Privacy Policy

Last updated: 19 March 2026

This Privacy Policy explains how Orane.AI (“we”, “us”, “our”) collects, uses, stores, and discloses personal information. It applies to all users of our platform at orane.ai and our associated services. We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Who We Are

Orane.AI is an Australian AI receptionist platform that enables businesses to deploy an AI-powered phone receptionist. Our platform handles inbound calls, checks calendar availability, and books appointments on behalf of subscribing businesses.

Contact: privacy@orane.ai

2. Information We Collect

We collect the following categories of personal information:

2.1 Account information

When you create an account we collect your email address and a hashed password (we never store your password in plaintext). If you sign up via Google Sign-In we receive your Google account identifier (an opaque ID, not your password). We also collect your mobile number for identity verification via SMS OTP.

2.2 Business profile information

During onboarding you provide your business name, business description, business hours, and a phone number used to route inbound calls to your AI receptionist. You also configure an AI persona prompt that describes how your receptionist should communicate.

2.3 Billing information

Subscription payments are processed by Stripe. We store only your Stripe customer ID, subscription plan, and subscription status. We never see or store your full card number; that information is held exclusively by Stripe.

2.4 Call records

For every inbound call handled by your AI receptionist we record the caller’s phone number, the dialled number, call start and end times, duration, outcome (e.g., appointment booked, missed), and any AI-generated notes (e.g., “appointment booked for 3 pm”). This data is retained for up to 2 years and then automatically deleted.

2.5 Google Calendar data

If you connect Google Calendar, we request access to read and write calendar events (OAuth scopes calendar.events and calendar.readonly). We store encrypted OAuth access and refresh tokens in our database. Calendar event data is accessed only in real time during calls to check availability or book appointments; it is not stored or analysed beyond what is necessary to respond to a caller.

2.6 Microsoft Outlook and Calendly data

If you connect Outlook Calendar or Calendly, we similarly store encrypted OAuth tokens and access your calendar solely to check availability and book appointments during live calls.

2.7 Practice management data (Cliniko)

If you connect Cliniko, we store your encrypted Cliniko API key along with your selected practitioner and appointment type identifiers. Appointment booking data accessed via Cliniko may constitute health information as defined under the Privacy Act. We treat this data with the heightened protections required for sensitive information: it is used solely to book appointments on behalf of callers and is not shared with any third party other than Cliniko itself.

2.8 Usage and technical data

We may collect server logs, error reports, and authentication event metadata to operate and improve the service. This data does not include call audio recordings.

3. How We Use Your Information

  • To create and manage your account and authenticate your identity.
  • To operate your AI receptionist — routing inbound calls, checking calendar availability, and booking appointments.
  • To process payments and manage your subscription via Stripe.
  • To verify your phone number for security purposes.
  • To send you transactional emails (e.g., payment receipts, account notices). We do not use your data for direct marketing without your consent.
  • To detect and prevent fraud, abuse, or security incidents.
  • To comply with our legal obligations.
  • To improve and develop our platform (using aggregated, anonymised data only).

We only collect information that is reasonably necessary for these purposes (APP 3). We will not use your personal information for a secondary purpose without your consent or as otherwise permitted by the APPs.

4. Google API Services — Limited Use Disclosure

Orane.AI’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • Google Calendar data (events, availability) is used only to provide the appointment-checking and booking feature visible in the Orane.AI platform. No other use is made of this data.
  • We do not transfer, sell, or use Google user data for advertising, credit assessment, or any purpose unrelated to the scheduling feature.
  • We do not allow any human to read your Google Calendar data, except where you have explicitly granted access for support purposes or as required by law.
  • You can revoke Orane.AI’s access to your Google Calendar at any time from your Google Account’s security settings or from the Integrations page in your Orane.AI dashboard.

5. Callers and Third Parties

When someone calls a phone number managed by Orane.AI on behalf of a business, their phone number, call duration, and AI-generated call notes are recorded in that business’s Orane.AI account. These callers are not direct users of our platform.

Businesses that use Orane.AI are responsible for informing their own clients and callers that calls may be handled by an AI system and that call metadata is recorded. The AI receptionist is designed to identify itself as an AI assistant when asked.

Caller data is processed under the legitimate interest of the subscribing business to manage their inbound communications and is subject to the same retention and security standards as all other personal information we hold.

6. Disclosure of Personal Information

We do not sell your personal information. We disclose information only in these circumstances:

  • Third-party service providers listed in Section 7 — strictly to operate the service.
  • Legal obligations — when required by Australian law or a court order.
  • Business transfers — in the event of a merger or acquisition, with prior notice to affected users.

7. Third-Party Service Providers and Cross-Border Transfers (APP 8)

Our platform relies on the following third-party providers. All are based outside Australia (primarily the United States). By using Orane.AI you consent to your personal information being transferred to and processed in these countries.

Provider | Purpose | Country | Privacy policy
Railway | Backend hosting & database | United States | Policy
Vercel | Frontend hosting | United States | Policy
Stripe | Payment processing | United States | Policy
Telnyx | Phone calls & AI voice | United States | Policy
Twilio | SMS verification (OTP) | United States | Policy
Google | Calendar OAuth, Places API, Sign-In | United States / Global | Policy
OpenRouter / OpenAI | AI prompt generation | United States | Policy
Cliniko (optional) | Practice management integration | Australia / United States | Policy
Calendly (optional) | Calendar scheduling integration | United States | Policy
Microsoft (optional) | Outlook Calendar integration | United States / Global | Policy

We take reasonable steps to ensure these providers maintain appropriate privacy and security standards consistent with the APPs.

8. Security of Personal Information (APP 11)

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

  • All data in transit is encrypted using TLS (HTTPS).
  • Passwords are hashed using bcrypt and never stored in plaintext.
  • OAuth tokens (Google, Outlook, Calendly) and third-party API keys (Cliniko) are encrypted at rest in our database using AES-128 symmetric encryption.
  • Access to our systems is controlled via JWT authentication and environment-scoped API keys.
  • Our database and backend infrastructure are hosted on Railway with network-level access controls.

When personal information is no longer required we take reasonable steps to destroy or de-identify it. Call logs are automatically deleted after 2 years (see Section 9).

9. Data Retention

  • Call logs: retained for 2 years from the date of the call, then automatically deleted.
  • Calendar OAuth tokens: deleted immediately when you disconnect your calendar integration.
  • Account and business profile data: retained while your account is active and deleted when you complete account deletion.
  • Deleted-account safety record: after account deletion, we retain a minimal deletion record (including your email, an email hash, deletion timestamp, and subscription cancellation metadata) to prevent fraud and unauthorised account re-creation.
  • Billing records: Stripe retains transaction records for their own compliance purposes. We may also retain limited subscription cancellation metadata in our deletion records for operational and legal purposes.

10. Your Rights — Access, Correction and Deletion (APP 12 & 13)

You have the right to request access to the personal information we hold about you and to request corrections if it is inaccurate, out of date, incomplete, irrelevant, or misleading.

You may also request deletion of your account and associated personal data at any time from the Settings page in your Orane.AI dashboard. Account deletion will:

  • Set any active or trialling Stripe subscription to cancel at the end of your current billing period.
  • Delete all call logs, calendar connections, and business profile data.
  • Delete your user account and credentials.

To protect users and the platform against abuse, a minimal deleted-account safety record may be retained after deletion. This can prevent immediate re-signup or re-login (including via Google Sign-In) for a previously deleted account until the self-serve restore code flow is completed.

To request access to your data or to exercise any other privacy right, contact us at privacy@orane.ai. We will respond within 30 days.

11. Direct Marketing (APP 7)

We do not use your personal information for direct marketing without your express consent. We may send you transactional and service-related communications (e.g., subscription receipts, security notices, product updates). You may opt out of non-essential communications at any time by contacting us at privacy@orane.ai.

12. Anonymity and Pseudonymity (APP 2)

Where practicable, you may interact with us anonymously or under a pseudonym (e.g., when contacting our support team with a general enquiry). However, to use the Orane.AI platform as a subscribing business you must create an account with a valid email address.

13. Complaints

If you believe we have breached your privacy rights, please contact us at privacy@orane.ai. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5218, Sydney NSW 2001

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes to how we use Google user data, we will notify affected users by email before the change takes effect and, where required, obtain fresh consent. The “Last updated” date at the top of this page reflects the most recent revision.