Privacy Policy — ProvidHQ

The short version: We only collect what we need to run the service. Your data is stored in Australia. We never sell it. We never share it without your permission unless required by law. You can access, correct or delete your data at any time. We are bound by the Privacy Act 1988 (Cth) and all 13 Australian Privacy Principles (APPs).

1. Who we are and how to contact us

ProvidHQ is operated as a sole trader business registered in Victoria, Australia. We are the data controller for all personal information collected through this website and the ProvidHQ application.

Privacy contact: privacy@providhq.com.au
Response time: Within 5 business days for all privacy-related requests
Regulator: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au

Note: We voluntarily comply with all 13 Australian Privacy Principles regardless of turnover threshold, because we handle sensitive health-adjacent data (NDIS participant records).

2. What personal information we collect

2.1 Account and identity information

When you create an account or contact us, we may collect:

Full name, job title, organisation name
Email address and phone number
Password (stored as a one-way hash — we cannot read it)
ABN (for billing purposes on paid plans)
Billing address

2.2 Service data (data you enter into ProvidHQ)

To deliver the ProvidHQ service, we store data you input, including:

NDIS participant names, NDIS numbers, dates of birth and plan details
Progress notes, session observations and support records
Invoice records and NDIS service line items
Worker screening check records, incident logs and compliance records
Voice recordings (processed immediately for transcription then deleted — not stored)

You remain the data controller for all service data. We act as a data processor on your behalf. You are responsible for ensuring you have the appropriate consent and legal authority to enter participant information into ProvidHQ.

2.3 Technical and usage data

We automatically collect limited technical data when you use our service:

IP address, browser type, operating system and device type
Pages visited, features used and session duration
Error logs and performance data
Cookie identifiers (see Section 8)

3. Why we collect personal information (APP 3, 5)

We collect and use personal information only for these stated purposes:

Providing, operating and improving the ProvidHQ service
Processing payments and managing your subscription
Responding to support requests and enquiries
Sending service-related communications (account alerts, billing, security)
Sending product updates and marketing (only with your consent — opt-out anytime)
Complying with legal obligations
Detecting, investigating and preventing fraud or abuse
Improving our AI-generated outputs (using anonymised, aggregated data only — never individual participant data)

We will not use your personal information for any secondary purpose without notifying you and, where required, obtaining your consent.

4. How AI processes your data

When you generate a progress note, relevant session observations are sent to a third-party AI API provider to generate the note text. The AI does not receive participant NDIS numbers, dates of birth or any sensitive identifying information beyond what you type into the observations field.

Our current AI providers are:

Anthropic (Claude) — US-based. Processes text inputs and returns generated note text. Data is not used to train their models. Retained briefly for safety monitoring per their policy.
Google (Gemini) — US-based. Used for voice transcription and processing. Not retained for training per API terms.

Cross-border disclosure notice (APP 8): Under APP 8 of the Privacy Act 1988, we remain responsible for how overseas recipients handle your data even after transfer. While we use contractual measures with AI providers, you should be aware that AI processing occurs on servers outside Australia. We minimise the personal information sent to these providers and do not send full participant profiles. If you have strict data sovereignty requirements, contact us at hello@providhq.com.au to discuss options.

5. Data storage and security (APP 11)

All ProvidHQ account data, participant records, notes, invoices and compliance records are stored on Australian servers (AWS Sydney region, ap-southeast-2). We take the following security measures:

HTTPS/TLS encryption for all data in transit
Encryption at rest for all database records
Bcrypt password hashing (one-way — we cannot recover your password)
Role-based access controls — staff can only access data needed for their role
Regular dependency updates and security patching
Supabase (our database provider) holds SOC 2 Type II certification

No system is 100% secure. In the event of a data breach likely to cause serious harm, we will notify affected users and the OAIC as required under the Notifiable Data Breaches (NDB) scheme under the Privacy Act. We will notify you within 30 days of becoming aware of an eligible breach, or sooner where practicable.

6. Who we share your information with (APP 6)

We do not sell your personal information. We share it only with:

AI providers (Anthropic, Google) — for generating notes and voice transcription, as described in Section 4
Stripe — US-based payment processor. Handles billing securely. We never see or store your full card details.
Supabase — our database and authentication provider. Australian-region servers. Processes data on our behalf under a data processing agreement.
Resend or SendGrid — for transactional emails (account confirmation, billing receipts). Receives your email address only.
Law enforcement or regulatory bodies — only where legally required, and only the minimum information necessary
You — you may export all your data at any time

We do not share your data with advertisers, data brokers, analytics platforms or any party not listed above.

7. Your rights (APP 12, 13)

Under the Privacy Act 1988 and Australian Privacy Principles, you have the right to:

Access — request a copy of all personal information we hold about you
Correction — request correction of inaccurate or out-of-date information
Deletion — request deletion of your account and all associated data
Portability — export all your data in a machine-readable format (CSV/JSON)
Opt-out of marketing — unsubscribe from marketing emails at any time via the unsubscribe link or by emailing us
Withdraw consent — where we rely on your consent to process data, you may withdraw it at any time
Complain — lodge a complaint with the OAIC at oaic.gov.au if you believe we have mishandled your data

To exercise any of these rights, email privacy@providhq.com.au. We will respond within 5 business days and action your request within 30 days.

8. Cookies and tracking technologies (APP 1, 5)

We use cookies and similar technologies on our website and application. While Australian law does not explicitly mandate cookie banners, under the Australian Privacy Principles we must inform individuals about how their data is collected and used — including via cookies and tracking technologies.

Cookies we use

Strictly necessary: Session authentication, login state, security tokens. Cannot be disabled without breaking the service.
Functional: User preferences (language, settings). Help the service work as you expect.
Analytics (anonymous): We use privacy-respecting analytics to understand how the service is used. No individual is identified. No data is sold or shared with advertisers.

We do not use advertising cookies, cross-site tracking pixels, social media tracking or any third-party marketing cookies.

You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent you from using the service. See our Cookie Policy for full details.

9. Automated decision-making (APP 1 — effective December 2026)

ProvidHQ uses AI to generate progress notes, invoices and compliance suggestions. These are assistive outputs only — no automated system makes decisions that legally or significantly affect you or your participants without human review.

You always review, edit and approve AI-generated content before it is used. The AI is a writing assistant, not a decision-maker.

From 10 December 2026, the Privacy and Other Legislation Amendment Act 2024 introduces new transparency requirements for automated decision-making in privacy policies. We will update this section before that date to ensure full compliance.

10. Direct marketing and the Spam Act 2003 (APP 7)

We will only send you marketing communications if you have expressly consented (e.g. by signing up to our waitlist or opting in during registration). Every marketing email includes an unsubscribe link. We will action unsubscribe requests within 5 business days.

We comply with the Spam Act 2003 (Cth), which requires that all commercial electronic messages sent from Australia must have your consent, identify the sender and include an unsubscribe mechanism.

11. Children's privacy

ProvidHQ is not directed at children under 16. We do not knowingly collect personal information from children. NDIS participants whose information is entered into ProvidHQ by providers may include children — in these cases, the provider (our customer) is responsible for ensuring they have appropriate consent and authority from parents or guardians to enter that information.

A Children's Online Privacy Code framework was introduced by the Privacy and Other Legislation Amendment Act 2024. When the Code is finalised by the OAIC, we will update our practices to comply. We will publish any updates to this policy on this page.

12. Data retention and deletion (APP 11)

We retain personal information for as long as necessary to provide the service and comply with legal obligations:

Active accounts: Data retained for the duration of your subscription
After account deletion: Personal data deleted within 30 days, except where retention is required by law (e.g. financial records under the Tax Administration Act — 5 years)
Backups: May retain data in encrypted backups for up to 90 days after deletion, after which it is permanently purged
AI provider logs: Not retained beyond the provider's standard deletion policy (typically 30 days)

13. Cross-border disclosure (APP 8)

Some of our service providers are located outside Australia, including the United States. Under APP 8, before disclosing personal information to overseas recipients, we take reasonable steps to ensure they handle it in a manner consistent with the Australian Privacy Principles.

Countries to which we may disclose personal information: United States of America (Anthropic, Google, Stripe).

Measures we rely on include contractual data processing agreements, provider privacy commitments and our practice of minimising the personal information sent to overseas providers.

14. Notifiable Data Breaches scheme

We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. If we experience a data breach that is likely to result in serious harm to any individual, we will:

Notify the OAIC as soon as practicable
Notify all affected individuals directly
Publish a statement on our website where appropriate
Take immediate steps to contain and remediate the breach

15. Changes to this policy

We may update this policy as our service evolves or as Australian privacy law changes. We will notify you of material changes by email at least 14 days before they take effect. The updated policy will be published on this page with a new "Last updated" date.

Continued use of ProvidHQ after changes take effect constitutes acceptance of the updated policy.

16. Complaints

If you believe we have mishandled your personal information, please contact us first at privacy@providhq.com.au. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Website: oaic.gov.au
Phone: 1300 363 992
Mail: GPO Box 5218, Sydney NSW 2001

From 10 June 2025, individuals also have the right to bring a statutory tort action for serious invasions of privacy under the Privacy and Other Legislation Amendment Act 2024.