocessors for PBX hosting, carriers, SMS, cloud hosting, storage, databases, monitoring, workflow automation, AI, transcription, text-to-speech, support, and security.

We will use reasonable contractual, technical, and organisational controls for subprocessors according to the risk and nature of the processing.

4. Security, incident response, and deletion

We will maintain reasonable security measures for the services. If we become aware of a confirmed security incident affecting customer content, we will notify affected customers without undue delay where required by law or contract.

On termination, we will delete or return customer content in accordance with product functionality, retention settings, backup cycles, legal obligations, and reasonable operational constraints.