Privacy Policy
Last updated: May 2026
Parkway (operated by Parcare Lifestyle Pty Ltd, ABN 94 666 356 430) provides operating software for NDIS support providers. This policy explains how we collect, store, use, and share personal information through the website at parkways.com.au, the worker mobile app (Parkway Workers), and any related services (the “Service”).
We comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the NDIS Quality and Safeguards Commission's requirements for handling participant information.
1. What we collect
1.1 From provider organisations + admin staff
- Name, email, phone, role, employer organisation
- Authentication credentials (hashed; we never see your password)
- Audit log of actions taken in the platform (super-admin viewable only)
1.2 From support workers
- Identity, contact, and emergency contact
- Compliance documents (Blue Card, NDIS Worker Screening, First Aid, CPR, driver's licence, insurance)
- Tax File Number, super fund details, bank account details (payroll)
- Self-declared skills, cultural background (optional), availability
- Geo-location at clock-in/clock-out (Electronic Visit Verification)
- Photo for Worker ID badge (optional)
1.3 From NDIS participants (entered by your provider)
- Identity, contact, NDIS number, plan funding, supports + goals
- Care plan, behaviour support plan, risk assessment
- Medications and clinical observations
- Shift completion notes
- Incidents and feedback
1.4 Automatic technical data
- Browser/device user agent, IP address (request logs only)
- App crash reports and performance metrics
- Web Push subscription endpoints (so we can notify your device)
2. How we use it
- To run your provider organisation's operations (rostering, billing, compliance, payroll)
- To deliver notifications you've opted into (shift invites, credential reminders)
- To produce audit-ready records for the NDIS Quality and Safeguards Commission
- To improve the Service (aggregated, de-identified usage analytics)
We do not sell personal information. We do not use participant or worker data for advertising.
3. Where it's stored
Personal information is stored in databases hosted in Sydney, Australia (Supabase, region ap-southeast-2). Files (photos, certificates, signed PDFs) are stored in the same region.
Some sub-processors may process data outside Australia in the course of delivering services to you (e.g. AI text processing via Anthropic in the US, email delivery via Resend in the EU). We only share the minimum necessary information with each.
4. Sub-processors we use
- Supabase: primary database + authentication + storage (AU)
- Vercel: application hosting (AU edge, US for some functions)
- Anthropic: AI text generation (US). Inputs and outputs are not used to train models.
- Resend: transactional email delivery (EU)
- DocuSeal: eSignature for contracts and consent forms (US)
- Twilio: SMS delivery for shift invites (AU)
5. AI features
When you use AI-augmented features (note clean-up, goal-alignment scan, worker chatbot), the relevant data is sent to Anthropic's Claude API for processing. Anthropic does not train its models on the data sent through its API. We do not send AI providers data unrelated to the feature you're using (e.g. the chatbot only sees your own profile + the policy library + your own next shift, not other workers' data).
6. Worker app permissions
The worker app may request these device permissions:
- Location: only at clock-in / clock-out, to confirm you arrived at the participant's address. Location is not tracked between shifts.
- Notifications: to alert you about shift invites, credential renewals, and on-call updates.
- Microphone: when you use the voice-note feature to dictate a completion note. Audio is processed locally in the browser and only the transcript is uploaded.
- Camera + Photos: when you upload an ID photo or credential scan.
You can revoke any of these in your device settings at any time.
7. Push notifications
We send push notifications via the Web Push standard (or Apple Push Notification service when using the iOS app). You can disable these by revoking notification permission in your browser or device settings.
8. How long we keep it
- Active worker + participant records: kept for the duration of engagement + 7 years after (NDIS audit retention requirement)
- Shift notes + clinical records: 7 years (NDIS standard)
- Audit logs: 7 years
- Web Push subscriptions: deleted when you unsubscribe or after 90 days of inactivity
9. Your rights
You can ask us to:
- Access the personal information we hold about you
- Correct anything that's inaccurate
- Delete your data (subject to NDIS retention obligations)
- Export your data in a portable format
Requests go to nicholas@parcaresupports.com. We respond within 30 days.
10. Security
- All data in transit is TLS-encrypted
- Data at rest is encrypted by Supabase (AES-256)
- Row-level security restricts every query to the requesting org
- Service-role keys are scoped to specific server-side functions only
- Two-factor authentication is available (TOTP)
11. Children
The platform is for adult workers and NDIS providers. Information about NDIS participants who are minors is entered by their support provider under their professional and legal duty of care.
12. Changes to this policy
We'll post material changes here with a new “Last updated” date and email registered users at least 7 days before they take effect.
13. Contact
Parcare Lifestyle Pty Ltd
ABN 94 666 356 430
Unit 5/5-7 Cairns Street, Loganholme QLD 4129
Email: nicholas@parcaresupports.com
Phone: 0468 053 402
If you're not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
