
Privacy Policy

How we collect, use and protect your information.

Last updated 17 May 2026

In plain English

The short version.

  • Your data stays in Australia. Our database lives in Supabase's Sydney (ap-southeast-2) region.
  • We process sensitive information (health, disability) on behalf of your NDIS provider organisation. They hold the lawful consent with their participants and workers.
  • We never use participant data for marketing, analytics, or AI training.
  • We use US-headquartered vendors but pick Australian regions where possible: Supabase database + files (Sydney), Resend email (Tokyo), Stripe payments (global routing), Vercel app hosting (global edge). Sentry collects scrubbed error reports. PostHog product analytics, Google Tag Manager and Meta Pixel only load on marketing pages and only when you grant the matching consent - never inside the app and never with participant or worker data.
  • We notify you and the OAIC of any eligible data breach within 30 days of assessment, in line with the Notifiable Data Breaches scheme.
  • You have rights under the Australian Privacy Principles to access, correct, and complain about your information.
  • The Privacy Act's small-business exemption does not apply to us because we handle health information. The full Act applies regardless of our size.
  • State health-records laws (NSW HRIPA, VIC HRA, ACT HRPA) apply alongside the federal Privacy Act where workers or participants are located in those states.
  • Our compliance scores are advisory, not automated decisions. Humans in your organisation make every decision affecting a worker or participant.
  • We're not a law firm. If something looks wrong, contact us and we'll fix it.

1. Kinds of information we collect

Checkbase collects personal information as defined in the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This includes information about your account-holders (admin users), and - through them and on their direction - information about workers and participants of NDIS providers using the platform.

Specifically: name, email, phone, role, employment dates and uploaded compliance documents for workers; and name, NDIS number, date of birth, contact details, service type and uploaded participant files for participants. Some of this is sensitive information within the meaning of the Privacy Act - particularly health and disability information - and we treat it accordingly under APP 3.

2. How we collect and hold it

We collect personal information directly from your authorised users when they create an account, invite team members, add workers or participants, or upload documents. We collect technical information (IP address, browser, request timestamps) automatically when you use our service for security and audit-logging purposes.

All application data is held in encrypted form in our database, hosted by Supabase in the Sydney (ap-southeast-2) region. We apply application-level Row Level Security so each provider organisation can only see its own records. Files uploaded as evidence are stored in the same Australian region.

3. Purposes - why we collect it

We collect personal information for the primary purpose of providing the Checkbase service: tracking compliance documents, supporting audit readiness, sending account and service emails, processing your subscription, and providing customer support. We also use anonymised technical logs to maintain and improve the security and reliability of the platform.

In line with APP 6, we do not use sensitive information (such as participant health or disability information) for any secondary purpose unless it is directly related to the primary purpose. We do not use participant data for marketing, third-party analytics, profile-building, or to train AI models - ours or anyone else's.

4. How we use and disclose it

We use personal information to operate the service for your provider organisation. We disclose information internally to Checkbase staff who need it to support you, and to the subprocessors listed below to the extent required for them to provide infrastructure or services to us.

We do not sell personal information. We do not share participant or worker information with marketers, data brokers, or any third party outside the listed subprocessors. Where we are required to disclose information to comply with Australian law (for example, a lawful court order), we will do so only to the extent required.

5. Overseas disclosure (APP 8)

Some of our subprocessors are incorporated overseas. Under APP 8, we are required to identify them. Routine database content stays in Sydney; however, the controlling US entity (Supabase Inc.) may access data from the United States to provide support, and email and payment data is processed by other overseas providers.

| Name | Role | Country | Data region | Scope of access |
|---|---|---|---|---|
| Supabase Inc. | Database + authentication | United States | Sydney, AU (ap-southeast-2) | All application data |
| Resend Inc. | Transactional + marketing email | United States | Tokyo, JP (ap-northeast-1) | Email content + recipient metadata |
| Stripe Inc. | Payment processing | United States | Global routing | Payment details (no participant data) |
| Vercel Inc. | Application hosting | United States | Global edge network | Application runtime (no persistent customer data) |
| PostHog Inc. | Product analytics (consent-gated) | United States | United States (us.i.posthog.com) | Page views, feature usage, account-holder email + ID. No participant or worker data. Only loads when analytics consent is granted. |
| Functional Software, Inc. (Sentry) | Error monitoring | United States | United States | Error stack traces from our application. Personal information is scrubbed before transmission (emails, phone numbers, NDIS numbers, API keys, request bodies). |
| Google LLC (Tag Manager / GA4) | Marketing analytics (consent-gated) | United States | United States | IP-truncated visit data on marketing pages only. Never loaded inside the authenticated app. Only loads when marketing consent is granted. |
| Meta Platforms, Inc. (Meta Pixel) | Advertising measurement (consent-gated) | United States | United States | Visit events on marketing pages only. Never loaded inside the authenticated app. Only loads when marketing consent is granted. |

Before sending personal information overseas, we take reasonable steps to ensure each recipient handles it consistently with the Australian Privacy Principles, including via contractual data-processing terms.

6. Retention

We hold personal information for as long as your provider organisation maintains an active subscription, plus a 30-day window after termination during which you can export your data. After that window, we delete or de-identify customer records in accordance with our retention schedule, except where law requires longer retention (for example, financial records under tax law).

7. Security and data breaches

We protect personal information with encryption at rest and in transit (TLS 1.2+), application-level Row Level Security, least-privilege staff access, and full audit logging on document views and downloads.

We have committed to the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act, sections 26WK onwards). If we become aware of a data breach that is likely to result in serious harm to affected individuals, we will assess it within 30 days, and where it is an eligible data breach, promptly notify the affected individuals and the Office of the Australian Information Commissioner (OAIC).

8. Your rights

Under APP 12 you have the right to access the personal information we hold about you. Under APP 13 you have the right to ask us to correct it if it's inaccurate, out of date, incomplete, irrelevant or misleading. We will respond within a reasonable period - usually within 30 days.

If you have a complaint about how we've handled your information, please email us first. If we can't resolve it to your satisfaction, you can escalate to the Office of the Australian Information Commissioner at oaic.gov.au.

9. State health-records laws (HRIPA & equivalents)

Where workers or participants are located in NSW, Victoria, or the ACT, state health-records legislation may apply alongside the federal Privacy Act:

  • NSW - Health Records and Information Privacy Act 2002 (HRIPA), enforced by the NSW Information and Privacy Commission. Most obligations are congruent with the APPs; HPP 11 (transborder disclosure) has stricter wording than APP 8.
  • Victoria - Health Records Act 2001.
  • ACT - Health Records (Privacy and Access) Act 1997.

We treat all health information consistently across jurisdictions to the higher of the applicable standards. We do not currently hold provider-licensed integrations with My Health Record.

10. Automated decisions

Checkbase generates compliance scores, expiry classifications, and SIL audit-readiness signals based on document metadata your organisation provides. These outputs are advisory - they surface what we believe needs attention, but every decision affecting a worker, participant, or organisation is made by a human in your organisation, not by Checkbase.

From 10 December 2026, the Privacy Act 1988 will require entities to disclose where automated decisions are made about individuals. We have prepared this section ahead of that date so the position is clear: our scoring is decision-support, not decision-making. If we ever change that, this section will be updated and account-holders notified by email at least 30 days in advance.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to account-holders at least 30 days before they take effect. The version date at the top of this page always reflects the latest revision.

12. Privacy Officer & contact

Our nominated Privacy Officer for the purposes of APP 1.4 receives correspondence at - including access requests under APP 12, correction requests under APP 13, and any privacy complaint.

Postal: Checkbase Pty Ltd, address available on request via the contact form.

Checkbase Pty Ltd (ABN 23 697 668 330, ACN 697 668 330). This Privacy Policy is governed by Australian law and the laws of New South Wales. If you have a complaint we can't resolve, you may escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

This policy is our good-faith attempt to be plain and correct under Australian law. Checkbase is not a law firm. If you spot something we should fix, .