Privacy policy

Version 2026-06-04. Effective 4 June 2026.

Practice Binder Pty Ltd (ACN 698 705 387) ("Practice Binder", "we", "us", "our") provides a compliance record-keeping tool for NDIS providers. This policy explains how we handle personal information and how we comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using the Practice Binder website or application (the "Service") you agree to the handling of your information as described here.

1. Beta notice (read this first)

The Service is in early beta. During the beta period you must only enter synthetic or de-identified (pseudonymised) data. Do not enter real names, contact details, NDIS participant numbers, health information, or any other information that identifies a real person, whether that person is you, a participant, a worker, or a third party.

This restriction exists because the beta is not yet certified to the standard required to store real personal or sensitive information. If you enter real personal information during the beta, you do so against these terms and at your own risk.

2. Who we are and how to contact us

Entity: Practice Binder Pty Ltd
ACN: 698 705 387
Registered office: 56 Epsom Rd, Kensington VIC 3031
Privacy contact: hello@practicebinder.com.au

3. What information we collect

We collect only what we need to run the Service.

  • Account information: your name, email address, a hashed password, and the name of your practice or organisation.
  • Content you enter: the records, register entries, and notes you create. File uploads are disabled during the beta. This content must be synthetic or de-identified data only (see section 1).
  • Technical and usage data: IP address, browser type and user agent, device and log data, and timestamps of activity. We use this to operate the Service, keep it secure, and diagnose problems.
  • Cookies and session data: we use a session cookie to keep you logged in. We do not use third-party advertising or tracking cookies.

4. Sensitive information

Information about a person's health or disability is "sensitive information" under the Privacy Act and attracts a higher level of protection. NDIS behaviour-support records can contain sensitive information.

During the beta you must not enter real sensitive information. Before the Service is opened to real participant data (post-beta), this policy will be updated to describe how we collect sensitive information with consent and how we protect it.

5. How we use your information

We use personal information to:

  • provide, maintain, and secure the Service;
  • authenticate you and manage your account;
  • respond to your support requests;
  • improve the Service in aggregate, using de-identified data where practical; and
  • comply with our legal obligations.

We do not sell personal information, and we do not use your content to train third-party AI models.

6. Who we share it with (our service providers)

We use the following providers to run the Service. Each one processes data only to provide its service to us, under its own terms and data protection commitments.

Provider | Purpose | Storage / region | Country of incorporation
Vercel Inc. | Application hosting | Sydney (syd1) | United States
Neon Inc. | Postgres database | Sydney (ap-southeast-2) | United States
Stripe Payments Australia Pty Ltd | Payment processing (when paid plans are enabled) | Australia / United States | Australia / United States

We do not use any third-party analytics, monitoring, or error-tracking processors. If that changes, we will update this table before the new provider handles any personal information.

7. Overseas disclosure (APP 8)

We pin data storage to Australian regions (Sydney) wherever the provider allows it, so your data is stored onshore. However, several of our providers are incorporated overseas, primarily in the United States, and their staff or systems may access data from overseas for support, maintenance, backups, or security purposes.

Before disclosing personal information to an overseas provider we take reasonable steps to ensure the provider handles it consistently with the APPs, principally through the data protection terms in our agreements with them. By using the Service you acknowledge that some processing may involve overseas access on this basis.

8. How we protect your information

  • Data is encrypted in transit using TLS.
  • Passwords are stored only as salted hashes (bcrypt), never in plain text.
  • Access to production data is limited to the people who need it to run the Service.
  • Data is stored in Australian regions as described above.

We do not currently hold formal security certifications such as IRAP or ISO 27001. A security maturity roadmap is planned before the Service stores real participant data.

9. Retention and deletion

We keep personal information for as long as your account is active or as needed to provide the Service. You can ask us to delete or return your data by emailing hello@practicebinder.com.au. We may retain limited records where the law requires it. Beta data may be purged at the end of the beta period.

10. Accessing and correcting your information (APP 12 and APP 13)

You can ask us for a copy of the personal information we hold about you, and ask us to correct it if it is wrong. Email hello@practicebinder.com.au. We will respond within a reasonable time and will not charge you for an access request unless the law allows it.

11. State and territory health privacy laws

The federal Privacy Act is not the only law that may apply. Some states and territories have their own health privacy laws that may bind you as a provider.

New South Wales: the Health Records and Information Privacy Act 2002 (NSW) (the HRIP Act) and its Health Privacy Principles apply to the handling of health information in NSW, in addition to the federal Privacy Act. The Privacy and Personal Information Protection Act 1998 (NSW) (the PPIP Act) may also apply to some organisations.

Victoria: Practice Binder Pty Ltd is based in Victoria. The Health Records Act 2001 (Vic) and its Health Privacy Principles apply to the handling of health information in Victoria, in addition to the federal Privacy Act, and apply to us as a Victorian organisation. We handle health information consistently with that Act.

Australian Capital Territory: the Health Records (Privacy and Access) Act 1997 (ACT) and its Privacy Principles apply to the handling of health information in the ACT, in addition to the federal Privacy Act.

Queensland, Western Australia, South Australia, Tasmania, and the Northern Territory: these jurisdictions do not have separate health privacy laws that bind private-sector providers. Where they have privacy legislation (for example the Information Privacy Act 2009 (Qld), the Personal Information Protection Act 2004 (Tas), or the Information Act 2002 (NT)), it applies to that jurisdiction's public sector rather than to private practices. If you operate in one of these states or territories as a private provider, the federal Privacy Act and the Australian Privacy Principles are the main privacy laws that apply to your handling of health information.

You remain responsible for your own compliance with the privacy laws that apply to your practice, including any state or territory health privacy laws. Practice Binder acts as a tool that processes data on your instructions.

12. Complaints and the data breach scheme

If you think we have mishandled your personal information, contact us first at hello@practicebinder.com.au. If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

We comply with the Notifiable Data Breaches scheme. If a data breach is likely to cause serious harm, we will notify affected individuals and the OAIC as required.

13. Changes to this policy

We may update this policy. The version number and date at the top of this page will change when we do. For paid or beta accounts we will record the policy version you accepted at signup.