CC-LEGAL-PRIV-001 · Version 0.9-draft · 4 June 2026
Privacy Policy
Issued by AAR GEE PTY LTD (ABN 56 682 972 685) trading as Compliance Care.
1. About this Privacy Policy
This Privacy Policy explains how AAR GEE PTY LTD (ABN 56 682 972 685) trading as Compliance Care ("Compliance Care", "we", "us", "our") collects, holds, uses, and discloses Personal Information. It applies to:
- visitors to
compliancecare.com.auand any subdomain we operate; - people who sign up to receive content from us or who contact us;
- our consultancy customers (NDIS providers) and their representatives;
- in due course, users of our Pocket Progressive Web App, our Scale SaaS, and the Auditor Invite feature; and
- people whose Personal Information is provided to us by an NDIS-provider customer in the course of an engagement (including workers, and, with consent, NDIS participants).
We are bound by the Privacy Act 1988 (Cth) (the "Privacy Act") and the Australian Privacy Principles set out in Schedule 1 of that Act (the "APPs"). Where we handle health information, we are also bound by the heightened protections of the Privacy Act for sensitive information, and by Part IIIC (Notifiable Data Breaches) where applicable.
This Policy is APP 1 compliant. It is reviewed annually and on any material change to our service offering or data-handling practices.
2. Personal Information we collect (APP 3)
The kinds of Personal Information we collect depend on the relationship you have with us.
2.1 If you visit our website
- IP address, device, browser, operating system, referring URL, pages requested, timestamps.
- We do not currently use third-party advertising trackers. Our analytics are server-side and do not set persistent identifiers (see clause 12).
2.2 If you contact us or sign up for content
- Name; email address; phone number (optional); organisation name; role; NDIS provider registration status (if you choose to tell us); message content.
- If you book a discovery call, the scheduling-tool data necessary to confirm the meeting (calendar event details only).
2.3 If you become a consultancy customer
About the customer organisation and its representatives: organisation legal name, ABN, address, registered office, NDIS registration status, service mix, contact people, signatory details, banking/billing details to the extent necessary to invoice.
About workers (provided by the customer organisation to enable Sprint delivery, with the worker's consent obtained by the customer): worker name, role, qualification and certification status, expiry dates, training records as required to populate the Customer's compliance registers.
About NDIS participants (provided by the customer organisation only if and as required for a specific deliverable, with the participant's consent obtained by the customer): such information is sensitive information (and may be health information) under the Privacy Act and is subject to the additional protections in clause 8.
2.4 If you use the Pocket PWA or Scale SaaS — [forward-looking — not yet live]
When the Pocket and Scale products are live, additional Personal Information will be collected as necessary to operate the relevant tier (for example, named worker accounts, role assignments, activity logs, uploaded documents). This Policy will be updated to reflect the actual data collection on the date of public release.
2.5 If you are an Approved Quality Auditor receiving an Auditor Invite — [forward-looking — not yet live]
When Auditor Invite is live, we will collect your name, professional email, and the customer-organisation context required to provision your read-only, time-bound seat. We will not market to you, and we will not contact you for the purposes of Quality Auditor referrals (see the Impartiality Statement at /trust, §3 clause 4 and §6).
2.6 Information we do not collect
We do not collect Tax File Numbers, Medicare numbers, drivers licence numbers, or other Commonwealth Government identifiers (APP 9), and we do not require them to provide the Services.
3. How we collect Personal Information (APP 3 and APP 5)
We collect Personal Information directly from you wherever practicable. We may collect it from a third party (for example, a customer organisation providing worker certification information) only where:
(a) it is unreasonable or impracticable to collect it directly from the individual; and
(b) the customer organisation has authority to provide the information for the purposes of the Services.
When we collect Personal Information about you, we take reasonable steps to notify you, or otherwise ensure you are aware, of the matters required by APP 5 (including this Policy's location and the kinds of recipients of the information).
4. Why we collect Personal Information (APP 6)
We collect, hold, use, and disclose Personal Information for the following primary purposes:
- to respond to your enquiry and to provide the consultancy services you have engaged us to provide;
- to operate, secure, and improve our website and (when live) our products;
- to send you content you have asked to receive;
- to invoice you and to receive payment;
- to meet our legal and regulatory obligations, including under the Privacy Act, the A New Tax System (Goods and Services Tax) Act 1999 (Cth), the Corporations Act 2001 (Cth), and any obligation owed by our principal under ISO/IEC 17065; and
- to maintain the records required to administer the Impartiality Statement (including the client-quarantine register, which is permanent — see clause 11 below).
We do not use Personal Information for a secondary purpose unless that purpose is directly related to a primary purpose and you would reasonably expect us to use the information for that secondary purpose, or you have consented.
5. Direct marketing (APP 7)
We only send marketing communications to you if you have opted in. Every marketing communication includes a clear and easily-actioned opt-out. We do not sell Personal Information.
6. Disclosure of Personal Information (APP 6)
We disclose Personal Information only as set out below.
6.1 To our sub-processors
We use a limited number of carefully-chosen service providers (each a "sub-processor") to deliver our services. The current sub-processor list is maintained at compliancecare.com.au/trust-center/sub-processors and in the internal sub-processor register (CC-LEGAL-SUBP-001). The list is updated within fourteen (14) days of any change. The current expected list is:
- Vercel Inc. — hosting of the public marketing website (region: Sydney
syd1). - Fly.io — hosting of the application surface (region: Sydney, when live).
- Supabase — application database and authentication (region: Sydney, when live).
- Anthropic, PBC — generative AI for draft production (subject to the AI Handling Memo, CC-LEGAL-AI-001, and the Anthropic DPA, CC-LEGAL-DPA-AI-001).
- Amazon Web Services (Textract) — optical character recognition for documents the customer uploads (region: Sydney, when live).
- Stripe Payments Australia Pty Ltd — payment processing.
- Twilio Inc. — transactional messaging (when live).
- DocuSign, Inc. or Adobe Inc. (Acrobat Sign) — electronic signature for engagement letters.
- A managed email-delivery provider for transactional and (opt-in) marketing email.
Where a sub-processor is located outside Australia, the disclosure is governed by APP 8 (see clause 7 below).
6.2 To Approved Quality Auditors selected by the customer
When a customer uses the Auditor Invite feature (when live), the Personal Information necessary to provision the read-only seat is disclosed to the Quality Auditor the customer has selected from the JAS-ANZ-accredited list. We do not introduce or refer Quality Auditors (Impartiality Statement §3 clause 4 and §6).
6.3 To the NDIS Quality and Safeguards Commission
Where required by law, regulation, or the directions of the Commission, including in response to a notice under the National Disability Insurance Scheme Act 2013 (Cth).
6.4 To advisers and successors
To our professional advisers (legal, accounting, insurance) under obligations of confidence; and to a successor of substantially the whole of our business on a sale or restructure, subject to that successor agreeing to be bound by this Policy or a policy no less protective.
6.5 Where required by law
Where required or authorised by Australian law, by court order, or by a regulator with jurisdiction over us.
7. Cross-border disclosure (APP 8)
Our Australian data-residency posture is mandatory:
- All Personal Information processed by us in the course of providing consultancy services and (when live) our products is stored in Australian-resident infrastructure (currently Sydney regions of Vercel, Fly.io, and Supabase). We do not transfer Customer Personal Information overseas for storage.
A limited subset of Personal Information is processed (not stored at rest) overseas where necessary to deliver the Service:
- Anthropic, PBC (United States). Prompts containing minimised, non-identifying excerpts of customer documents may be processed by Anthropic's API to produce drafts. Anthropic does not use this data to train or fine-tune models. This disclosure is permitted under APP 8 on the bases set out in our AI Handling Memo (CC-LEGAL-AI-001) and the Anthropic DPA (CC-LEGAL-DPA-AI-001). We take the steps reasonably required by APP 8.1 to ensure Anthropic does not breach the APPs in respect of that information, including by contractual binding.
Where APP 8.1 applies, we take reasonable steps to ensure overseas recipients comply with the APPs, including by contractual binding under our Data Processing Addendum (CC-LEGAL-DPA-PC-001).
8. Health information and sensitive information
Health information about NDIS participants is "sensitive information" under the Privacy Act and is subject to additional protections under APP 3.3 and APP 6.
- We collect health information only when reasonably necessary to deliver a specific engagement (for example, a participant case file referenced for a worked example in a Customer's incident-management procedure).
- We obtain or rely on the customer's confirmation of participant consent before we hold the information.
- We minimise: where reasonably practicable, we work from redacted or de-identified copies.
- We retain health information only for as long as required to complete the engagement and to meet legal record-keeping obligations, and then we delete it under the retention and deletion schedule (CC-LEGAL-RET-001).
9. Quality of Personal Information (APP 10)
We take reasonable steps to ensure the Personal Information we hold is accurate, complete, and up to date, having regard to the purpose for which it is held. Customers are encouraged to notify us promptly of any change to their contact or organisational details.
10. Security of Personal Information (APP 11)
We take reasonable steps to protect Personal Information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our current controls are described in the Trust Center at compliancecare.com.au/trust-center and include:
- TLS in transit for all customer-facing traffic;
- encryption at rest on the production database;
- role-based access control;
- access logging and immutable audit trails on customer data;
- multi-factor authentication on all administrative accounts;
- the principle of least privilege for production access;
- a documented incident-response process; and
- annual review of these controls.
Notifiable data breach response
We comply with Part IIIC of the Privacy Act (Notifiable Data Breaches). On becoming aware of an Eligible Data Breach affecting Personal Information:
- we notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable as required by the scheme;
- we notify customer organisations whose Personal Information is affected without undue delay, and in any case within twenty-four (24) hours of becoming aware of the breach (see also the engagement letter, clause 8.4); and
- we record the breach and our response in our internal incident register.
11. Access, correction, and deletion (APP 12 and APP 13)
You may ask to access the Personal Information we hold about you, and to correct it if it is inaccurate or out of date, by writing to privacy@compliancecare.com.au. We respond within thirty (30) days. Where we hold health information, we may take a reasonable additional period if necessary to consider the request safely.
You may also request deletion of Personal Information that is not subject to a legal retention obligation. Some Personal Information is retained under our retention and deletion schedule (CC-LEGAL-RET-001) — including the client-quarantine register entries, which are retained permanently under the Impartiality Statement (CC-LEGAL-IMP-001, §7).
12. Cookies and analytics
We use only the cookies and storage strictly necessary to operate the website and to remember user preferences. We do not use third-party advertising cookies. Our analytics are server-side and do not set persistent identifiers. When this changes, the Trust Center page on cookies will be updated and this clause will be revised.
13. Artificial intelligence and automated decision-making
We use generative AI tools, in particular models supplied by Anthropic, to assist in draft production. The detailed position is set out in the AI Handling Memo (CC-LEGAL-AI-001), summarised as:
- All AI-generated content is reviewed by a competent human reviewer before being delivered to a customer or published.
- We do not use Personal Information to train or fine-tune AI models.
- We do not make decisions about you on the basis of automated processing alone where the decision has a significant effect on you.
14. Complaints
If you believe we have handled your Personal Information in a way that is inconsistent with the APPs or this Policy, you may complain to us by writing to privacy@compliancecare.com.au. We will acknowledge your complaint within two (2) business days and respond substantively within thirty (30) days.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au or 1300 363 992.
15. Children
We do not knowingly collect Personal Information directly from individuals under fifteen (15) years of age, except where that information is provided by a customer organisation in connection with the provision of NDIS-related Services with the consent of a parent or guardian.
16. Changes to this Policy
We may update this Policy from time to time. The version, effective date, and change log are recorded in the header. Material changes are notified by:
- prominent notice on
compliancecare.com.au/privacyfor a period of not less than thirty (30) days; and - direct email to customers and to subscribers who have opted in to our marketing list.
17. Contact
AAR GEE PTY LTD (ABN 56 682 972 685) trading as Compliance Care
Privacy contact: privacy@compliancecare.com.au
General contact: contact@compliancecare.com.au
Trust Center: https://compliancecare.com.au/trust-center
Impartiality Statement: https://compliancecare.com.au/trust
