Privacy Policy

Effective Date: 28 April 2026

Notara Pty Ltd (ACN [insert upon incorporation])

Notara Pty Ltd (“Notara”, “we”, “us”) is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Health Information: The Platform processes health information about NDIS participants. Health information is sensitive information under the Privacy Act and is subject to heightened protections. We treat all participant information with the highest standard of care.

1. Who This Policy Applies To

This policy applies to:

  • Subscribers: Businesses and individuals who create accounts on the Platform.
  • Users: Individuals who access the Platform under a Subscriber's account.
  • Participants: NDIS participants whose information is entered into the Platform by Subscribers or Users.

Participants are third parties whose personal and health information is processed by Notara on behalf of Subscribers. Subscribers are responsible for obtaining all necessary consents from participants before entering their information into the Platform.

2. What Information We Collect

2.1 Account Information

  • Name, email address, and password (hashed)
  • Organisation name and role title
  • Billing information (processed and stored by Stripe — we do not store card numbers)

2.2 Platform Usage Information

  • Documents generated and their content
  • Participant profile information entered by users
  • Files uploaded to participant profiles
  • Usage logs, session data, and feature interaction data

2.3 Participant Information (Sensitive / Health Information)

  • Names and identifiers entered into participant profiles
  • Health and support information contained in shift notes, incident reports, and progress notes
  • Any other personal information entered by users into the Platform

We collect this information because it is provided to us by users in the course of using the service. Notara processes participant information as a data processor on behalf of Subscribers.

2.4 Technical Information

  • IP address, browser type, device information
  • Log data relating to Platform access
  • Cookies and similar tracking technologies (see clause 10)

3. How We Use Personal Information

We use personal information for the following purposes:

  • Delivering and operating the Platform
  • Generating AI-assisted documentation on your behalf
  • Processing subscription payments and billing
  • Sending transactional emails (account confirmations, password resets, incident notifications)
  • Providing customer support
  • Improving the Platform using de-identified, aggregated data
  • Complying with our legal obligations
  • Enforcing our Terms of Service

We do not use your personal information or participant information for advertising, marketing to third parties, or selling data.

4. Disclosure of Personal Information

We disclose personal information only in the following circumstances:

4.1 Service Providers (Third-Party Processors)

We share data with the following third-party service providers who process data on our behalf:

Provider    Purpose                      Data Location
Supabase    Database & Authentication    Sydney, Australia (ap-southeast-2)
Anthropic   AI document generation       United States
Stripe      Payment processing           United States
Resend      Transactional email          United States
Vercel      Platform hosting             United States

4.2 Cross-Border Disclosure

Some of our service providers are located overseas, including in the United States. When personal information is disclosed to overseas recipients, we take reasonable steps to ensure those recipients handle the information in a manner consistent with the Australian Privacy Principles, including through contractual data processing agreements. You acknowledge that APP 8.1 may not apply to the extent that we have taken such reasonable steps.

4.3 AI Processing

Input content (including participant information entered into document forms) is transmitted to Anthropic’s API for AI processing. Anthropic’s API is subject to Anthropic’s Privacy Policy and data usage terms. Anthropic’s API usage terms state that API inputs are not used to train models. We recommend users avoid entering more identifying participant information than is necessary to generate the required document.

4.4 Legal Disclosure

We may disclose personal information where required by law, court order, or regulatory authority, including the NDIS Quality and Safeguards Commission, the Office of the Australian Information Commissioner (OAIC), or law enforcement.

4.5 Business Transfer

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal information may be transferred to the acquiring entity, subject to the same protections under this Policy.

5. Data Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:

  • Encryption of data at rest and in transit (TLS/HTTPS)
  • Database hosted in Australia (Supabase Sydney region ap-southeast-2)
  • Row-level security (RLS) enforced at the database level
  • Access controls — members can only access their own organisation's data
  • Password hashing via Supabase Auth (bcrypt)
  • Email-confirmed account deletion with type-to-confirm safeguard
  • Regular review of third-party service provider security posture

No security system is impenetrable. We cannot guarantee the absolute security of information transmitted to us. You use the Platform at your own risk and are responsible for maintaining the security of your login credentials.

6. Data Retention

We retain personal information for the following periods:

  • Account and subscription data: for the duration of your subscription plus 7 years (for tax and legal purposes)
  • Generated documents and participant profiles: for the duration of your account, plus 30 days after account deletion
  • Billing records: 7 years as required by Australian tax law
  • Usage logs: 90 days

After these periods, data is permanently deleted or de-identified. You may request early deletion of your personal information, subject to our legal retention obligations.

7. Access and Correction

Under the Privacy Act, you have the right to:

  • Request access to personal information we hold about you
  • Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading

To exercise these rights, contact us at saka.asif0@gmail.com. We will respond within 30 days. We may charge a reasonable fee for access requests where permitted.

For requests relating to participant information, we note that Notara processes this information on behalf of Subscribers. Requests from participants should in the first instance be directed to the relevant NDIS provider (Subscriber).

8. Notifiable Data Breaches

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we become aware of a data breach that is likely to result in serious harm to any individual, we will:

  • Conduct an assessment within 30 days of becoming aware of the suspected breach
  • If the breach is assessed as eligible, notify the OAIC and affected individuals as soon as practicable
  • Provide notification containing a description of the breach, the types of information involved, recommended steps individuals should take, and our contact details

To report a suspected security issue or data breach, contact us immediately at saka.asif0@gmail.com.

9. Complaints

If you believe we have mishandled your personal information, you may lodge a complaint with us at saka.asif0@gmail.com. We will respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5218, Sydney NSW 2001

10. Cookies

The Platform uses session cookies for authentication purposes. These are essential to the operation of the Platform and cannot be disabled without impairing functionality. We do not use tracking cookies, advertising cookies, or third-party analytics cookies without disclosure.

11. Children

The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. Participant profiles may contain information relating to NDIS participants who are minors — this information is entered by Subscribers who are responsible for ensuring appropriate parental or guardian consent has been obtained.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or prominent in-platform notice at least 14 days before changes take effect. Continued use after the notice period constitutes acceptance.

13. Contact

Privacy Officer: Asif Saka

© 2026 Notara Pty Ltd. All rights reserved.
