1. Introduction
Captivo Labs (“we,” “us,” or “our”) operates middleware software that connects RingCentral telephony with legal practice management software. This Privacy Policy explains how we collect, use, store, and protect information when you use our RingCentral App Connect integrations (“the Service”). We are committed to handling your information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). If you have questions about this policy, please contact us at privacy@captivolabs.com.2. Who This Policy Applies To
This policy applies to:- Users — individuals who install and use the Service (lawyers, paralegals, and other legal professionals)
- Firms — law firms and legal practices whose staff use the Service
3. Information We Collect
3.1 Information you provide directly
When connecting the Service to your accounts, we collect:- Your name and email address as provided by your practice management software
- Your RingCentral account and extension identifiers
- Authentication credentials (OAuth tokens) for RingCentral and your practice management software — stored encrypted, never stored as plaintext
3.2 Information collected automatically through the Service
When the Service is active, we process the following in order to provide its core functionality:- Call metadata — phone numbers, call direction (inbound/outbound), call duration, call timestamps, and call outcome
- Call recordings — recording URLs provided by RingCentral, and optionally the recording files themselves if your configuration stores them
- AI-generated content — call transcripts and summaries generated by RingCentral’s RingSense feature, where your RingCentral account is licensed for this
- Contact information — names, phone numbers, and matter/case identifiers retrieved from your practice management software in the course of matching calls to contacts
- Call notes — notes entered by users during or after calls
- Activity log identifiers — identifiers of activity records created in your practice management software
3.3 Information we do not collect
We do not collect:- The content of calls (audio) beyond what is stored in your RingCentral account
- Financial information — payment processing is handled entirely by Stripe and we do not see or store card details
- Information about your clients beyond what is necessary to match calls to contact records in your practice management software
4. How We Use Your Information
We use the information we collect solely to provide and improve the Service. Specifically: 4.1 Providing the Service- Matching inbound and outbound calls to contact records in your practice management software
- Creating and updating call activity logs in your practice management software
- Storing call notes, recordings, and AI summaries against the correct matter file
- Authenticating your accounts with RingCentral and your practice management software
- Managing your firm’s subscription and billing (via Stripe)
- Enforcing licence validity per user
- Responding to support requests
- Monitoring for unauthorised access or abnormal usage patterns
- Maintaining audit logs of system access
- Analysing aggregated, de-identified usage patterns to improve the Service
- Diagnosing and resolving technical issues
5. Legal Basis for Processing
We process your information on the following bases:- Contractual necessity — processing necessary to deliver the Service you have subscribed to
- Legitimate interests — security monitoring, fraud prevention, and service improvement, where these do not override your privacy interests
- Legal obligation — where we are required to process or retain information by Australian law
- Consent — where you have explicitly consented, such as enabling optional features
6. How We Store and Protect Your Information
6.1 Location All data is stored on servers located in Australia (Sydney region, AWS ap-southeast-2 and Supabase). We do not transfer your data outside of Australia without your explicit consent, except as described in Section 7 (Third Parties). 6.2 Security measures We implement the following security measures:- All authentication tokens are encrypted at rest using AES-256 encryption
- All data in transit is encrypted using TLS 1.2 or higher
- Database access is restricted to application services within a private network
- Access credentials are managed using secrets management services and are not stored in source code
- Access to production systems is restricted to authorised Captivo Labs personnel
- Active data is deleted within 30 days of termination request
- Backup data is purged within 90 days
- We may retain records required by law for longer periods where legally obligated to do so
7. Third Parties We Share Information With
We do not sell your data. We share information with third parties only to the extent necessary to provide the Service:| Third Party | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing and subscription management | Firm name, email, billing details | USA (covered by Stripe’s data processing agreement) |
| Supabase | Database hosting | All application data | Global |
| Fly.io | Application hosting | All application data processed in transit | Global |
| Cloudflare | Edge networking and DDoS protection | Request metadata | Global edge network |
| RingCentral | Telephony platform | Call metadata as required for the integration | As per RingCentral’s privacy policy |
| Your practice/contact management software (Filevine, Smokeball, etc) | Integration target | Call logs, contact lookups as required for the integration | As per each platform’s privacy policy |
8. Legal Professional Privilege and Confidentiality
We understand that law firms handle privileged and confidential client information. With respect to this:- We process client contact information and call metadata only to the extent necessary to match calls to matter files and log activities
- We do not analyse, mine, or use client information for any purpose beyond delivering the Service
- We do not disclose client information to third parties except as described in Section 7 or as required by law
- We recommend firms review their professional obligations under applicable legal profession rules before deploying the Service and satisfy themselves that use of the Service is consistent with those obligations
9. Your Rights
Under the Australian Privacy Principles, you have the right to: 9.1 Access your information You may request a copy of the personal information we hold about you. We will respond within 30 days. 9.2 Correct your information If information we hold about you is inaccurate or incomplete, you may request a correction. We will action corrections within 30 days. 9.3 Delete your information You may request deletion of your personal information. We will delete your data within 30 days, subject to any legal retention obligations. Note that deleting your information will require termination of your account. 9.4 Restrict processing You may request that we restrict processing of your information in certain circumstances, such as where you contest the accuracy of the information. 9.5 Data portability You may request an export of your data in a machine-readable format. To exercise any of these rights, please contact us at privacy@captivolabs.com. We may need to verify your identity before actioning requests.10. Cookies and Tracking
The Service operates as a server-side API and Chrome browser extension. We do not use cookies or tracking technologies for advertising or analytics purposes. Our documentation website may use minimal analytics to understand page traffic — this is governed by a separate cookie notice on that site.11. Children’s Privacy
The Service is intended for use by legal professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors.12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service with at least 14 days notice. The date at the top of this policy reflects when it was last updated. Continued use of the Service following notification of changes constitutes acceptance of the updated policy.13. Complaints
If you believe we have not handled your personal information in accordance with the Australian Privacy Principles, you may lodge a complaint with us at privacy@captivolabs.com. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.14. Contact
For any privacy-related questions or requests: Privacy Officer Captivo Labs Email: privacy@captivolabs.com Website: captivolabs.comA few things your lawyer should pay particular attention to:
- Section 8 (Legal Professional Privilege) — this is the most legally sensitive section for your market. Law firms have strict professional conduct rules around client confidentiality and many will want contractual assurances beyond a privacy policy. A lawyer-drafted data processing agreement (DPA) as a separate document is worth considering.
- The Privacy Act threshold — if Captivo Labs has fewer than 3 employees and under $3M turnover, you may not currently be covered by the Privacy Act. However, given you’re handling data for firms that almost certainly are covered, you’d be wise to comply anyway — and your lawyer can advise on whether any small business exemption applies or is worth relying on.
- Section 7 (Third Parties) — Cloudflare — Cloudflare’s global edge network means request data may transit servers outside Australia. Your lawyer should advise on whether this requires disclosure or consent under the APPs cross-border disclosure provisions.