At TesseractApps, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy outlines how we collect, use, disclose, and safeguard your data when you use our website and NDIS workforce management services. By accessing tesseractapps.com.au or utilising our services, you agree to the practices described in this policy.
1. Australian Privacy Principles Compliance
TesseractApps is committed to complying with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). We also acknowledge and comply with the requirements introduced by the Privacy and Other Legislation Amendment Act 2024.
As an APP entity providing services to NDIS providers and participants, we take our privacy obligations seriously and have implemented comprehensive measures to protect all personal information entrusted to us.
2. Information We Collect
In accordance with APP 3, we only collect personal information that is reasonably necessary for our NDIS workforce management services, by lawful and fair means, directly from individuals where practicable.
- Name
- Email address
- Phone number
- Address
- Payment information
- Employment-related information for NDIS staff (qualifications, certifications, work history)
- Other identifiable information that you provide voluntarily
We may collect sensitive information as defined under the Privacy Act 1988, including:
- Health information relevant to NDIS service delivery
- Disability status and support requirements
- Background check results for NDIS worker screening
We will only collect sensitive information with your explicit consent, unless otherwise permitted by law. Sensitive information is subject to enhanced security measures and strict access controls.
- Browser type and version
- Operating system
- Pages visited on our website
- Time and date of visits
- IP address
- Other technical data
3. How We Use Your Information
In accordance with APP 6, we only use or disclose personal information for the primary purpose for which it was collected, or for secondary purposes where you would reasonably expect such use.
- Providing and managing our NDIS workforce management services
- Processing transactions and payroll
- Rostering, scheduling, and shift management
- Improving our platform and services
- Communicating with you about updates, service changes, and support
- Responding to your inquiries and providing customer support
- Analysing usage trends to enhance user experience
- Complying with NDIS Quality and Safeguards requirements
- Complying with legal and regulatory obligations
4. Sharing Your Information
We do not sell, trade, or otherwise transfer your personal information to outside parties, except in the following circumstances:
- With your consent
- To trusted third parties who assist us in operating our website and services, as long as they agree to keep your information confidential and comply with Australian privacy laws
- To comply with legal requirements, such as responding to subpoenas, court orders, or other legal processes
- To protect our rights, property, or safety, and that of our users or others
- To the NDIS Quality and Safeguards Commission where required for compliance purposes
5. Overseas Disclosure
TesseractApps is built on Salesforce Hyperforce infrastructure, with data hosted in Australia. However, in limited circumstances, personal information may be processed by overseas service providers who support our platform operations.
Our safeguards include:
- Contractual obligations requiring compliance with Australian privacy standards
- Data processing agreements with appropriate security and privacy clauses
- Assessment of the recipient's privacy practices and security measures
- Preference for providers in countries with comparable privacy protections
Countries where data may be processed include the United States (for certain Salesforce services). We maintain transparency about international data flows and will inform you of any significant changes.
6. Data Security
In accordance with APP 11, we take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Our security measures include:
- End-to-end encryption using AES-256 for data at rest and SSL/TLS for data in transit
- Multi-factor authentication (MFA) for all user accounts
- Role-based access controls ensuring staff only access data necessary for their role
- Regular security audits and vulnerability assessments
- Secure data destruction procedures when information is no longer required
- ISO 27001-certified infrastructure through our Salesforce platform
- Regular staff training on data protection and privacy requirements
- Incident response procedures for potential security events
7. Data Breach Notification
In accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988, we have implemented a comprehensive data breach response framework.
If we experience an eligible data breach that is likely to result in serious harm, we will:
- Take immediate steps to contain the breach and limit any damage
- Assess the breach to determine if it is likely to result in serious harm
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
- Notify affected individuals with details about the breach and recommended steps they should take
- Review and improve our security measures to prevent future breaches
8. Your Rights
Under the Australian Privacy Principles, you have the following rights:
- Access (APP 12): You have the right to request access to the personal information we hold about you
- Correction (APP 13): You have the right to request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information
- Request the deletion of your personal information where it is no longer needed for the purpose for which it was collected
- Object to the processing of your data in certain circumstances
- Withdraw consent at any time where processing is based on consent
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached
We commit to responding to access and correction requests within 30 days of receipt.
9. Automated Decision-Making
Our NDIS workforce management platform may use automated processes to assist with:
- Rostering and shift allocation based on staff availability, qualifications, and participant needs
- Scheduling optimisation to match staff skills with service requirements
- Compliance checking for certifications and training requirements
These automated processes are designed to assist human decision-makers, not replace them. You have the right to request human review of any automated decision that significantly affects you.
10. Data Retention
In accordance with APP 11.2, we only retain personal information for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention practices include:
- Retaining employment and payroll records as required by taxation and workplace laws (typically 7 years)
- Retaining NDIS service records as required by NDIS Quality and Safeguards Commission requirements
- Securely destroying or de-identifying personal information when it is no longer needed
- Regular review of retained data to ensure ongoing necessity
11. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience on our website. You can choose to disable cookies through your browser settings; however, this may affect your ability to use certain features of our site.
12. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to read the privacy policies of any linked websites you visit.
13. Geolocation Privacy
To sign in for shifts, geolocation services must be enabled on your device. You will only be able to sign in if you are within a 400-metre radius of the assigned shift location. Once signed in, your location will be tracked at every 100-metre interval to monitor your presence at the location during the shift.
We collect your geolocation data to verify your proximity to the shift location, monitor your location while on shift to ensure compliance and safety, and provide accurate attendance and shift records.
You may manage your geolocation settings through your device. Disabling location services will restrict certain features, including the ability to sign in for shifts. By using our services with geolocation enabled, you consent to the collection and use of your location data as outlined.
Your location data is encrypted and stored securely, accessible only to authorised personnel. We do not share your geolocation data with third parties without your consent, except where required by law.
Geolocation data is only retained for as long as necessary to fulfil its intended purposes. Once no longer required, it is securely deleted. You have the right to request access to, correction of, or deletion of your location data.
Our application incorporates real-time location monitoring during shifts to ensure compliance and safety.
14. Complaints
If you believe we have breached your privacy, you can lodge a complaint with us by contacting our Privacy Officer below.
- Submit your complaint in writing to our Privacy Officer
- We will acknowledge your complaint within 5 business days
- We will investigate and respond within 30 days
- If unsatisfied, you may escalate to the Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Post: GPO Box 5218, Sydney NSW 2001
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Any changes will be posted on this page with an updated effective date. We encourage you to review this policy periodically.
16. Contact Us
To exercise your privacy rights or for any enquiries about this policy, please contact our Privacy Officer:
Privacy Officer, TesseractApps Pty Ltd
Email: privacy@tesseractapps.com
General Enquiries: sales@tesseractapps.com
Phone: 1300 252 808
Address: TesseractApps, Phillip ACT 2606


