CourseAdvisor

Privacy

Privacy policy

Last updated: 18 May 2026

CourseAdvisor.ai ("CourseAdvisor", "we", "us", "our") is a trading name of ScaleHQ Ltd. This policy explains how we handle personal information collected through the website at courseadvisor.ai and through the AI voice enrolment services we provide to education-provider clients.

We treat personal information seriously and apply appropriate technical and organisational measures to protect it. Where this policy describes practices that are governed by a separate services agreement with one of our clients, those contractual terms take precedence in the event of conflict.

1. Who we are

The operating entity is:

ScaleHQ Ltd
c/o Hugge, 12–14 Gladstonos, Paphos 8046, Cyprus
Email: hello@courseadvisor.ai

2. Scope of this policy

This policy covers two distinct categories of personal information:

  • Website data, information collected when you visit or interact with courseadvisor.ai. We are the data controller for this information.
  • Service data, personal information that flows through our AI voice enrolment service on behalf of an education-provider client. The client is the data controller; we act as a data processor under the client's services agreement. We process this data only for the purposes the client instructs and the services agreement allows.

3. Information we collect through the website

3.1 Server log data

Like most websites, our hosting infrastructure automatically records a limited set of technical request data for each request, including the requesting IP address, the file requested, the date and time of the request, the response status, the URL that referred you, and your operating system and browser type. Where you are in the European Union or United Kingdom, we treat the IP address (and any combination of these fields that can identify you) as personal data and rely on legitimate interest under Article 6(1)(f) of the GDPR / UK GDPR as the lawful basis for processing. We use this data only to identify unauthorised access attempts, monitor service health, and produce aggregate statistics. We do not link IP addresses to a user profile.

3.2 Contact form submissions

When you submit our contact form we collect the information you give us, typically your name, work email, organisation, role, an indicative monthly lead volume, and the content of your message. We use that information only to respond to your enquiry and follow up on a possible engagement. We do not sell, rent, or share contact-form submissions with any third party for marketing purposes.

Submissions are delivered via our transactional email provider (currently Brevo) and routed to a CourseAdvisor inbox.

3.3 Cookies and tracking technologies

The CourseAdvisor.ai website uses cookies and similar tracking technologies for site functionality, analytics, and advertising. We currently run, or may run, the following categories:

  • Essential cookies, site session, security, and form-state cookies. Required for the Site to function.
  • Analytics, Google Analytics (GA4) and Google Tag Manager. These measure aggregate traffic and behaviour on the Site so we can improve it. Typical cookies include _ga, _gid, and _gat.
  • Advertising and conversion tracking, Google Ads, the LinkedIn Insight Tag, and the Meta Pixel. These let us measure the performance of paid advertising campaigns, track conversions back to a referring ad, and build remarketing audiences. The named platforms set their own cookies and may transfer page-view, device, and identifier data to those platforms under their own privacy policies.

If you are in the European Union, United Kingdom, or another jurisdiction that requires prior consent for non-essential tracking, you will see a consent banner before any analytics or advertising tag fires, and no non-essential tag will load until you accept. You can decline non-essential tracking and continue to use the Site, and you can change your choice at any time via the cookie preferences link in the footer. We rely on consent under Article 6(1)(a) GDPR / UK GDPR where the law requires it, and on legitimate interest under Article 6(1)(f) GDPR for site analytics in jurisdictions where consent is not legally required.

To opt out at any time: most browsers let you refuse or clear cookies; you can also use each platform's own opt-out tools, such as Google Ads Settings (adssettings.google.com), LinkedIn ad preferences, Facebook / Instagram ad preferences, or the industry opt-outs at optout.networkadvertising.org and youradchoices.com. Disabling cookies may affect Site functionality.

4. Information we process through the AI voice service

When an education-provider client engages our Rapid Lead Response, Lead Reactivation, Parent Engagement, or Direct Message services, we process personal information that the client provides or that is generated during a conversation. This may include:

  • Lead and prospect details supplied by the client, typically name, phone number, email, course interest, enquiry timestamp, and any source or campaign metadata.
  • Voice call recordings of conversations placed by or received by the AI agent. Each call is recorded for compliance, training, and quality-assurance purposes.
  • Call transcripts generated from those recordings using speech-to-text.
  • SMS message threads between the AI agent and the lead.
  • Outcome data, appointments booked, warm transfers, do-not-call requests, qualification reasons, and similar.

At the start of every recorded call, whether inbound or outbound and irrespective of the jurisdiction the call is placed to or from, the agent identifies itself as an AI voice agent and discloses that the call is being recorded. We apply this universal disclosure standard so that the agent meets the strictest applicable requirement on every call, including all-party consent regimes in New South Wales, Victoria, Western Australia, the Australian Capital Territory, Tasmania, the United States states that require all-party consent, and equivalent jurisdictions overseas. Do Not Call and Do Not Email requests captured during any conversation are processed same-day and reflected back to the client's CRM and suppression list.

5. How we use information

  • To respond to your enquiry and discuss a possible engagement.
  • To deliver the contracted service on behalf of an education-provider client.
  • To produce campaign reporting and operational analytics for the client.
  • To monitor service quality, compliance, and security.
  • To train and improve our agent, anonymised or aggregated where possible. We do not use one client's service data to train models that we sell to another client.
  • To comply with our legal and regulatory obligations.

We will not sell, rent, or trade personal information. We will only disclose personal information where required by law, where necessary to enforce our terms, or where you have given consent.

6. Regulatory frameworks

Our handling practices are designed to meet the regulations that apply in the markets where we operate:

  • Cyprus and European Union, the General Data Protection Regulation (Regulation (EU) 2016/679) and Cyprus Law 125(I)/2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data, which together govern processing by ScaleHQ Ltd as a Cyprus-incorporated controller.
  • United Kingdom, the UK GDPR and the Data Protection Act 2018.
  • Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles, the Notifiable Data Breaches scheme, the Spam Act 2003, the Do Not Call Register Act 2006, and the call-recording consent rules applicable in each state.
  • United States, applicable state privacy laws (including the CCPA / CPRA in California, the VCDPA in Virginia, the CPA in Colorado, the CTDPA in Connecticut, and other US state laws as they come into force) and the Telephone Consumer Protection Act (TCPA) for voice and SMS contact.

Where you are in the European Union or United Kingdom, our legal bases for processing are typically contract performance under Article 6(1)(b), legitimate interest under Article 6(1)(f), legal obligation under Article 6(1)(c), or consent under Article 6(1)(a).

Where a client operates under a sector regulator (for example, TEQSA or ASQA in Australia), we build the compliance framework around the client's jurisdiction and bake call scoring, recording retention, and audit trail into delivery.

6.1 California privacy rights (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act and the California Privacy Rights Act:

  • Right to know the categories and specific pieces of personal information we collect about you, the sources, and the business purposes for collection.
  • Right to delete personal information we hold about you, subject to legal retention obligations.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information, and to limit use of sensitive personal information.
  • Right to non-discrimination for exercising any of these rights.

Categories we collect through the website: identifiers (name, email, IP address), professional or employment information (organisation, role), internet or network activity (browsing on the Site), and inferences drawn from the above.

Categories we collect through the AI voice service on behalf of clients: identifiers, audio recordings, communications content, and outcome data.

Sources: directly from you, from our education-provider clients, and through automated browsing technology on the Site.

Business purposes: respond to enquiries, deliver the contracted service, security, analytics, and compliance.

We do not sell personal information for monetary consideration. To the extent that operating the LinkedIn Insight Tag, Google Ads, or Meta Pixel on the website constitutes "sharing" for cross-context behavioural advertising under the CPRA, you may opt out via the cookie preferences link in the footer or by contacting hello@courseadvisor.ai. You may use an authorised agent to exercise any California right; we will require proof of authorisation and verify your identity before responding.

7. Sub-processors

We use a small set of trusted providers to deliver the service:

  • Cloud infrastructure, Amazon Web Services (AWS) and Google Cloud Platform (GCP).
  • Telephony, managed voice carriage and SIP services.
  • Speech-to-text, for converting call audio to transcripts.
  • Large language model providers, for conversation generation and analysis.
  • SMS providers, for outbound and inbound text messaging.
  • Transactional email, Brevo, for website contact-form delivery.
  • Hosting, Vercel, for the courseadvisor.ai website.
  • Analytics and advertising platforms, Google (Analytics, Tag Manager, Ads), LinkedIn (Insight Tag), and Meta (Pixel), for the purposes described in section 3.3.

A current sub-processor list, naming each provider and region, is available to clients and prospective clients on request and forms part of the services agreement. We commit equivalent confidentiality and security obligations on each sub-processor through contract.

8. Data retention

Website data. Contact-form submissions are retained for 24 months from your last interaction with us, after which they are archived for a further 12 months for audit and dispute-handling and then deleted, except where an active commercial conversation extends the retention period. Server logs are retained for 90 days for security and diagnostics, after which they are deleted or fully anonymised.

Service data. Call recordings, transcripts, SMS threads, and outcome data are retained for the period set in the client services agreement, typically aligned to the client's own retention obligations (for example, ASQA or TEQSA audit windows, which can extend to seven years). On termination of an engagement, we return or delete service data per the client's instructions, retaining only what we are legally required to retain.

9. International transfers

Our infrastructure may store and process personal information in regions outside the country where it was collected, typically Australia, the United States, or the European Union, depending on the client and the workload. Where personal information is transferred internationally we rely on appropriate transfer mechanisms, including the European Commission's Standard Contractual Clauses for transfers out of the EU and EEA, the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs for transfers out of the United Kingdom, and the Australian Privacy Principle 8 safeguards for transfers out of Australia. We apply technical safeguards including encryption in transit and at rest.

10. Security

Personal information transmitted to and from our website is encrypted in transit using TLS (HTTPS). Service-data storage uses encryption at rest and access controls scoped to least-privilege principles. We monitor for unauthorised access and run periodic security reviews. No system is impenetrable, so please raise any security concern to hello@courseadvisor.ai.

11. Your rights

Subject to applicable law, you have the right to:

  • Request access to the personal information we hold about you.
  • Request correction of inaccurate or incomplete information.
  • Request deletion of your information where there is no overriding legal basis to retain it.
  • Restrict or object to certain processing.
  • Request a portable copy of your information.
  • Withdraw consent at any time where processing relies on consent.
  • Lodge a complaint with the relevant supervisory authority. In Cyprus, the Office of the Commissioner for Personal Data Protection. In other EU member states, your national data-protection authority. In the United Kingdom, the Information Commissioner's Office (ICO). In Australia, the Office of the Australian Information Commissioner (OAIC).

Where your personal information is processed as service data on behalf of an education-provider client, please direct your request to the client. We will support the client in responding under the terms of the services agreement.

To exercise any of these rights with respect to website data, contact hello@courseadvisor.ai. Under the GDPR and UK GDPR, we will respond within one month of receipt, extendable by up to a further two months for complex or numerous requests with notice to you. In other jurisdictions, we will respond within 30 days or sooner where required by law.

12. Children

The CourseAdvisor.ai website is directed at education-provider clients and their staff, not at children. We do not knowingly collect personal information from anyone under 13 through the website. Where our service interacts with prospective students through a client's enquiry pool, the legal basis and age-related safeguards are the responsibility of the client as data controller, and we apply the safeguards set out in the services agreement.

13. Links to other websites

The website may link to third-party websites. We are not responsible for the privacy practices of those sites. Please review each site's privacy policy before submitting information.

14. Changes to this policy

We may revise this policy from time to time. The most current version always lives at /privacy on this website, with the "Last updated" date refreshed accordingly. Continued use of the website signifies acceptance of the current policy.

15. Contact

For any privacy-related question or to exercise a right under this policy:

ScaleHQ Ltd (trading as CourseAdvisor.ai)
c/o Hugge, 12–14 Gladstonos, Paphos 8046, Cyprus
hello@courseadvisor.ai