Privacy Policy

Last updated: 30 June 2026  ·  HomeSwim Australia Pty Ltd ABN 66 640 753 877 ACN 640 753 877

1. About This Policy

This Privacy Policy explains how HomeSwim Australia Pty Ltd (ABN 66 640 753 877, ACN 640 753 877), trading as PoolDesk (“we”, “us”, “our”), collects, holds, uses, and discloses personal information in connection with the PoolDesk platform and services.

This policy applies to all people whose personal information we handle, including:

  • Operators — swim schools and businesses that subscribe to PoolDesk
  • End Users — members of the public who interact with a PoolDesk-powered AI receptionist (typically parents or guardians enquiring about swim classes)
  • Visitors — people who visit our website at pooldesk.net

We are committed to compliance with the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs), the Privacy and Other Legislation Amendment Act 2024 (Cth) (including the statutory tort for serious invasions of privacy that commenced 10 June 2025), the Surveillance Devices Act 2007 (NSW), the Telecommunications (Interception and Access) Act 1979 (Cth), and the Spam Act 2003 (Cth).

We maintain an internal privacy management program and review this policy at least annually or whenever there are material changes to our data practices or applicable law.

2. Who We Are

HomeSwim Australia Pty Ltd (ABN 66 640 753 877, ACN 640 753 877) is a company incorporated in New South Wales, Australia. PoolDesk is a registered trading name under which we provide AI-powered receptionist and customer communication software for swim schools and aquatics education businesses.

For all privacy enquiries, access and correction requests, opt-out requests, or complaints, contact our Privacy Officer:

  • Email: privacy@pooldesk.net
  • Post: Privacy Officer, HomeSwim Australia Pty Ltd, New South Wales, Australia

We will acknowledge your enquiry within 5 business days and aim to resolve it within 30 calendar days.

3. What Personal Information We Collect

“Personal information” has the meaning given in the Privacy Act 1988 — information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not true and whether or not recorded in material form.

3.1 Operator Account Information

When a swim school registers for PoolDesk, we collect: full name, email address, business phone number, swim school name and address, Australian Business Number (if provided), and billing information. Billing details (card numbers) are processed and stored directly by Stripe; we hold only a payment reference token and billing address.

3.2 Conversation Data

The core function of PoolDesk is to conduct AI-powered conversations on behalf of Operators. These conversations — by voice call, web chat, WhatsApp, Facebook Messenger, Instagram DMs, or other configured channels — may contain personal information provided voluntarily by End Users, including: name, phone number, email address, details about their children’s age or swim level (as provided by a parent or guardian), and any other information an End User chooses to share. We do not ask for, and instruct the AI not to solicit, sensitive information (as defined in the Privacy Act — including health information, financial account details, or government identifiers) during AI conversations. If an End User volunteers such information, it is recorded in the conversation transcript but is not used for AI training (see section 7).

3.3 Voice Recordings

For Operators using voice (phone) services, all inbound calls handled by the PoolDesk AI are recorded. Callers receive an automated disclosure before the conversation begins (see section 8). Recordings are transcribed and the transcript is made available to the Operator in their dashboard.

3.4 Add-On Channel Data

Operators who activate WhatsApp, Facebook Messenger, or Instagram DM add-ons consent to PoolDesk receiving message data from those platforms via their respective Business APIs. Data collected through these channels is subject to the additional terms of the applicable platform (Meta Business Terms, WhatsApp Business API terms) as well as this policy. PoolDesk does not store social media profile information beyond what is necessary to route and respond to a message.

3.5 Usage and Technical Data

We collect technical information when you access the PoolDesk dashboard, including: IP addresses, browser type and version, operating system, device identifiers, pages visited, features used, session duration, and timestamps. This data is used in aggregate to understand how the platform is used and to improve the Service. It is not ordinarily used to identify individuals.

3.6 Knowledge Base Content

Operators upload class schedules, pricing, FAQs, and other business information as “knowledge base” content. This content generally does not contain personal information. If an Operator includes personal information in their knowledge base (for example, staff names), they take responsibility for ensuring this is appropriate and lawful.

3.7 Unsolicited Personal Information

If we receive personal information that we did not request and that we could not have collected under the Privacy Act, we will destroy or de-identify that information as soon as reasonably practicable, unless it would be unlawful to do so.

4. How We Collect Personal Information

We collect personal information:

  • Directly from Operators during signup, onboarding, and ongoing use of the platform
  • Directly from End Users through AI-powered conversations (voice, chat, and messaging channels)
  • Automatically through cookies, server logs, and analytics tools when you visit our website
  • From third-party payment processors (Stripe) regarding billing and subscription status
  • From social media platforms (Meta) when add-on messaging channels are activated
  • From telephony providers in connection with inbound call handling

We collect personal information only by lawful and fair means, and only the information that is reasonably necessary for our functions and activities (data minimisation principle).

5. Notification of Collection (APP 5)

At or before the time we collect personal information (or as soon as practicable afterwards), we take reasonable steps to ensure the person is aware of:

  • Our identity and contact details
  • The fact and circumstances of collection
  • Whether collection is required or authorised by law
  • The purposes of collection, including AI Training Use
  • The types of organisations to which we usually disclose personal information
  • That this Privacy Policy contains information about access, correction, and complaints

For End Users interacting via voice call, this notification is delivered through the automated call disclosure (section 8). For End Users interacting via web chat, a privacy notice is displayed before or at the commencement of the conversation. For Operators, this notification is provided through this policy, which is presented during account registration.

6. Why We Collect and Use Personal Information

We collect and use personal information for the following primary purposes:

  • Service delivery: To provide, operate, and maintain the PoolDesk AI receptionist platform, including routing enquiries, generating AI responses, sending booking links by SMS or chat, and producing call reports.
  • Account and relationship management: To create and manage Operator accounts, process payments, provide customer support, and communicate regarding your subscription.
  • Reporting and analytics: To generate conversation summaries, call transcripts, usage reports, and business analytics for Operators.
  • AI system improvement: To train, fine-tune, test, and evaluate our AI language models and automation systems. This is a primary disclosed purpose — see section 7 for full details.
  • Security, fraud prevention, and abuse detection: To detect, investigate, and prevent fraudulent transactions, unauthorised access, misuse of the platform, or unlawful conduct.
  • Legal and regulatory compliance: To comply with the Privacy Act, tax legislation, telecommunications law, court orders, and regulatory directions.
  • Service improvement and product development: To understand how the platform is used, identify improvements, and develop new features and capabilities.
  • Communications: To send service-essential notifications, security alerts, and (with consent) marketing and product update communications.

We will not use personal information for a secondary purpose unless that purpose is related to the primary purpose and the individual would reasonably expect us to do so, we have their consent, or we are required to by law.

7. Use of Conversation Data to Train AI Systems

This section is important. It explains how we use conversation data to improve our artificial intelligence and automation systems, and your rights in relation to that use.

7.1 What We Do and Why

PoolDesk uses conversation data — the transcripts and recordings of AI-powered conversations between our system and End Users — to train, fine-tune, evaluate, and improve our AI language models and automation systems (“AI Training Use”). This is how we build a more accurate, safer, and more useful AI receptionist over time.

AI Training Use is a primary, expressly disclosed purpose of collection under APP 3 and APP 6. It is disclosed at or before collection, meaning you are not surprised by this use — it is part of the deal from the outset. By using PoolDesk as an Operator, and by interacting with a PoolDesk AI receptionist as an End User, you acknowledge that conversation data will be used for this purpose subject to the protections described below.

7.2 De-Identification Before Training

Before conversation data is used for AI Training, we apply a de-identification process designed to remove or mask direct personal identifiers, including:

  • Phone numbers and email addresses
  • Full names (replaced with placeholders)
  • Physical addresses
  • Any sensitive information (health data, financial account details)

The substance used for training is the nature and pattern of conversations — types of enquiries swim schools receive, how questions are phrased, what kinds of responses are accurate and helpful — not individual identifiable profiles.

Once de-identified, the resulting data is no longer “personal information” within the meaning of the Privacy Act and the protections of that Act do not apply to it. However, we handle it responsibly regardless.

7.3 What We Do Not Do

  • We do not use identifiable personal information in AI training datasets
  • We do not sell conversation data to third parties for their own commercial purposes
  • We do not use sensitive information for AI training
  • We do not use voice recordings directly for training without transcription and de-identification

7.4 Third-Party AI Infrastructure

We may engage third-party AI infrastructure providers to assist with model training and inference (for example, cloud AI platforms). Any such providers are bound by data processing agreements that prohibit them from using the data for their own commercial purposes, and are required to maintain security standards equivalent to our own. A current list of our AI sub-processors is available on request from privacy@pooldesk.net.

7.5 Operator Opt-Out

Operators may opt their account out of AI Training Use at any time by emailing privacy@pooldesk.net with the subject line “AI Training Opt-Out — [your school name]”. We will confirm the opt-out within 5 business days. Going forward, no new conversations from that account will be used for AI Training.

We cannot remove de-identified data already incorporated into trained models — this is a technical constraint of machine learning. However, the data at that point is no longer personal information, and is not individually attributable.

7.6 Automated Decision-Making Disclosure

PoolDesk’s AI system makes automated decisions in real time — including recommending swim class levels, answering FAQs, and determining when to escalate a conversation to a human. These decisions are based on the content of the conversation and the Operator’s configured knowledge base. They do not involve decisions about consumer credit, insurance, employment, or other high-stakes domains.

From 10 December 2028 (as required by the Privacy and Other Legislation Amendment Act 2024), we will publish additional disclosures in this policy regarding the types of personal information used in substantially automated decisions and the nature of those decisions. Operators may review and adjust all AI conversation responses at any time through the PoolDesk dashboard.

8. Call Recording and AI Identity Disclosure

8.1 Mandatory Call Disclosure

For all voice (phone) services, every inbound call answered by a PoolDesk AI receptionist commences with an automated disclosure in a form materially equivalent to:

“This call is handled by an AI assistant on behalf of [School Name]. This call may be recorded for quality and training purposes. By continuing this call, you agree to this recording. If you do not wish to be recorded, please hang up and contact us at [school phone/email].”

This disclosure satisfies notification obligations under the Surveillance Devices Act 2007 (NSW) (all-party consent jurisdiction), the Telecommunications (Interception and Access) Act 1979 (Cth), and equivalent state and territory laws. Callers who continue the call after this disclosure have provided implied consent to recording.

8.2 AI Identity

PoolDesk AI receptionists do not claim to be human. If a caller sincerely asks whether they are speaking with a human or a computer, the AI will disclose that it is an automated AI assistant. This is consistent with our obligations under section 18 of the Competition and Consumer Act 2010 (Cth) (prohibition on misleading and deceptive conduct).

8.3 Web Chat and Messaging Channels

For web chat, WhatsApp, Facebook Messenger, and Instagram DM channels, a disclosure that the conversation is AI-assisted is presented at the commencement of the conversation. The AI will similarly identify itself if asked.

9. Sharing and Disclosure of Personal Information

We never sell personal information. We disclose it only in the following circumstances:

9.1 Service Providers (Sub-Processors)

We share personal information with carefully selected providers who help us operate the Service. Current categories of sub-processors include:

  • Cloud hosting and databases: Supabase (database and authentication) running on Amazon Web Services (AWS) infrastructure, located in Australia and the United States.
  • Payment processing: Stripe Inc. (USA). Stripe processes and stores payment card data. We do not hold card numbers.
  • AI model providers: Third-party large language model providers used to power AI conversation responses. Located in the United States.
  • Telephony providers: Third-party voice and telephony infrastructure providers used to deliver inbound call handling services.
  • Analytics: Aggregate platform usage analytics. No individual profiling.
  • Social messaging platforms: Meta Platforms (for WhatsApp, Facebook Messenger, Instagram DMs) where Operators have activated these add-on channels.

All sub-processors are bound by data processing agreements requiring them to handle personal information only on our instructions and to maintain appropriate security measures. A full current list of sub-processors is available on request.

9.2 Operators

Conversation transcripts, call recordings, and End User contact details collected through an Operator’s PoolDesk account are shared with that Operator through the PoolDesk dashboard. Operators receive personal information as data controllers in their own right and are responsible for handling it in accordance with applicable privacy law.

9.3 Legal Requirements

We may disclose personal information if required by law, court order, subpoena, or the lawful direction of a government or regulatory authority. Where permitted, we will notify the affected individual or Operator before making such a disclosure.

9.4 Business Transactions

If we are involved in a merger, acquisition, restructure, or sale of assets, personal information may be transferred to a successor entity. We will give Operators at least 30 days’ notice before such a transfer and the successor will be bound by this Privacy Policy or a substantially equivalent one.

9.5 Safety

We may disclose personal information without consent if we reasonably believe it is necessary to protect the safety or welfare of any person, or to prevent or respond to serious and imminent harm.

10. Overseas Transfer of Personal Information (APP 8)

Some of our sub-processors and AI model providers are located outside Australia, primarily in the United States. Before transferring personal information overseas, we take reasonable steps to ensure the overseas recipient handles it in a way that is consistent with the APPs, as required by APP 8.

These steps include entering into data processing agreements that: (a) require the overseas recipient to comply with standards at least equivalent to the APPs; (b) give us the right to audit or obtain evidence of compliance; and (c) require the overseas recipient to notify us of any data breaches.

Despite these steps, Australian privacy law may not apply directly to overseas recipients, and you may have limited ability to enforce your privacy rights against an overseas entity. You acknowledge this risk by using the PoolDesk Service. HomeSwim Australia Pty Ltd remains accountable to you under Australian privacy law for the handling of your personal information, including by our overseas sub-processors.

11. Data Retention

We retain personal information only for as long as is necessary for the purposes for which it was collected or as required by law. Our standard retention periods are:

  • Conversation transcripts: 90 days from the date of the conversation, after which they are automatically and permanently deleted from live systems. Operators may configure a shorter retention period in their dashboard settings.
  • Voice recordings: 30 days from the date of the call. Transcripts derived from recordings follow the 90-day schedule above.
  • Operator account data: Retained for the life of the subscription and for 7 years following account closure, to meet our obligations under tax and business record-keeping laws (including the Tax Administration Act 1953 (Cth) and the Corporations Act 2001 (Cth)).
  • Billing and financial records: 7 years from the date of the transaction.
  • Usage and technical logs: 90 days, after which they are aggregated or deleted.
  • Security incident records: Retained for at least 5 years from the date of the incident in case of legal proceedings or regulatory investigation.
  • De-identified AI training data: Indefinitely, as it no longer constitutes personal information and forms part of our trained AI models. It cannot be individually identified or removed.

When personal information is no longer required, we take reasonable steps to destroy it or ensure it is de-identified in a way that means it can no longer be re-identified.

12. Data Portability

Operators may request an export of their conversation data at any time through the PoolDesk dashboard or by contacting support. Data exports are provided in a machine-readable format (CSV or JSON).

If you are closing your account, we recommend exporting any data you wish to retain before your account is closed, as data is deleted in accordance with section 11 following account closure.

13. Security

We implement reasonable technical and organisational security measures to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:

  • TLS/HTTPS encryption for all data in transit between users and our systems
  • Encryption at rest for all stored data and backups using AES-256 or equivalent
  • Role-based access controls — staff access to personal information is restricted to what is necessary for their role
  • Multi-factor authentication (MFA) required for all administrative and privileged access
  • Regular vulnerability assessments and penetration testing
  • Security incident response procedures with defined escalation and notification timelines
  • Staff privacy and security training
  • Contractual security requirements imposed on all sub-processors and service providers

No system is completely secure. We cannot guarantee absolute security. If you become aware of any suspected unauthorised access to your PoolDesk account, contact us immediately at privacy@pooldesk.net.

14. Notifiable Data Breaches

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. If we have reasonable grounds to believe an eligible data breach has occurred — a breach likely to result in serious harm to one or more individuals — we will:

  • Contain and assess the breach as quickly as possible, and within 30 calendar days
  • Notify the Office of the Australian Information Commissioner (OAIC) if we confirm an eligible breach
  • Notify affected individuals directly (by email or other available means) as soon as practicable
  • Take remediation steps and review our security measures to prevent recurrence

If you suspect your personal information held by us has been compromised, notify us immediately at privacy@pooldesk.net. We take all reports seriously.

15. Your Privacy Rights

15.1 Access (APP 12)

You may request access to the personal information we hold about you. We will respond within 30 days. We may charge a reasonable fee for access in some circumstances. We may decline access where permitted by law (for example, where providing access would unreasonably impact another person’s privacy, or where the request relates to legal proceedings against you).

15.2 Correction (APP 13)

If you believe personal information we hold is inaccurate, out-of-date, incomplete, irrelevant, or misleading, you may request that we correct it. We will respond within 30 days. If we decline to make the correction, we will give you written reasons and note your request for correction alongside the information.

15.3 Deletion and Erasure

You may request deletion of personal information we hold about you. We will delete it unless: (a) we are required by law to retain it; (b) it is necessary for the resolution of a dispute or for the enforcement of a contract; or (c) retention is otherwise authorised by the Privacy Act. We will respond to deletion requests within 30 days and advise you of what we are able and unable to delete.

15.4 Opt-Out of AI Training

See section 7.5.

15.5 Opt-Out of Marketing

You may opt out of marketing communications at any time using the unsubscribe mechanism in any marketing email, or by contacting us at privacy@pooldesk.net. We will process opt-outs within 5 business days.

15.6 Complain to a Regulator

If you are not satisfied with our response to a privacy complaint, you may escalate to:

  • Office of the Australian Information Commissioner (OAIC) — for complaints under the Privacy Act. www.oaic.gov.au or 1300 363 992.
  • Australian Communications and Media Authority (ACMA) — for complaints relating to spam or telecommunications matters. www.acma.gov.au.
  • Australian Competition and Consumer Commission (ACCC) — for complaints relating to misleading or deceptive conduct under the Australian Consumer Law. www.accc.gov.au.

16. Children's Privacy

PoolDesk is a B2B platform for swim school operators. We do not offer services directly to children and do not knowingly collect personal information directly from any person under the age of 15.

End Users of PoolDesk-powered AI receptionists are typically parents or guardians enquiring on behalf of their children. We collect personal information about the parent or guardian making the enquiry, not about the child. If a parent or guardian volunteers a child’s name or details during a conversation, this is incidental to the enquiry and is subject to the same data retention limits as all conversation data (section 11).

The OAIC is developing a Children’s Online Privacy Code under the Privacy Act as amended in 2024. We will update this policy as required to comply with any code that applies to our services.

If you believe a child’s personal information has been collected in circumstances that concern you, please contact us at privacy@pooldesk.net and we will investigate and take appropriate action promptly.

17. Cookies and Tracking Technologies

The PoolDesk website and dashboard use the following cookies and technologies:

  • Essential / strictly necessary: Required for user authentication, session management, and core platform security (e.g. CSRF protection). These cannot be disabled.
  • Functional: Remember your preferences within the dashboard (e.g. UI settings). Disabling these may affect your experience.
  • Analytics: We use analytics tools to understand aggregate usage patterns (e.g. which features are used most). Data is aggregated and not used to identify individuals. You may opt out through your browser settings or a cookie preference tool where available.

We do not use advertising or third-party tracking cookies. You may configure your browser to refuse all cookies, but this will prevent you from logging in to PoolDesk.

18. Marketing Communications

We will only send you marketing or promotional communications where you have provided express consent, or where we are permitted under the Spam Act 2003 (Cth) on the basis of an existing business relationship (inferred consent). All commercial electronic messages we send will:

  • Clearly identify us as the sender
  • Include an easy, cost-free unsubscribe mechanism
  • Not require you to create an account or provide additional information to unsubscribe

We process unsubscribe requests within 5 business days. Unsubscribing from marketing does not affect service-related communications (such as invoices, security alerts, or material changes to these policies), which we may send regardless of marketing preference.

19. Changes to This Policy

We may update this Privacy Policy from time to time. We will:

  • Update the “Last updated” date at the top of this page
  • Notify registered Operators by email of any material changes at least 14 days before they take effect
  • Where changes are particularly significant, seek fresh acknowledgment from Operators before they take effect

Continued use of PoolDesk after the effective date of changes constitutes acceptance of the updated policy. If you do not accept the changes, you should stop using the Service and close your account before the effective date.

20. Contact and Complaints

To exercise your privacy rights, make a complaint, or ask any question about this policy, contact our Privacy Officer:

  • Email: privacy@pooldesk.net
  • Entity: HomeSwim Australia Pty Ltd (ABN 66 640 753 877, ACN 640 753 877)
  • State: New South Wales, Australia

We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days. If you are dissatisfied with our response, you may escalate to the OAIC, ACMA, or ACCC as described in section 15.6.

This Privacy Policy reflects our obligations under Australian law as at 30 June 2026. It is not legal advice. Operators should obtain their own independent legal advice regarding their privacy obligations when deploying AI communication tools in connection with their businesses and their own customers.