1. Who we are and what this policy covers
158 Lab (Flexmore Pty Ltd T/A 158 Lab, ABN 44 139 542 724) is an Australian AI consulting business based in Hobart, Tasmania. We help businesses use AI in ways that are practical, secure, and human.
This policy covers the personal information we collect through our public website at 158lab.com.au and its subdomains. It explains what we collect, why, how long we keep it, who we share it with, and the rights you have over your information.
If we promote your enquiry into our internal CRM or you become a client, that ongoing relationship is governed by your services agreement with us. This policy continues to govern the website data; the agreement governs the engagement data.
This policy does not cover information about people whose details a client has uploaded into a system we built for that client — in those cases the client is the data controller, not us, and you should refer to the client's privacy policy.
If you'd like to know how we handle your information in a specific consulting engagement, ask us directly.
2. What we collect, and why
We collect the minimum information needed to run the website, respond to enquiries, and prevent abuse. We do not sell, rent, or trade personal information. Ever.
2.1 Newsletter signups (/newsletter)
When you subscribe to our newsletter we record:
| What | Why | Legal basis (APP) |
|---|---|---|
| Email address | To send the newsletter you asked for, and the double opt-in confirmation email | APP 3.2 — collection necessary for our function (delivering the newsletter you requested) |
| IP address | Abuse prevention — detecting and rate-limiting bulk signup attempts; subscribing someone else without their consent is itself a privacy harm we want to prevent | APP 3.2 — legitimate interest in security and abuse prevention; APP 6.2(c) — use to prevent unlawful activity |
| Browser user-agent string | Same purpose as the IP — distinguishing automated abuse from genuine signups | APP 3.2 / APP 6.2(c) |
| Confirmation timestamp + status | To prove you confirmed your subscription (the double opt-in audit trail), and to know when to stop sending if you unsubscribe or your address bounces | APP 3.2 — operational record |
2.2 Contact form (/contact)
When you submit the contact form we record:
| What | Why | Legal basis (APP) |
|---|---|---|
| Your name | So we know who we're replying to | APP 3.2 |
| Email address | So we can reply | APP 3.2 |
| Your message | So we know what you wrote and can respond appropriately | APP 3.2 |
| IP address | Abuse prevention — distinguishing real enquiries from automated spam, phishing, or pretexting attempts | APP 3.2 / APP 6.2(c) |
| Browser user-agent string | Same purpose as the IP | APP 3.2 / APP 6.2(c) |
| Submission timestamp | To know when you wrote and how quickly we replied | APP 3.2 |
Where it goes after submission
After your contact form is submitted, your message is processed by an internal automated triage workflow running on our own server in Hobart, Tasmania. This workflow uses a small AI model (Spark, a Gemma-class model running on local infrastructure — not a third-party AI API) to classify and prioritise the enquiry, and then creates a task in our internal HQ system so a human team member can respond.
The triage model runs entirely on our infrastructure. Contact form messages are not sent to any third-party AI provider. All classification and routing happens on the same server that hosts the website itself. (Note: this commitment is specific to the contact form. The voice assistant uses a different model — see §2.7 and §3.)
If your enquiry leads to an ongoing conversation (a lead, client, or partner relationship), your contact details may be promoted from the contact-form table into our internal CRM where they are governed by the same standards as any other CRM record.
2.3 Outgoing emails we send to you
When we send you an email (newsletter, confirmation, reply to a contact form, booking confirmation from Mia) we keep a record of:
- The email address we sent to
- The type of email (e.g. newsletter confirmation, contact reply, booking confirmation)
- The timestamp
- Delivery status from our email provider (delivered, bounced, marked as spam)
We keep this so we can investigate delivery problems, comply with anti-spam rules, and stop sending to addresses that have bounced or marked us as spam.
2.4 Website analytics (Plausible)
We use a self-hosted instance of Plausible Analytics running on our own server in Hobart to understand how the website is used (which pages are popular, where visitors come from, which devices they use).
Plausible is cookieless — we don't set any tracking cookies on your browser. We don't build a profile of you across sessions or sites. The data we see is aggregated visitor counts, not individual visitor histories.
What Plausible records for each pageview:
- The page URL you visited
- The site that referred you (if any)
- Your country (derived from IP, not stored)
- Your browser type and operating system family
- A short-lived hashed identifier that resets every 24 hours (used only to deduplicate the same visitor's pageviews within a single day)
We don't share this data with anyone.
2.5 Bot protection (Cloudflare Turnstile)
The newsletter signup and contact forms use Cloudflare Turnstile to distinguish humans from bots. Turnstile may collect interaction signals (mouse movement, browser characteristics) for the bot-detection check itself. We don't see this data — it's processed by Cloudflare and we only receive the pass/fail result.
Cloudflare's privacy practices are published at cloudflare.com/privacypolicy.
2.6 What we don't ask for, and won't keep if sent
Our forms only request the fields listed above. We don't ask for, and don't intentionally collect:
- Tracking cookies
- Cross-site behavioural data
- Marketing pixels (no Meta pixel, no Google Ads tags, no LinkedIn Insight Tag)
- Sensitive information as defined by APP 1.2 (health, racial, political, religious, sexual orientation, criminal record, biometric, genetic)
- Information from children (see §8)
The contact form's message field is free text, so a visitor could in principle include any of the above in a message. The voice assistant's audio capture is similar — you could mention sensitive information mid-conversation. If you do, we'll delete the sensitive content from our records as soon as we notice it (and definitely on request — see §6). We don't process such information for any purpose.
2.7 Voice Assistant — Mia (ElevenLabs)
Our website includes a voice assistant called Mia. Mia appears as a floating widget in the bottom-right corner of every public page. Mia is the primary way to book a discovery call with us — you click the widget, speak with Mia, and she helps schedule a follow-up.
Mia is not active until you click the widget. Until then, no audio is captured, no microphone is accessed, and no voice data is sent anywhere. Clicking the widget is your explicit consent (under APP 3.6) to start a voice interaction.
When you choose to interact with Mia, the following data is processed by ElevenLabs, our voice AI provider:
| What | Why | Where it goes |
|---|---|---|
| Your voice audio | So Mia can hear and understand you | Streamed to ElevenLabs' speech-to-text service |
| Conversation transcript (your speech as text + Mia's responses) | So Mia can hold a meaningful conversation and route your booking request | Processed by ElevenLabs' conversational AI; a copy is sent back to us so we know what you discussed and can follow up |
| Your IP address and browser fingerprint | Network necessity for the WebRTC voice connection | Visible to ElevenLabs as the connection origin |
| Session metadata (timestamp, conversation length, language) | Operational logging | Held by ElevenLabs and by us for follow-up |
Booking flow (when you ask Mia to book a call)
If during your conversation Mia identifies that you want to book a discovery call, she will collect your name, email address, and your preferred time, and use them to create a calendar event on our behalf. To do this, two additional services are involved:
| Service | What it receives | Why |
|---|---|---|
| Cal.com (calendar/scheduling, US-based) | Your name, email, preferred time, and a brief booking purpose | Creates the actual calendar event and reserves the time slot in our calendar |
| Resend (email delivery, US-based) | Your email address and the booking confirmation email body | Sends you a confirmation email with the meeting details |
Both Cal.com and Resend are invoked server-side via Mia as part of the booking flow — there is no Cal.com widget embedded on the website, and you don't need to leave the conversation. Both providers are listed in our processors table in §5 with their data-handling commitments.
Legal basis for the booking flow: APP 3.6 (consent — by asking Mia to book a call, you consent to the collection of your name, email, preferred time, and booking purpose for that purpose) and APP 6.1(a) (we then use and disclose those details to Cal.com and Resend for the primary purpose for which you provided them — completing the booking you asked for).
Important things to know
- ElevenLabs is a US-based AI company. Your voice audio and transcript are processed on their infrastructure. See §7 for cross-border details.
- We do not use voice biometrics, do not enrol your voice for identification, and do not retain your audio for any purpose beyond the immediate conversation. ElevenLabs' retention of audio data is governed by their published policy.
- We choose ElevenLabs partly because they publish a no-training-on-customer-data commitment for their conversational AI tier — see our universal AI commitments in §3.
- If you don't want to interact with Mia, simply don't click the widget. The contact form (§2.2) is a fully equivalent path that involves no third-party AI.
- If you start a conversation and change your mind, close the widget. We'll keep only what was already exchanged.
3. AI Processing & Your Data — universal commitments
This section sets out the standing commitments that apply to every AI capability on this website, current and future. Specific data flows are described in §2; this section describes the principles behind them.
3.1 Zero training, by default
We choose AI providers based partly on their data-handling commitments. Our standing rule:
- We do not opt our customer data into any AI provider's model-training programs.
- We use every AI provider under the most privacy-protective tier they offer for our use case.
- Where a provider offers a “no training on customer data” or “zero retention” mode, we use it.
This is a commitment about our choices, not a guarantee about a provider's internal practices — providers control their own systems. But where a provider has changed their training defaults in a way that would conflict with this commitment, we have changed providers.
3.2 Local-first for sensitive flows
Where the work can be done on our own infrastructure, we do it on our own infrastructure. The website's contact-form triage runs on a local AI model (Spark, a Gemma-class model) hosted on our own server in Hobart — no third-party AI provider sees those messages.
We use third-party AI only where the capability genuinely requires it. Today that's the voice assistant (§2.7), because high-quality conversational voice AI is not yet practical to self-host.
3.3 Capability-based disclosure
Each AI capability we add is disclosed in §2 with: what data flows where, what the third party (if any) does with it, what the legal basis is, and how to opt out. If we add a new AI capability, we will update this policy before enabling it and notify subscribers as a material change (per §11).
3.4 No automated decisions about you
We do not use AI to make decisions that have legal or significant effects on you (employment, credit, housing, etc.). The contact-form triage classifies enquiries into priority buckets but every reply is sent by a human. Mia helps you book a meeting but does not approve, deny, or alter your engagement with us — a human picks up from there.
3.5 Third-party AI providers we use today
| Provider | Capability | Data sent | User opt-out |
|---|---|---|---|
| ElevenLabs (US) | Voice assistant (Mia) — speech-to-text, conversational AI, text-to-speech | Voice audio, transcript, IP, session metadata (only when you click the widget) | Don't click the widget — use the contact form (§2.2) instead |
This list is the complete set of third-party AI providers as of the effective date. Mia may invoke other (non-AI) services as part of completing a task you've asked her to do — for example, Cal.com (calendar booking) and Resend (email confirmation) when you ask her to book a call. Those services are not AI providers but are processors of your data; full disclosure is in §5. If we add a new AI capability, we update this policy first.
4. How long we keep it
These are our retention commitments — the maximum windows we hold each type of data. The newsletter, contact-form, and outgoing-email retention windows below are enforced automatically by scheduled cleanup jobs running on our infrastructure. You can also request deletion at any time and we'll honour it within 30 days (see §6).
| Data | Retention commitment | What happens at the end |
|---|---|---|
| Newsletter subscriber records (email, IP, user-agent, signup timestamp) | Until you unsubscribe, your address hard-bounces, or you ask us to delete it | On unsubscribe we mark the record as inactive and stop sending. On a hard bounce we mark the address bounced and stop sending. On request we delete it. |
| Newsletter unconfirmed signups (where you started but never clicked the confirm link) | No more than 30 days | Deleted automatically by a daily cleanup job |
| Contact form submissions | 90 days after the conversation is resolved, unless you become an ongoing contact (e.g. a lead, client, or partner) — in which case we move your details to our internal CRM, governed separately | After 90 days: deleted automatically by a daily cleanup job. After CRM promotion: governed by the relevant client/partner agreement |
| Voice assistant conversation summaries (the transcript copy returned to us) | 90 days after the conversation is resolved, same as contact form submissions | Deleted at our next scheduled cleanup; if the conversation led to a booking, your contact details are promoted to CRM |
| Bookings created via Mia (calendar event in Cal.com + your contact details) | Calendar event retained per Cal.com's retention; our copy of the booking details retained until the meeting is held + 90 days, then deleted unless you become an ongoing contact | After retention: deleted; if you become a client, governed by the client agreement |
| Outgoing email log (delivery records, including booking confirmations) | No more than 12 months | Deleted automatically by a weekly cleanup job |
| Plausible analytics data | 24 months, aggregated only — no individual visitor record | Aggregated data preserved for trend analysis; no per-visitor data exists past 24 hours |
| Web server access logs | No more than 30 days | Cleared by log rotation |
ElevenLabs', Cal.com's, and Resend's retention of data on their side is governed by their published policies — we don't directly control it. For data we hold on our side, the commitments above apply. If you want processor-held data deleted, see §6.1 for how we forward such requests on your behalf.
These retention windows are reviewed at least annually and may be shortened if we identify we don't need the full window.
6. Your rights — how to access, correct, or delete your information
Under the Australian Privacy Principles and (where applicable) GDPR, you have the right to:
- Know what we hold about you (APP 12)
- Have it corrected if it's wrong (APP 13)
- Have it deleted (APP 11.2 — when we no longer need it for the purpose collected)
- Withdraw consent (e.g. unsubscribe from the newsletter; close the voice widget mid-conversation; cancel a Mia-booked meeting)
- Lodge a complaint with us, and escalate to the OAIC if you're not satisfied with our response
To exercise any of these rights, email [email protected]. We'll respond within 30 days and ask only for enough information to verify your identity (so we don't accidentally hand your data to someone else claiming to be you).
There is no charge for any of these requests.
6.1 Specific shortcuts
- Unsubscribe from the newsletter: click the unsubscribe link in any email we've sent. One click is enough — we honour the RFC 8058 one-click unsubscribe standard so most modern email clients can do it for you.
- Delete your contact form submission: email us with the email address you used. We'll find it and delete it.
- Delete your voice conversation: email us with the rough date and time of your conversation. We'll find and delete the transcript copy we hold. ElevenLabs' retention on their side is subject to their policy — we will forward your deletion request to ElevenLabs on your behalf and follow up, but we cannot guarantee the timing or completeness of their response.
- Cancel a Mia-booked meeting: click the cancellation link in your booking confirmation email, or email us. Cancelling removes the calendar event in Cal.com but does not automatically delete the Cal.com attendee record or Resend's record of the confirmation email. If you also want those processor-held records deleted, email us — we'll forward the request to Cal.com and Resend on your behalf and follow up. We can't guarantee how quickly they action it, but we'll chase.
6.2 Complaints
If you're not happy with how we've handled your information, please tell us first — email [email protected]. We'll acknowledge within 5 business days and work to resolve it within 30.
If we can't resolve it together, you can complain to the Office of the Australian Information Commissioner (OAIC):
- Online: oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
7. Cross-border data flows (APP 8)
Most of our data stays in Australia (our servers are in Hobart, Tasmania, on infrastructure we own and operate). The exceptions:
- Resend (always, for outgoing emails — newsletter, contact replies, booking confirmations) — processes your email address and the email body in the United States. We rely on Resend's published Data Processing Addendum to govern how they handle your data, and we send only what's required to deliver the email itself.
- Cloudflare (always, for traffic routing) — routes our website traffic through its global edge network for performance and DDoS protection, with Australian endpoints preferred. We rely on Cloudflare's published privacy policy and standard contractual terms; they handle routing only.
- ElevenLabs (only when you activate the voice widget) — processes your voice audio, conversation transcript, IP address, and session metadata in the United States. We rely on their published privacy policy and their conversational-AI no-training commitments. Sending data to ElevenLabs is the necessary mechanism for the voice assistant to work; if you'd rather not, the contact form (§2.2) is a fully equivalent local path.
- Cal.com (only when you ask Mia to book a call) — receives your name, email, preferred time, and a booking-purpose description in the United States to create the calendar event. We rely on their published privacy policy.
We've chosen these providers specifically for their published data-handling commitments and their fit with Australian privacy expectations.
Beyond these four providers, we do not send any visitor data to general-purpose AI providers (OpenAI, Anthropic, Google AI, etc.) for processing. Our internal contact-form triage AI runs on our own infrastructure in Hobart (see §3).
8. Children
Our website and services are aimed at businesses and adults. We don't ask for and don't intentionally collect information from anyone under 16. There is no formal age gate on our forms or the voice widget, so a child could in principle interact with us. If you believe a child has submitted information to us — yours or anyone else's — email [email protected] and we'll delete it.
9. Security
We protect your information with technical and organisational measures aligned to the principles of ISO 27001 and the Australian Privacy Principles, including:
- TLS encryption on all traffic (HTTPS only — no plain HTTP)
- Database access restricted by role and tenant isolation
- All write operations to our internal systems are audit-logged with actor, timestamp, and before/after state
- Secrets (API keys, tokens) stored in a layered vault, never in code repositories
- Regular health checks and incident response procedures
- Independent AI code review (we use a second AI model, Codex, to review code that another AI agent wrote, before it ships)
No system is perfectly secure, and we don't pretend otherwise. If we ever suffer a data breach that is likely to result in serious harm, we will notify you and the OAIC under the Notifiable Data Breaches scheme within the timeframes the scheme requires.
11. Changes to this policy
We may update this policy from time to time — usually because we add or remove a feature, or because the law changes. When we do:
- The “Effective date” at the top will be updated.
- Material changes (including any new AI capability per §3.3) will be flagged at the top of the page for at least 60 days.
- If a change materially affects how we handle data you've already given us, we'll email subscribers directly.
Past versions are kept in our internal documentation system and are available on request.
12. Contact
For anything related to this policy or your information:
Email: [email protected]
We typically respond within 2 business days for general queries and within 30 days for formal access, correction, or deletion requests.
Flexmore Pty Ltd T/A 158 Lab, ABN 44 139 542 724
Hobart, Tasmania, Australia
This policy was drafted by Codie, the 158 Lab AI IT Manager, and reviewed independently by Codex (AI code/policy reviewer, two rounds) and Auris (158 Lab compliance specialist, two rounds) before publication.
Effective date: 23 April 2026. Get in touch if anything in this policy needs explaining.