Privacy Policy
Last updated: 13 June 2026
CareLogging ("we", "us") provides software that helps independent NDIS support workers ("you") run their practice. This policy explains what data we collect, how we use it, and how we protect it. It complies with the Australian Privacy Principles under the Privacy Act 1988 (Cth).
1. What we collect
- Account data: your name, email, password hash.
- Participant data you enter: client names, NDIS numbers, support plans, shift notes, photos and incidents.
- Billing data: handled by Stripe; we never see or store your card.
- Usage analytics: anonymous aggregate metrics (page views, feature use) - no participant data.
2. Where it lives
All data is stored in Australia (AWS Sydney, ap-southeast-2). Backups are encrypted and stored in the same region. Data never leaves Australia.
3. How we use it
We use your data to provide and improve CareLogging. We do not:
- Sell your data to anyone, ever.
- Share participant data with third parties except sub-processors strictly necessary to run the service (AWS Sydney, Stripe for billing, our AI gateway for progress note generation).
- Use participant data to train AI models.
4. AI processing
When you generate a progress note, the activities you tick are sent to our AI gateway. We use Australian-hosted endpoints where available. Inputs are not retained for training. We do not send identifying participant data (name, NDIS number, address) to the AI.
5. Your rights
You can access, correct, export or delete your data at any time from the app. Email toby@wittonlane.com for help.
6. Data retention
While your account is active, we keep records you create. NDIS Practice Standards require 7-year retention of participant records - we retain accordingly. If you cancel, we keep your data for 90 days then permanently delete it (unless you ask us to delete sooner).
7. Security
Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Row-level security ensures one user can never see another user's data. We run automated vulnerability scans on every release.
8. Breach notification
If a notifiable data breach occurs, we'll notify affected users and the OAIC within 72 hours, as required by the Notifiable Data Breaches scheme.
9. Contact
Privacy questions or complaints: toby@wittonlane.com. Unhappy with our response? Contact the OAIC: oaic.gov.au.
