Privacy policy
Last updated: 30 May 2026
This policy explains how Care Claim Pty Ltd (ACN 698 073 648), trading as CareClaim, collects, uses, holds and discloses personal information when you use our software platform and website. We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
If you are an NDIS provider using CareClaim, this policy also describes how we handle personal information you enter about your participants and workers.
Who we are
Care Claim Pty Ltd ACN 698 073 648
Trading as CareClaim
Email: nick@careclaim.com.au
Information we collect
Account information you give us
When you sign up for CareClaim, we collect:
- Name, email address and phone number
- Business name and ABN
- Billing details — card payments are handled by our payment provider, Stripe. We receive limited billing information (such as the card type, the last four digits and the billing name); we do not store full card numbers.
- Information you provide when you contact support
Participant and worker data you enter
CareClaim is software you use to operate your NDIS provider business. As part of running the platform, you enter personal information about your participants and workers, which may include:
- Names, contact details and date of birth
- NDIS participant numbers and plan details
- Service agreements and signed documents
- Shift records, rosters and timesheets
- Pay rates and payroll calculations
- Compliance records (rest breaks, overtime, broken shifts)
- Shift notes, including health-related observations
- Worker credentials including NDIS Worker Screening, First Aid and other certifications
- Incident reports
Information collected automatically
When you use CareClaim, we automatically collect:
- IP address, browser type and device information
- Pages and features you use, and timestamps of actions
- Audit log entries for compliance purposes
- Technical error reports
How we use information
We use personal information to:
- Provide and operate CareClaim
- Authenticate you and protect your account
- Process payments and manage subscriptions
- Communicate with you about your account, billing and product changes
- Respond to support requests
- Maintain audit logs and security records
- Improve our service
- Comply with legal obligations
We do not sell personal information. We do not use personal information for advertising. We do not share personal information with third parties for marketing purposes. We do not use customer data to train AI models.
Where information is stored
All personal information processed by CareClaim is stored in Australia:
- Our PostgreSQL database is hosted in Sydney
- Our application servers run in the Sydney region
- File storage (signed documents and uploads) is hosted in Sydney
No participant data leaves Australia in the ordinary course of providing the service. This matches the data-residency expectation of the NDIA Cyber Clearance requirements and supports compliance with the NDIS Practice Standards.
How we protect information
We take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure. These steps include:
- Encryption in transit (TLS) and at rest
- Role-based access controls within each customer account
- Row-level tenant isolation, so your data is structurally separated from other providers' data rather than filtered by query alone
- Audit logging of all data-modification actions
- Regular dependency updates and security review
- Australian-only data hosting
Service providers we use
We use a small number of trusted service providers (sub-processors) to operate CareClaim. We require each to maintain appropriate security and confidentiality controls:
- Neon — managed PostgreSQL hosting, Sydney region
- Vercel — application hosting, Sydney region (syd1)
- Vercel Blob — file storage for signed agreements and uploads
- Resend — transactional email delivery
- Sentry — error monitoring, hosted in Australia
- Stripe — payment processing. Card details are handled by Stripe (PCI DSS compliant); we do not store card numbers.
We do not share personal information with any party not listed above, except:
- With your consent
- Where required by law (for example, by court order or regulator)
- Where, in good faith, we believe it is necessary to protect our rights, your safety or the safety of others
If we engage additional sub-processors, we will update this list and notify customers where required.
Integrations you choose to connect
CareClaim offers optional integrations with third-party services that you can choose to connect. Today this means Xero (cloud accounting software).
If you connect your Xero account, you authorise CareClaim to send finalised pay-run and claim data — such as pay totals, bill and invoice line items, and the associated dates and account codes — to your Xero organisation, so they can be recorded there as bills and invoices.
Cookies and analytics
The careclaim.com.au marketing site uses minimal cookies, only those required for the site to function. The application at app.careclaim.com.au uses cookies for authentication (keeping you signed in) and for security.
We do not use third-party advertising cookies or cross-site trackers.
Your rights under the Australian Privacy Principles
You have the right to:
- Access the personal information we hold about you
- Request correction of personal information that is inaccurate, incomplete or out of date
- Make a complaint about how we have handled your personal information
To exercise any of these rights, contact us at nick@careclaim.com.au. We will respond within a reasonable period, typically within 30 days.
Retention
We retain personal information for as long as your account is active, and for a reasonable period afterwards, as required to:
- Fulfil any contractual obligations
- Meet legal and audit requirements, including NDIS recordkeeping
- Resolve disputes and enforce our agreements
When you cancel your CareClaim account, we provide a 90-day window during which you can export your data. After that window, we delete personal information except where retention is required by law.
Children and minors
CareClaim is a business platform and is not directed to children. However, NDIS participants may include minors, and providers may store information about them within the platform. We treat this information with the same protections as all other participant data.
Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify account holders by email at least 30 days before the change takes effect. The "Last updated" date at the top of this policy shows when it was most recently revised.
Contact and complaints
For any privacy question, request or complaint, contact us:
Care Claim Pty Ltd ACN 698 073 648
Email: nick@careclaim.com.au
If you are not satisfied with our response, you can make a complaint to the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner
Website: oaic.gov.au
Phone: 1300 363 992