Privacy Policy
Last updated: 1 June 2026
This Privacy Policy explains how Dennis Kooij (ABN 16 273 117 835) (“Supportal”, “we”, “us”, “our”) collects, uses, stores, and protects personal information when you use the Supportal application and website (the “Service”). We are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
The short version
- Your data is stored privately under your own account, in a database hosted in Sydney, Australia.
- Each account is isolated — no other Supportal user can see your data.
- We never sell your data, and we don’t use advertising or tracking cookies.
- We don’t track your location or use GPS.
- You can export or delete all of your data at any time.
- You are responsible for having the right to store information about the people you support.
1. Who this policy applies to
This policy applies to people who create a Supportal account — typically sole-trader NDIS support workers — and to the personal information you enter into the Service, including information about the people you support (“participants”).
2. Information we collect
2.1 Account information
- Your name and email address.
- A password, which is hashed and stored by our authentication provider — we never see or store your plain-text password.
2.2 Business profile information
Information you enter to run your sole-trader business, such as your business/trading name, ABN, address, phone number, bank account details (BSB, account number) used on invoices, your rates, and copies of credentials you choose to upload (for example licences, insurance certificates, and qualifications).
2.3 Information about the people you support (participants)
To do your job, you may enter information about participants. This can include their name, preferred name, date of birth, contact details, address, NDIS number, plan-management details, goals, and notes about your shifts. Some of this is “sensitive information” and “health information” under the Privacy Act — for example diagnoses, medications, allergies, mobility and communication needs, mood, and incident records.
2.4 Records you create
- Shift schedules and shift notes (including incident reports).
- Invoices, expenses, kilometre logs, and service agreements.
- Photos or scans you upload (for example a participant’s photo, a signed service agreement, or a receipt).
2.5 Technical information
Standard information needed to operate a web app, such as your browser type and a locally stored session token that keeps you signed in. We do not run third-party advertising or analytics trackers.
3. How we use your information
- To provide the Service — storing and syncing your shifts, notes, clients, invoices and related records across your devices.
- To authenticate you and keep your account secure.
- To process subscription payments (via Stripe — see below).
- To provide optional features you switch on, such as Google Calendar sync and address autocomplete.
- To respond to your support requests.
- To comply with our legal obligations.
We do not use your data, or participants’ data, for advertising, profiling, or to train any machine-learning models.
4. Where your data is stored
Your data is stored in a PostgreSQL database operated by Supabase, hosted in the AWS Sydney region (Australia). Data is encrypted in transit (TLS) and at rest (AES-256), and is protected by row-level security so that each account can only access its own data.
A copy of your data is also cached on your own device (in your browser’s local storage) so the app works offline. This local copy stays on your device until you sign out and clear your browser data, or erase your data from within the app. Because it is unencrypted on your device, you should keep your device locked and protected with a passcode.
5. Who we share your information with
We do not sell your personal information. We share it only with the service providers (“sub-processors”) needed to run Supportal, and only to the extent required:
| Provider | Purpose | Notes |
|---|---|---|
| Supabase | Database, authentication, data storage | Hosted in Sydney, Australia. |
| Vercel | Hosting and delivery of the app | Serves the application code; your records are not stored here. |
| Stripe | Subscription payment processing | Stripe handles your card details directly — we never see or store full card numbers. Stripe may process data overseas. |
| Google (optional) | Google Calendar sync | Only if you connect your Google account. You can disconnect at any time. |
| Geoapify / OpenStreetMap (optional) | Address autocomplete | If you type an address, the text is sent to look up matches. May be processed overseas. |
We may also disclose information if required by law, to enforce our terms, or to protect the rights, property, or safety of any person.
6. Overseas disclosure
Your core data is stored in Australia. However, some sub-processors listed above (for example Stripe, Google, and the address-lookup providers) may store or process limited information outside Australia. By using those optional features and by subscribing, you consent to that disclosure. We take reasonable steps to use reputable providers with appropriate safeguards.
7. Cookies and tracking
Supportal uses your browser’s local storage to keep you signed in and to cache your data for offline use. We do not use third-party advertising cookies or analytics trackers, and we do not track your physical location or use GPS.
8. How we protect your information
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Row-level security so the database refuses to return any row that isn’t yours.
- Hashed passwords managed by our authentication provider.
- Automatic on-device backups so you don’t lose work.
No system is perfectly secure, but we take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.
9. Data retention and deletion
We keep your data for as long as your account is active. You can delete individual records, export all of your data as a JSON file, or erase all of your data from within the app at any time. If you ask us to close your account, we will delete your personal information from our active systems, except where we are required to keep certain records to comply with the law (for example, tax or payment records).
10. Your rights
Under the Australian Privacy Principles you have the right to:
- Access the personal information we hold about you.
- Correct information that is inaccurate, out of date, or incomplete.
- Export your data (use the “Download backup” feature in the app at any time).
- Delete your data and close your account.
- Complain if you believe we have mishandled your information (see below).
11. Data breaches
If a data breach occurs that is likely to result in serious harm, we will notify affected users and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.
12. Children’s information
Supportal is intended for use by adult support workers. The Service is not directed at children. Some participants you support may be under 18; any information you enter about them is handled as described in this policy, and you are responsible for having the appropriate consent to record it.
13. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you in the app. Continued use of the Service after a change means you accept the updated policy.
14. Contact us
If you have questions about this policy, or want to access, correct, or delete your information, contact us at contact@supportalapp.com.
If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner at oaic.gov.au.
This policy is governed by the laws of Western Australia, Australia.