Customer privacy tiers and voice PINs (staff guide)
Summary
Every customer chooses a privacy tier that controls what your AI receptionist will say about their account when someone phones. Four tiers, ordered from most exposed to most protected: Open Access (FULL), PIN Required (PIN), Limited Info (RESTRICTED), and Zero Disclosure (BLOCKED). Customers manage their own choice from the customer portal, but as the garage you need to understand the tiers because:
- Customers will ask you which one to pick.
- The chosen tier changes what your AI is allowed to say on a live call.
- You can set or reset a customer’s voice PIN from their record on the staff side.
- An Owner PIN lets you verify on behalf of any customer when they cannot reach the portal.
- BLOCKED-tier customers are invisible to the AI but visible to staff in the unified inbox - knowing this prevents confused “where’s my customer’s record?” moments.
This article is the staff-side companion to Customer portal privacy and security settings, which covers the customer-facing controls in detail.
Prerequisites
- You are signed in as a user with the customers.manage capability for setting or resetting a customer’s PIN.
- You are signed in as the owner to set or change the Owner PIN.
- Your organisation has the voice AI live (or in test) - the tiers do not affect WhatsApp, SMS, portal messaging, or in-person staff conversations.
The four tiers - what your AI does
| Tier | Customer-facing label | What your AI tells callers |
|---|---|---|
| FULL | Open Access | Confirms the caller is a customer, looks up vehicles, bookings and account details when asked. Default for new customers. |
| PIN | PIN Required | Confirms the caller has an account but blocks all detail until they say their voice PIN. After PIN, the AI behaves as FULL. |
| RESTRICTED | Limited Info | Confirms the customer exists, can speak about vehicle status and current bookings, refuses to discuss invoices, account totals, contact details, or anything financial. |
| BLOCKED | Zero Disclosure | Treats the call as if the customer does not exist. Will not confirm or deny they are a customer, even if pressed. Logs every attempt as a suspicious-access event for review. |
Customers can change their tier from the Privacy and security page in their portal at any time. Raising security takes effect immediately; lowering security requires SMS or email verification and a cooling-off period (4 hours; 48 hours if downgrading from BLOCKED).
What customers see vs what staff see
| Surface | Effect of customer tier |
|---|---|
| Voice AI receptionist | Behaves per the tier as above. |
| Customer-search lookups (the staff /customers page) | BLOCKED-tier customers are excluded from search results when searched by phone, name, or registration. Their vehicles are also excluded. |
| Unified inbox at /communications/inbox | BLOCKED-tier customers’ inbound voice calls do show up here under their record with a “Privacy: BLOCKED” badge. The privacy tier hides from the AI, not from staff in the inbox - this is intentional so staff can spot harassment-pattern calls. |
| Customer detail page | Visible if you go directly via the customer ID. The tier and PIN status appear in the privacy section. |
| Voice call log at /voice/calls | Visible. BLOCKED-tier suspicious-access events are flagged. |
Set or reset a customer’s voice PIN
A customer who has chosen the PIN Required tier needs a voice PIN. They can set their own from the portal, but you can also set one for them at the counter or over the phone (after identifying them in person).
- Open the customer’s detail page at /customers/[id].
- Find the Voice PIN management card.
- Click Set Voice PIN (or Reset PIN if one already exists).
- Enter a 4 to 6 digit PIN. Sequential digits (1234) and repeated digits (1111) are rejected.
- Click Save. The PIN is hashed before storage; you cannot see the PIN again afterwards.
- Tell the customer their PIN. Add a note in the audit field to record why you set it.
Clear a PIN lockout
If a customer fails their PIN three times in a row, the AI locks them out for 24 hours. To clear it sooner:
- Open the customer’s detail page.
- On the Voice PIN management card, click Clear lockout.
- The lockout clears immediately. The next call attempt re-enters the normal PIN flow.
Set the Owner PIN (per-organisation master override)
The Owner PIN is a single master PIN that lets the owner (or any staff member who knows it) verify on a customer’s behalf when called - useful when you want to call a customer on their PIN-protected line and need to read back their booking details.
- Navigate to Settings > Voice AI > Persona (or the recording / call-handling page).
- Find the Owner PIN section.
- Click Set Owner PIN and enter a 4 to 6 digit PIN.
- Click Save. The PIN is hashed; you cannot retrieve it later.
When you call from a customer’s PIN-protected number and the AI asks for their PIN, enter the Owner PIN. The AI accepts it as if it were the customer’s own PIN, and an audit log entry records that the access was via the Owner PIN.
The Owner PIN does not work at the BLOCKED tier - that is intentional. To get information about a BLOCKED-tier customer, sign in to the staff workspace directly.
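The PIN rules from the sections above (4 to 6 digits, three failures in a row, 24-hour lockout, Owner PIN accepted except at BLOCKED) modelled as an added Python example; this is not Torqueflow's code. The class, function and lowercase outcome names are hypothetical, the two booleans stand in for the bcrypt comparisons, and the points marked "assumed" are not stated by the guide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILURES = 3                     # "three times in a row"
LOCKOUT = timedelta(hours=24)


def pin_is_acceptable(pin: str) -> bool:
    """4 to 6 digits, rejecting repeated (1111) and sequential (1234) PINs."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 6):
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    # A single step of 0 is a repeat and +1 an ascending run. Rejecting -1
    # (4321) as well is assumed here; the guide does not say.
    return steps not in ({0}, {1}, {-1})


@dataclass
class VoicePinGate:
    tier: str                        # FULL, PIN, RESTRICTED or BLOCKED
    failures: int = 0
    locked_until: Optional[datetime] = None

    def attempt(self, matches_customer: bool, matches_owner: bool,
                now: datetime) -> str:
        """Decide one spoken-PIN attempt; inputs are the hash-check results."""
        if self.tier == "BLOCKED":
            return "SUSPICIOUS_ACCESS"   # the Owner PIN never overrides BLOCKED
        if self.tier != "PIN":
            return "no_pin_needed"       # FULL and RESTRICTED do not ask for one
        if self.locked_until is not None and now < self.locked_until:
            return "locked"              # assumed: also blocks the Owner PIN
        if matches_customer or matches_owner:
            self.failures, self.locked_until = 0, None
            return "customer_pin" if matches_customer else "owner_pin"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures, self.locked_until = 0, now + LOCKOUT
            return "locked"
        return "wrong_pin"

    def clear_lockout(self) -> str:
        """Staff action from the Voice PIN management card."""
        self.failures, self.locked_until = 0, None
        return "PIN_LOCKOUT_CLEARED"     # audit action code named in this guide
```

The "owner_pin" outcome is the point at which the audit entry for Owner PIN access would be written.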
Review privacy events for a customer
The customer detail page shows a Privacy audit history section (collapsed by default) recording every PIN attempt, PIN set/reset, suspicious-access flag, and tier change. Click to expand. Each row shows the actor, action, timestamp, and any context (caller phone for suspicious access, your name for staff-side PIN sets).
Respond to a suspicious-access alert
When a BLOCKED-tier customer has opted in to alerts and someone calls asking about them, two things happen:
- The customer receives a notification (SMS or push) saying “Someone called asking about your account. We told them nothing.”
- A SUSPICIOUS_ACCESS event lands in the privacy audit log on the customer’s record.
Review the audit log on the customer detail page. The event metadata includes the caller’s phone number (when not withheld), the lookup path the caller used, and the call ID so you can pull the recording from the call log. If the pattern looks malicious, talk to the customer about it.
Guidance to give customers
When a customer asks “which tier should I pick?”, these are the typical fits:
- Open Access - default; right for most retail customers who are happy for the AI to discuss their vehicle and booking. The AI is helpful and the customer’s own behaviour (checking vehicle status, asking about price quotes) works without friction.
- PIN Required - right for business customers, fleet managers, or anyone uncomfortable with a stranger gleaning their car make and bookings just by knowing their phone number. The PIN is a shared family-or-business secret; one PIN, multiple people can use it.
- Limited Info - right for customers who want the AI to confirm “yes, your car is ready” but not discuss invoices or contact details. A middle ground for the privacy-conscious without the friction of a PIN.
- Zero Disclosure - right for vulnerable customers (domestic abuse situations, public-figure customers, anyone who has been the subject of stalking). Encourage these customers to enable the suspicious-access alert as well.
The customer can change tier at any time from their portal. If they cannot reach the portal, you can change the tier on their behalf via support, but support must verify identity in person or via a documented process - changing a privacy tier without verifying the customer is the exact failure the cooling-off period exists to prevent.
Expected Outcome
- Each customer’s chosen tier is reflected in how the AI handles inbound calls from any number on their record.
- You can set or reset a customer’s voice PIN from their detail page.
- The Owner PIN lets you verify on behalf of any non-BLOCKED customer when calling them yourself.
- Suspicious-access events on BLOCKED customers are recorded and surfaced on the customer detail page.
- BLOCKED-tier customers are invisible to the AI but visible to staff in the inbox and on direct customer-detail navigation.
Troubleshooting
Problem: A customer says the AI is sharing too much about them. Cause: They are at Open Access (FULL) and have not chosen a more protected tier. Fix: Walk them through the Privacy and security page in their portal and explain the four tiers. They can raise their tier in seconds; lowering it later requires verification.
Problem: A customer says the AI will not tell them anything. Cause: They are at PIN Required and have forgotten or never set their PIN, or they are at Zero Disclosure. Fix: For a forgotten PIN, set a new one on the customer detail page. For Zero Disclosure, the customer needs to lower their own tier from the portal (with the cooling-off period) - you cannot do this for them.
Problem: A customer’s record is missing from search. Cause: They are at Zero Disclosure (BLOCKED) - they are excluded from search results by design. Fix: Open the customer directly via the customer ID URL or via their inbound conversation in the unified inbox.
Problem: I set the Owner PIN but it is not working when I call. Cause: Most likely the customer is at Zero Disclosure (BLOCKED) - the Owner PIN does not override BLOCKED. Fix: Sign in to the staff workspace to look up the information, or ask the customer to lower their tier first.
Problem: A customer received a suspicious-access alert and is worried. Cause: Someone called the AI asking about them by name, registration, or phone number. Fix: Open the customer’s detail page, expand the Privacy audit history, find the SUSPICIOUS_ACCESS event, note the caller phone and the call recording. Talk to the customer about whether they recognise the caller. If not, recommend they keep the BLOCKED tier and consider involving the police if a pattern emerges.
Permissions
| Action | Required capability |
|---|---|
| Set or reset a customer’s voice PIN | customers.manage |
| Clear a customer’s PIN lockout | customers.manage |
| View the privacy audit log on a customer | customers.manage |
| Set or change the Owner PIN | voice.settings.manage (Owner role) |
| View suspicious-access events | customers.manage |
- All PIN values are stored as bcrypt hashes. Neither you nor Torqueflow support staff can recover a forgotten PIN - the only path is to reset it.
- Staff actions on PINs are recorded in the privacy audit log under PIN_SET_BY_STAFF, PIN_RESET_BY_STAFF, and PIN_LOCKOUT_CLEARED action codes.
- The customer-side Privacy and security page also lets customers set a portal password so they can sign in directly without waiting for an email magic link. Password and voice PIN are different credentials for different surfaces - covered in Customer portal privacy and security settings.
- A customer’s email address being changed by the staff side starts a 7-day guard window - during that window, downgrades cannot be verified via email (only via SMS) - this defends against an attacker who has compromised the customer’s email.
- For multi-location organisations, privacy tiers are organisation-wide; they do not vary per workshop site. Per-location voice settings (persona, hours, KB) are separate - see Voice AI settings per location.
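The tier-change rule from the four-tiers section (raising protection is immediate; lowering needs SMS or email verification plus a cooling-off period) combined with the 7-day email guard window above, as an added Python example that is not Torqueflow's code. The function, exception and parameter names are hypothetical, and treating the guard window as closed at exactly 7 days is an assumption.

```python
from datetime import datetime, timedelta

# Order given in this guide: most exposed first, most protected last.
TIERS = ["FULL", "PIN", "RESTRICTED", "BLOCKED"]
COOLING_OFF = timedelta(hours=4)
COOLING_OFF_FROM_BLOCKED = timedelta(hours=48)
EMAIL_GUARD = timedelta(days=7)


class TierChangeRefused(Exception):
    """Raised when a downgrade request fails verification."""


def plan_tier_change(current, requested, now, verified_via=None,
                     staff_email_change_at=None):
    """Return the time at which `requested` takes effect, or raise.

    verified_via is "sms", "email" or None (no verification completed).
    staff_email_change_at is when staff last changed the customer's email.
    """
    old, new = TIERS.index(current), TIERS.index(requested)
    if new >= old:
        return now  # raising protection takes effect immediately
    if verified_via not in ("sms", "email"):
        raise TierChangeRefused("downgrade needs SMS or email verification")
    if (verified_via == "email" and staff_email_change_at is not None
            and now - staff_email_change_at < EMAIL_GUARD):
        # A recently changed address may be attacker-controlled: SMS only.
        raise TierChangeRefused("email changed recently, verify via SMS")
    wait = COOLING_OFF_FROM_BLOCKED if current == "BLOCKED" else COOLING_OFF
    return now + wait
```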