Skip to main content
Ella Works
Legal

Privacy Policy.

How we collect, use, store, and protect your personal information — under the Australian Privacy Act 1988 and the Australian Privacy Principles.

Last updated: 10 May 2026  ·  Version: 1.0 (DRAFT — pending legal review)

Contents
  1. About this Policy
  2. About us
  3. Definitions
  4. Information we collect
  5. How we use your information
  6. Multi-tenant data isolation
  7. Disclosure to third parties (subprocessors)
  8. Cross-border data transfers
  9. Cookies and analytics
  10. Hey Ella voice receptionist
  11. AI features (email classifier, plans-to-quote, smart estimator)
  12. Customer Portal data
  13. Trade Portal data
  14. Data retention
  15. Security
  16. Your rights under the Privacy Act
  17. Children's privacy
  18. Direct marketing
  19. Data breach notification
  20. Complaints
  21. Changes to this Policy
  22. Contact us

1. About this Policy

This Privacy Policy describes how Ella Construction Group Pty Ltd (ABN 36 676 839 286), trading as Ella Works ("we", "us", "our"), collects, uses, stores, discloses, and protects your personal information when you visit ellaworks.com.au, sign up for the Ella Works platform, use the Hey Ella voice receptionist, or otherwise interact with our services (the Services).

We are bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Policy explains how we comply, and what your rights are.

This Policy applies to:

  • Visitors to our marketing website at ellaworks.com.au;
  • Customers (the trades businesses) who subscribe to the Ella Works platform;
  • End-users of our Customers' portals (homeowners using a Customer's Customer Portal; sub-contractors and tradies using a Customer's Trade Portal);
  • Callers who interact with the Hey Ella voice receptionist; and
  • Anyone who otherwise contacts us by email, phone, or signup form.

If you are an end-user (homeowner or sub-contractor) of a Customer's portal, that Customer is the primary controller of your personal information. We act as a processor on the Customer's behalf. Where the Customer has its own privacy policy, that Policy governs the Customer's use of your information; this Policy governs our handling.

2. About us

  • Legal entity: Ella Construction Group Pty Ltd
  • ABN: 36 676 839 286
  • Registered address: 83 Partridge Street, Glenelg South SA 5045, Australia
  • Builder licence (parent renovation business): BLD 335908
  • Privacy contact: matt@ellaconstructiongroup.com.au
  • Phone: (08) 7228 6801

The Ella Works platform was built by Ella Construction Group ("ECG") originally to run our own renovation business. We are tenant zero on the platform; multi-tenant access for external trades businesses opens in Q4 2026. This Policy covers both phases.

3. Definitions

  • Personal information has the meaning given in section 6 of the Privacy Act 1988 (Cth) — information or an opinion about an identified individual, or an individual who is reasonably identifiable.
  • Sensitive information has the meaning given in section 6 of the Privacy Act, including health information.
  • Customer means a trades business that has subscribed to the Ella Works platform.
  • Customer Data means data uploaded to or generated within the platform by a Customer or its end-users (quotes, schedules, messages, photos, customer records).
  • End-user means a homeowner, customer, sub-contractor, tradie, or other individual using a Customer's portal.
  • Subprocessor means a third party we engage to process personal information on our behalf (for example, our hosting provider).

4. Information we collect

4.1 Information you give us directly

When you sign up, contact us, or use the Services, you may give us:

  • Identity and contact information: name, business name, email address, phone number, postal address, ABN, business type, jobs-per-month estimate, state.
  • Account credentials: a password, hashed and salted before storage. We never store passwords in plain text.
  • Project information: details of your jobs, quotes, customers, sub-contractors, suppliers, photos, and documents you upload.
  • Voice recordings and transcripts: if you or a caller use the Hey Ella receptionist, the call audio is recorded and transcribed (see §10).
  • Email content: if you connect an inbox to our AI Email Classifier, the contents of those emails are processed (see §11).
  • Payment information: when our paid platform launches, payment details (card numbers, bank details) are collected and stored by our payment subprocessor (Stripe), not by us. We hold only the metadata Stripe returns: amount, status, last-four digits, and our internal subscription identifier.

4.2 Information we collect automatically

When you visit our website or use the platform, we automatically collect:

  • Technical information: IP address, browser type and version, device type, operating system, referring URL, and pages viewed.
  • Usage data: session timestamps, feature interactions, error logs.
  • Essential cookies: a session cookie is set on login to keep you signed in. No third-party advertising cookies are set in v1 of the platform. See §9.

4.3 Information we receive from third parties

  • Google Calendar (Trade Portal): if a tradie connects their Google Calendar via OAuth, we receive an access token and a refresh token. We use these only to read availability and write scheduled job events at the tradie's request. We never share Calendar data with anyone else. Tokens are stored encrypted at rest.
  • Stripe: when payments launch, Stripe will share the metadata we need to reconcile transactions (status, amount, last-four digits).
  • Twilio: for the Hey Ella receptionist, Twilio provides the inbound call audio and metadata (caller phone number, call duration).
  • Suppliers and partners: if you authorise us to retrieve product catalogues from suppliers (for example, the Beaumont Tiles supplier pack), we receive that data on your behalf.

4.4 Sensitive information

We do not seek to collect sensitive information (as defined in the Privacy Act). If you choose to upload it (for example, a photo of an injury during a workplace incident report), we will treat it with the heightened protections required by APP 3.3 and APP 6.

5. How we use your information

We use personal information only for the purposes for which it was collected, or for closely related secondary purposes you would reasonably expect — consistent with APP 6. Specifically, we use it to:

  • Provide the Services — quote generation, scheduling, invoicing, dispatch, customer and trade portals, AI features, voice receptionist, supplier integrations;
  • Authenticate users and secure accounts;
  • Process payments and reconcile transactions;
  • Communicate with you about the Services (transactional notices, support responses, security alerts);
  • Improve the Services through aggregate usage analytics that do not identify individuals;
  • Train and tune our own AI models only on data we are explicitly permitted to use; we do not pass Customer Data to third-party AI providers for their training (see §7);
  • Comply with our legal obligations, including Australian tax and corporate law record-keeping; and
  • Send you marketing communications, where you have given us consent (see §18).

6. Multi-tenant data isolation

The Ella Works platform is multi-tenant. Each Customer's data is logically isolated by tenant identifier at the application and database layer. We use row-level security and per-tenant access scopes to enforce this.

We do not combine, aggregate, or analyse data across tenants in ways that identify any individual or any individual Customer, except:

  • To produce industry benchmarks that are aggregated and de-identified before any third party (or any other Customer) sees them;
  • For internal support, security incident investigation, and platform engineering, where access is logged and audited;
  • Where a Customer expressly opts in to a feature that requires cross-tenant data flow (for example, a future supplier-pack co-marketing programme).

7. Disclosure to third parties (subprocessors)

We share personal information only with subprocessors who help us deliver the Services, and only to the extent necessary. Each subprocessor is bound by a written agreement requiring them to handle the data consistent with this Policy and the APPs.

Our current subprocessors are:

  • Vercel Inc. (United States) — hosting + serverless functions. Hosts the marketing website and runs the contact-form endpoint. Privacy: vercel.com/legal/privacy-policy.
  • Neon Inc. (United States, with Australian regional database) — managed PostgreSQL database. Stores account, customer, and project data. Australian regional deployment in use to keep primary data within Australia. Privacy: neon.tech/privacy-policy.
  • Resend Inc. (United States) — transactional email delivery. Sends signup-form confirmations and account notifications. Privacy: resend.com/legal/privacy-policy.
  • Twilio Inc. (United States) — inbound voice infrastructure for Hey Ella. Receives inbound calls, provides recording and transcription. Privacy: twilio.com/legal/privacy.
  • OpenAI L.L.C. (United States) — AI language model API. Used by the AI Email Classifier, AI Plans-to-Quote, Smart Estimator, and Hey Ella response generation. We use OpenAI under the API terms which prohibit OpenAI from training on our submissions; we do not authorise training. Privacy: openai.com/policies/privacy-policy.
  • Stripe Inc. (United States) — payment processing. When paid platform launches, Stripe processes payments. We do not see or store full card numbers. Privacy: stripe.com/au/privacy.
  • Google LLC (United States) — Google Calendar OAuth integration (optional, Trade Portal). Tradies who choose to connect their Google Calendar grant us OAuth-scoped access. Our use of Google Calendar API data complies with the Google API Services User Data Policy, including the Limited Use requirements. Privacy: policies.google.com/privacy.

We do not sell, rent, lease, or trade personal information to anyone. Other than the subprocessors above, we may disclose personal information only:

  • To you, when you ask for a copy of it;
  • To a Customer, where you are the Customer's end-user and the disclosure is what the Customer expects (for example, to populate the Customer's quote view);
  • To a regulator, court, or law-enforcement agency, when required by law or a valid legal process;
  • To our professional advisers (lawyer, accountant, auditor) under confidentiality;
  • In connection with a sale of our business, where the acquirer agrees to be bound by this Policy or a substantially equivalent one.

An up-to-date list of subprocessors is available on request from matt@ellaconstructiongroup.com.au.

8. Cross-border data transfers

Several of our subprocessors are based outside Australia, primarily in the United States. When we disclose personal information to an overseas recipient, we comply with APP 8 by:

  • Choosing recipients who are subject to an enforceable privacy regime (for example, US providers under their own published privacy commitments) and who, by contract, are required to handle the data consistently with the APPs; or
  • Obtaining your consent before the disclosure, where the recipient is not subject to such a regime.

Our managed database is configured to keep primary tenant data in an Australian region wherever the provider supports it. Backups, however, may be replicated overseas; where they are, we apply the same protections.

Note that under APP 8, we generally remain accountable in Australia for any breach by an overseas recipient.

9. Cookies and analytics

We set only essential cookies on this website and the platform — these are first-party cookies necessary for the website to function (for example, the session cookie that keeps you signed in). We do not set third-party advertising cookies.

We do not currently run a third-party analytics tracker on the marketing website. If we add one in future (for example, the privacy-friendly Vercel Web Analytics, which does not use cookies and does not track individuals), we will update this Policy and, where required, give you a way to opt out.

You can configure your browser to block all cookies, but doing so may prevent you from signing in.

10. Hey Ella voice receptionist

Hey Ella is our AI voice receptionist that answers inbound calls on a Customer's behalf. Where the Customer is using Hey Ella:

  • Caller notice: at the start of every call, callers are informed that the call is being recorded and transcribed for the purpose of routing the enquiry.
  • Recording and transcription: the call audio is recorded by Twilio. The transcript is generated by an AI model and stored against the lead in the Customer's account.
  • AI processing: the transcript is processed by an OpenAI language model under our no-training agreement to extract intent (a quote enquiry, a service call, an existing-customer query) and entities (name, suburb, scope of work).
  • Audio retention: 90 days. Audio is automatically deleted after that, unless the Customer has separately downloaded a recording.
  • Transcript retention: for as long as the lead exists in the Customer's system, plus a reasonable wind-down period.
  • State recording laws: Australian state recording laws vary. The Customer is responsible for ensuring its use of Hey Ella complies with the recording laws of the state in which the call is received and answered. Our default caller notice is designed to satisfy two-party consent requirements where they apply.

If you are a caller and would prefer not to be recorded, please request a callback by a human at the time of the call.

11. AI features

The platform includes several AI features. In each case, the underlying language model is provided by OpenAI under terms that prohibit training on our submissions. Inputs and outputs are not used by OpenAI to train its general-purpose models.

  • AI Email Classifier: when a Customer connects an inbox, message contents are passed to OpenAI to classify the email as Action / Enquiry / Subby / Invoice / Personal. Email content is held in transit only; we retain only the classification result and a short summary, not the full message.
  • AI Plans-to-Quote: a Customer uploads a PDF (a Bunnings Kaboodle plan, an architectural set, a hand-drawn scope). The PDF is processed by OpenAI's vision model to extract line items. The resulting structured quote is the Customer's data; the PDF is retained for as long as the quote exists.
  • Smart Estimator: learns from the Customer's historical quotes (kept within the Customer's tenant only — never combined with another tenant's data) to suggest pricing. Inputs and outputs stay in the Customer's tenant.

12. Customer Portal data

The Customer Portal is the surface that our Customer's end-customers (typically homeowners) use to view live quotes, milestone progress, and pay invoices. In this context:

  • The Customer (the trades business) is the controller of the homeowner's personal information;
  • We are the processor on the Customer's behalf;
  • Homeowners should direct privacy requests to the Customer first. If the Customer is unresponsive, homeowners may contact us at matt@ellaconstructiongroup.com.au and we will work with the Customer to resolve the request.

13. Trade Portal data

The Trade Portal is the surface our Customer's sub-contractors and crew use to receive job assignments, log time, and manage availability. In this context:

  • The Customer is the controller of the tradie's personal information;
  • We are the processor;
  • Tradies should direct privacy requests to the Customer first.

14. Data retention

We retain personal information for as long as it is needed for the purpose for which it was collected, or as required by law. Specific defaults:

  • Active account data: for as long as the account is active, plus seven (7) years after termination, to comply with Australian tax record-keeping obligations.
  • Quote, invoice, payment metadata: seven (7) years after the transaction, for tax and audit purposes.
  • Hey Ella audio recordings: 90 days from the date of the call.
  • Hey Ella transcripts: as long as the related lead exists in the Customer's account.
  • Marketing consent and unsubscribe records: indefinitely, to honour your unsubscribe.
  • Backups: rolling 30 days, encrypted at rest.
  • Server logs: rolling 90 days.

You can request earlier deletion at any time. Where we are legally required to retain data (for example, tax records), we will tell you and explain why.

15. Security

We use industry-standard measures to protect personal information, including:

  • TLS encryption in transit for all web and API traffic;
  • Encryption at rest for the database and backups;
  • Hashed and salted password storage (passwords are never stored in plain text);
  • Role-based access controls and audit logs for staff access to production data;
  • Multi-factor authentication on all administrative accounts;
  • Regular dependency and security updates;
  • Security incident response procedures aligned with the Notifiable Data Breach scheme.

No system is impenetrable. If a breach occurs, we will respond and notify under the process in §19.

16. Your rights under the Privacy Act

Under the Privacy Act and the APPs you have the right to:

  • Access your personal information held by us;
  • Correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading;
  • Withdraw consent for marketing communications or for any optional processing where consent was the lawful basis;
  • Export your account data in a machine-readable format;
  • Request deletion of your personal information, subject to legal retention obligations; and
  • Make a complaint about how we have handled your personal information (see §20).

To exercise any of these rights, email matt@ellaconstructiongroup.com.au. We will respond within thirty (30) days. There is no charge for an access or correction request unless it is plainly excessive or repetitive, in which case we will tell you the reasonable cost in advance.

We may need to verify your identity before processing the request, to protect your information from someone impersonating you.

17. Children's privacy

The Services are intended for AU-registered businesses and adults acting in the course of operating those businesses. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, contact us and we will delete it.

18. Direct marketing

We may send you marketing communications about our Services where you have signed up to receive them, or where you are an existing Customer and we are reasonably permitted to do so under the Privacy Act and the Spam Act 2003.

Every marketing email contains an unsubscribe link. We honour unsubscribe requests within five (5) business days.

You can also unsubscribe by emailing matt@ellaconstructiongroup.com.au with the subject line "Unsubscribe".

19. Data breach notification

We comply with the Notifiable Data Breach (NDB) scheme under Part IIIC of the Privacy Act. If we become aware of an eligible data breach (an unauthorised disclosure or loss of personal information likely to result in serious harm), we will:

  • Investigate and contain the breach;
  • Notify affected individuals as soon as practicable;
  • Notify the Office of the Australian Information Commissioner (OAIC) under the NDB scheme;
  • Provide guidance on the steps you can take to protect yourself.

20. Complaints

If you are unhappy with how we have handled your personal information, please contact us first. We take privacy complaints seriously and will respond promptly.

Step 1 — Contact us:

We will acknowledge your complaint within seven (7) days and aim to resolve it within thirty (30) days.

Step 2 — Escalate to the OAIC: if you remain unsatisfied with our response, you may complain to the Office of the Australian Information Commissioner.

  • Website: oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5288, Sydney NSW 2001

21. Changes to this Policy

We may update this Policy from time to time. The date at the top of this page reflects the most recent update. For material changes (for example, a new subprocessor, a new category of data we collect, a change to retention), we will notify Customers by email at least thirty (30) days before the change takes effect. Continued use of the Services after the effective date constitutes acceptance.

Older versions of this Policy are available on request.

22. Contact us

For any privacy question, request, or complaint:

Document status: v1.0 DRAFT, authored 10 May 2026 by the Ella Works engineering team against the Privacy Act 1988 (Cth), the Australian Privacy Principles, and the actual data flows of the platform as at the date of authoring. This Policy is subject to review and amendment by an SA-admitted commercial lawyer prior to the launch of the paid multi-tenant platform.