Norwood Systems – Global Privacy Notice

 

Updated – 11 December 2025

 

1. Who we are

This Privacy Notice explains how Norwood Systems (Aust) Pty Ltd (ACN 149 094 039) and its affiliates (“Norwood Systems”, “Norwood”, “we”, “us”, “our”) collect, use, disclose and protect information about individuals in connection with:

  • Our websites, including norwoodsystems.com, worldphone.io, and other websites that link to this Notice.

  • Our cloud platforms and AI voice services, including OpenSpan™ and related AI media services. 

  • Our CogVoice™ applications and services, including CogVoice Call Protect™, CogVoice Jobs Agent™, CogVoice SME Assistant™ and other CogVoice applications that link to this Notice. 

  • Our World family of consumer and small‑business apps, including World Phone, World Message, World Secure, World Wi‑Fi and, where still offered, World Voicemail (together, the “World apps”). Most World apps are currently in maintenance mode, which means they continue to function but receive limited new features.

We are headquartered in Western Australia and listed on the Australian Securities Exchange (ASX: NOR). For the purposes of the Australian Privacy Act 1988 (Cth), we are an “APP entity”. For users in the European Economic Area (EEA), the United Kingdom (UK) or Switzerland, we are a “controller” of your personal data for most processing described in this Notice.

In some situations – for example, when we provide services to a communications service provider (CSP) or enterprise who controls end‑user data – Norwood acts as a processor / service provider and processes personal information only on that customer’s instructions. In those cases, the customer’s privacy notice will prevail where it conflicts with this one.

 

2. Scope and relationship with contracts

This Privacy Notice applies to:

  • Visitors to our websites.

  • Individuals who sign up for or use our direct‑to‑business services (for example, a small business using CogVoice SME Assistant, Jobs Agent, or World apps).

  • End users whose communications or metadata are processed by our platforms, where we act as a controller.

If you (or your employer or your service provider) have a Master Services Agreement (MSA) or other contract with Norwood that includes privacy or data protection terms, those terms will govern where there is a conflict with this Notice.

Individual products (for example, certain World apps) may also present product‑specific privacy notices. If there is a conflict between this Privacy Notice and a product‑specific notice, that product‑specific notice will usually apply for that product.

 

3. Key definitions

  • Customer – An organisation or individual that has a contract with Norwood for our services (e.g. CSPs, enterprises, SMEs, or individual World app subscribers).

  • User – An individual who uses our services under a Customer’s account (for example, an employee using CogVoice Jobs Agent or an SME’s staff using CogVoice SME Assistant or World apps).

  • End Caller / Counterparty – A person who calls or is called via a telephone number or communication channel that uses our services.

  • Personal Information / Personal Data – Any information that identifies or can reasonably identify an individual, directly or indirectly (including “personal information” under the Australian Privacy Act and “personal data” under GDPR / UK GDPR).

  • Services – The websites, platforms, APIs and applications we operate, including OpenSpan, CogVoice services and the World apps.

 

4. Our services and AI features (high level)

Norwood provides:

  • OpenSpan™ – a scalable AI media services platform deployed in CSP and cloud environments, which processes voice and other media to enable inline AI and analytics. 

  • CogVoice Call Protect™ – AI‑enhanced call protection that monitors call media and metadata in real time to detect patterns associated with scams or fraud and to warn or block where appropriate. 

  • CogVoice Jobs Agent™ – an AI assistant that handles inbound and outbound calls and messages relating to job postings, candidate screening and similar use cases (network‑based and phone app‑based). 

  • CogVoice SME Assistant™ – an AI answering and routing service for small and medium businesses (SMEs) that can greet callers, take messages, make bookings and route calls to staff, 24/7. 

  • World apps – consumer and SME‑oriented apps that provide features such as:

    • Alternative local and international calling (World Phone®);

    • Voicemail and call handling (e.g. World Voicemail™ where available);

    • Secure or Wi‑Fi‑optimised calling and messaging (World Secure™, World Wi‑Fi™, World Message™).

These services typically integrate with CSP networks and/or run on cloud infrastructure (for example, Microsoft Azure), and may use third‑party AI models (such as Azure OpenAI services) under strict contractual and technical controls. 

 

5. Information we collect

5.1 Information you provide directly

We collect information you provide to us, for example when you:

  • Register for an account, start a trial or sign a contract.

  • Install or sign into a World app, CogVoice app, or web management portal.

  • Configure a CogVoice or World service (e.g. SME Assistant call flows, Jobs Agent scripts, forwarding rules in a World app).

  • Contact us for support, sales or general enquiries.

  • Participate in demos, pilots, proof‑of‑concepts or events.

This may include:

  • Identification and contact details – name, employer, role, email address, phone number, postal address.

  • Account details – username, authentication credentials, profile settings, usage preferences.

  • Business information – company name, vertical, size, billing and invoice details.

  • Configuration data – business hours, routing preferences, scripts/prompts, job descriptions, call handling rules, voicemail greetings, call forwarding rules in World apps.

  • Contact and device access permissions in World apps – for example, your phone’s contact list (to show caller names) or microphone access (for calls).

  • Content you send us – support tickets, feedback, surveys, or documents you upload or send to us.

5.2 Communications content and media

When our services are used in a call or session, we may process:

  • Call audio and media – voices and sounds from incoming and outgoing calls, voicemails, prompts, interactive voice sessions or in‑app calls that pass through OpenSpan, CogVoice services or World apps.

  • Transcripts and derived text – transcriptions, summaries, classifications, translations and other derived text generated by AI models from call audio or voicemail.

  • Caller input – keypad responses (DTMF tones), spoken commands, chat input, and selections made during automated flows (for example, within SME Assistant or Jobs Agent).

In many deployments this processing occurs inline, in real time, as part of the call path.

5.3 Network and usage metadata

We also collect data generated when our services are used, including:

  • Call metadata – calling and called numbers, call start / end times, call duration, routing information, signalling logs (SIP, RTP), quality metrics (jitter, packet loss).

  • Device and connection data – IP addresses, user agent strings, device identifiers, operating system details, network and carrier information.

  • Service usage logs – feature usage, API calls, configuration changes, login timestamps, error logs.

  • Security and fraud indicators – anomalous traffic patterns, repeated failures, suspected abuse markers.

For most of our CSP‑hosted deployments, detailed telecom logs and call records are kept within the CSP’s tenant, and Norwood does not maintain a separate long‑term telecom log store, except where specifically required by a CSP customer.

5.4 Website and cookie data

When you visit our websites or use our web interfaces, we automatically collect:

  • Log data – IP address, browser type, web pages visited, timestamps, referring/exit pages.

  • Cookie and similar technology data – see Section 11 (Cookies and tracking technologies).

5.5 Information from third parties

We may receive information about you from:

  • Customers (e.g. your employer, SME, or CSP) who provision you as a user or route calls to our services.

  • Carriers, CSPs and telecom partners who provide us with call routing and metadata information.

  • Identity, anti‑fraud and analytics providers.

  • Public sources – such as public business listings or public corporate websites, where we need business contact details.

6. How we use personal information

We use personal information for the following purposes:

  1. To provide and operate our services

    • Establish and manage accounts for CogVoice, World apps and other services.

    • Route, process and deliver calls and related communications.

    • Provide AI voice features (transcription, summarisation, translation, call handling, and similar).

    • Provide call functionality, voicemail and messaging capabilities in the World apps.

    • Generate logs and records to provide service visibility to Customers.

  2. To enable AI‑powered functionalities

    • Operate AI agents and assistants (e.g. CogVoice SME Assistant, Jobs Agent) that interact with callers.

    • Analyse call content and metadata to detect patterns indicative of fraud or scam calls (e.g. CogVoice Call Protect).

    • Provide analytics and reports to Customers about their usage and service performance.

  3. To secure our services and networks

    • Detect, investigate and prevent fraud, scams, abuse and security incidents.

    • Protect callers and Customers from malicious or unlawful activity.

    • Respond to and mitigate incidents, and maintain logs required for forensic analysis.

  4. To support and improve the services

    • Diagnose technical issues and improve reliability, performance and scalability.

    • Develop new features and enhancements based on aggregate usage patterns and feedback.

    • Run A/B tests and controlled experiments (where permitted).

  5. To comply with law and enforce our rights

    • Comply with applicable laws and assist our CSP and enterprise Customers in complying with theirs (including telecom, tax, accounting and security obligations).

    • Respond to lawful requests, court orders and lawful assistance obligations (where applicable).

    • Enforce contractual terms, acceptable use policies and protect our legal interests.

  6. To communicate with you

    • Send service and transactional messages (e.g. security alerts, outage notices, updates to terms or policies).

    • Provide customer support and respond to inquiries.

    • Send marketing communications where permitted by law (you can opt out at any time).

  7. For other purposes with your consent

    • Any other use we explain at the time of collection and for which you consent.

     

7. AI, machine learning and automated decisions

7.1 How our AI features work

Our AI features may:

  • Transcribe and analyse call audio to understand caller intent.

  • Generate responses, prompts and summaries.

  • Classify calls (for example, as likely scam, spam, sales enquiry, support request, job application).

  • Route calls or messages to specific queues, people or voicemail based on configured rules and AI inferences.

  • Detect behaviour consistent with fraud or scams and present warnings to callers.

These features are used across OpenSpan, CogVoice services and, in some cases, World apps (for example, voicemail transcription or spam detection where supported).

7.2 Training and improvement of AI models

We use different types of models:

  • Service‑specific models – models configured for a particular Customer (for example, a specific SME’s call flows or vocabularies).

  • Platform models – models used across multiple Customers (for example, generic language understanding or fraud detection patterns).

To minimise privacy risk and cross‑customer contamination:

  • We do not use your call content or voicemails to train third‑party foundation AI models for their own purposes.

  • For platform improvement, we primarily rely on aggregated, de‑identified or synthetic data and high‑level metadata. Where we need to review real call snippets (for example, to tune SME Assistant behaviour or fraud detection logic), we:

    • Limit access to authorised staff under strict confidentiality.

    • Apply minimisation and redaction where reasonably possible.

    • Use data only for Norwood’s internal improvement purposes, not for unrelated third‑party services.

(If your contract with us contains more restrictive terms, those contractual terms will apply.)

7.3 Automated decision‑making that may affect you

Some features involve automated decision‑making (“ADM”), meaning that a system uses personal information to make decisions without (or before) human review. Examples include:

  • Call Protect automatically evaluating calls against fraud/scam patterns and deciding whether to flag or block the call or present a warning to the caller. 

  • Job screening flows in Jobs Agent that automatically answer, route or qualify candidates based on their responses and configured rules. 

  • SME Assistant and some World app features routing calls, booking appointments or taking messages based on AI understanding of caller intent. 

Where these decisions significantly affect your rights or interests (for example, blocking calls that you might otherwise receive), we:

  • Design systems to reduce bias and false positives as far as reasonably possible.

  • Provide configuration options for Customers (e.g. what risk thresholds should trigger blocks or warnings).

  • Allow Customers to override decisions or review logs and outcomes.

If you are in a jurisdiction that grants specific rights regarding automated decision‑making (for example, the EU/UK and, in future, Australia under new ADM rules), you may have the right to:

  • Obtain meaningful information about the logic involved;

  • Request human review of certain decisions;

  • Contest outcomes in certain circumstances.

See Section 13 (Your rights and choices) for more detail.

 

8. Legal bases for processing (EEA/UK only)

For individuals in the EEA/UK, we must identify our legal bases under GDPR / UK GDPR. We typically rely on:

  • Performance of a contract – where processing is necessary to provide our services (e.g. routing calls, operating AI assistants, running World apps).

  • Legitimate interests – for:

    • Securing our networks and services.

    • Preventing fraud and abuse.

    • Improving our services in a proportionate way that respects your rights.

    • Direct marketing to business contacts (where permitted).

  • Consent – where required by law (for example, certain marketing communications or cookies).

  • Legal obligation – where processing is necessary to comply with applicable laws (including telecom, tax, data retention where applicable, and accounting).

Where we rely on legitimate interests, we balance those interests against your privacy rights and will not rely on this basis where the impact on you is disproportionate.

 

9. How we share personal information

We do not sell personal information for money.

We may share personal information with:

  1. Customers (your organisation or CSP)

    • We share logs, analytics and call outcomes with the Customer that controls the relevant account (e.g. SME, CSP, enterprise), in line with our contract.

  2. Service providers and subprocessors

    • Cloud hosting providers (e.g. Microsoft Azure).

    • AI infrastructure and tooling providers (e.g. Azure OpenAI services or similar).

    • Telecom carriers and routing partners (including for World apps).

    • Payment processors and billing providers.

    • Security, logging, monitoring and analytics providers.

    • Professional advisors (lawyers, auditors).

    These providers may only process personal information on our instructions and must implement appropriate safeguards.

  3. Telecom carriers and CSP partners

    • To route calls, deliver messages and comply with telecoms obligations, we exchange metadata and routing information with carriers and CSPs. In many CSP deployments, long‑term call records and telecom logs are retained by the CSP in its own tenant, not by Norwood.

  4. Corporate transactions

    • In connection with any merger, sale of assets, financing, acquisition or reorganisation, we may disclose information as part of standard due diligence and transfer processes, subject to confidentiality.

  5. Legal and safety

    • To comply with laws, regulations, court orders and lawful requests from authorities, including law enforcement and national security bodies where applicable.

    • To protect the rights, property, security or safety of Norwood, our Customers, users or the public.

Where required by law (e.g. some US jurisdictions), we treat certain types of targeted advertising or cross‑context behavioural advertising as a “share” of personal information and provide opt‑out mechanisms – see Section 13.3.

 

10. International transfers

We operate globally. Personal information may be stored and processed in:

  • Australia;

  • Other countries where our CSP Customers operate;

  • Countries where our service providers maintain data centres (for example, cloud regions in the EU, UK, US or Asia).

When transferring personal data internationally, we implement appropriate safeguards, which may include:

  • Contractual protections consistent with Australian Privacy Principle 8.

  • For EEA/UK transfers, Standard Contractual Clauses and, where applicable, additional safeguards.

  • Ensuring that service providers are subject to robust security and privacy obligations.

 

11. Cookies and tracking technologies

We use cookies and similar technologies (such as pixels, SDKs and local storage) on our websites, web apps and, where applicable, in the World apps to:

  • Run the site and keep you logged in (strictly necessary).

  • Understand usage and performance (analytics).

  • Remember your preferences (functional).

  • Support our marketing and measure campaign effectiveness (where permitted).

You can:

  • Manage cookie preferences via our on‑site cookie banner or settings (where available).

  • Configure your browser to block or delete cookies – however, some features may not work without essential cookies.

  • Opt out of certain third‑party analytics or advertising cookies via the providers’ own tools, where offered.

For more detail, see our separate Cookie Policy (where published) or contact us using the details in Section 17.

 

12. Data retention

We keep personal information only for as long as necessary for the purposes described in this Notice or as required by law. Retention periods vary by category:

  • Call content (audio) and transcripts

    • For Norwood‑hosted SME / CogVoice and World app services, we generally retain call content and transcripts for up to 24 months from the date of the communication, unless the Customer configures a shorter period or deletes the content earlier (for example, by deleting a voicemail).

    • For CSP‑hosted deployments where content is stored in the CSP’s tenant, retention is determined by the CSP and/or the enterprise Customer.

  • Telecom metadata and logs

    • Where we control retention (for example, in our own OTT / trial environments, SME‑facing services and World apps), we typically retain detailed telecom logs for no more than 30 days from the date of the communication for security, troubleshooting and capacity planning, and may retain aggregated or de‑identified metrics for up to 12 months.

    • For CSP‑hosted deployments, long‑term telecom logs and call records are stored in the CSP’s environment; Norwood does not maintain separate long‑term telecom logs, except where a specific CSP customer instructs us to do so. In those cases, retention is governed by the CSP’s or enterprise customer’s requirements and local law.

  • Account and billing records

    • We typically retain account, invoicing and payment records for 7 years after account closure to comply with tax, accounting and legal requirements.

  • Marketing and prospect data

    • We typically retain business contact and marketing data for up to 3 years after the last meaningful interaction, or until you opt out, whichever is earlier.

When information is no longer required, we take steps to irreversibly de‑identify or securely delete it.

 

13. Your rights and choices

Your rights depend on where you live. In all cases, you can:

  • Ask us whether we hold personal information about you.

  • Request access to the personal information we hold about you.

  • Ask us to correct inaccurate or incomplete information.

  • Object to certain direct marketing.

We may need to verify your identity before responding and may not be able to fulfil a request where we are legally required to keep information (for example, billing records or CSP‑mandated telecom logs) or where your request would unreasonably impact others’ privacy.

 

13.1 Australia

Under the Australian Privacy Act 1988 you generally have the right to:

  • Request access to your personal information.

  • Request corrections if your personal information is inaccurate, out‑of‑date, incomplete, irrelevant or misleading.

  • Make a complaint if you believe we have breached the Australian Privacy Principles.

See Section 17 for how to contact us and the Office of the Australian Information Commissioner (OAIC).

 

13.2 EEA/UK/Switzerland

If you are in the EEA, UK or Switzerland, you may have the following rights under GDPR / UK GDPR:

  • Right of access.

  • Right to rectification.

  • Right to erasure (in certain circumstances).

  • Right to restriction of processing.

  • Right to data portability.

  • Right to object to processing based on legitimate interests, including profiling.

  • Right to object to direct marketing at any time.

  • Rights related to automated decision‑making and profiling where such decisions produce legal or similarly significant effects.

You also have the right to lodge a complaint with your local data protection authority.

 

13.3 California and other US states with privacy laws

If you are a resident of California or another US state with a comprehensive privacy law, you may have rights to:

  • Request that we disclose the categories and specific pieces of personal information we have collected about you.

  • Request deletion of personal information we hold about you (subject to exceptions).

  • Request correction of inaccurate personal information.

  • Opt out of the “sale” or “sharing” of personal information where those terms apply to our use of analytics or advertising technologies.

  • Limit the use and disclosure of “sensitive” personal information, where applicable.

We will not discriminate against you for exercising these rights.

To exercise these rights, contact us using the details in Section 17 and specify that you are making a request under your state privacy law. Where we rely on a Customer (for example, your CSP or employer) as controller, we may redirect your request to them.

 

13.4 Exercising your rights

To exercise any of these rights:

  • Email us at privacy@norwoodsystems.com or support@norwoodsystems.com, or

  • Write to us at the postal address in Section 17.

Where we act as a processor / service provider on behalf of a Customer, we may direct you to contact that Customer directly, and will support them in responding to your request.

 

14. Children and minors

Our Services, including the World apps, are primarily designed for business and adult consumer use and are not intended for children under the age of 16.

We do not knowingly collect personal information directly from children under 16, except where:

  • A CSP or enterprise Customer uses our Services in a context that involves minors (for example, calls placed to a school or family line), and

  • The Customer is responsible for having an appropriate lawful basis and providing notices to the relevant individuals or guardians.

If you believe a child has provided personal information to us contrary to this section, please contact us and we will take appropriate steps, including deletion where required.

 

15. Security

We use technical and organisational measures designed to protect personal information from loss, misuse and unauthorised access, disclosure, alteration and destruction, including:

  • Encryption in transit and at rest for personal information under our control.

  • Network and application security measures consistent with telecom and cloud industry practices.

  • Access controls, logging and monitoring.

  • Regular security testing, including independent penetration testing and vulnerability assessments.

  • Vendor due diligence and security requirements for our subprocessors.

Despite these measures, no system can be guaranteed to be 100% secure. If we become aware of a security incident that materially affects your personal information, we will notify you and/or the relevant Customer and regulators as required by law.

16. Changes to this Privacy Notice

We may update this Privacy Notice from time to time. When we do, we will:

  • Change the “Last updated” date at the top of this page; and

  • Take additional steps where required by law (for example, providing prominent notice of material changes or seeking consent where necessary).

Your continued use of the Services after the effective date of an updated Notice will indicate that you have read and understood the changes.

 

17. How to contact us and complaints

 

Norwood Systems Pty Ltd

4 Leura Street

Nedlands WA 6009

Australia

Email: support@norwoodsystems.com

Privacy queries: privacy@norwoodsystems.com

 

Complaints – Australia

If you have concerns about how we handle your personal information, please contact us first. We will respond as soon as reasonably practicable and usually within 30 days.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

  • Website: oaic.gov.au

  • Phone (within Australia): 1300 363 992

Complaints – EEA/UK and other regions

If you are in the EEA/UK, you also have the right to lodge a complaint with your local data protection authority. We can help you identify the appropriate authority if needed.

 

— End of Norwood Systems –  Global Privacy Notice —