Features Pricing Security Blog
Log in Get Started

Privacy Policy

Last updated: April 2026

This privacy policy is a draft and is subject to review by an Australian lawyer before publication.

1. About This Policy

This Privacy Policy explains how Tendaroo Pty Ltd ("we", "us", "our") collects, uses, discloses, and protects personal information through the Tendaroo platform ("Platform"). This policy complies with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. What Personal Information We Collect

2.1 Participant Information

  • Name, date of birth, gender, contact details
  • NDIS number and plan details
  • Primary and secondary disabilities (encrypted at rest)
  • Cultural considerations (encrypted at rest)
  • Communication preferences and emergency contact details

2.2 Worker Information

  • Name, contact details, employment details
  • Qualifications and clearances (NDIS Worker Screening, WWC, First Aid, CPR)
  • Availability, shift records, and clock-in/out geolocation (when consented)

2.3 Administrative and Portal Users

  • Name, email, role, and authentication credentials (hashed, never stored in plaintext)
  • Login history and IP addresses

3. How We Collect Personal Information (APP 3)

We collect personal information directly from individuals when they register or are enrolled, from NDIS plans and plan managers, from worker clearance databases (with consent), from the mobile app during shift execution, and from nominees via the family portal.

4. Why We Collect Personal Information (APP 6)

We collect personal information to provide NDIS service delivery management, generate invoices and PACE claims, meet regulatory obligations (NDIS Practice Standards, incident reporting), facilitate communication between providers, workers, and families, and maintain audit logs for compliance.

5. Disclosure of Personal Information (APP 6)

We may disclose personal information to the NDIS Quality and Safeguards Commission (incident reporting), the NDIA (claiming via PACE), authorised plan managers, subprocessors listed in our Subprocessors Register, and law enforcement where legally required.

We do not sell personal information. We do not transfer personal information outside Australia.

6. Data Security (APP 11)

We protect personal information with AES-256 encryption at rest (AWS KMS), TLS 1.2+ encryption in transit, field-level encryption for sensitive health data, multi-tenant data isolation with PostgreSQL Row-Level Security, mandatory two-factor authentication for administrative roles, and an append-only hash-chained audit log.

7. Access and Correction (APPs 12-13)

You have the right to request access to your personal information and request correction of inaccurate information. Contact privacy@tendaroo.com with your request. We will respond within 30 days.

8. Data Retention

We retain personal information for as long as the customer account is active, plus 30 days after termination for data export. Audit logs are retained for 7 years in compliance with Australian record-keeping requirements.

9. Notifiable Data Breaches

In the event of an eligible data breach under the Notifiable Data Breaches scheme (Privacy Act Part IIIC), we will notify the OAIC and affected individuals as required by law. We will notify customers within 24 hours of confirming a breach.

10. Complaints

If you believe your privacy has been breached, contact our Privacy Officer at privacy@tendaroo.com. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

11. Contact

Privacy Officer: privacy@tendaroo.com

Security Team: security@tendaroo.com