Privacy policy

Placeholder. This text is a working draft pending lawyer review. Email support@careforms.com.au with questions until the final version is published.

Last updated: TBC before launch · Applies to: Careforms (the platform).

1. Who we are

Careforms is operated in Australia and is bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). When a disability or aged-care provider ("the Provider") uses Careforms to collect intake information from their clients, the Provider is the APP entity collecting personal information; Careforms acts as their data processor.

2. What we collect

From providers: business name, ABN, contact email, optional logo, billing details (held by Stripe, not Careforms). From clients filling out an intake link issued by a provider: identifying details, contact details, NDIS information where applicable, health-adjacent information necessary for the provider to deliver safe support, and consent declarations. We also record server-side audit metadata for every submission (IP, country/region, Cloudflare ray ID, user agent).

3. Why we collect it

So that providers can issue branded intake forms and receive a tidy record without paper or spreadsheets. So that we can deliver and bill the service. So that we have a tamper-evident audit trail for incident response. We do not sell or share client-intake content, and we do not train AI models on it.

4. Where it lives

Application data lives on Cloudflare's network. PDF audit copies are mirrored to Cloudflare R2 in the apac region. Email delivery is handled by Resend. Card details are tokenised and held by Stripe; Careforms never sees raw card numbers.

5. How long we keep it

Intake submission records are retained for 7 years (aligned with NDIS Practice Standards record-keeping). Magic-link sign-in tokens expire and are pruned. PDFs in R2 follow the same 7-year horizon and are then deleted via a nightly retention sweep.

6. Your rights

Under the Privacy Act, individuals can request access to, or correction of, the personal information held about them. Submissions are owned by the Provider — contact your Provider first. If you cannot reach them, email support@careforms.com.au.

7. Notifiable Data Breaches

Careforms operates an incident-response process aligned with the Notifiable Data Breaches scheme. In an eligible breach we will notify affected individuals and the OAIC within 30 days of becoming aware.

8. Contact

Email support@careforms.com.au.