Privacy Policy

Last updated: April 2026

The short version

Because privacy policies are usually impenetrable, here's what matters in plain English:

  • We collect the minimum information needed to run the service: your email, name, role, and billing details.
  • Content you create using SRTD Tools is yours. We don't use it to train AI models, we don't sell it, and we don't share it with third parties except the infrastructure providers listed below.
  • Your account and participant data stay in Australia. AI processing runs within Australia.
  • For participants, we store first and last name only. No NDIS numbers, dates of birth, addresses, diagnoses, or health information.
  • You can delete your account and all associated data at any time from your account settings.
  • If we ever have a security incident affecting your data, we'll notify you within 72 hours of confirming impact.

The rest of this document covers the full detail.

About this policy

This Privacy Policy explains how SRTD Tools (srtd.tools) collects, uses, stores, and discloses personal information. We are bound by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

SRTD Tools is a software-as-a-service product for NDIS workers. It helps you draft case notes, communications, and other NDIS documentation. Finished outputs are copied into your own practice management system; SRTD Tools is not itself a record-keeping system for participants.

What we collect

From you, the user

  • Name and email address (used for account login and billing).
  • Your professional role (e.g. Support Coordinator, Support Worker).
  • Organisation name, if you choose to provide one.
  • Password (hashed - we never see the plain text) or Google account identifier if you sign in with Google.
  • Billing information - collected and processed by our payment provider. Credit card details never touch our servers.

About participants (very limited)

Because SRTD is a drafting tool, it stores the minimum information required to produce a document:

  • First and last name of each participant you add.
  • The content of case notes, communications, or other documents you generate through the service.

SRTD does not ask for NDIS participant numbers, dates of birth, addresses, diagnoses, health information, or other identifying details. If you include such content in a draft you generate, it will be stored as part of your output, but we neither ask for it nor recommend including it.

Collected automatically

  • Usage data: which tools you use, how often, timestamps of actions, and counts for billing and operational purposes.
  • Technical data: IP address, browser type, device type, and approximate location (inferred from IP) when you sign in or use the service.
  • Session data: to enforce our one-person-per-account rule and detect unusual access patterns, we track active sessions per user. You can see and revoke your active sessions at any time from your account settings.

What we do NOT collect

  • NDIS participant numbers.
  • Participant dates of birth, addresses, or geographic location.
  • Participant diagnoses or health information.
  • Any identifying information about participants beyond first and last name.
  • Location-tracking data of any kind.

How we use information

  • To operate the service (authenticate you, run your subscription, generate documents).
  • To process billing through our payment provider.
  • To send transactional emails (sign-up confirmation, receipts, password reset, security alerts).
  • To monitor and improve service reliability. Improvement uses aggregated, de-identified usage data only - we do not review individual user content for product improvement.
  • To prevent abuse, fraud, and automated misuse of the service.
  • To comply with legal obligations.

We do not sell your data. We do not use your content to train AI models. We do not share your content with third parties beyond the service providers listed below.

Where your data is stored

Account and participant data stays in Australia. AI processing runs within Australia. The one exception is voice transcription, which is handled by a separate US-based provider.

  • Account data, participant names, generated content: stored in Sydney-region infrastructure.
  • AI inference: runs within Australian data centres.
  • Voice transcription (optional): if you use the voice input feature, the audio recording is sent to a US-based transcription provider and returned as text. We only send the raw audio you record - never participant names or other context. We disclose this in the app next to the microphone button, and voice input is always optional.
  • Payments: processed by a PCI-DSS certified global payment provider.
  • Email delivery: transactional emails are sent through a reputable email service. Only your email address and the content of the email itself are shared - no participant data.

A current, detailed list of sub-processors - including specific providers and their compliance credentials - is available on request at support@srtd.tools.

Who we share your information with

We share your information with infrastructure providers (as described above) strictly to operate the service. Each provider is bound by their own privacy and security obligations. We do not share your information with anyone else, except:

  • When you direct us to (for example, when you explicitly share it with someone).
  • When required by Australian law, court order, or valid regulatory request.
  • In connection with a business transfer (merger, acquisition, sale of assets), in which case we will notify you before any information is transferred and becomes subject to a different privacy policy.

How long we keep your data

We retain your data for as long as your account is active. When you delete your account from your account settings, all associated data - profile, subscription, participants, case notes, drafted communications, session history - is permanently deleted immediately. This is irreversible.

If you cancel your subscription without deleting your account, your content remains until you delete the account or we delete it after a prolonged period of inactivity (with prior notice by email).

We may retain minimal records beyond this period where required by law (for example, Australian Taxation Office record-keeping requirements for invoices). These records contain transaction metadata - not the content of your case notes or participant records.

Your rights

Under Australian privacy law you have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate information (most information is editable from account settings; contact us for anything not directly editable).
  • Request deletion of your account and data (self-service via account settings, or by contacting us).
  • Request a copy of your data in machine-readable format.
  • Complain about how we have handled your personal information.

To exercise any of these rights, email support@srtd.tools. We will respond to any verified request within 30 days.

If you're not satisfied with our response, you can complain to the Office of the Australian Information Commissioner:

Security

We implement appropriate technical and organisational measures to protect your data:

  • Encryption in transit: all connections to SRTD Tools use TLS 1.2 or higher.
  • Encryption at rest: stored data is encrypted using AES-256.
  • Row-level security: every database table enforces row-level security so the database itself refuses access to other users' data, even if there were a bug in application code.
  • Session controls: we limit concurrent sessions per account and automatically sign out idle sessions after 12 hours.
  • Payment data isolation: credit card details never touch our servers - handled entirely by our PCI-DSS certified payment provider.
  • Minimum necessary data: we collect and store only what the service needs to function.

Despite these measures, no online service can guarantee absolute security. If a security incident occurs that is likely to result in serious harm, we will notify you within 72 hours of confirming impact, as required under the Privacy Act's Notifiable Data Breaches Scheme.

Voice transcription and AI processing

Voice transcription

If you use the voice input feature, your audio recording is sent to a US-based transcription provider. We have considered this trade-off carefully: the chosen provider offers the best accuracy for Australian accents and professional terminology. We disclose this wherever voice input is offered, and using voice input is always optional - you can type instead.

The transcription provider's API terms prohibit using API inputs to train their models. We do not send participant names or identifying information alongside audio - only the raw audio and a technical user identifier.

AI content generation

All AI-generated content (case notes, emails, reports) is produced within Australia. Our AI provider does not use your inputs to train AI models.

Generated content should always be reviewed by you before use. AI output may contain errors, omissions, or language that needs adjustment for your specific context. You are responsible for the final content you use in your professional work.

Australian Consumer Law

Nothing in this Privacy Policy limits, excludes, or modifies any right or guarantee you have under the Australian Consumer Law or any other law that cannot lawfully be excluded.

Changes to this policy

We may update this policy from time to time. For material changes (new categories of data collected, new sub-processors receiving participant data, changes to Australian residency, changes to breach notification), we'll notify you by email at least 30 days before the changes take effect. Minor changes (clarifications, improved wording) will simply be posted here with an updated date.

Contact

Privacy queries and complaints: support@srtd.tools