Privacy Policy

This Privacy Policy explains how Jaluru Trust ("jaluru", "we", "us") collects, uses, stores, and protects personal data in connection with the jaluru Platform and Services. Please read it carefully. References to the "Platform" and "Services" have the same meaning as in our Terms of Service.

1. Who We Are

Jaluru Trust (ABN 18 596 203 312) is the operator of jaluru.com and the jaluru Platform. Our registered address is 6 Scarborough Ct., Terrigal, NSW 2260, Australia.

For data protection enquiries, please contact us at privacy@jaluru.com.

2. Scope of This Policy

This Policy applies to personal data relating to two groups of people:

Platform users — HR managers, administrators, and other Authorised Users who access and use the jaluru web application on behalf of the Customer.
Talent — employees, workers, and contractors of the Customer whose personal data is processed through the Platform (e.g. via outbound survey calls or inbound sickness self-reporting calls).

Our role for Talent data. In respect of Talent personal data, jaluru acts as a data processor under UK GDPR: we process that data only on the documented instructions of the Customer (the data controller). Talent members should direct their primary data protection enquiries to the Customer (their employer or the operator of the relevant Store), who is responsible for that processing.

Our role for Platform user data. In respect of Platform users, jaluru acts as a data controller.

3. Personal Data We Collect

3a. Platform users (HR managers and administrators)

Name and work email address
Hashed password (we do not store plain-text passwords)
Role and permissions within the account
Login timestamps and session activity logs
Device type, browser, and IP address
Billing contact details (where the user is the account holder)

3b. Talent (processed on behalf of the Customer)

Name and mobile phone number
Employment details (Store, role, tenure information) as provided by the Customer
Voice recordings of AI-conducted calls
Call transcripts and AI-generated summaries of conversations
Survey responses and performance data
Sickness and absence records (including dates, duration, and self-reported symptoms)
Generated PDF reports (including SSP reports)
Preferred language for calls

3c. All users

IP address and approximate geolocation
Browser type and version
Pages accessed and features used within the Platform
Error and diagnostic logs

We do not collect special category personal data (such as health data in a medical context, biometric data, or genetic data) except to the extent that sickness and absence information is provided voluntarily by Talent through the sickness self-reporting Service. Such data is processed only on the Customer's instructions and for the purposes described in clause 4.

4. How We Use Personal Data

We use the personal data described above for the following purposes:

Purpose	Applies to
Providing and operating the Platform and Services	All
Authenticating users and maintaining account security	Platform users
Conducting AI voice calls (outbound surveys and inbound sickness reporting)	Talent
Generating call transcripts, AI summaries, and scoring via machine learning	Talent
Generating PDF reports (including SSP and attendance reports) for the Customer	Talent
Sending email notifications and reports to HR managers	Platform users
Billing, invoicing, and account management	Platform users / account holders
Diagnosing errors, monitoring performance, and improving the Platform	All (logs and usage data)
Producing aggregated, anonymised analytics to improve the Platform for all users (no individual can be identified)	All
Complying with legal obligations	All

5. Legal Basis for Processing (UK GDPR)

The Platform is used to manage employees based in the United Kingdom. Our processing activities are subject to UK GDPR and the UK Data Protection Act 2018.

Platform users

We process Platform user data on the basis of contractual necessity (to provide the Services under the Terms of Service) and, where applicable, our legitimate interests in operating and improving the Platform securely.

Talent data

As processor, jaluru processes Talent data on the Customer's instructions. The Customer (as controller) is responsible for identifying and maintaining the appropriate legal basis for that processing. Typical bases may include:

Legitimate interests — conducting HR surveys and performance conversations as part of employment management;
Legal obligation — processing sickness absence data for Statutory Sick Pay compliance;
Contract — where processing relates to the fulfilment of the employment contract.

Where sickness data or other special category data is involved, the Customer is responsible for ensuring an additional condition for processing applies (e.g. Schedule 1 of the Data Protection Act 2018 for employment and occupational medicine purposes).

6. Third Parties and Sub-Processors

To deliver the Services, jaluru engages specialist third-party technology providers to perform specific processing functions. All such providers are bound by appropriate data processing agreements and are required to process personal data only on jaluru's instructions, with appropriate security measures in place.

Jaluru does not publicly disclose its full list of sub-processors. Customers may request the current list of sub-processors by contacting privacy@jaluru.com. Prior to engaging any new sub-processor that will process Customer Data, jaluru will provide advance notice to affected Customers in accordance with the Data Processing Addendum.

We will never sell personal data to third parties. We will never use Talent Data to serve advertising.

7. International Data Transfers

Customer Data is stored primarily on cloud infrastructure located in the United Kingdom. Certain Services require processing by providers located outside the UK, including in the United States of America.

Where personal data is transferred outside the UK, jaluru ensures that appropriate safeguards are in place as required by UK GDPR, including:

Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO); or
Transfer to countries covered by an adequacy decision; or
Other legally permitted transfer mechanisms.

For further information about the safeguards in place for international transfers, please contact privacy@jaluru.com.

8. Data Retention

During the account lifetime: We retain Customer Data (including Talent Data) for the duration of the Customer's account.

Following termination: Following termination of the Customer's account, Customer Data remains accessible to the Customer for a 30-day export period. After that period, we will securely delete all Customer Data from our systems within 30 days, unless we are required to retain it for longer by applicable law (for example, financial records required for tax purposes).

Platform user data: Account information for Platform users is retained for the duration of the account. After account closure we may retain limited information (such as billing records) for as long as required by law.

Anonymised data: Aggregated, anonymised data derived from usage of the Platform may be retained indefinitely as it does not constitute personal data.

9. Your Rights Under UK GDPR

UK GDPR grants individuals a number of rights over their personal data. The rights available depend on the basis and purpose of processing.

For Talent members

Because jaluru processes Talent data as a data processor acting on the Customer's instructions, rights requests from Talent members (such as access requests, erasure requests, or objections) should be directed in the first instance to the Customer (your employer or the operator of your Store). jaluru will assist the Customer in responding to such requests in accordance with its obligations under the Data Processing Addendum.

For Platform users (HR managers and administrators)

You may exercise the following rights by contacting us at privacy@jaluru.com:

Right of access — to obtain a copy of the personal data we hold about you.
Right to rectification — to have inaccurate data corrected (you can also update most profile information directly in the Platform settings).
Right to erasure — to request deletion of your data, subject to our legal obligations.
Right to restriction — to request that we restrict processing of your data in certain circumstances.
Right to data portability — to receive your data in a commonly used machine-readable format.
Right to object — to object to processing based on legitimate interests.

We will respond to rights requests within one calendar month. We may need to verify your identity before processing a request. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): ico.org.uk.

10. Security

jaluru implements technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

Encryption of data in transit (TLS) and at rest
Role-based access controls and multi-factor authentication for Platform users
Identity and access management provided by a managed cloud authentication service
HMAC-SHA256 signature verification for all inbound webhook data (transcripts and call status updates)
Segregated AWS environments for development and production
Regular review of security controls and access permissions

Notwithstanding these measures, no internet transmission or electronic storage is completely secure. We cannot guarantee absolute security. In the event of a personal data breach affecting Customer or Talent data, we will notify the affected Customer without undue delay in accordance with our Data Processing Addendum obligations.

11. In-Call Disclosure

Every AI voice call conducted through the Platform begins with an automated verbal announcement informing the person called that:

the call is being conducted by an AI assistant; and
the call may be recorded and transcribed.

The Customer is responsible for ensuring that its use of the Service (including outbound calls to Talent) is consistent with applicable employment law obligations and any workplace policies relating to monitoring and recording of communications.

12. Children

The Platform is not intended for use in connection with individuals under the age of 16. Customers must not use the Platform to process the personal data of any person under 16 without the prior explicit consent of that person's parent or guardian. If jaluru becomes aware that data relating to an under-16 has been processed without appropriate consent, it will take reasonable steps to delete that data.

13. Cookies and Tracking

The jaluru web application uses only strictly necessary session cookies required for authentication and secure access to the Platform. We do not use tracking, advertising, or analytics cookies that process personal data without consent.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Where we make material changes we will notify the Customer by email at least 30 days before the changes take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

The "Last updated" date at the top of this page reflects the most recent revision.

15. Contact Us

If you have any questions about this Privacy Policy, wish to exercise a data subject right, or wish to raise a data protection concern, please contact us:

Jaluru Trust
6 Scarborough Ct., Terrigal, NSW 2260, Australia
ABN 18 596 203 312
Email: privacy@jaluru.com

For UK GDPR matters you may also contact the UK Information Commissioner's Office: ico.org.uk / 0303 123 1113.