L01/LEGAL · PRIVACY
LAST UPDATED · 30 JUNE 2026

Your data, kept honest.

Relay is built in Brisbane and operates under Australian privacy law. This policy explains exactly what we collect, why we collect it, and what we do with it. We don't sell your data. We don't use call content to train external models. Read on for the detail.

1. Who we are

Relay is operated by Relay Pty Ltd, an Australian proprietary company registered in Queensland. Our registered address is in Brisbane, Australia. Throughout this policy, “Relay,” “we,” and “us” mean Relay Pty Ltd.

We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). If you're in the EU/UK, your data is also handled in line with the GDPR's lawful-basis requirements (legitimate interest for sales and marketing; consent for product use).

2. What we collect

Demo & sales enquiries. When you book a demo or contact sales via our website, we collect your name, work email address, company name, role, weekly call volume, current CRM, current dialler/softphone, and any free-text fill-in you provide. We also record the marketing surface you submitted from (e.g. “hero,” “nav”), your IP address, and your browser user-agent string. This is the minimum needed to triage your request and prioritise onboarding.

Sign-up & checkout. When you start a subscription, we ask which CRM and phone system you use so we can confirm Relay supports your stack before taking payment. We collect your billing details to process the subscription — card data is handled directly by our payment processor, Stripe; we store only a Stripe customer reference and your subscription status, never your full card number.

Product usage (when you become a customer). Relay runs as a desktop application you install on your computer (macOS or Windows). During a call, the app captures the call audio locally from your computer's system audio. After the call ends, the recording is uploaded over an encrypted connection and transcribed (in a batch after the call — not live); the recording is deleted as soon as the transcript is stored, so we keep no call audio. We then process the transcript for AI extraction, generate structured fields and summaries, and run the post-call workflows you configured. We also store your integration credentials (encrypted at rest), your team members' identities, and audit logs of who did what.

Telemetry. We keep basic server logs (timings, error rates, request metadata) to keep the service fast, reliable, and secure, and the Relay app holds your session in your browser's local storage rather than a cookie.

Advertising (opt-in). On our marketing pages only, if you accept cookies in our banner, we load the Meta (Facebook) advertising pixel to measure our ads and reach people who've visited us. It records which pages you viewed and whether you requested a demo or created an account, and shares that with Meta. It never runs in the Relay app, never runs if you decline, and we don't sell your data. Full detail — and how to opt out — is in our Cookie Policy.

3. Why we collect it

Form data is used solely to triage your request and contact you about a demo and onboarding. Product data is used to deliver the service: transcribing calls, extracting structured fields, and firing the post-call workflows you've configured. Telemetry is used to keep the service fast and reliable.

We will not use any of this data to train external AI models, to sell to third parties, or to target you with unrelated marketing.

4. Who we share it with (and why)

Sub-processors. We share only what's necessary with these vendors, each contractually bound to handle your data lawfully:

  • Supabase (database hosting, Sydney ap-southeast-2 region). Stores all your customer data encrypted at rest.
  • Anthropic (Claude API). Receives call transcripts for extraction, outcome classification, and summary generation. Anthropic does not train on data sent through their API.
  • Deepgram (speech-to-text). Receives call audio for transcription; audio is processed and discarded, and transcripts are returned to us. We are migrating speech-to-text to self-hosted Whisper, after which audio is transcribed on our own infrastructure.
  • Stripe (payments). Processes subscription billing. We don't store full card numbers — Stripe handles card data directly.
  • Resend (transactional email). Receives the email addresses needed to send you account-related notifications.
  • Cloudflare (storage & CDN). Hosts the desktop app installer and automatic-update files, and serves static assets.
  • Fly.io / Vercel (backend and website hosting). Receive standard server logs.

CRM and integration providers. When you connect a CRM (HubSpot, Salesforce, Pipedrive, Zoho), phone system (OpenPhone, Aircall, RingCentral, Twilio, Dialpad), email (Gmail, Outlook), calendar, or one of the other tools we integrate with (Slack, Teams, DocuSign, Notion, Calendly), we share the data needed for the integrations you've enabled. Those providers' privacy policies govern what they do with that data on their side.

Legal obligation. We'll disclose data if we're served with a valid legal order. We'll let you know unless the order forbids it.

We will never sell your data.

5. Google user data (Gmail & Calendar)

When you connect a Google account to Relay, we request a deliberately narrow set of permissions (OAuth scopes). This section describes exactly what we access, why, and what we do with it. It governs our use of all data obtained through Google APIs.

What we access.

  • Gmail — send (gmail.send). We send follow-up emails from your own mailbox, only as a post-call workflow action you have configured and approved in Relay. This permission lets us send only: we do not read, search, list, download, or modify your existing email, and we cannot read or change any Gmail settings.
  • Calendar — events (calendar.events). We create and manage calendar events that you schedule as a post-call action (for example, booking a follow-up meeting).
  • Calendar — read (calendar.readonly, calendar.freebusy). We list your calendars so you can choose which one to write to, and we read your busy/free windows to suggest open times. We do not store the contents of your existing calendar events.
  • Account identity (openid, userinfo.email, userinfo.profile). We read the connected account's email address and display name so you can tell connected Google accounts apart when more than one is linked.

What we store and for how long. We store your Google OAuth tokens encrypted at rest, the connected account's email address, and a record of the actions Relay performed on your behalf (such as a reference to a draft or event we created). We do not copy or retain the contents of your mailbox or calendar. You can disconnect a Google account at any time in Settings → Integrations, which revokes our access and deletes the stored tokens.

What we never do. We do not sell Google user data, we do not transfer it to third parties except as needed to provide the features you enabled, we do not use it for advertising, and we do not use it to train any AI model — including our own or any external model.

Limited Use disclosure. Relay's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6. Where your data lives

Primary data is stored in Supabase's Sydney (ap-southeast-2) region. Some sub-processors (Anthropic, Deepgram, Resend, Stripe, and Cloudflare) may process data in the United States or other regions during the request lifecycle. We're working to expand region selection for customers with strict data-residency requirements.

7. How long we keep it

Demo-request form submissions are kept until you become a customer or for 24 months, whichever is shorter. After that we delete the row.

Call recordings are deleted as soon as transcription completes — Relay stores no call audio. Transcripts, AI summaries, verbatim quotes, and any contact details we briefly hold are automatically purged about 72 hours after each call by an automated retention worker. We keep only a non-identifying skeleton (call outcome, labels, confidence, duration, and sync and audit logs) plus the structured values written into your CRM, which remains the system of record for your customer data. Your account and any remaining exportable data are kept while your subscription is active and for 30 days after cancellation, then deleted.

8. Your rights

Under Australian and EU/UK privacy law you can: access the personal data we hold about you, correct it, delete it, restrict its processing, object to it, and (for demo-request data) withdraw consent at any time.

To exercise any of these rights, email privacy@userelay.com.au. We'll respond within 30 days.

9. Security

Integration credentials and OAuth tokens are encrypted at rest with AES-256-GCM using per-organisation keys; account passwords are hashed with scrypt; the rest of your data is encrypted at rest by our database host. Data in transit uses TLS 1.2+. Multi-tenancy is enforced at the database row level, and every privileged action is audit-logged.

For more on how we handle data day-to-day, see our Security page.

10. Changes to this policy

We'll post any updates here and bump the “last updated” date. Material changes that affect how your data is used will be emailed to active customers at least 30 days before they take effect.

11. Contact

Privacy concerns: privacy@userelay.com.au
General contact: see our Contact page.

If you're unhappy with how we've handled your data, you have the right to complain to the Office of the Australian Information Commissioner (oaic.gov.au).