Privacy Policy

‍Operata Pty Ltd

1. ‍We respect your privacy‍
   
   1. Operata respects your right to privacy and is committed to safeguarding the privacy of our customers, their personnel, and our website visitors. We adhere to the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) and, where applicable, comply with the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This policy sets out how we collect and treat your personal information.
   2. "Personal information" is information we hold which is identifiable as being about you.‍
2. Collection of personal information‍
   
   1. Operata Pty Ltd will, from time to time, receive and store personal information you enter onto our website, provided to us directly or given to us in other forms.
   2. You may provide basic information such as your name, phone number, address and email address to enable us to send information, provide updates and process your product or service order. We may collect additional information at other times, including but not limited to, when you provide feedback, when you provide information about your personal or business affairs, change your content or email preference, respond to surveys and/or promotions, provide financial or credit card information, or communicate with our customer support.
   3. Additionally, we may also collect any other information you provide while interacting with us.‍
3. ‍How we collect your personal information‍
   
   1. Operata Pty Ltd collects personal information from you in a variety of ways, including when you interact with us electronically or in person, when you access our website and when we provide our services to you. We may receive personal information from third parties. If we do, we will protect it as set out in this Privacy Policy.‍
4. Use of your personal information‍

Operata may use personal information collected from you to provide you with information, updates and our services. We may also make you aware of new and additional products, services and opportunities available to you. We may use your personal information to improve our products and services and better understand your needs.

Operata may contact you by a variety of measures including, but not limited to, telephone, email, SMS or mail.

4.1 Use of AI in our services

Our products include AI-powered features, branded collectively as Tenor AI™. These features include CX Copilot (a natural-language conversational interface), AX Copilot (Real-time Agent guidance tool), CX Insights Graph® (AI-driven anomaly detection and CX Risk Scores), Customer Journey Trace® AI summaries, the Operata MCP Server® and proprietary machine-learning models for anomaly detection and pattern analysis.

Where these features are used, Customer Data (such as application/network event logs, WebRTC metrics, agent telemetry and CCaaS platform logs) may be processed by the following third-party AI sub-processors:

Operata's own proprietary ML models run within Operata's AWS infrastructure and do not transmit Customer Data to any third-party provider.

Elements considered PII can be blocked from transmission to Operata by the Customer from their CCaaS environment, which also excludes this data from AI processing.

Detailed terms governing AI Features - including IP ownership of inputs/outputs, change-notification commitments, and EU AI Act classification - are set out in the AI Terms Addendum to the Operata End User License Agreement and Terms of Service.

4.2 Use of de-identified and aggregated Customer Data to develop Operata

We may use Customer Data that has been de-identified (so it cannot reasonably be used to identify a natural person) and/or aggregated with data from other customers to operate, analyse, benchmark and improve the Operata platform. The eight permitted business purposes for which we may use such de-identified and aggregated data are set out in clause 8(d) of the Operata End User License Agreement and are reproduced below in identical form:

• data analytics;
• performance baseline measurement and comparison;
• quality assurance;
• product and service improvement;
• new product and service development;
• customer and the associated CCaaS provider performance notifications;
• support CCaaS providers for the purpose of issue investigation and service improvement; and
• inform best practice and other knowledge articles within the platform, including to highlight performance trends.

De-identified and aggregated data does not identify any individual or any specific Customer organisation in outputs shared externally.

We do not sell de-identified or aggregated data, and we do not transfer it to third parties except as permitted under the Operata End User License Agreement (clause 8(c)(iii)).

4.3 Personal information collected through Operata personnel access to Customer accounts

Operata personnel access Customer accounts to deliver and support our services. Two access scenarios involve Operata personnel viewing or operating within a Customer's Operata account, and may incidentally involve viewing personal information contained in observability data:

4.3.1 Customer Success Management - ad-hoc access. Operata's Customer Success Management (CSM) team may access a Customer's Operata account on an ad-hoc basis for the purpose of service management activities, including but not limited to: assisting with configuration, conducting dashboard or service reviews, providing training and enablement, validating data flows, troubleshooting non-incident questions, and preparing service reports. CSM access is performed under a documented access-control process, is logged, and is restricted to personnel with a current need-to-know. This access is performed in the course of Operata's delivery of the Services under Section 8 of the Operata End User License Agreement and Terms of Service.

4.3.2 Engineering (Development) - issue resolution access. Operata's Engineering (Development) team may access a Customer's Operata account — including the Customer's tenant within the Operata Platform and any Operata-deployed component running within the Customer's CCaaS / AWS environment — only where necessary to investigate, reproduce or resolve a defect, performance issue, or support ticket affecting that Customer. Such access is granted only pursuant to prior written approval, recorded by email, from the Customer's nominated contact (typically the Customer Success Manager's primary Customer contact, or a Customer Administrator). Each approval is:

• ‍Specific — identifying the named engineer(s), the Customer environment in scope, the access type (including but not limited to read-only, configuration change, or log retrieval), and the documented business purpose (such as an incident or Support Services ticket reference); and‍
• Time-bound — stating an explicit start and end time, after which access is revoked.

Approvals are retained as part of Operata's audit records, access is actively monitored, and any activity outside an approved window is treated as a security event under Operata's incident management process. On reasonable request from the Customer, Operata will provide summary information regarding such approvals as they relate to the Customer's environment.

The contractual basis for this control is set out in clause 8(g) of the Operata End User License Agreement and Terms of Service.

All Operata personnel accessing Customer accounts under either scenario are subject to background police checks, are bound by written non-disclosure and confidentiality agreements, use multi-factor authentication, and are required to comply with Operata's Information Security, Privacy, Computer, Email and Internet policies.

4.3.3 Application during paid services and trial periods. The personnel access controls described in sections 4.3.1 and 4.3.2 apply during periods in which a Customer is receiving paid services from Operata. During any trial, free, evaluation, proof-of-concept or pilot period, Operata personnel may access the Customer's account as reasonably required to set up, configure, demonstrate, troubleshoot, support and optimise the trial, without the prior written approval otherwise described in section 4.3.2. All other safeguards described in this Policy — including confidentiality undertakings, background police checks, multi-factor authentication, and the security measures described in section 6 — continue to apply.

5. Disclosure of your personal information ‍

We may disclose your personal information to any of our employees, officers, insurers, professional advisers, agents, suppliers or subcontractors insofar as reasonably necessary for the purposes set out in this Policy. Personal information is only supplied to a third party when it is required for the delivery of our services or as permitted by this Policy.

Sub-processors and service providers we currently use to deliver the Operata service include (but are not limited to):

• Amazon Web Services (cloud infrastructure and Amazon Bedrock);
• Auth0 (authentication and identity);
• Anthropic (LLM inference, accessed exclusively via AWS Bedrock);
• OpenAI (text embeddings only - no Customer Data) and;
• our own engineering personnel.

A current list of sub-processors involved in AI Features is published in Exhibit A to the AI Terms Addendum. A consolidated list of sub-processors that Process Personal Data within Customer Data is set out in Annex 3 to Schedule 3 (Data Processing Addendum) of the EULA.

We may from time to time need to disclose personal information to comply with a legal requirement, such as a law, regulation, court order, subpoena, warrant, in the course of a legal proceeding or in response to a law enforcement agency request.

We may also use your personal information to protect the copyright, trademarks, legal rights, property or safety of Operata, https://operata.com, its customers or third parties.

Information that we collect may from time to time be stored, processed in or transferred between parties located in countries outside of Australia. Where we transfer personal data subject to GDPR or equivalent regimes, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) as set out in Schedule 3 (Data Processing Addendum) to the Operata End User License Agreement and Terms of Service.

If there is a change of control in our business or a sale or transfer of business assets, we reserve the right to transfer to the extent permissible at law our user databases, together with any personal information and non-personal information contained in those databases. This information may be disclosed to a potential purchaser under an agreement to maintain confidentiality. We would seek to only disclose information in good faith and where required by any of the above circumstances.

By providing us with personal information, you consent to the terms of this Privacy Policy and the types of disclosure covered by this Policy. Where we disclose your personal information to third parties, we will request that the third party follow this Policy regarding handling your personal information.

6. Security of your personal information

Operata is committed to ensuring that the information you provide to us is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure. These include encryption in transit (TLS) and at rest (AES-256 via AWS KMS), role-based access controls, two-factor authentication for production access, weekly vulnerability scanning, periodic third-party penetration testing, and a SOC 2 Type II audited control environment.

The technical and organisational measures applicable to Customer Data are described in clause 8(h) of the End User License Agreement and in Operata's "Architecture and Security" document at operata.com/security.

The transmission and exchange of information is carried out at your own risk. We cannot guarantee the security of any information that you transmit to us, or receive from us. Although we take measures to safeguard against unauthorised disclosures of information, we cannot assure you that personal information that we collect will not be disclosed in a manner that is inconsistent with this Privacy Policy.

7. Access to your personal information

You may request details of personal information that we hold about you in accordance with the provisions of the Privacy Act 1988 (Cth). A small administrative fee may be payable for the provision of information. If you would like a copy of the information which we hold about you, or believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please email us at hello@operata.com.

We reserve the right to refuse to provide you with information that we hold about you, in certain circumstances set out in the Privacy Act.

8. Complaints about privacy

If you have any complaints about our privacy practices, please feel free to send details of your complaint to 3/162 Collins Street, Melbourne, Victoria, 3000 or email privacy@operata.com. We take complaints very seriously and will respond shortly after receiving written notice of your complaint.

9. Changes to Privacy Policy

We may modify this Policy at any time, in our sole discretion. Where we make material changes (such as the introduction of new categories of processing - for example, the AI Features and account-access disclosures introduced in v2.0), we will provide reasonable advance notice via email to designated customer contacts and via prominent notice on our website. Please check back from time to time to review our Privacy Policy.

10. Website

When you visit our website. When you come to our website (https://operata.com)) we may collect certain information such as browser type, operating system, website visited immediately before coming to our site, etc. This information is used in an aggregated manner to analyse how people use our site, such that we can improve our service.

Cookies. We may from time to time use cookies on our website. Cookies are very small files which a website uses to identify you when you come back to the site and to store details about your use of the site. Most web browsers automatically accept cookies but you can choose to reject cookies by changing your browser settings. However, this may prevent you from taking full advantage of our website. Our website may from time to time use cookies to analyse website traffic and help us provide a better website visitor experience. In addition, cookies may be used to serve relevant ads to website visitors through third party services such as Google Ads. These ads may appear on this website or other websites you visit.

Third party sites. Our site may from time to time have links to other websites not owned or controlled by us. These links are meant for your convenience only. Links to third party websites do not constitute sponsorship or endorsement or approval of these websites. Please be aware that Operata is not responsible for the privacy practices of other such websites. We encourage our users to be aware, when they leave our website, to read the privacy statements of each and every website that collects personal identifiable information.