Privacy Policy
PurpleCare (ABN 60 201 663 251) · NDIS registered provider · Last updated 24 November 2026 · Version 2.0
PurpleCare is an Australian registered NDIS provider operating a care delivery platform serving participants, support workers and clinicians. This Privacy Policy explains what personal information we collect, how we use it, where it is stored, and your rights under the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth), the NDIS Practice Standards, and the Notifiable Data Breaches scheme.
1. Information we collect
- Identity & contact data: name, preferred name, email, mobile phone, postal address, date of birth.
- NDIS participant data: NDIS participant number, plan dates, funding categories, support goals, plan manager and support coordinator details.
- Health and care data: primary disability, diagnoses, medications, physical and cognitive limitations, communication needs, pressure sore history, current injuries, incident reports, care notes.
- Shift and service records: shift times, GPS clock-in/clock-out, worker assigned, service notes, kilometres travelled, eMAR (medication administration) records.
- Worker & clinician data: qualifications, NDIS Worker Screening clearance, Working With Children Check, ABN, bank details, super fund, tax file number, payroll history.
- Technical data: IP address, device identifiers, browser type, server logs, consent timestamps.
2. Purpose and use
We collect personal information only for purposes related to the delivery of NDIS-funded supports and the lawful operation of our business. Specifically:
- Delivering and coordinating NDIS supports per your plan.
- Communicating about shifts, schedule changes, invoices and account matters (including by SMS — see section 5).
- Billing the NDIA, plan managers, self-managed participants or third-party funders.
- Paying workers and meeting Single Touch Payroll, super and PAYG obligations.
- Meeting regulatory obligations to the NDIS Quality and Safeguards Commission, the ATO and the Office of the Australian Information Commissioner (OAIC).
- Maintaining safety, security, fraud detection and platform improvement.
3. Storage and location
All participant, worker and clinical records are stored in Supabase PostgreSQL hosted in the Australian region (ap-southeast-1, Sydney). Data does not leave Australia for primary storage. Backups are encrypted and held in Australian-region object storage. We use Australian-region compute for the application layer.
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Database backups are taken daily and retained for 30 days.
4. Access controls
- Role-based access: participants, support workers, coordinators, clinicians and admins each see only the records relevant to their role.
- Authentication: all access requires authenticated login. Sensitive admin actions require re-authentication.
- Audit logging: access to participant records, exports, deletions, and consent changes are logged with actor, timestamp and IP address.
- Confidentiality obligations: all workers and clinicians sign a confidentiality agreement and complete a privacy induction before being granted access.
- Principle of least privilege: staff are granted the minimum access required to perform their role.
5. SMS consent
Standard message and data rates from your carrier may apply. Reply HELP for assistance, or contact support@purplecare.com.au. Opting out of SMS will not affect your access to care services but may delay operational notifications.
6. Disclosure
We disclose personal information only where necessary to deliver services — to assigned support workers and clinicians, to plan managers and the NDIA for billing, to SMS and email delivery providers (including Twilio Inc.), to our hosting (Supabase) and payments providers (Xero), and where required by Australian law.
We do not sell personal information. We do not use personal information for direct marketing without separate consent.
7. Retention periods
Per NDIS Practice Standards, ATO record-keeping rules and the Privacy Act 1988, we retain records for the following minimum periods:
| Record type | Minimum retention | Basis |
|---|---|---|
| Participant clinical & service records | 7 years from last service | NDIS Practice Standards |
| Worker employment records (incl. payroll) | 7 years | Fair Work Act / ATO |
| Incident reports | 7 years | NDIS Quality & Safeguards Rules |
| Financial & tax records | 5 years | ATO |
| Consent records | Life of relationship + 7 years | APP 11 |
| Marketing contact records | Until you unsubscribe | Spam Act 2003 |
| Server logs & technical telemetry | 90 days | Operational |
After the minimum retention period expires, records are securely destroyed unless we are required by law to retain them for longer (for example, ongoing legal proceedings).
8. Right to access, correction and deletion
You have the right to:
- Request a copy of the personal information we hold about you.
- Request correction of any information that is inaccurate, out of date, incomplete or misleading.
- Withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Request deletion of your personal information, subject to our retention obligations. Where deletion is not legally permitted (e.g. NDIS or ATO retention requirements still apply), we will restrict access and securely delete the record once the retention period ends.
To exercise any of these rights, email our Privacy Officer at support@purplecare.com.au. We will respond within 30 days. Admin staff can flag your account for deletion immediately; full erasure occurs at the end of the regulatory retention period.
9. Data breach response
PurpleCare maintains a documented Data Breach Response Plan aligned with the OAIC Notifiable Data Breaches scheme:
- Contain: within 24 hours of detection, contain the breach (isolate affected systems, revoke credentials, take systems offline if required).
- Assess: within 72 hours, assess severity, scope, individuals affected and likelihood of serious harm.
- Notify OAIC and affected individuals: where the breach is likely to result in serious harm, we will notify the OAIC within 30 days of becoming aware (the statutory maximum) and notify affected participants as soon as practicable. We aim to notify within 72 hours where feasible.
- Remediate & review: implement a permanent fix, update controls, and conduct a post-incident review.
The full Breach Response Plan is available to staff at /var/www/purplecareos/BREACH_RESPONSE_PLAN.md. Contact the Privacy Officer for a copy.
10. Your rights as a participant
As an NDIS participant, you have additional rights under the NDIS Code of Conduct and the NDIS Quality and Safeguarding Framework:
- To be treated with dignity and respect.
- To know what information is held about you and how it is used.
- To have your information kept confidential.
- To choose who has access to your information (including family, guardians, plan managers).
- To make a complaint without fear of retribution or impact on your supports.
11. Complaints
If you are not satisfied with how we have handled your personal information, contact our Privacy Officer first. If your concern is not resolved, you may lodge a complaint with:
- Office of the Australian Information Commissioner (OAIC) — oaic.gov.au — 1300 363 992
- NDIS Quality and Safeguards Commission — ndiscommission.gov.au — 1800 035 544
12. Contact
Privacy Officer, PurpleCare
Email: support@purplecare.com.au
ABN 60 201 663 251 · Queensland, Australia