CareHub Privacy Policy
Last updated: [TODO: date — fill on publication]
DRAFT — NOT YET PUBLISHED. This document is a working draft. It is not the live privacy policy of CareHub. The terms below become effective only when this banner is removed and the publication date above is replaced with a real date.
Nardos Israel Zewde, an Australian sole trader, trading as Nardos' Studio (ABN 11 994 735 678) ("CareHub," "we," "us," or "our") is committed to protecting the privacy of everyone who uses the CareHub app and website (together, the "CareHub Platform"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the choices you have.
We handle personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and — for health information collected in NSW — the Health Records and Information Privacy Act 2002 (NSW) and its Health Privacy Principles (HPPs).
1. Who this policy applies to
This policy applies to all users of the CareHub Platform, including care providers, support workers, administrators, clients (also referred to as participants), and their authorised family members or representatives.
2. The information we collect
Depending on your role and how you use the CareHub Platform, we may collect the following categories of information.
Account information: name, email address, phone number, password (stored hashed), role (staff, admin, client, family), and organisation.
Profile information: profile photo, date of birth, address, emergency contacts, and other details you choose to add.
Client and care information: care plans, progress notes, schedules, shift records, incident reports, and other records created in the course of providing care. Some of this is sensitive information, including health information.
Documents you upload: documents you or your organisation upload to the platform, including service agreements, NDIS plans, identification documents (for compliance), clinical reports, and supporting evidence for incident reports.
Photos and media: photos taken in-app or uploaded from your device's photo library, used as profile photos, evidence attached to shift records or incident reports, or as supporting documentation. We access your device camera and photo library only with your permission.
Voice and audio: short audio notes you record in the app, where you have used that feature. We access your device microphone only with your permission.
Contact information: emergency contacts you add to a profile and, where you have granted permission, entries selected from your device's contacts.
Location information: your device's approximate or precise location, used only for shift check-in or service delivery, and only while you have granted permission. We do not collect location in the background unless explicitly required for a shift you have started and you have granted background-location permission.
SMS and communications: SMS messages we send to you (for shift reminders, verification codes, or operational notifications, delivered via Twilio), in-app messages, support requests, and feedback. You can opt out of non-essential SMS at any time.
Usage information: how you use the app, including pages viewed, features used, device type, operating system, app version, and crash reports. This includes device identifiers that are used solely within the app and by our service providers — we do not track you across other apps or websites.
3. How we collect information
We collect information in the following ways.
- Directly from you when you register, set up your profile, or use the app.
- From your employer or care organisation if they invite you to join CareHub.
- Automatically through your use of the app, including usage analytics, crash reports, and device data.
- From third parties where you have authorised this — for example, payment processors or single sign-on providers.
4. How we use your information
We use your information to:
- Provide and operate the CareHub Platform.
- Create and manage user accounts.
- Enable care providers to schedule, deliver, and record care.
- Communicate with you about your account, updates, or support requests.
- Send operational SMS such as verification codes and shift reminders.
- Run automated extraction and summarisation over documents and communications to populate participant records (see Section 6, "Use of AI").
- Improve the app through usage analytics and crash reporting.
- Comply with our legal obligations, including record-keeping requirements under the Privacy Act, the National Disability Insurance Scheme Act 2013 (Cth), and other applicable laws.
- Detect and prevent fraud or misuse of the platform.
5. Sensitive and health information
Some information held in CareHub is health information or other sensitive information. We only collect this where it is reasonably necessary for providing care services and with appropriate consent. Access is restricted to authorised users within your care organisation based on their role.
We do not sell health information. We do not use health information for advertising, marketing personalisation, or any purpose unrelated to providing the platform and complying with our legal obligations. We do not share health information with advertising networks or data brokers.
6. Use of AI (automated processing)
We use third-party AI services to extract structured information from documents and to support certain platform features. Specifically:
- Google LLC (Gemini API) processes uploaded documents such as CVs, NDIS plans, and invoices to extract structured fields, including dates, plan numbers, line items, and named entities.
- Anthropic, PBC (Claude API) processes documents, emails, and shift notes to generate participant "knowledge facts" — atomic, attributed statements that populate the client summary view — and powers in-app chat features where available.
We have selected API tiers and configurations intended to exclude customer data from model training. We review this annually.
You may request that we attempt to exclude your records from AI-based processing where reasonably practicable. Contact privacy@carehq.au.
AI-derived summaries are intended as a starting point for human review. They are not clinical, medical, legal, or financial advice and should not be relied on without verification.
7. Who we share information with
We do not sell your personal information. We share information only in the following situations.
- Within your care organisation: information you enter is visible to authorised users in your organisation according to their role and permissions.
- Service providers (subprocessors): we use the following trusted third-party providers to operate CareHub. Each accesses information only as needed to perform its service and is bound by data-handling obligations.
  - Supabase Inc. (database, authentication, file storage) — data stored in Singapore (AWS region ap-southeast-1).
  - Vercel Inc. (web hosting and serverless compute) — primary execution in Sydney, Australia (region syd1); some static assets served from Vercel's global edge network.
  - Twilio Inc. (SMS delivery) — United States.
  - Google LLC (Gemini API for document extraction) — United States.
  - Anthropic, PBC (Claude API for AI extraction and in-app chat) — United States.
  - OpenStreetMap Foundation (Nominatim address lookup) — European Union. We do not send personal identifying information to Nominatim; only address query strings.
- Where required by law: we may disclose information when required by Australian law, court order, or a lawful request from a government agency, including notifications to the NDIS Quality and Safeguards Commission where applicable.
- With your consent: where you have specifically authorised us to share information.
8. Where your information is stored and overseas disclosure
The CareHub Platform is hosted in Australia (Vercel syd1, Sydney) and stores customer data in Singapore (Supabase, AWS ap-southeast-1). Some of our service providers — including Twilio, Google, and Anthropic — process limited data in the United States. OpenStreetMap Nominatim processes address queries in the European Union.
Where information is disclosed to overseas recipients, we take reasonable steps under Australian Privacy Principle 8 to ensure the recipient handles your information in accordance with the APPs, including by entering into contractual data-handling commitments.
9. How we protect your information
We take reasonable steps to protect your information from loss, misuse, unauthorised access, modification, or disclosure. These measures include:
- Encryption of data in transit (TLS); encryption at rest on supported infrastructure.
- Role-based access controls so users only see what they need to.
- Secure password requirements and the option to use SSO.
- Regular security reviews and monitoring.
- Confidentiality obligations on all staff and contractors.
No system is completely secure. If you believe your account or information has been compromised, please contact us immediately at support@carehq.au.
10. Data breaches
If a data breach occurs that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth).
11. How long we keep information
We keep personal information only for as long as it is needed for the purposes set out in this policy, or as required by law.
For NDIS participants and the records of their care, our minimum retention period reflects the National Disability Insurance Scheme Act 2013 (Cth) and the NDIS Practice Standards: records are kept for at least seven (7) years from the date of last service. For participants who are minors, records are kept until the participant reaches the age of majority plus seven years.
When information is no longer needed, we securely delete or de-identify it.
12. Your rights
You have the right to:
- Access the personal information we hold about you.
- Request that we correct information that is inaccurate or out of date.
- Withdraw consent for optional uses of your information, such as marketing communications. For sensitive or health information, we will not use your information for direct marketing without your separate, explicit consent (Australian Privacy Principle 7.4).
- Request that your account and associated data be deleted (see Section 13).
- Request that your records not be processed by our AI services (see Section 6).
- Make a complaint about how we handle your information.
NDIS participants have additional rights under the NDIS Practice Standards, including the right to choose who within your care organisation can access your information.
To make a request, email us at privacy@carehq.au. We may need to verify your identity before responding. We will acknowledge your request within 7 days and aim to substantively respond within 30 days.
If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner at www.oaic.gov.au.
13. Account and data deletion
You may request deletion of your account and associated personal information at any time by emailing privacy@carehq.au. We will:
- Acknowledge your request within 7 days.
- Complete deletion within 30 days, subject to any legal record-keeping obligations.
Records we are legally required to retain — for example, NDIS participant care records subject to Section 11's retention period, or financial records required by Australian tax law — will be retained for the minimum period required and then deleted. We will tell you which categories of information were retained and why.
An in-app account-deletion control is on our product roadmap. Until it is available, deletion is requested by email as described above.
14. Cookies
The CareHub website and app use minimal cookies necessary for authentication and platform functionality. We do not use third-party advertising cookies or cross-site tracking.
15. Children
CareHub is intended for use by care providers and the people they support. Where a client is a minor, their information is managed by their authorised representative or care organisation. The CareHub Platform is not directed at children under 13 as account holders, and we do not knowingly collect personal information directly from children under 13 without parental or guardian consent.
16. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify users through the app or by email before the changes take effect. The "Last updated" date at the top of this policy shows when it was last changed.
17. Contact us
If you have questions about this policy or how we handle your information, please contact:
Nardos Israel Zewde t/a Nardos' Studio
ABN 11 994 735 678
7 Dempster Cres, Regents Park NSW 2143
Privacy enquiries: privacy@carehq.au
Support: support@carehq.au