This Policy covers personal information CiaraLink handles when you use the platform — whether you’re a provider, support coordinator, allied-health professional, support worker, participant, guardian or nominee.
Platform vs provider. CiaraLink operates the software platform (hosting, security, billing, product support). We are not an NDIS registered provider and do not deliver care. Where an organisation uses CiaraLink to manage its own records, that organisation is typically responsible for the care information it enters and how it meets its own regulatory and privacy obligations; we act as the software provider that stores and processes that information on their behalf, as described in our Terms of Service.
We collect information directly from you and from the people in your organisation who use CiaraLink.
We use personal information to:
We don’t sell your personal information, and we don’t use care data for advertising.
Care data is stored in our managed database (Supabase — Postgres, Auth and file storage) with access controls, encryption in transit, and row-level security so records are isolated to the people entitled to them. No system is perfectly secure, but we take reasonable steps to protect information and to limit who can access it. Tell us promptly if you believe your account has been compromised.
Data location. CiaraLink is built for Australian care teams and we are working toward full Australian data residency. Today: participant and care records at rest are stored in AWS Seoul, South Korea (ap-northeast-2). Application hosting and serverless functions run in Sydney (syd1). We plan to migrate the database to AWS Sydney (ap-southeast-2). Some providers we rely on (for example Stripe for card payments) may process limited data globally under their own privacy obligations.
We rely on trusted infrastructure and service providers to run CiaraLink, including:
These providers handle data only to deliver their service to us or to you, under their own security and privacy obligations. Some providers (for example, Stripe and AI inference) may store or process limited data outside Australia; where that happens, we take reasonable steps to ensure appropriate protections apply.
You can ask to access or correct the personal information we hold about you. If your information was entered by an organisation using CiaraLink (for example, your provider), we’ll usually direct your request to that organisation, as they control those records. Contact us and we’ll help you reach the right place.
We keep personal information for as long as it’s needed to provide the platform and to meet legal obligations. When an account is closed, we’ll delete or de-identify information we no longer need, subject to any retention obligations the organisation or the law requires. Keep your own copies of records you need to retain.
We may update this Policy as CiaraLink develops. We’ll change the “last updated” date and, for material changes, take reasonable steps to let you know.
Questions, access requests or privacy concerns? Contact us through the CiaraLink site. If you’re in Australia and aren’t satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.