CFive Pty Ltd (ABN 21 680 809 385) trades as CFive AI. We provide AI phone receptionist services to automotive dealerships in Australia and New Zealand.
Registered address: Suite 170, Waterman, Tenancy 111, Camberwell Place, 793 Burke Road, Camberwell VIC 3124, Australia.
Privacy queries: privacy@cfive.com.au
Privacy Officer: Nick Foord (nick.foord@cfive.com.au)
This policy is published at cfive.ai/legal/privacy.
CFive handles Personal Information from three distinct groups of people, in very different ways. This policy is structured accordingly.
Part A covers Dealership Staff. These are the employees and contractors of the dealerships that use our Service. Their data flows through our platform and CRM.
Part B covers Website Visitors. These are people who browse cfive.ai, submit a contact form, or interact with our website.
Part C covers Callers. These are members of the public who ring a dealership and reach our AI phone receptionist. They never signed a contract with CFive, which raises different privacy considerations from the other two groups.
Read the part that applies to you. If you are a dealership employee asking about a caller's data, read Part C.
In this policy, capitalised terms have the same meanings as in our Master Services Agreement (MSA), published at cfive.ai/legal/msa. Key terms: Authorised User, Caller, Customer, DMS, Order Form, Personal Information, Service, Service Usage Data, Sub-processor, Voice Content. 'Voice Content' refers to audio recordings and transcripts of calls handled by the Service.
Where practicable, you may interact with CFive anonymously or using a pseudonym, for example when browsing cfive.ai without submitting a form. Callers can withhold their caller ID at the network level (for example by dialling a calling-line-identification block prefix or using a privacy setting on their phone). In that case, the call is still answered, recorded, and transcribed, and any details the caller chooses to give during the call are still captured. What we will not have is a phone number tied to the call, which means we may not be able to retrieve the caller's vehicle history, follow up afterwards, or honour a later deletion request based on phone number alone.
This part applies to employees, contractors, and agents of a dealership Customer who access our Service, including the dashboard at app.cfive.ai, DMS integration features, and call reporting tools.
We collect the following categories of Personal Information about Authorised Users:
We also process dealership vehicle and customer information that passes through the Service via DMS integrations. That information belongs to the Customer under MSA section 7.1. We process it to operate the Service on the Customer's behalf; we do not use it for our own purposes beyond what is described in this policy.
We use Authorised User data for the following purposes:
The legal basis for most of this processing is contractual necessity: the Customer has agreed to our MSA, and providing the Service requires us to hold and use Authorised User data. Product improvement and security monitoring are carried out on the basis of our legitimate interests in running a reliable, secure service.
We share Authorised User data with the following categories of Sub-processors to deliver the Service:
The named Sub-processors, their locations, and their roles are listed at trust.cfive.ai/sub-processors, updated at least every 30 days.
We do not sell Authorised User data. We do not share it with third parties for their own marketing purposes.
We keep Authorised User data for the duration of the MSA Term for the relevant Customer, plus a 7-day backup retention window, plus any period required by law. On termination, we delete or de-identify Authorised User data within 30 days, as set out in MSA section 10.5. We may retain data longer if a legal hold is in place, for example during an active dispute or legal claim.
We take reasonable steps to keep personal information accurate, up to date, and complete. If you believe information we hold about you is inaccurate, you can request a correction as described below.
You have the right to:
To make a request, contact privacy@cfive.com.au. We will acknowledge within 5 business days and respond within 30 calendar days. If we cannot fulfil your request, we will explain why.
If you are not satisfied with our response, you can escalate to the OAIC (Australia) or the Privacy Commissioner (New Zealand).
This part applies to anyone who visits cfive.ai, submits a contact or demo request form, or interacts with tracking tools active on the site.
We collect the following categories of Personal Information from website visitors:
From contact and demo request forms: name, email address, phone number, company name, role, and the content of your message.
From cookies and tracking technologies: IP address, device type, browser, pages visited, time on site, referral source, and click behaviour.
The specific tracking tools active on cfive.ai are described in section B.4.
Contact form submissions are routed directly into GoHighLevel (LeadConnector), our CRM platform. That data is used for sales follow-up and demo scheduling.
We use website visitor data for the following purposes:
The legal basis for processing contact form submissions is a combination of contractual necessity (we need to respond to your request) and legitimate interests (following up on commercial enquiries). Analytics and marketing tracking are carried out on the basis of our legitimate interests in measuring how cfive.ai performs as a marketing channel and in promoting our services to a relevant audience of automotive dealership decision-makers. The specific tools we use, the data they process, and how to opt out are set out in section B.4 below.
We send marketing communications only with your prior consent, in compliance with the Spam Act 2003 (Cth). You can unsubscribe from email communications using the unsubscribe link in any email we send. You can opt out of SMS messages by replying STOP.
The following tools are active on cfive.ai as of the date of this policy:
No LinkedIn Insight Tag or Hotjar is active on this site.
You can manage cookie preferences through your browser settings at any time. Disabling analytics and marketing cookies will not affect your ability to use the site.
Contact form and demo request data is kept for up to two years for sales follow-up, consistent with the Spam Act 2003 (Cth). Analytics and tracking data is retained according to the default retention settings of the relevant third-party tool (typically 24 months for GA4 and 90 days for Meta Pixel).
If you unsubscribe or request deletion, we will remove your details from our CRM promptly.
You have the right to access, correct, or request deletion of Personal Information we hold about you as a website visitor. Contact privacy@cfive.com.au. We will respond within 30 calendar days.
You can also manage cookie preferences directly through your browser or through Meta's and Google's own preference centres.
This part applies to anyone who rings a dealership that uses our Service and is connected to our AI phone receptionist. You may not have known, before the call, that the dealership uses CFive. This section explains what we collect, why, and what rights you have.
When you call a dealership that uses our Service, we collect:
Callers may volunteer sensitive personal information during a call, such as payment card details, health information, or government identifiers. The Service does not solicit this information and is not designed to receive it. CFive recommends that callers do not provide payment details over the phone, even if asked. Where sensitive information is captured in a transcript, callers can request its deletion at privacy@cfive.com.au by providing the phone number used to make the call. CFive is working on automated redaction of sensitive information from transcripts as part of ongoing service improvements.
We process caller data for the following purposes:
The primary legal basis for processing caller data is legitimate interests. The dealership has a legitimate interest in handling customer calls. You, as the caller, have a legitimate interest in achieving the purpose of your call, whether that is booking an appointment, making an enquiry, being transferred to a department, or getting information from the dealership. Processing your data is necessary to deliver that service.
Continuing the call also establishes the contractual relationship with the dealership for that service transaction, which provides an additional legal basis for the core processing.
We are required under APP 5 and applicable state surveillance device laws to notify you that a call is being recorded before the recording starts.
At the start of every call, our virtual assistant identifies itself as an automated or AI assistant. The exact phrasing varies (for example, "Hi, I'm [name], the AI receptionist for [Dealer]" or "I'm your virtual assistant from [Dealer]") and we adjust it over time as we optimise the experience. The substance of the disclosure, that you are speaking with an AI rather than a human, is consistent across all CFive-handled calls.
The dealership's IVR system also plays a notification before the call reaches our virtual assistant. CFive recommends the following IVR script: "This call may be recorded for quality and training purposes." CFive requires each Customer to maintain this IVR notification under MSA section 10.2.
The Customer is responsible for the continued operation of the IVR notification. Where the Customer removes or modifies the notification without CFive's knowledge, that is a breach of the Customer's obligations under the MSA. CFive takes reasonable steps to verify the IVR notification is in place at onboarding and at renewal, but does not monitor the dealership's phone system in real time.
The dealership is the entity responsible for caller Personal Information under the Privacy Act 1988 (Cth) and equivalent New Zealand legislation. CFive processes caller data on the dealership's behalf, under MSA section 10.2.
All call content, transcripts, and metadata are made available to the dealership through the dashboard at app.cfive.ai. The dealership's staff use this information to manage bookings and enquiries across departments, follow up with customers, and review AI performance.
CFive also processes caller data through the following categories of Sub-processors:
Named Sub-processors and their locations are listed at trust.cfive.ai/sub-processors.
We do not use Voice Content to develop, train, or fine-tune AI models unless: (a) the dealership has given prior written consent for the use of its calls for that purpose, and (b) any prior written consent required under CFive's upstream integration agreement with the relevant DMS provider has been obtained.
As of the date of this policy, calls processed through certain DMS integrations are excluded from any model training pipeline pending the required DMS provider consents. If you have questions about whether a specific call was used for model training, contact privacy@cfive.com.au.
Default retention for call audio, transcripts, caller contact data, and metadata is 30 days from the date of the call. Dealerships may configure longer or shorter retention periods through their service agreement with CFive.
Where a legal hold applies, for example if a booking is disputed or a legal claim is made, we may retain relevant call records beyond the standard retention period.
If you provide your phone number when making a deletion request, we can identify and delete your call records. Where a phone number matches more than one call record, we will identify all matching records and confirm with you before deleting. See section 6 for how to make a request.
Because the dealership is the entity responsible for caller Personal Information, your first point of contact for access, correction, or deletion requests is the dealership itself.
You can also contact CFive directly at privacy@cfive.com.au. If you provide your phone number, we can identify your call records and respond to your request within 30 calendar days.
We process Personal Information in multiple countries. The primary locations are:
Call audio and transcripts may transit through US-based infrastructure during processing.
CFive takes reasonable steps to require all overseas Sub-processors to handle Personal Information in a way consistent with the Australian Privacy Principles and, for New Zealand customers and callers, the New Zealand Information Privacy Principles. These steps include contractual safeguards covering confidentiality, security, breach notification, and restrictions on use. See MSA section 10.3 for the full description.
By using our Service or submitting a contact or demo request form, you acknowledge that your Personal Information may be processed in these countries as described in this policy.
The full Sub-processor list, including locations, is at trust.cfive.ai/sub-processors.
Where an overseas Sub-processor fails to meet these privacy standards, CFive remains responsible to the Customer for that failure under MSA section 9.4.
We apply technical and organisational measures appropriate to the risks of processing the Personal Information we hold. These include encryption at rest (AES-256), encryption in transit (TLS 1.2 or higher), multi-factor authentication for staff access, access controls limiting data access to those who need it, activity logging and anomaly monitoring, and regular vulnerability testing.
Our security documentation is at trust.cfive.ai. Our first external penetration test is scheduled for May 2026, conducted by Silverse via our compliance partner Ciphrix.
CFive imposes equivalent security obligations on all Sub-processors under MSA section 9.4.
No security measure is perfect. If we become aware of a breach affecting your Personal Information, we will notify you as described in section 8.
| Data category | Default retention | Deletion or control mechanism |
|---|---|---|
| Dealership staff account data | Duration of MSA Term | 30 days after termination or on written request |
| Call audio and transcripts | 30 days from date of call (configurable per dealership) | On written request from the caller, on termination of the dealership's MSA (subject to upstream DMS deletion windows), or earlier where required by an upstream DMS integration agreement |
| Caller contact data (name, phone, vehicle, booking details) | 30 days from date of call (configurable per dealership) | Same as above |
| Call metadata | 30 days from date of call (configurable per dealership) | Same as above |
| Website contact form data | 2 years | On unsubscribe or written request |
| Analytics and tracking data | 24 months (GA4 default), 90 days (Meta Pixel default) | Managed via third-party platform settings; opt out via browser or platform |
All retention is subject to legal holds as described in MSA section 10.5. DMS-sourced data must be deleted within 30 days of termination of the relevant upstream DMS integration, consistent with CFive's obligations to its DMS providers under MSA section 7.6.
Under the Australian Privacy Act 1988 (Cth), you have the right to:
To make a request, contact privacy@cfive.com.au. Include your name and, for caller requests, your phone number so we can identify your records. We will acknowledge your request within 5 business days and respond within 30 calendar days.
We may decline a request where the law requires or permits us to, for example where a legal hold applies or where responding would unreasonably affect the privacy of another person. If we decline, we will explain why.
If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au/privacy/privacy-complaints or by calling 1300 363 992. New Zealand residents can complain to the Privacy Commissioner at privacy.org.nz or by calling 0800 803 909.
For caller access requests: because the dealership is the entity responsible for caller Personal Information, you may find it faster to contact the dealership directly. CFive will also respond to requests made directly to us.
For individuals in New Zealand, the Privacy Act 2020 (NZ) applies in addition to the Australian Privacy Act 1988 (Cth).
CFive appoints a Privacy Officer for New Zealand purposes. Contact: Nick Foord, nick.foord@cfive.com.au.
Your rights under the New Zealand Privacy Act 2020 include the right to request access to and correction of your Personal Information, and the right to request deletion where applicable. To exercise these rights, contact nick.foord@cfive.com.au.
Cross-border transfers of New Zealand residents' data are subject to the New Zealand Information Privacy Principles. CFive requires overseas Sub-processors to maintain equivalent privacy protections through contractual data processing agreements. A copy of CFive's transfer documentation is available on request.
For New Zealand dealership customers, CFive obtains explicit consent from the Customer before using call data for product improvement purposes. New Zealand customers may withdraw this consent at any time by contacting privacy@cfive.com.au.
If you have a complaint that CFive has not resolved to your satisfaction, you can contact the Privacy Commissioner at privacy.org.nz or 0800 803 909.
If CFive becomes aware of a Security Incident affecting Personal Information, we will notify the affected dealership Customer within 72 hours of becoming aware, as required by MSA section 17.1. Our notification will describe the nature of the incident, the categories of data affected, the steps we are taking to contain it, and a contact for further information.
Where a security incident amounts to an Eligible Data Breach under the Privacy Act 1988 (Cth), CFive will assess the incident, and where notification is required by the Notifiable Data Breaches scheme, notify the OAIC and affected individuals (or their dealership where direct contact details are not held) as soon as practicable in accordance with the scheme.
For New Zealand data subjects, CFive will notify the New Zealand Privacy Commissioner within 72 hours of becoming aware of a qualifying breach involving New Zealand data subjects. Notification to affected individuals may flow through the dealership where CFive does not hold direct contact details beyond the caller's phone number.
Our Service is not directed at individuals under the age of 16. We do not knowingly collect Personal Information from children under 16. If we become aware that a child under 16 has provided us with Personal Information, we will delete it within 30 days.
If you are a parent or guardian and believe your child has provided Personal Information to CFive, contact privacy@cfive.com.au.
If we receive Personal Information we did not actively collect, for example, if someone includes a third party's details in a contact form, we will assess whether the information is relevant to our purposes. If it is not, we will delete it promptly.
We do not collect government identifiers, such as tax file numbers, driver's licence numbers, or Medicare numbers, unless required to do so by law, for example for identity verification in a legal dispute.
We may update this policy from time to time. Material changes will be notified to dealership Customers by email at least 30 days before taking effect. The current version of this policy is always at cfive.ai/legal/privacy.
Non-material changes, such as correcting a typo or updating a sub-processor location, take effect on the date posted.
For all privacy queries: privacy@cfive.com.au
CFive Pty Ltd
Suite 170, Waterman, Tenancy 111, Camberwell Place
793 Burke Road, Camberwell VIC 3124
Australia
We will respond to privacy requests within 30 calendar days.
Never Miss a Call. Never Miss a Sale.
Our AI Receptionists help automotive dealerships across Australasia capture every call - booking more services and selling more cars.
