Privacy Policy
Version 2.1 · Last updated: July 2026
1. Who we are and what this covers
HeyVox is a voicemail and AI receptionist service operated by Gabriel Denemark, a sole trader in Perth, Western Australia, trading as HeyVox (referred to as "HeyVox", "we", "us"). This policy covers the HeyVox Android application, the HeyVox web portal at heyvoxapp.com/app, the HeyVox backend service, and the heyvoxapp.com website. The portal provides access to the same inbox described below using your Google sign-in; no additional categories of information are collected through it.
Although some small businesses are exempt from parts of the Privacy Act 1988 (Cth), we have chosen to comply with the Privacy Act and all thirteen Australian Privacy Principles (APPs) in full, and this policy is written and operated on that basis. We also participate in the Notifiable Data Breaches scheme (see section 12).
2. The information we collect
2.1 Your account
- Google sign-in details: your name, email address and Google account identifier, received from Google when you sign in. We never see your Google password.
- Business details you provide: your business name and any greeting text or receptionist menu options you configure.
2.2 Phone numbers and telephony data
- Your mobile number(s), including which SIM they belong to, used to route calls and personalise your service.
- The dedicated HeyVox number(s) we provision for you.
- Call event data for calls that reach your HeyVox number: caller number, time, duration and routing outcome (for example, which receptionist option the caller chose).
2.3 Voicemail content (including other people's personal information)
- Recordings: the audio of messages callers leave on your HeyVox number.
- Transcripts: automatic text versions of those recordings.
- AI metadata: machine-generated summaries, suggested replies, urgency flags, spam assessments and category tags derived from each message.
- Your annotations: the status, private notes, reminders, tags and flags you (or an invited member) attach to messages.
Voicemail content necessarily includes the personal information of the people who call you (their voice, number, and whatever they choose to say). Section 6 explains how callers are notified and what your responsibilities are.
2.4 Shared access
If you invite someone to help manage your inbox, we collect their email address, the permissions you grant them, when they join, and a record of the changes they make (so actions in a shared inbox are attributable).
2.5 Payments
Subscriptions are processed entirely by Google Play. We receive confirmation of your plan and a purchase token to verify your subscription. We never receive or store your card or bank details.
2.6 Device permissions — what stays on your phone
The app requests several Android permissions. Most of the information they access is processed on your device only and never reaches our servers:
| Permission | Used for | Where it goes |
|---|---|---|
| Phone state / numbers / call log | Detecting your SIMs and missed calls so the app can guide setup and match messages | On device only |
| Contacts | Showing a caller's name from your address book against their message | On device only |
| Microphone | Recording your voicemail greeting when you choose to record one | Greeting uploaded — nothing else is recorded |
| Calendar | Creating an event when a caller mentions an appointment and you tap to add it | On device only |
| Biometrics / app-lock PIN | Optionally locking the app | On device only — the PIN never leaves your phone |
| Notifications | Alerting you to new voicemails | Push token stored to deliver alerts |
2.7 Analytics and the website
We use Google Analytics on heyvoxapp.com and basic diagnostics in the app to understand usage and fix problems. Analytics is configured with IP anonymisation, and we do not feed voicemail content into analytics. Our website does not use advertising trackers.
3. How we collect information
We collect information directly from you (sign-up, configuration, support requests); automatically when callers interact with your HeyVox number; from Google (sign-in and billing confirmations); and from our carrier partner when calls are routed. Where it is practicable to deal with us anonymously — for example, general website enquiries — you may do so; however, the HeyVox service itself cannot be provided anonymously, because routing your calls requires your phone number and account (APP 2).
4. Why we collect it (purposes)
- To deliver the service: answering diverted calls, recording, transcribing, categorising and delivering messages; operating your receptionist menu; syncing shared inboxes.
- To operate your account: verifying subscriptions, provisioning numbers, providing support.
- To keep the service safe: spam detection, abuse prevention, security monitoring.
- To improve HeyVox: aggregate, de-identified usage analysis.
We use and disclose personal information only for these purposes, closely related purposes you would reasonably expect, or as otherwise permitted by law (APP 6). We do not sell personal information. We do not use your voicemail content for advertising or to train third-party AI models.
5. AI processing
Transcription, summaries, suggested replies, spam scoring and categorisation are performed by machine-learning models running on our infrastructure provider (Cloudflare Workers AI). Your recordings and transcripts are processed to deliver these features for you, and are not used by us to train models. AI output can be wrong: transcripts and suggestions are aids, not records of truth, and you should verify them before relying on or sending them.
6. Call recording and notice to callers
Voicemail works because callers knowingly leave a recorded message. HeyVox is designed so that callers are on notice:
- Callers reaching your HeyVox number hear a greeting (yours or a generated one) that identifies the mailbox and invites them to leave a message — the ordinary and universally understood signal that what follows is recorded.
- Receptionist menu interactions likewise culminate in an invitation to leave a message.
Your responsibilities: you must not configure a greeting that hides the fact that callers are leaving a recorded message, and you must handle callers' messages lawfully — including under the Telecommunications (Interception and Access) Act 1979 (Cth) and the surveillance devices legislation of your state or territory (in Western Australia, the Surveillance Devices Act 1998 (WA)). Do not republish or share callers' messages beyond your business purposes without their consent. If a caller asks you to delete their message, you can do so in the app, and we will action deletion requests made directly to us.
7. Who we disclose information to
We disclose personal information only to the service providers required to run HeyVox, each engaged for a defined function:
| Provider | Function | Data involved |
|---|---|---|
| Cloudflare, Inc. | Hosting, storage, databases and AI processing | Recordings, transcripts, account and configuration data |
| Telnyx LLC | Carrier services for your HeyVox number | Call events, caller numbers, call audio in transit |
| Google LLC | Sign-in, Play billing, push notifications, analytics | Account identifiers, purchase tokens, push tokens, anonymised analytics |
People you invite to your inbox (shared access) can see your messages to the extent of the permissions you grant. We may also disclose information where required or authorised by law — for example, in response to a valid warrant or court order — and we will disclose no more than the law requires.
8. Overseas disclosure (APP 8)
Our providers process data on infrastructure located outside Australia, principally in the United States and, in Cloudflare's case, across its global network including the European Union. Before engaging each provider we assessed their security practices, and we contract with them on terms that restrict use of your data to providing services to us. By using HeyVox you consent to this overseas processing as an inherent part of how the service is delivered.
9. Security
- Data is encrypted in transit (TLS) between your device, our servers, and our providers.
- Recordings and data are stored with access controls; access to your inbox requires your authenticated account or a member you have explicitly invited.
- Backend endpoints that read or change your data require verified sign-in tokens.
- The optional app lock (PIN or biometric) protects the app on your device; those credentials never leave your phone.
No system is impenetrable, but we design HeyVox so that the sensitive material — your callers' voices and words — is protected by default (APP 11).
10. Retention and deletion
- Audio recordings: deleted 30 days after they are received, in all cases.
- Your voicemail log (transcripts, AI summaries, caller numbers, tags, notes, statuses): retained for the period you select in the app — 30 days, 3, 6 or 12 months (default 12) — so you can keep business records and export them as a spreadsheet at any time. Choosing a shorter period deletes older log entries on our next daily cleanup. This log exists solely for your record keeping; we do not use it for any other purpose.
- Account, configuration and membership data: retained while your account is active.
- On cancellation or deletion request: your HeyVox number is released and your account data — including your entire voicemail log — is deleted from active systems within 30 days, and from backups in the ordinary backup cycle thereafter — except records we must keep (for example, transaction records for tax law) and information needed to resolve a dispute.
11. Your rights: access, correction and deletion
You may at any time:
- Access the personal information we hold about you (much of it is visible directly in the app);
- Correct information that is inaccurate or out of date;
- Delete individual messages in the app, or request deletion of your entire account and data;
- Export your voicemail log yourself at any time — Settings offers a spreadsheet export of any period within your retention setting.
Requests go to [email protected] (or [email protected]). We will verify you control the account, respond within 30 days, and will not charge for making a request (APPs 12–13). If we cannot grant a request, we will tell you why in writing.
12. Data breaches
We participate in the Notifiable Data Breaches scheme. If a data breach occurs that is likely to result in serious harm, we will notify affected users and the Office of the Australian Information Commissioner (OAIC) as required by Part IIIC of the Privacy Act.
13. Direct marketing, identifiers and children
- Marketing (APP 7): we may email you about HeyVox features relevant to your account. Every such email includes an unsubscribe option, honoured immediately. We comply with the Spam Act 2003 (Cth) and never use your voicemail content for marketing.
- Government identifiers (APP 9): we do not collect or use government-related identifiers such as TFNs, Medicare or licence numbers.
- Children: HeyVox is a business tool for users 18 and over, and is not directed at children. We do not knowingly collect children's information; note that callers to your number may be of any age, and their messages are handled as described above.
14. Complaints
If you believe we have mishandled your personal information, contact [email protected] with the details. We will acknowledge your complaint within 7 days and aim to resolve it within 30. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner: oaic.gov.au · 1300 363 992.
15. Changes to this policy
We will update this page when our practices change, note the date and version above, and — for material changes — tell you in the app or by email before they take effect.
16. Contact
HeyVox (Gabriel Denemark, sole trader) · Perth, Western Australia
Privacy: [email protected] · General: [email protected]