Privacy
Policy.

This Privacy Policy explains how TGS Media Limited and Call Genius Pro collect, use, share, store, and protect personal information. It applies to our website, our service delivery to clients across New Zealand, Australia, and the United States, and to the AI voice agents, CRM systems, and advertising operations we run on our clients’ behalf.

This Policy works alongside our Terms of Service (v2.1), Schedule F (Data Processing Addendum), and Schedule G (Authorised Sub-Processors). Where this Policy and our Terms of Service overlap, the Terms of Service prevail for clients and resellers; this Policy prevails for individuals whose personal information is processed.

TGS Media Limited ("TGS Media", "we", "us", or "our") is a New Zealand registered company operating the website https://www.tgsmedia.org and providing performance marketing, AI automation, CRM, and AI voice agent services to clients across New Zealand, Australia, and the United States. We also operate Call Genius Pro (CGP) as a subsidiary AI voice agent brand. References to "we" or "TGS Media" in this Policy include Call Genius Pro for all privacy purposes.

This Privacy Policy explains how we collect, use, share, and protect personal information, and the rights you have over your personal information. It is written to align with our Terms of Service (v2.1), including Schedule F (Data Processing Addendum) and Schedule G (Authorised Sub-Processors).

This Policy applies to personal information we handle in three distinct contexts:

A. Visitors to our website

When you visit tgsmedia.org, request a quote, book a discovery call, or correspond with us, we collect personal information about you. We are the Controller of that information.

B. Direct clients and resellers of TGS Media

When you engage us as a client (under any of our service packages) or as a Call Genius Pro reseller, we collect personal information about you and your authorised personnel to deliver our services and manage the commercial relationship. We are the Controller of that information.

C. Leads, prospects, and end customers of our clients

When you are a lead, prospect, or customer of a business that uses TGS Media services (for example, you complete a lead form on a Facebook ad we run for a client, or you receive a call from a Call Genius Pro AI voice agent on a client’s behalf), your personal information is collected and used by that client (the Controller). TGS Media acts as the Processor of that information on the client’s behalf, on documented instructions from the client.

If you are in category C and have a question about your personal information, please contact the business whose product or service you were enquiring about. They are the data controller. We will refer your request to them and assist as required by law.

We collect the following categories of personal information:

Identifiers and contact details

• First and last name.
• Email address.
• Phone number.
• Business name, role or title, and business address.
• IP address and approximate geographic location derived from it.

Commercial and engagement information

• Information about products, services, or interests you express through forms, calls, or chats.
• Information about your business, industry, monthly revenue, ad spend, and qualification criteria where you provide it as part of a discovery process.
• Billing information (Stripe collects payment card data directly; we receive only billing identifiers, last-four digits, and amounts).

Voice agent and call information

• Audio recordings of inbound and outbound calls handled by our AI voice agents.
• Transcripts and AI-generated summaries of those calls.
• Call metadata, including caller-ID, time, duration, and outcome trigger words (such as BOOKED, CONVERSATION, RECALL, REMOVE).

Lead and CRM information processed for clients

• Lead form responses captured from Facebook and Instagram lead ads and other ad platforms.
• CRM contact records, pipeline stages, notes, tags, and communication history held inside our clients’ GoHighLevel instances.

Technical and usage information

• Device information, browser type and version, operating system.
• Pages visited, time and date of visits, referring URL, time spent on pages.
• Cookies and similar tracking technologies (see clause 7).

We do not deliberately collect special categories of personal information such as health, racial or ethnic origin, religious beliefs, sexual orientation, biometric data, or government identifiers. If you provide such information voluntarily (for example, by mentioning it on a call), we will handle it under the same protections set out in this Policy and will not use it for any additional purpose.

We collect personal information in the following ways:

• Directly from you when you fill in a form on our website, request information, book a call, sign a contract, or correspond with us.
• Automatically through cookies, web analytics, and server logs when you visit our website.
• From our clients, when they grant us access to their advertising accounts, CRM, telephony, or automation platforms to deliver the services.
• From ad platforms (Meta, Google), when leads complete lead-generation forms run on behalf of our clients.
• From AI voice agents we operate on behalf of clients, through recording and transcription of inbound and outbound calls.
• From third-party service providers we engage to deliver the services (see Schedule G of our Terms of Service for the current sub-processor list).

We use personal information for the following purposes:

• To provide, deliver, and improve our services to clients and prospective clients.
• To run advertising campaigns, lead generation, AI calling, qualification, appointment booking, and CRM follow-up on behalf of our clients.
• To analyse call recordings and transcripts in order to improve agent performance, route leads accurately, and report results to clients.
• To communicate with you about your engagement with us, including service updates, billing, and support.
• To respond to your enquiries and provide customer care.
• To detect, prevent, and address fraud, abuse, security incidents, and technical issues.
• To comply with our legal, regulatory, tax, and contractual obligations.
• To market our own services to prospective clients (with appropriate opt-in or opt-out mechanisms as required by law).

Where we rely on a lawful basis under the GDPR or UK GDPR (for any data subjects in the EEA or UK), the lawful bases we typically rely on are: performance of a contract; legitimate interests (such as running and improving our services); consent (for marketing communications and certain cookies); and compliance with a legal obligation.

TGS Media and Call Genius Pro operate AI voice agents that place outbound calls and receive inbound calls on behalf of our clients. This section explains how we handle personal information in that context, because it is the highest-impact privacy operation in our business.

6.1 Recording and transcription

Calls placed or received by our AI voice agents are recorded, transcribed, and analysed. The agent will deliver a disclosure at the start of each call where required by law, including a recording disclosure in two-party consent jurisdictions.

6.2 Two-party consent jurisdictions

For calls to or from the following United States states, our agents deliver the recording disclosure as the first or near-first item in the call before any substantive conversation: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington. The same disclosure approach is applied for Australian states with similar requirements.

6.3 AI disclosure

Our agents are designed to identify themselves as virtual assistants or AI when directly asked. For calls to or from the United States, every call begins with a clear AI disclosure consistent with the Federal Communications Commission Declaratory Ruling of 8 February 2024 on AI-generated voice calls.

6.4 Use of call data

Call recordings and transcripts are used to deliver the service, analyse and improve agent performance specific to the client engagement, and (in aggregated and de-identified form only) to train internal models and prompts. Anonymised, de-identified excerpts may be used as case study material. Clients can opt out of model training and case study uses by written notice (see Terms of Service, Schedule C clause 2).

6.5 Right to end the call and to be removed from contact lists

You may at any time tell the agent to end the call, to be removed from contact lists, or to speak with a human at the client business. Our agents route such requests to the client’s CRM with a REMOVE trigger for processing within the timeframes required by applicable law.

6.6 Consent capture for outbound calls

Where calls are placed to United States wireless numbers, our clients are contractually required to have obtained prior express written consent in compliance with the Telephone Consumer Protection Act before any call is placed. If you believe you have been contacted without lawful consent, please contact us and we will investigate and assist the relevant client in remedying the issue.

We use cookies and similar tracking technologies on our website to operate the site, remember your preferences, secure your session, and understand how visitors use the site. Cookies we use fall into the following categories:

• Strictly necessary cookies, which are required for the website to function and for security.
• Preference cookies, which remember settings such as language or layout choices.
• Analytics cookies, which help us understand how visitors interact with the site so we can improve it.
• Marketing cookies (including Meta Pixel and similar), which help us measure the performance of our own advertising and may be used to retarget visitors with relevant ads.

You can control or disable cookies through your browser settings. If you disable certain cookies, some features of our website may not function correctly. Where required by law, we will request your consent before placing non-essential cookies.

We share personal information with the following categories of recipients:

• Our clients, where the personal information relates to leads, prospects, or customers we are processing data for on their behalf.
• Authorised sub-processors that help us deliver the services (see clause 9 and Schedule G of our Terms of Service).
• Professional advisers, including lawyers, accountants, and auditors, on a need-to-know basis.
• Government, regulatory, or law-enforcement authorities, where required by law or to protect our rights, property, or safety.
• A successor entity, in the event of a corporate restructure, sale, merger, or asset transfer, subject to the assignment terms in our Terms of Service.

We do not sell personal information. We do not share personal information with third parties for their own independent marketing purposes without your consent.

To deliver our services we rely on a defined list of authorised sub-processors. The current list is maintained in Schedule G of our Terms of Service and includes (without limitation):

• SynthFlow (AI voice agent platform).
• GoHighLevel / HighLevel Inc. (CRM and automation platform).
• Make / Celonis SE (automation platform).
• Twilio Inc. (telephony and messaging).
• Meta Platforms Inc. (advertising delivery and lead capture).
• OpenAI L.L.C. and Anthropic PBC (large language model APIs).
• Stripe Inc. (payment processing).
• Google LLC (cloud services and workspace).
• Cloudflare Inc. and Netlify Inc. (hosting and edge services).

We impose data protection obligations on each sub-processor substantially equivalent to those we accept, and remain liable for sub-processor performance to the same extent as for our own.

Because we operate across New Zealand, Australia, and the United States, and engage sub-processors located in those regions and in the European Union, personal information may be transferred to and processed in countries other than the country you are in. Data protection laws in those countries may differ from those in your country.

Where personal information is transferred:

• From New Zealand, under Information Privacy Principle 12 of the Privacy Act 2020, we ensure the receiving party is required to protect the data on terms substantially similar to the Privacy Act 2020, or rely on another lawful basis (such as your authorisation).
• From the European Economic Area, the United Kingdom, or Switzerland to a jurisdiction without an adequacy decision, we rely on the EU Standard Contractual Clauses (Module Two, Controller to Processor) as approved by the European Commission, supplemented where necessary by additional safeguards.
• From Australia, in compliance with Australian Privacy Principle 8, we take reasonable steps to ensure that overseas recipients handle personal information in a manner consistent with the Australian Privacy Principles.

Your continued use of our website or services after submitting personal information signifies your understanding of these international transfers.

We retain personal information for only as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements. Typical retention periods are:

• Website enquiries and unconverted leads: up to twenty-four (24) months from last contact, then deleted or de-identified.
• Active client account records: for the duration of the engagement and for seven (7) years after termination, to satisfy New Zealand tax and accounting record-keeping obligations.
• AI call recordings and transcripts: held for the duration of the client engagement and for ninety (90) days following termination, after which they are deleted or de-identified, unless retention is required by law or for the establishment, exercise, or defence of legal claims.
• Lead and CRM data processed on behalf of clients: held within the client’s CRM for the duration of the client engagement. After termination, we follow the data handling rules in clause 14 of our Terms of Service.
• Marketing contact data: until you unsubscribe or otherwise withdraw consent, then suppressed but not necessarily deleted, in order to honour your opt-out.
• TCPA consent records (for United States calling): retained for at least five (5) years as required by FCC rules.

We implement and maintain reasonable technical and organisational security measures designed to protect personal information against loss, misuse, unauthorised access, or unauthorised disclosure. These include:

• Access controls and role-based permissions across all platforms.
• Encryption in transit for data flowing between our systems and sub-processors.
• Audit logs for sensitive operations.
• Confidentiality obligations on all personnel and contractors with access to personal information.
• Regular review of sub-processor security posture.

No method of transmission over the internet or method of electronic storage is fully secure. While we strive to use commercially acceptable means to protect personal information, we cannot guarantee absolute security.

Depending on the jurisdiction in which you are located, you have a number of rights in relation to personal information we hold about you. These rights include the right to:

• Access the personal information we hold about you.
• Request correction of personal information that is inaccurate or out of date.
• Request deletion of personal information, where we are not required to retain it for legal or contractual reasons.
• Object to or restrict certain processing, including direct marketing.
• Withdraw consent, where processing is based on consent (this does not affect the lawfulness of processing before withdrawal).
• Request portability of personal information you have provided to us, where applicable.
• Lodge a complaint with a privacy supervisory authority in your jurisdiction (see clause 15).

To exercise any of these rights, contact us at info@tgsmedia.org with sufficient information for us to identify you and process your request. We will respond within the timeframes required by applicable law. If you are a lead or customer of a TGS Media client, we will refer your request to that client and assist them in responding.

If we become aware of a notifiable privacy breach affecting your personal information, we will notify you and the relevant supervisory authority without undue delay, and in any event within seventy-two (72) hours of becoming aware, where required by:

• The Privacy Act 2020 (New Zealand) and the Office of the Privacy Commissioner’s notification rules.
• The Notifiable Data Breaches scheme under the Privacy Act 1988 (Australia).
• Articles 33 and 34 of the EU and UK GDPR.
• Applicable United States federal and state breach notification laws.

Where TGS Media is acting as a Processor for one of our clients, we will notify the client (the Controller) and reasonably assist them in fulfilling their notification obligations.

15.1 New Zealand (Privacy Act 2020)

Our handling of personal information is governed by the Privacy Act 2020 and the thirteen Information Privacy Principles. You have the right to access and correct personal information we hold about you. If you are not satisfied with our response to a privacy request, you may make a complaint to the Office of the Privacy Commissioner at https://privacy.org.nz.

15.2 Australia (Privacy Act 1988)

Where we handle personal information of Australian individuals, we do so in accordance with the Australian Privacy Principles. You have the right to access and seek correction of your personal information, to opt out of direct marketing, and to make a complaint to the Office of the Australian Information Commissioner at https://www.oaic.gov.au.

15.3 European Economic Area and United Kingdom (GDPR)

If you are in the EEA or UK, the GDPR or UK GDPR may apply to our handling of your personal information. You have the rights listed in clause 13 above, including the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of alleged infringement, or with the Information Commissioner’s Office in the UK (https://ico.org.uk).

15.4 United States (California and other state privacy laws)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act gives you specific rights, including the right to know what personal information we collect, the right to delete that information, the right to correct inaccurate information, and the right to opt out of the sale or sharing of your personal information. We do not sell personal information. To exercise these rights, contact info@tgsmedia.org. Other US states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, and Utah) may grant similar rights, which we will honour where applicable.

Our website and services are not directed to children under the age of 18 and we do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and you believe a child has provided us with personal information, please contact us at info@tgsmedia.org and we will take reasonable steps to delete the information.

We may update this Privacy Policy from time to time to reflect changes in our practices, services, technologies, applicable law, or for other operational reasons. The current version is always available at https://www.tgsmedia.org/privacy-policy. We will update the Effective Date at the top of this page when we make changes.

Where the changes are material, we will provide additional notice (for example, by email to active clients or by a prominent notice on the website) before the changes take effect. Your continued use of our website or services after the Effective Date constitutes your acknowledgement of the updated Policy.

If you have any questions about this Privacy Policy or about how we handle your personal information, or if you want to exercise any of your rights, please contact us:

TGS Media Limited / Auckland, Aotearoa New Zealand / Email: info@tgsmedia.org / Web: https://www.tgsmedia.org

For privacy complaints that we have not been able to resolve to your satisfaction, you may also contact the relevant supervisory authority in your jurisdiction (see clause 15).