Where your data lives - and what we do with it.

Everything we control is stored in Australia. Specifically:

• Account + participant data lives in Sydney-region data centres (AWS ap-southeast-2 via Supabase).
• AI inference for note generation, comms drafting, budget analysis, document extraction, and plan review runs within Australian data centres (AWS Bedrock, ap-southeast-2).
• Application hostingis pinned to Vercel's Sydney region so nothing routes via the US for performance reasons.

Voice input is the one place where data leaves Australia. When you record a voice memo for a case note, the raw audio is sent to a US-based transcription provider (OpenAI Whisper) and returned as text.

• What gets sent: only the raw audio you recorded. The transcription request includes no participant names, no plan context, no NDIS numbers, no other identifiers.
• What happens after:the transcribed text is returned to the Australian inference layer, which generates the note. The audio is not retained by us; the provider states they don't retain customer audio for training.
• How we surface this in the product: the disclosure appears next to the microphone button every time you use voice input. Voice is always optional - typing is the default.

If you'd prefer not to use voice transcription for any reason, you don't have to - all tools work fine with typed input.

Your case notes, drafts, emails, voice memos, uploaded documents, and participant details are never used to train AI models - ours, our providers', or anyone else's. We have zero-retention agreements where the provider supports it (Bedrock, Whisper), and the contracts where we don't control the dial explicitly prohibit training on customer content.

We deliberately store the minimum information needed to make the tools work. Specifically:

• First and last name only. No NDIS numbers, no dates of birth, no addresses, no diagnoses, no health history.
• Goals you choose to uploadfor case-note grounding (e.g. "Maria is working on independent shopping").
• Generated content (notes, emails, reports) is stored against your account so you can find it again; you can delete it any time.

The intended flow is that you copy finished notes into your own practice management system. SRTD is not meant to be the permanent record of participant information.

We use a small, audited list of infrastructure providers to operate the service. None of them have permission to use your content for anything other than serving you.

• Supabase (Sydney) - database, authentication, file storage.
• AWS Bedrock (Sydney) - AI inference for note, email, budget, doc-analysis, plan-review generation.
• Vercel (Sydney) - application hosting and edge functions.
• Stripe (global, PCI-DSS Level 1) - payment processing. Card details never touch our servers.
• Resend (transactional email) - sends confirmation, password-reset, trial-reminder, and feedback emails. Only your email address and the email content are shared - no participant data.
• OpenAI Whisper (US) - voice-to-text transcription only. Audio in, text out. No identifiers attached. See section above.

Detailed sub-processor compliance documents (SOC 2, ISO 27001, DPAs) are available on request at support@srtd.tools.

We keep your account and the content you generate for as long as your subscription is active. If you cancel:

• Generated content (notes, emails, reports) is kept for 30 days post-cancellation in case you reactivate, then permanently deleted.
• Account data (your name, email, login) is retained for 12 months post-cancellation for billing / compliance, then permanently deleted.
• Payment records are retained as required by Australian tax law (7 years), held by Stripe.

You can request immediate deletion at any time from the account page or by emailing support@srtd.tools.

• Encryption in transit: all traffic is HTTPS (TLS 1.2+).
• Encryption at rest: data at rest in Supabase and AWS is encrypted with AES-256.
• Row-level security: Postgres RLS policies ensure users can only ever read or write their own rows.
• Least-privilege access: only the application service role can write the data needed to serve you - no broad-access admin accounts.
• Rate limiting + auth hardening: brute-force protection on signin, reCAPTCHA on signup, sensible session timeouts.
• Security headers: standard CSP, X-Content-Type-Options, Referrer-Policy headers on all routes.

If you spot a security issue, please email support@srtd.tools with the subject line "Security disclosure". We acknowledge reports within 48 hours and aim to ship a fix or mitigation within seven business days, depending on the scope. We don't run a formal bug-bounty program yet, but good-faith reporters are credited (with your permission) once a fix has shipped.

This page is a plain-English summary. The binding documents are:

• Privacy Policy - what we collect, how we use it, your rights under the Australian Privacy Principles.
• Terms of Service - cancellation, refunds, liability, AI output disclaimer.