Legal

Privacy Policy

Launch preview · Last updated 29 June 2026
This Policy explains how CiaraLink handles personal information, including the sensitive health information involved in care. It’s written to reflect the Australian Privacy Principles. It’s the launch-preview version and has not been reviewed by a lawyer — professional review is recommended before production use.

Contents

  1. Who this applies to
  2. What we collect
  3. Health & sensitive information
  4. How we use it
  5. Who can see it
  6. Storage & security
  7. Service providers
  8. Your rights
  9. Keeping & deleting data
  10. Cookies & local storage
  11. Changes to this Policy
  12. Contact & complaints

01 Who this applies to

This Policy covers personal information CiaraLink handles when you use the platform — whether you’re a provider, support coordinator, allied-health professional, support worker, participant, guardian or nominee.

Platform vs provider. CiaraLink operates the software platform (hosting, security, billing, product support). We are not an NDIS registered provider and do not deliver care. Where an organisation uses CiaraLink to manage its own records, that organisation is typically responsible for the care information it enters and how it meets its own regulatory and privacy obligations; we act as the software provider that stores and processes that information on their behalf, as described in our Terms of Service.

02 What we collect

  • Account details — name, email, role and organisation;
  • Care records you enter — participants, care teams, notes, shifts, documents, consent records, invoices and related details;
  • Usage information — basic technical data needed to run and secure the platform (for example, log and device information).

We collect information directly from you and from the people in your organisation who use CiaraLink.

03 Health & sensitive information

Care data is sensitive. CiaraLink is built to hold health and disability information. We only handle it to provide the platform to you and your care team, with access governed by recorded consent and role-based permissions. You’re responsible for having the appropriate consent to record and share a person’s information in CiaraLink.

04 How we use it

We use personal information to:

  • Provide, maintain and secure the platform;
  • Let the right people in a care team see the right records;
  • Support your account, billing and customer requests;
  • Improve reliability and fix problems.

We don’t sell your personal information, and we don’t use care data for advertising.

05 Who can see it

Access inside CiaraLink is controlled by row-level security and consent — users only load the records they’re permitted to see. We share information outside your care team only where it’s needed to run the service (see “Service providers”), where you ask us to, or where the law requires it.

06 Storage & security

Care data is stored in our managed database (Supabase — Postgres, Auth and file storage) with access controls, encryption in transit, and row-level security so records are isolated to the people entitled to them. No system is perfectly secure, but we take reasonable steps to protect information and to limit who can access it. Tell us promptly if you believe your account has been compromised.

Data location. CiaraLink is built for Australian care teams and we are working toward full Australian data residency. Today: participant and care records at rest are stored in AWS Seoul, South Korea (ap-northeast-2). Application hosting and serverless functions run in Sydney (syd1). We plan to migrate the database to AWS Sydney (ap-southeast-2). Some providers we rely on (for example Stripe for card payments) may process limited data globally under their own privacy obligations.

07 Service providers

We rely on trusted infrastructure and service providers to run CiaraLink, including:

  • Supabase — database, authentication and file storage;
  • Vercel — application hosting and serverless API functions;
  • Stripe — subscription billing and payment processing;
  • Anthropic (where AI features are enabled) — language-model processing for drafting assistance;
  • Xero / MYOB (tenant-initiated) — accounting integrations you connect under your own account.

These providers handle data only to deliver their service to us or to you, under their own security and privacy obligations. Some providers (for example, Stripe and AI inference) may store or process limited data outside Australia; where that happens, we take reasonable steps to ensure appropriate protections apply.

08 Your rights

You can ask to access or correct the personal information we hold about you. If your information was entered by an organisation using CiaraLink (for example, your provider), we’ll usually direct your request to that organisation, as they control those records. Contact us and we’ll help you reach the right place.

09 Keeping & deleting data

We keep personal information for as long as it’s needed to provide the platform and to meet legal obligations. When an account is closed, we’ll delete or de-identify information we no longer need, subject to any retention obligations the organisation or the law requires. Keep your own copies of records you need to retain.

10 Cookies & local storage

CiaraLink uses essential cookies and browser local storage to keep you signed in and to remember basic preferences (for example, an early-access sign-up stored in your browser). We don’t use these for advertising.

11 Changes to this Policy

We may update this Policy as CiaraLink develops. We’ll change the “last updated” date and, for material changes, take reasonable steps to let you know.

12 Contact & complaints

Questions, access requests or privacy concerns? Contact us through the CiaraLink site. If you’re in Australia and aren’t satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.