Privacy Policy

Last updated: February 2026

1. Introduction

MyCaseNote ("we", "our", or "us") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our case note management platform.

We comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) and relevant NDIS privacy requirements.

2. Information We Collect

We collect the following types of information:

Account Information

  • Name and email address
  • Business name and details
  • Password (encrypted)
  • Role and permissions within your organisation

Case Note Data

  • Participant information (names, identifiers)
  • Session details and dates
  • Shift notes and goal progress notes
  • Service stream categorisation
  • Approval and amendment history

Usage Data

  • Log data (IP address, browser type, pages visited)
  • Device information
  • Analytics data to improve our service

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain our platform
  • Enable case note creation, submission, and approval workflows
  • Manage user accounts and authentication
  • Facilitate multi-business access for support workers
  • Send service-related communications
  • Respond to support requests
  • Improve and develop new features
  • Ensure platform security and prevent fraud

4. Data Storage and Security

Your data is stored securely using industry-standard encryption and security practices:

  • Data is encrypted in transit (TLS/SSL) and at rest
  • We use Supabase for database, authentication, and private document storage, hosted in Australia where available
  • Access controls ensure only authorised personnel can access data
  • Audit logs record sensitive actions such as participant record access, case note changes, document access, and permission changes
  • We maintain backup, incident response, and access review processes for production systems
  • Multi-tenant architecture ensures complete data isolation between businesses

5. Data Sharing and Disclosure

We do not sell your personal information. We may share data only in the following circumstances:

  • Within your organisation: Data is shared between users of the same business according to their roles and permissions
  • Service providers: We use trusted third-party services for hosting, authentication, storage, payments, email, support, and operational logging. We maintain a subprocessor list and require appropriate confidentiality and security commitments from providers that handle customer data
  • Support access: Our team accesses customer data only when needed to provide support, investigate security issues, comply with law, or maintain the Service. Support access is limited and logged
  • Legal requirements: When required by law, court order, or to protect our legal rights
  • Business transfers: In connection with a merger, acquisition, or sale of assets

6. Your Rights

You have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your data (subject to legal retention requirements)
  • Export your data in a portable format
  • Withdraw consent for optional data processing
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

7. Data Retention

We retain case note data for as long as your account is active and as required by NDIS record-keeping requirements. Upon account termination, data may be retained for up to 7 years or longer where your organisation requests a legal hold or where retention is required by law. You may request export, deletion, or de-identification of data, subject to legal and regulatory retention requirements.

8. Cookies and Tracking

We use essential cookies to maintain your session and preferences. We may use analytics cookies to understand how our platform is used. You can control cookie settings through your browser preferences.

9. Data Breaches

If we become aware of a suspected data breach, we will investigate promptly, take steps to contain and remediate the issue, and notify affected organisations and regulators where required by the Privacy Act 1988 (Cth), the Notifiable Data Breaches scheme, or other applicable obligations.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Continued use of the platform after changes constitutes acceptance of the updated policy.