Privacy Policy

Last updated: 28 May 2026

This Privacy Policy describes how Aidan George Saunders, trading as Care Spend (ABN 48 583 632 219) (“we”, “our”, “Care Spend”) collects, uses, holds, and discloses personal information about you when you use our website at care-spend.com.au and our application at app.care-spend.com.au (together, the “Service”).

We are bound by the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Some information we collect is sensitive information under the Privacy Act — including information about disability and the use of NDIS-funded supports — and we treat that information with the additional protections the Act requires.

1. Who we are

Care Spend is operated by Aidan George Saunders as a sole trader, trading as Care Spend (ABN 48 583 632 219).

For privacy questions, complaints, or requests: support@care-spend.com.au

2. What information we collect

We collect the following kinds of information:

Account information

  • Your name and email address
  • Your password (stored encrypted)
  • Your role (coordinator, participant, etc.)

Participant data you enter

  • Participant names, dates of birth, NDIS numbers
  • Plan periods, funding amounts, and category budgets
  • Allocations and expense records
  • Provider details (where you enter them)
  • Notes and comments you write

Some of this is sensitive information because participation in the NDIS implies disability. We rely on your authority to record participant data on their behalf — whether under a service agreement, the NDIS Practice Standards, or as a self-managing participant.

Technical information

  • Device, browser, and operating system
  • IP address
  • Pages visited, actions taken, errors encountered
  • Login timestamps and security event logs

What we don’t collect

  • Payment card details directly. When billing is enabled, payments are handled by our payment processor; we never see your card number.
  • Information not relevant to providing the Service.

3. How we collect information

  • Directly from you, when you sign up, enter data, or contact us
  • Automatically, through usage logs and security monitoring
  • From your team members, if they invite you or share access

4. How we use your information

We use personal information to:

  • Provide the Service: store, display, calculate, export your data
  • Authenticate you and protect against unauthorised access
  • Send essential service emails (account, password reset, alerts)
  • Diagnose and fix technical problems
  • Improve the Service based on aggregated usage patterns
  • Comply with legal obligations

We do not:

  • Sell personal information to anyone, ever
  • Use participant data for any purpose other than providing the Service to you
  • Use sensitive information for marketing

5. Who we share information with (subprocessors)

We disclose personal information only to the third-party service providers below, when legally required (court order, regulatory request, the Notifiable Data Breaches scheme), or with your explicit consent.

Service    Purpose                                                              Location
Supabase   Database, authentication, file storage                               Sydney, Australia (AWS ap-southeast-2)
Vercel     Web hosting and serverless functions                                 Sydney, Australia (syd1 region; static assets via global edge CDN)
Resend     Transactional email delivery (signup confirmation, password reset)   United States

Each subprocessor is bound by a data processing agreement requiring them to handle personal information consistently with the APPs and to maintain reasonable security.

6. Cross-border disclosure (APP 8)

Our hosting and database run in Australia. Supabase stores data in its AWS ap-southeast-2 (Sydney) region, and Vercel processes requests in its Sydney (syd1) region. Static assets — the application’s code, styles, and images, which contain no personal information — are delivered through Vercel’s global edge network.

Our email provider, Resend, operates from the United States. Emails sent via Resend contain only your email address and limited account context (no participant data). By using the Service, you acknowledge that we disclose this limited information to Resend for the purpose of sending you essential service emails.

Participant data is stored in Sydney, Australia and is not transferred to overseas recipients.

7. Security

We take reasonable steps to protect personal information, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Row-level security on every database table (tenant isolation enforced even for service-level access)
  • Audit logging of all data changes
  • Strict secret management (no credentials in source control)
  • Regular dependency updates and security audits

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at support@care-spend.com.au.

8. Cookies and tracking

We use first-party cookies only, for authentication (your login session). We do not use third-party advertising, tracking, or analytics cookies. Our marketing site does not place tracking pixels.

9. Your rights — access, correction, complaints

Under the Privacy Act, you can request:

  • Access to the personal information we hold about you (APP 12)
  • Correction of inaccurate information (APP 13)

Email support@care-spend.com.au with your request. We will respond within 30 days.

If you believe we have breached the APPs, please contact us first. If you remain unsatisfied, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

10. Notifiable Data Breaches

If we suffer a data breach likely to result in serious harm to you, we will notify you as soon as practicable, and notify the OAIC, as required by the Notifiable Data Breaches scheme.

11. Retention and deletion

We keep personal information while your account is active and for as long as necessary to provide the Service, comply with legal record-keeping obligations, and resolve disputes.

Registered NDIS providers may have independent retention obligations (typically 7 years under the NDIS Practice Standards). You can export your data from Care Spend at any time using the built-in CSV and PDF export tools.

When you delete your account, we delete your data within 30 days, except where retained as required by law.

12. Children

Care Spend is not directed at children under 18 as account holders. However, the participants whose plans you manage may be minors. Information about minor participants is treated as sensitive information and handled with all protections described in this Policy.

13. Changes to this Policy

We may update this Policy. Material changes will be notified by email and posted here with a revised “last updated” date. Continued use of the Service after a notified change indicates acceptance.

14. Contact

For any privacy question, complaint, or request:

support@care-spend.com.au
Aidan George Saunders trading as Care Spend
ABN 48 583 632 219