Privacy Policy
1. Introduction
AccessMate Pty Ltd (ABN 70 695 603 877) ("AccessMate", "we", "us", "our") operates the AccessMate platform, including the website at accessmate.net and the AccessMate mobile application for iOS and Android (together, the "Platform").
We are committed to protecting your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and our obligations under the NDIS Act 2013 (Cth). This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and your rights in relation to it.
AccessMate is designed for use within Australia. If you access the Platform from outside Australia, your information will be transferred to and processed in Australia in accordance with Australian law.
2. Who This Policy Applies To
The Platform serves three categories of users:
- Providers: NDIS-registered disability service providers who administer their organisation through the Platform
- Support workers: individuals employed or contracted by providers who use the mobile app to manage shifts, track time, and record service delivery
- Participants: NDIS participants (or their nominees, guardians, or plan managers) who use the mobile app to book support, view schedules, and communicate with their support team
Where a participant is a child (under 18) or a person with impaired decision-making capacity, we collect and manage their information with the consent of their parent, guardian, or authorised nominee. Providers are responsible for ensuring appropriate consent is obtained before entering participant information into the Platform.
3. Information We Collect
We collect the following types of personal information:
Identity and contact information
- Name, email address, phone number, and profile photo
- Date of birth (support workers, for compliance verification)
Organisation details (providers)
- Business name, ABN, NDIS registration number
Sensitive and health information
- Participant disability and support needs, as entered by the provider
- Service delivery records, shift notes, progress notes, and goal tracking data
- Compliance documents such as NDIS Worker Screening Check results, first aid certificates, and working with children checks
This information is classified as "sensitive information" and "health information" under the Privacy Act 1988. We collect it only with your consent (or the consent of your guardian or nominee) and only as necessary to provide the Platform's services. If you choose not to provide this information, certain features of the Platform may not be available to you.
Location data
- When a support worker starts an active shift, the mobile app collects GPS location data in the background to provide real-time arrival information and to record travel routes for shift records
- Location data is collected periodically (approximately every 30 seconds) while a shift is active, even when the app is not in the foreground
- Location tracking stops automatically when the shift ends
- Location data is linked to the individual support worker and the specific shift
- Support workers can review their recorded routes within the app
Photos and media
- Profile photos uploaded by users
- Compliance documents (e.g. certificates) uploaded as images
- Photos are stored securely and are only accessible to authorised users within the relevant organisation
Audio and voice data
- The app offers optional speech-to-text functionality for entering shift notes and messages
- Audio is processed on-device using the operating system's speech recognition service (Apple Speech or Google Speech Services)
- Raw audio recordings are not transmitted to or stored on AccessMate servers; only the transcribed text is saved
Usage and device data
- How you interact with the Platform, pages visited, features used
- Device type, operating system version, app version
- IP address, browser type (website only)
- Crash reports and performance data to help us identify and fix issues
4. How We Use Your Information
We use personal information for the following purposes:
- Providing the service: operating the Platform, processing bookings, managing shifts, generating timesheets and invoices, and facilitating communication between providers, support workers, and participants
- Safety and compliance: verifying support worker credentials, tracking shift attendance, recording service delivery for NDIS audit and compliance purposes
- Platform improvement: analysing usage patterns to improve features, fix bugs, and develop new functionality
- Communication: sending you notifications about your shifts, bookings, and account, and responding to support requests
- Legal obligations: complying with requirements under the Privacy Act 1988, the NDIS Act 2013, taxation law, and other applicable Australian legislation
- Security: detecting and preventing fraud, unauthorised access, and other security threats
We do not use your personal information for direct marketing. We will not send you promotional emails or messages unless you have explicitly opted in, and you may opt out at any time.
5. Data Roles and Responsibilities
For participant service data (shift notes, booking records, progress notes, compliance documents, and other information entered by providers and support workers), the provider is the data controller and AccessMate acts as a data processor. This means:
- Providers determine what participant data is entered into the Platform and are responsible for ensuring they have appropriate consent and authority to do so
- Providers are responsible for the accuracy of data they enter
- AccessMate processes this data only in accordance with these terms and at the direction of the provider
- Providers remain responsible for meeting their own obligations under the NDIS Practice Standards, the NDIS Code of Conduct, and the Privacy Act 1988
For account data (login credentials, profile information, usage data), AccessMate is the data controller.
6. How We Store and Protect Your Information
All data is stored on servers located in Australia (AWS Sydney region, ap-southeast-2). We implement the following security measures:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest using AES-256
- Role-based access controls ensuring users can only access data relevant to their role and organisation
- Audit logging of data access and modifications
- Multi-factor authentication available for all accounts
- Regular security reviews and updates
No system is completely secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security. If you become aware of any security issue, please contact us immediately.
7. Data Retention
We retain personal information for the following periods:
- Service delivery records (shift notes, timesheets, invoices, booking records): retained for a minimum of 7 years from the date of creation, in accordance with NDIS record-keeping requirements and Australian taxation law
- Account information: retained for the duration of your account and for 12 months after account closure, unless a longer retention period is required by law
- Location data: retained for 12 months from the date of collection, after which it is automatically deleted
- Crash reports and usage analytics: retained for 12 months
When information is no longer required for any purpose and no legal obligation requires its retention, we will securely delete or de-identify it in accordance with APP 11.2.
Upon termination of a provider's account, the provider may request an export of their data within 30 days. After 30 days, data will be retained only as required by law and otherwise securely deleted.
8. Sharing Your Information
We do not sell, rent, or trade your personal information. We may share information as follows:
- Within your organisation: support workers can see participant names, addresses, and booking details for their assigned shifts. Providers can see support worker profiles, shift records, and timesheets. Participants can see their assigned support worker's name and profile photo.
- Service providers: third-party services that help us operate the Platform, including cloud infrastructure (Amazon Web Services, Sydney), email delivery, push notifications, and error monitoring. All service providers are bound by contractual obligations to protect your data and may only process it on our instructions.
- Regulatory bodies: when required by Australian law, including requests from the National Disability Insurance Agency (NDIA), the NDIS Quality and Safeguards Commission, the Australian Taxation Office, or by court or tribunal order
9. Cross-Border Data Transfers
Your personal information is stored and processed in Australia. Some of our third-party service providers may process limited data (such as email addresses for transactional email delivery, or anonymised crash reports) in the United States. Where this occurs, we ensure that appropriate contractual protections are in place in accordance with APP 8, and we take reasonable steps to ensure the overseas recipient handles your information consistently with the APPs.
10. Your Rights
Under the Australian Privacy Principles, you have the right to:
- Access: request a copy of the personal information we hold about you (APP 12)
- Correction: request that we correct inaccurate, out-of-date, or incomplete information (APP 13)
- Deletion: request deletion of your personal information, subject to our legal obligations to retain certain records (including the 7-year NDIS record-keeping requirement)
- Withdraw consent: withdraw consent for optional data processing (such as location tracking or speech-to-text). Withdrawing consent may affect the functionality available to you. For example, if you withdraw location consent, you will not be able to use GPS tracking during shifts.
To exercise any of these rights, email us at support@accessmate.net. We will respond to your request within 30 days. We may need to verify your identity before processing your request. There is no fee for making a request.
If a provider receives a request from a participant to access, correct, or delete their data, they should process that request through the Platform or contact us for assistance.
11. Notifiable Data Breaches
In the event of a data breach that is likely to result in serious harm to any individual whose information is affected, we will:
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
- Notify affected individuals as soon as practicable
- Take reasonable steps to contain the breach and mitigate any harm
This is in accordance with Part IIIC of the Privacy Act 1988 (the Notifiable Data Breaches scheme). We will also notify affected providers so they can meet their own notification obligations.
12. Cookies and Analytics
Our website uses cookies and analytics tools to understand how visitors use our site. Cookies are small text files stored on your device. We use:
- Essential cookies: required for the website to function (e.g. theme preference)
- Analytics cookies: help us understand how visitors interact with the website so we can improve it
You can control cookie preferences through your browser settings. Disabling cookies may affect your experience on our website but will not affect the mobile app.
13. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or through the Platform before the changes take effect. The "Last updated" date at the top of this policy indicates when it was last revised.
14. Complaints
If you believe we have breached the Australian Privacy Principles or handled your personal information inappropriately, you may lodge a complaint by emailing us at support@accessmate.net. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
15. Contact Us
If you have questions about this Privacy Policy or wish to make a privacy-related request, contact us at:
AccessMate Pty Ltd
ABN 70 695 603 877
Adelaide, South Australia
Email: support@accessmate.net