Built for Compliance from the Ground Up

The Privacy Act 1988 (Cth) governs the collection, use, storage, and disclosure of personal information by Australian businesses. The Act applies to all businesses with an annual turnover above $3 million, and to a broader range of businesses in healthcare, credit, and certain other regulated sectors. Conversation Verified Leads handles personal information in the course of verifying leads on behalf of our clients. This includes contact details, qualification responses, and conversation data. All such handling is conducted in accordance with the 13 Australian Privacy Principles (APPs).

• ✓APP 1: We maintain a clearly accessible Privacy Policy describing our information handling practices.
• ✓APP 3: We collect only the personal information reasonably necessary for lead verification purposes.
• ✓APP 5: Individuals are notified at the point of collection about who is collecting their data and for what purpose.
• ✓APP 6: Personal information is used only for the primary purpose of lead verification, or secondary purposes where the individual would reasonably expect.
• ✓APP 8: International data transfers are only made to countries with comparable privacy protections, or where express consent is obtained.
• ✓APP 11: Personal information is protected by reasonable security measures against misuse, interference, loss, and unauthorised access.
• ✓APP 12: Individuals have the right to access personal information held about them.
• ✓APP 13: Individuals can request correction of inaccurate personal information.

The Spam Act 2003 (Cth) regulates commercial electronic messages sent to Australian addresses, including email and SMS. The Act requires that commercial messages have consent, identify the sender, and provide a functional unsubscribe mechanism. CVL's outbound verification conversations via SMS and email are conducted in compliance with the Spam Act. All messages include sender identification and a clear opt-out mechanism. Opt-out requests are processed within 5 business days as required by the Act.

• ✓All outbound messages identify CVL or the sending client as the originator.
• ✓Messages are only sent to contacts who have provided consent through a form submission, enquiry, or prior business relationship.
• ✓Every message includes a functional unsubscribe or opt-out mechanism.
• ✓Opt-out requests are actioned within 5 business days.
• ✓Unsubscribed contacts are added to a suppression list to prevent further contact.
• ✓Message content does not contain misleading subject lines or sender information.
• ✓Outbound campaigns are reviewed for Spam Act compliance before activation.

The General Data Protection Regulation (GDPR) applies to the personal data of individuals in the European Economic Area (EEA). While CVL is an Australian company primarily serving Australian businesses, some clients process data about EEA-resident individuals. For these clients, CVL acts as a data processor and provides GDPR-compliant data handling.

• ✓Lawful basis for processing is documented for all verification activities involving EEA data subjects.
• ✓Data subject rights (access, rectification, erasure, portability) are supported through our client portal.
• ✓Data Processing Agreements (DPAs) are available for clients who process EEA personal data.
• ✓Data minimisation principles are applied: only necessary data is collected and retained.
• ✓International data transfers from the EEA are conducted under Standard Contractual Clauses (SCCs).
• ✓Data breach notification procedures comply with the 72-hour notification requirement where applicable.
• ✓A Data Protection Officer (DPO) is available for GDPR-related queries from EU-facing clients.

The Telephone Consumer Protection Act (TCPA) applies to US persons and governs automated calling, SMS, and fax marketing. While CVL's primary market is Australia, clients running US-targeted campaigns must ensure TCPA compliance. CVL provides configuration options to support TCPA-compliant outreach.

• ✓Prior express written consent is required before sending marketing SMS to US consumers.
• ✓CVL supports double opt-in consent flows for US campaigns to document express consent.
• ✓Do Not Call (DNC) registry checking is available for US phone number lists.
• ✓Time-of-day restrictions (8am to 9pm local recipient time) are enforced for outbound messages.
• ✓Opt-out requests via STOP keyword are processed immediately.
• ✓Clients are responsible for obtaining and documenting TCPA-compliant consent before providing US leads to CVL.
• ✓CVL does not provide legal advice on TCPA compliance. US clients should consult a telecommunications lawyer.

CVL retains lead and conversation data for the minimum period necessary to provide our service, comply with legal obligations, and resolve disputes. Data retention periods are configurable at the client account level within the bounds of our standard policy.

• ✓Conversation transcripts are retained for 24 months by default, then deleted.
• ✓Lead contact data is retained for the duration of the client relationship plus 12 months.
• ✓Clients may request early deletion of lead data at any time via the client portal.
• ✓Anonymised aggregated analytics data may be retained indefinitely for service improvement purposes.
• ✓Backup copies are retained for 90 days after deletion of primary data to support disaster recovery.
• ✓Financial and billing records are retained for 7 years to comply with Australian tax obligations.
• ✓Custom retention policies are available for enterprise clients with specific regulatory requirements.

Consent is the foundation of compliant lead verification. CVL verifies leads who have already expressed interest through your marketing channels (inbound enquiry, form submission, or prior business relationship). For outbound campaigns, appropriate consent must be in place before CVL initiates contact.

• ✓Inbound leads: consent is inferred from the act of submitting an enquiry form (implied consent).
• ✓Outbound campaigns: clients must hold prior express consent or demonstrate an existing business relationship.
• ✓CVL provides consent disclosure language for client forms to ensure compliant collection.
• ✓Consent timestamps and methods are logged and available to clients on request.
• ✓Clients are responsible for the legality of their initial consent collection. CVL provides guidance but cannot accept liability for pre-existing consent deficiencies.
• ✓Re-consent workflows are available for dormant lists where original consent may have lapsed.
• ✓Consent withdrawal requests received during CVL conversations are honoured immediately.

CVL is committed to protecting both the data of our clients and the personal information of the leads we process on their behalf. Our infrastructure is hosted in Australia, and we apply industry-standard security controls across all systems.

• ✓All data is hosted within Australian data centres (AWS Sydney and Melbourne regions).
• ✓Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
• ✓Access to client data is restricted to authorised CVL personnel on a need-to-know basis.
• ✓Annual penetration testing is conducted by an independent security firm.
• ✓Sub-processor agreements are in place with all third-party providers who access client data.
• ✓Clients can request a list of current sub-processors at any time.
• ✓A Data Breach Response Plan is in place. Clients are notified within 72 hours of any confirmed breach.
• ✓SOC 2 Type II certification is in progress. Available to enterprise clients on request.