Privacy policy.
Who we are
Caredly is an Australian-owned company headquartered in Sydney. We build a person-centred CRM and operations platform for Australian NDIS providers and their authorised staff. This policy is issued by Caredly (referred to in this document as “Caredly”, “we”, “us”, or “our”).
The company is currently pre-incorporation; our Australian Business Number (ABN) will be added to this policy on registration. For privacy enquiries you can reach us at privacy@caredly.com.au or via our contact form.
What this policy covers
This policy applies to information collected through:
- our marketing website, including waitlist signups and contact-form submissions;
- the Caredly platform when accessed by customers (NDIS providers) and their authorised staff;
- data customers upload about NDIS participants, their families, and other stakeholders in the course of using the platform; and
- any related communications, support interactions, or events run by Caredly.
Where Caredly processes participant or stakeholder data on behalf of a customer, we act as a service provider to that customer. The customer is generally the entity responsible for collecting consent from participants and their families under their NDIS service agreement.
Information we collect
The information we collect depends on how you interact with Caredly. We group it into four categories.
From visitors and waitlist signups
- name, email address, organisation name, role/position;
- participant count band (an indicative size of your provider organisation);
- any free-text message or context you choose to provide via a form;
- technical metadata: IP address, browser and device information, referring URL, and timestamps.
From customers and their authorised staff (account holders)
- name, work email address, role within the organisation;
- phone number (optional);
- organisation name, ABN, NDIS registration details (where applicable);
- billing details — handled directly by Stripe; we do not store full card numbers on our systems;
- authentication information (hashed passwords or magic-link tokens) and two-factor authentication settings.
From customers about NDIS participants
When customers use Caredly to manage participants, they upload information that may include:
- name, NDIS number, date of birth, gender, address, photograph;
- support model (e.g. SIL), funding plan details, goals, and supports funded;
- behaviour support plan (BSP) details, behaviours of concern, and triggers/strategies;
- medication records, medical conditions, allergies, hospitalisations, and other health information;
- family, guardian, and stakeholder contact details (including support coordinators, plan managers, and clinicians);
- shift notes, behaviour observations, incident reports, voice transcripts of dictated notes, and other free-text observations recorded by support workers.
We acknowledge that this is sensitive information and health information under the Privacy Act 1988 (Cth), and we treat it with the highest level of protection in our systems.
Technical information
- server and application logs (request paths, status codes, timestamps, user identifiers);
- error reports and stack traces;
- performance metrics and uptime telemetry;
- aggregated usage analytics (feature usage, session duration).
How we collect it
We collect personal information in four ways:
- Directly from you — when you submit a form, contact us, sign up for a waitlist, or accept an invitation to join an organisation.
- From your authorised users — when staff at a customer organisation enter participant, stakeholder, or shift information on behalf of the customer.
- Automatically — through cookies, server logs, error tracking, and analytics tools when you use our website or platform.
- From third-party service providers — for example, Stripe (for payments), Supabase (for hosting and authentication), and Anthropic (for AI processing) where they process information on our behalf to deliver the service.
How we use information
We use personal information to:
- provide, operate, secure, and maintain the Caredly service for your organisation;
- authenticate users, manage sessions, and apply role-based access controls;
- process subscription payments and issue invoices and receipts (via Stripe);
- send transactional and operational emails (account verification, password reset, billing notifications, security notices, important service updates);
- generate analytics, dashboards, and reports for your organisation;
- improve product features, fix bugs, and prioritise the roadmap based on aggregated usage patterns;
- comply with legal obligations under Australian law, including taxation, corporations, and privacy law;
- protect Caredly, our customers, and the participants whose data is held in our systems against fraud, abuse, or unauthorised access; and
- send marketing communications about product updates, events, and relevant sector content — only where you have consented, and you can unsubscribe at any time.
Lawful basis & sensitive information
Most personal information we collect about visitors and customer staff is collected with consent or as reasonably necessary for our legitimate business activities under Australian Privacy Principle (APP) 3.
Sensitive information — particularly the health information of NDIS participants — is collected only under APP 3.4: with the consent of the individual (or their authorised representative) or as required or authorised by law. In practice, the customer (the NDIS provider) is the entity that obtains this consent from the participant or their guardian under the customer’s NDIS service agreement. Caredly processes that information on the customer’s behalf as a service provider, applying the protections set out in this policy and our security programme.
AI processing
Caredly uses AI features — care assistant, voice-to-text, narrative report generation — to reduce documentation burden on support workers and supervisors. Because of the sensitivity of NDIS participant data, we apply extra controls to AI processing.
- Minimisation. Only the data strictly necessary to fulfil the requested task is sent to the AI provider. Where feasible, identifying data is excluded or de-identified before processing.
- NDIS numbers. NDIS numbers are never sent to the AI model.
- No model training. Under our commercial agreement with Anthropic, prompts and responses processed through Caredly are not used to train Anthropic’s models.
- Audit and retention. AI prompts and responses are retained within our database so that customers have a complete audit trail of AI-assisted decisions made about their participants.
- Human review. AI outputs are framed as drafts. They are not professional clinical, behavioural, medical, or legal advice and staff remain responsible for the final decision.
Data location & cross-border transfers
All customer data — including participant records, shift notes, BSPs, medication records, and stakeholder contacts — is stored in Australia, in the Sydney region (ap-southeast-2) on Supabase infrastructure. Customer data is not transferred outside Australia for storage.
Limited cross-border processing occurs only for specific operational functions:
- AI features — the minimum context required for an AI request is sent to Anthropic, which processes requests in the United States;
- Transactional email — Resend sends operational emails from infrastructure that may include the United States;
- Payments — Stripe processes billing data across its global infrastructure.
We do not transfer participant health records outside Australia for processing other than as strictly necessary to deliver these specific functions, and only under contractual safeguards consistent with APP 8.
Retention
We retain personal information for only as long as required to provide the service, satisfy legal obligations, resolve disputes, and enforce our agreements.
- Customer account and participant data — for the life of the customer’s contract, plus seven (7) years thereafter to align with NDIS record-keeping obligations, unless a longer retention period is required by law or requested by the customer in writing.
- Waitlist data — until the individual is contacted and converted, opts out, or eighteen (18) months from the date of submission, whichever is sooner.
- Marketing contact data — until the individual unsubscribes or after twenty-four (24) months of inactivity.
- Server and application logs — typically ninety (90) days, with security-relevant audit logs retained for longer periods as described in the security page.
- Backups — encrypted backups are retained as set out in our backup policy and are overwritten on the schedule described on the security page.
Security
We maintain a documented information security programme, with technical and organisational controls including encryption in transit and at rest, role-based access control, row-level security, audit logging, vulnerability management, and incident response planning.
A full description is available on our security page.
Your rights
Under the Australian Privacy Principles, you have the right to:
- request access to the personal information we hold about you;
- request correction of personal information that is inaccurate, out of date, incomplete, or misleading;
- request that we stop using your information for marketing purposes;
- make a complaint about how we handle your personal information.
To exercise any of these rights, email privacy@caredly.com.au. We aim to acknowledge requests within five (5) business days and to respond substantively within thirty (30) days. There is generally no fee for access requests, although a reasonable charge may apply where a request is unusually voluminous.
If you are not satisfied with our response, you may refer the matter to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
For participant data, the customer (the NDIS provider) is generally the first point of contact under their NDIS service agreement with the participant. We will support customers in responding to participant access and correction requests promptly.
Children & vulnerable persons
Caredly’s platform is not directed at children. However, customers may record information about NDIS participants who are minors or persons with reduced capacity to consent.
The customer is responsible for obtaining lawful consent from the participant, their guardian, or their authorised representative under the customer’s NDIS service agreement. Caredly handles information about minors and other vulnerable persons with the same level of protection as adult health information, and applies the technical and organisational measures described on our security page.
Notification of breach
Caredly complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If we suspect that a data breach has occurred, we will:
- contain and assess the breach as quickly as possible;
- complete an assessment within thirty (30) days of becoming aware;
- notify the OAIC and affected individuals where the breach is likely to result in serious harm; and
- notify affected customers in writing and within seventy-two (72) hours of confirming a reportable breach, with the information they need to meet their own NDB obligations to participants.
Our incident response process is described in more detail on our security page.
Changes to this policy
We may update this privacy policy from time to time as our service evolves and as the regulatory landscape changes. The date of the most recent revision is shown at the top of this page.
Where a change materially reduces the protections afforded to your information, we will notify existing customers in writing (by email and via an in-app notification) at least thirty (30) days before the change takes effect. For non-material changes (clarifications, formatting, updated contact details), we may publish the revised policy without individual notification.
Contact
If you have any questions about this policy, want to exercise your rights, or wish to raise a concern, please contact us.