Last updated: 13 June 2026 · Version: 2.0 Entity: NOTION TECH PTY LTD (ACN 698 318 124), ABN [to be added once issued], operating the AuditCore platform ("AuditCore", "we", "us", "our"). Registered office: [registered office address], New South Wales, Australia. Privacy contact: info@auditcore.com.au

AuditCore is a software platform that helps NDIS registered providers manage compliance, documents, incidents, risk, feedback and quality records. Because our platform handles health and other sensitive information about people with disability, we hold ourselves to the highest standard under Australian law.

This Policy explains how we handle personal information under the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs).

💡 We are an APP entity. Because we provide a health service and hold health information within the meaning of the Privacy Act (sections 6, 6FA and 6FB), we are an "organisation" bound by the Australian Privacy Principles regardless of our annual turnover. We do not rely on the small-business exemption.

1. Who this Policy covers

  • **Customers** — NDIS providers (and their staff) who hold an AuditCore account.
  • **Participants / clients** — people with disability whose records our Customers store in AuditCore.
  • **Website visitors** and enquirers.

For Participant and worker information a Customer uploads, the Customer is the organisation primarily responsible for that information and its lawful basis; AuditCore handles it on the Customer's behalf and under our Data Processing Addendum. AuditCore also has its own APP obligations as a holder of health information.

2. We are a software provider, not a healthcare provider

AuditCore is a software tool. We do not provide health, clinical, medical or disability-support services, and we do not owe a clinical duty of care to any Participant. Clinical decisions, care, and NDIS obligations remain solely with the Customer (the NDIS provider). Documents and analysis produced through AuditCore are drafting aids that the Customer must review and approve.

3. Kinds of personal information we collect (APP 1.3, 3, 5)

a) Customer account information: name, business name, ACN/ABN, email, phone, role, login credentials (passwords are hashed), billing contact.

b) Participant / client information (entered by Customers): name, NDIS number, date of birth, gender, contact details, cultural background, disability/impairment, medical conditions, medications, goals, support needs, behaviour support plans, restrictive practices, and clinical risk flags (e.g. dysphagia, epilepsy, diabetes, mental health). This is "sensitive information" and "health information".

c) Worker information (entered by Customers): name, role, NDIS Worker Screening Check, WWCC, police check, training and document records.

d) Operational records: incidents, feedback/complaints, risk register, continuous-improvement, meeting and audit records.

e) Technical data: IP address, device/browser, log and usage data, and cookies (see our Cookie Policy).

4. How we hold personal information

Personal information is stored in an encrypted, access-controlled database hosted onshore in Sydney, Australia. Designated sensitive fields are encrypted at rest; all data is encrypted in transit. See our Security page for detail.

5. How we collect it

Directly from you (registration, forms, uploads), automatically (usage/logs/cookies), and from Customers who upload records about their Participants and workers. Where we collect sensitive information, we do so only with consent (or another basis permitted by APP 3) and where reasonably necessary for the compliance functions we provide.

6. Why we use it (APP 6)

  • To provide, operate, secure and support the platform.
  • To generate compliance documents and AI-assisted analysis (§8 and our AI Transparency Statement).
  • To process billing and manage accounts.
  • To send transactional/service communications.
  • To meet legal, regulatory and NDIS-related obligations.
  • To improve and troubleshoot the service.

We do not sell personal information, and we do not use Participant health information for marketing.

7. Disclosure, sub-processors and overseas recipients (APP 6, 8)

Your primary data is stored onshore in Australia (Sydney). Some sub-processors that support specific features are located overseas (including the United States). We take reasonable steps to ensure overseas recipients handle information consistently with the APPs, and under APP 8 we remain accountable for it. By using AuditCore you consent to this cross-border disclosure where relevant.

| Sub-processor | Purpose | Location | |---|---|---| | Anthropic, PBC (Claude AI) | AI document generation & analysis | United States | | Stripe | Payment processing | United States / global | | Resend / email provider | Transactional email | United States | | Google LLC (Drive API, optional) | Optional policy-document analysis | United States / global | | Managed PostgreSQL host | Primary data hosting | Sydney, Australia (onshore) |

We otherwise disclose personal information only: to a Customer's own authorised users; where required or authorised by law, a court, or a regulator (including the OAIC and the NDIS Quality and Safeguards Commission); to professional advisers under confidentiality; in a business sale under confidentiality; or with your consent.

💡 Note on AI: When AI features are used, relevant record text (which may include health information) is transmitted to our AI sub-processor to generate output. That sub-processor is contractually bound not to train its models on this data. See our AI Transparency Statement.

8. AI and automated processing

AuditCore uses AI to draft documents, summarise records and suggest content. AI output is a draft aid, not a decision. A person reviews and approves it. We do not make legally or similarly significant automated decisions about individuals without human involvement.

9. NDIS regulatory context

Our Customers are NDIS providers subject to the National Disability Insurance Scheme Act 2013 (Cth), the NDIS Practice Standards, the NDIS Code of Conduct, and the NDIS (Incident Management and Reportable Incidents) Rules 2018, including obligations around restrictive practices and reportable incidents. AuditCore is designed to support Customers' compliance with these obligations, but the Customer remains responsible for meeting them. We will cooperate reasonably with the NDIS Commission and OAIC as required by law.

10. Retention, record-keeping and destruction (APP 11)

We keep personal information only as long as needed for the purposes above or as required by law. We recognise that NDIS providers are generally required to retain certain records for 7 years, and our platform is designed to support that retention while a Customer's account is active. On account closure, we will delete or de-identify personal information within 90 days, except where longer retention is required by law (including NDIS record-keeping) or for the establishment/defence of legal claims. Customers control their Participant/worker records and may delete them at any time, and may export their data first (§11).

11. Access, correction, and your data (APP 12, 13)

You may request access to, or correction of, your personal information by contacting us at info@auditcore.com.au. We will respond within 30 days. For Participant records, direct requests to the relevant Customer (the responsible provider); we will assist them.

Data ownership & portability: As between AuditCore and the Customer, the Customer owns its data. Customers can export their complete data at any time from Account Settings as a machine-readable JSON file (with human-readable content), and individual registers as Excel/CSV and Word/PDF where those export features are provided. This supports data portability and continuity of care when a Customer stops using AuditCore.

12. Data breaches — Notifiable Data Breaches (NDB) scheme

We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. If we become aware of a data breach, we will assess it promptly. Where a breach is likely to result in serious harm and cannot be adequately remediated (an *eligible data breach*), we will notify the OAIC and affected individuals as soon as practicable, and notify affected Customers so they can meet their own obligations (including any NDIS Commission reporting). We maintain a documented Data Breach Response Plan.

13. Complaints (APP 1.4)

If you believe we have breached the APPs, contact us at info@auditcore.com.au. We will acknowledge within 5 business days and aim to resolve within 30 days. If you are not satisfied, you may complain to the Office of the Australian Information Commissioner (OAIC) — oaic.gov.au — 1300 363 992.

14. Cookies

See our separate Cookie Policy for the cookies we use, their purpose and duration, and how to manage them.

15. Children's information

Some Participants may be under 18. We handle their information with additional care and only as needed for the compliance service, consistent with the Privacy Act.

16. Changes to this Policy

We may update this Policy. Material changes will be notified via the platform or email. The "Last updated" date shows the current version.

17. Contact

Privacy — NOTION TECH PTY LTD (operating AuditCore): info@auditcore.com.au · [registered office address], NSW, Australia.

Ready to stay audit-ready?

Join Australian NDIS providers using AuditCore to manage compliance and pass every audit.

Book a Free Demo