voral.aiJoin the Waiting List

Privacy Policy

Last updated: 24 March 2026

1. Introduction

Voral Pty Ltd (ABN 81 696 276 669) ("Voral", "we", "us") provides AI-powered practice management assistants for Australian medical practices. This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with the Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs).

This policy applies to all users of our platform, including medical practice administrators, healthcare practitioners, and patients who interact with our voice assistant.

2. Definitions

  • "Voral", "we", "us" refers to Voral Pty Ltd (ABN 81 696 276 669).
  • "You", "your" refers to any individual whose personal information we collect, including practice staff, practitioners, and patients.
  • "Personal information" has the meaning given under the Privacy Act 1988 (Cth) — information or an opinion about an identified individual, or an individual who is reasonably identifiable.
  • "Sensitive information" includes health information and other categories defined under the Privacy Act that receive enhanced protections.
  • "Practice" refers to the medical practice or healthcare organisation that uses our platform.
  • "PMS" refers to the Practice Management System used by the practice (e.g. Best Practice, Cliniko, CorePlus).

3. Australian Privacy Act & the 13 APPs

We comply with all 13 Australian Privacy Principles under the Privacy Act 1988. These principles govern how we manage personal information throughout its lifecycle — from collection and use through to storage, disclosure, and destruction.

As a service handling health-adjacent scheduling data, we apply the enhanced protections the Act affords to sensitive information, even where we do not directly handle clinical health records.

4. Information We Collect

We collect the following categories of personal information:

  • Practice data: Practice name, address, contact details, practitioner names, and PMS configuration.
  • Scheduling data: Patient names, phone numbers, dates of birth, appointment types, dates, times, and practitioner preferences.
  • Call recordings: Audio recordings of calls handled by our AI assistant, stored securely in Australia. Practices control the retention period.
  • Call data: Call transcripts, call summaries, call duration, and escalation records.
  • Contact data: Name, email, practice name, location, and practice size submitted through our website contact form.
  • Authentication data: Staff email addresses and names for admin dashboard and Chrome extension access.
  • Usage data: Booking success rates and platform interaction logs.

5. How We Collect Information

We collect personal information through the following methods:

  • Directly from you: When patients call the practice and interact with our AI assistant, when practice staff register for and use the admin dashboard, and when visitors submit our website contact form.
  • From your Practice Management System: When our platform queries the PMS to search for patients, check availability, or book appointments on behalf of callers. Data exchanged is limited to scheduling information.
  • Automatically: Call metadata (duration, timestamps) and usage analytics are collected during platform operation.

6. Voice Calls, Recordings & Transcription

Our AI practice assistant, Liza, handles patient phone calls via real-time voice technology. Key details:

  • Callers are informed at the start of each call that they are speaking with an AI assistant and that the call may be recorded for quality and training purposes.
  • Call recordings (audio) are stored securely in Australia using AES-256 encryption at rest. Unlike some AI platforms that discard audio immediately, we retain recordings to give practices a complete audit trail of patient interactions for quality assurance, dispute resolution, and training purposes.
  • Retention is practice-controlled. Each practice can configure how long call recordings, transcripts, and summaries are retained. The default retention period is 3 days. Practices may extend this to meet their own clinical governance or regulatory requirements (e.g. 7 years under state health records legislation).
  • Call transcripts (text) are generated from the audio and stored alongside the call record. They are accessible to authorised practice staff via the admin dashboard.
  • Call summaries including booking outcomes, patient details, and practitioner information are stored for practice record-keeping.
  • Where a call is escalated to a human receptionist, the escalation record (reason, patient name, phone number, transcript summary) is stored and accessible to authorised practice staff.

7. SMS Communications

Our AI assistant may send SMS messages to callers for appointment confirmations and follow-up communications. SMS messages are sent via a third-party SMS delivery provider. The caller's phone number and message text are transmitted to the provider for delivery. No clinical data is included in SMS messages.

8. Health Information

Voral is a scheduling and call management tool, not a clinical system. We do not store, process, or transmit clinical health records, diagnoses, treatment plans, or Medicare claim information.

Where scheduling data or call recordings may incidentally contain health-related information (e.g. appointment type referencing a medical specialty, or a caller describing symptoms during a booking call), we treat this as sensitive information under the Privacy Act and apply the protections of the My Health Records Act 2012 (Cth) by analogy.

9. AHPRA Considerations

Our service assists with administrative scheduling only. We do not provide clinical advice, triage, or health assessments. Our AI assistant is designed to recognise medical emergencies and immediately direct callers to Triple Zero (000) or their nearest emergency department.

Practices using Voral remain solely responsible for clinical decisions and AHPRA compliance in their clinical operations.

10. How We Use Your Data

  • To facilitate appointment scheduling and management on behalf of practices.
  • To sync bookings with your Practice Management System (PMS).
  • To provide call recordings, transcripts, summaries, and escalation records to authorised practice staff.
  • To send appointment confirmation and follow-up SMS messages to callers.
  • To generate anonymised analytics and insights for practice administrators.
  • To send service communications and platform updates.

11. AI & De-Identification

We take the responsible use of AI seriously. Our commitments:

  • No patient data is used for AI model training without explicit opt-in consent from the practice. We do not train models on patient call recordings, transcripts, or personal information by default.
  • Where data is used for platform improvement (e.g. improving speech recognition accuracy), it is first de-identified by stripping names, phone numbers, dates of birth, and other personal identifiers.
  • De-identified and aggregated data may be used to improve the quality and reliability of our AI assistant across all practices. This data cannot be traced back to any individual patient or practice.
  • We do not sell, licence, or share personal information or call data with third parties for their own purposes.

12. Marketing Communications

We may send marketing communications to practice administrators who have opted in. You can opt out at any time by clicking the unsubscribe link in any marketing email or by contacting us at privacy@voral.ai.

Patient data, call recordings, and health-related information are never used for marketing purposes.

13. Information Sharing

We may share personal information with the following categories of recipients:

  • Practice staff: Authorised practice administrators and receptionists who access call records, transcripts, and escalations via the admin dashboard or Chrome extension.
  • PMS providers: Scheduling data exchanged with your PMS (Best Practice, Cliniko, CorePlus) via their official APIs or approved integration middleware.
  • Service providers: Third-party infrastructure providers who process data on our behalf under data processing agreements (see Section 14).
  • Law enforcement or regulators: Where required by law, court order, or regulatory obligation.

We do not sell personal information to third parties.

14. Third-Party Services

We use the following categories of third-party services to deliver our platform:

  • Voice infrastructure: Real-time voice communication services for AI-powered calls. Call audio is processed in real-time and recordings are stored on our own Australian infrastructure, not by the voice provider.
  • Cloud hosting: Application and database hosting on SOC 2 Type 2 certified infrastructure in Sydney, Australia.
  • Authentication: Identity and access management services with Australian data residency for admin dashboard and extension authentication.
  • SMS delivery: Third-party SMS provider for sending appointment confirmations and follow-up messages. Only the recipient's phone number and message text are shared. No clinical data is transmitted.
  • Email delivery: Transactional email service for contact form submissions. No patient data is transmitted.
  • PMS integrations: We connect to Best Practice, Cliniko, and CorePlus via their official APIs or approved integration middleware. Data exchanged is limited to scheduling information.

All third-party service providers are bound by data processing agreements that require them to protect personal information to a standard consistent with this policy and the Australian Privacy Principles.

15. Cookies & Analytics

Our website uses essential cookies required for authentication and platform functionality. We do not use third-party advertising or tracking cookies.

We may use analytics tools to understand how our website and platform are used. No patient data, call recordings, or health-related information is shared with analytics providers. You can manage cookie preferences through your browser settings.

16. Data Storage & Security

  • All data is encrypted in transit using TLS 1.2 or higher.
  • Data at rest, including call recordings, is encrypted using AES-256.
  • We maintain Australian data residency for all patient, scheduling, call recording, and transcript data. All databases and application servers are hosted in Sydney, Australia. See our Data Residency page for details.
  • Access controls follow the principle of least privilege. Each practice can only access their own data through organisation-scoped authentication.
  • PMS credentials are stored encrypted and are only decrypted at runtime for API calls.
  • We conduct regular security assessments.

17. Data Retention & Deletion

We believe practices should control how long their data is retained. Our approach:

  • Call recordings, transcripts, summaries, and escalation records are retained for a period configured by each practice. The default retention period is 3 days. Practices may adjust this to any period that meets their clinical governance, regulatory, or quality assurance requirements.
  • For practices subject to state health records legislation (e.g. NSW Health Records and Information Privacy Act 2002, VIC Health Records Act 2001), we recommend configuring retention to at least 7 years for adult patients and until age 25 for minors, in line with those requirements.
  • Patient phone number mappings are retained for the duration of the practice's subscription plus 90 days.
  • Website contact form submissions are retained for 2 years.
  • Upon practice offboarding, all practice-specific data (including call recordings, transcripts, summaries, escalations, and configuration) is permanently deleted within 90 days of subscription termination.
  • Individuals may request deletion of their personal data by contacting their practice, who will notify us. Deletion is completed within 30 days.

18. Secure Data Destruction

When data reaches the end of its retention period or is subject to a deletion request, it is permanently destroyed in a manner that prevents reconstruction or recovery:

  • Database records (call data, transcripts, recordings, patient mappings) are permanently deleted at the database level.
  • Database backups containing deleted records are rotated out within the backup retention window (30 days).
  • We do not retain copies of deleted data in any secondary system or archive.

19. Data Breach Response

We maintain a Data Breach Response Plan in compliance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). In the event of an eligible data breach that is likely to result in serious harm:

  • We will take immediate action to contain the breach and preserve evidence.
  • We will assess the scope and severity of the breach within 24 hours.
  • We will notify the Office of the Australian Information Commissioner (OAIC) as required under the NDB scheme.
  • We will notify affected individuals and practices directly, including what information was involved and recommended steps they can take.
  • We will conduct a post-incident review and implement measures to prevent recurrence.

20. Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Where we make material changes, we will notify affected practices via email or through the admin dashboard. The "Last updated" date at the top of this page indicates when this policy was most recently revised.

21. Access, Correction & Complaints

Under the APPs, you have the right to access and correct personal information we hold about you. To make a request, contact us at privacy@voral.ai. We will respond within 30 days.

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us directly. If you are unsatisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

22. Contact

Voral Pty Ltd (ABN 81 696 276 669)
327 Springvale Rd, Springvale VIC 3171
Melbourne, Victoria, Australia
Email: privacy@voral.ai