Privacy Policy
Last updated:
1. Introduction
Shift Link ("we", "our", "us") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, disclose, and safeguard your information when you use our Shift Link operations platform and website (collectively, the "Platform").
We are bound by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), the Notifiable Data Breaches (NDB) scheme, and other applicable Australian privacy laws.
Shift Link is designed for use by NDIS providers, support workers, and participants. We understand the sensitive nature of disability care information and treat all personal data with the highest standard of care.
2. What Information We Collect
2.1 Information You Provide
- Account information: name, email address, phone number, company name, ABN, NDIS registration number
- Profile information: avatar image, contact details, emergency contact information, bank account details (BSB, account number), superannuation fund details, tax file number, ABN
- Participant information: name, date of birth, address, NDIS number, NDIS plan details (plan end date, funding amounts, support items), care needs, medications, meal preferences, emergency contacts
- Employment information: employment type, start date, certifications (First Aid, CPR, WWCC, Police Check, NDIS Worker Screening, Manual Handling), skill tags, languages spoken, work availability, leave requests
- Communication data: messages sent through the Platform, shift notes, incident reports, staff reviews, support inquiries
2.2 Information Collected Automatically
- Usage data: pages visited, features used, time spent on the Platform, click patterns
- Device information: browser type, operating system, device type, IP address
- Location data: GPS coordinates collected during active shifts (staff only), travel route data, geofence verification data
2.3 Information from Third Parties
- NDIS-related data: We may receive information from the NDIS Commission or plan managers as necessary for Platform operation
- Payment information: We do not store credit card details. Payment processing is handled by our third-party payment providers
3. How We Collect Your Information
We collect information when you:
- Register for an account or sign up for a trial
- Use the Platform to manage shifts, clients, or staff
- Upload documents, certifications, or profile information
- Enable GPS tracking during shifts
- Communicate with other Platform users
- Contact our support team
- Subscribe to our newsletter or marketing communications
- Visit our website
4. How We Use Your Information
We use your information to:
- Provide and maintain the Platform: operate accounts, process shifts, generate invoices, manage compliance, facilitate communication between users
- Verify attendance and location: use GPS data to validate staff attendance at participant locations, calculate travel distances for reimbursement
- Generate reports and invoices: create NDIS-compliant invoices, staff payment statements, care reports
- Manage compliance: track certifications, NDIS Worker Screening, insurance, and other compliance requirements with automated expiry alerts
- Improve our Platform: analyse usage patterns to enhance features, user experience, and performance
- Communicate with you: send service notifications, account updates, support responses, and (with consent) marketing communications
- Maintain security: detect and prevent fraud, unauthorised access, and other security incidents
- Comply with legal obligations: meet our obligations under Australian privacy law, NDIS Quality and Safeguards Commission requirements, and other applicable regulations
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), our legal basis for collecting and using your information depends on the specific data and the context in which we collect it. We typically process your information where:
- You have given us consent
- Processing is necessary for the performance of a contract with you
- Processing is necessary for compliance with a legal obligation
- Processing is necessary for our legitimate interests (e.g., improving our service)
6. Who We Share Your Information With
We may share your information with:
- Other Platform users (within your organisation): as necessary for Platform functionality (e.g., admins can view staff compliance data; staff can view assigned client care plans)
- Service providers: third-party vendors who help us operate the Platform, including:
- Supabase Inc. (cloud infrastructure and database — hosted in Sydney, Australia)
- OpenAI LLC (AI-powered features — incident report expansion, care summaries, transcription)
- Sentry (error monitoring)
- Vercel Inc. (application hosting)
- NDIS Commission or regulatory bodies: where required by law or to comply with NDIS Quality and Safeguards Commission requirements
- Plan managers or nominees: with your consent or as authorised by the participant
- Professional advisors: lawyers, accountants, insurers where necessary
We do not sell your personal information to third parties. We do not use your data for advertising targeting.
7. Data Storage and Security
7.1 Where We Store Your Data
All data is stored on servers located in Sydney, Australia (AWS ap-southeast-2 region via Supabase). We maintain Australian data sovereignty.
7.2 Security Measures
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.3)
- Encryption at rest
- Row-Level Security (RLS) for multi-tenant data isolation
- JWT-based authentication with short-lived tokens
- Role-based access control
- Complete audit logging of authentication events
- Regular security assessments and monitoring via Sentry
- Access controls and authentication for all data access
7.3 Data Breach Notification
If we experience a data breach that is likely to result in serious harm to any individual, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by the Notifiable Data Breaches scheme.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Platform. After account closure:
- Operational data is retained for 7 years to meet NDIS record-keeping requirements under the National Disability Insurance Scheme Act 2013
- GPS location data is retained for 12 months from collection
- Audit logs are retained for 7 years
- Backup data is retained for 90 days
After the retention period, data is securely deleted or de-identified.
9. Your Rights
Under Australian privacy law, you have the right to:
- Access your personal information held by us
- Correct inaccurate or incomplete information
- Delete your personal information (subject to legal retention obligations)
- Object to processing of your information
- Restrict processing of your information
- Data portability — receive your information in a structured, commonly used format
- Withdraw consent at any time (where processing is based on consent)
- Complain to the Office of the Australian Information Commissioner (OAIC)
To exercise any of these rights, contact us at privacy@shiftlink.com.au or using the details in Section 13.
10. Cookies and Tracking
Our website uses cookies and similar technologies to:
- Maintain your session and login state
- Analyse website usage and performance
- Remember your preferences
You can control cookie settings through your browser. Disabling cookies may affect Platform functionality.
We use the following types of cookies:
- Essential cookies: required for Platform operation
- Analytics cookies: to understand how the Platform is used (Google Analytics or similar)
- Preference cookies: to remember your settings
11. Children's Privacy
The Platform is not intended for children under 16. We do not knowingly collect information from children. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or a prominent notice on the Platform. Continued use of the Platform after changes constitutes acceptance of the updated policy.
13. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our data practices:
You may also contact the regulator:
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
