Privacy Policy

Last updated: 16 April 2026

1. Who we are

Nuvori Technologies Pty Ltd (ACN 664 706 576, ABN 19 664 706 576) operates Nuvori Care, software for NDIS Supported Independent Living providers. We are based in Sydney, Australia. In this policy "we", "us", and "our" refer to Nuvori Technologies Pty Ltd.

We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), and the requirements set out in the NDIS Practice Standards and NDIS Code of Conduct for how registered NDIS providers handle participant information.

2. What we collect

We collect two categories of information:

2.1 Information about our customers (NDIS providers)

  • Business information: organisation name, ABN, NDIS registration number, physical address.
  • Contact information of authorised representatives: name, email, phone, job title.
  • Billing information: subscription plan, invoices, payment details (processed by third-party payment processors).
  • Technical information: IP address, browser type, device type, usage logs and activity logs within the platform.

2.2 Information our customers enter into the platform

Our customers (NDIS providers) use Nuvori Care to store information about their staff, participants, and operations. This includes:

  • Staff records (name, role, employment type, qualifications, screening checks, rosters, payroll classification).
  • Participant records including sensitive information such as NDIS plan details, health information, support needs, incident reports, progress notes, and documents.
  • Shift, timesheet, and billing data.

For this category of information, the NDIS provider is the data controller under the APPs and we are the data processor. We process this data only on the provider's instructions and do not use it for our own purposes.

3. How we use information

We use information to:

  • Provide, operate, and maintain the Nuvori Care platform.
  • Respond to customer support requests.
  • Bill customers and process payments.
  • Detect, prevent, and address technical issues and security incidents.
  • Comply with legal obligations.
  • Improve our product — always in aggregate, anonymised form, never using participant data.

4. Where information is stored

All customer data is stored in Australia, in Supabase's Sydney (ap-southeast-2) region on infrastructure provided by Amazon Web Services (AWS). Data does not leave Australia during normal operations.

Transactional emails (e.g. account verification, password resets) may be sent via overseas email service providers, but these emails do not contain participant information.

5. Security

We take information security seriously. Measures include:

  • TLS/HTTPS encryption for all data in transit.
  • Encryption at rest for the database.
  • Row-Level Security (RLS) at the database layer, isolating data between organisations.
  • Role-based access controls within the platform.
  • Shift-based access control for worker accounts — support workers can only view participant data during their active shift.
  • Immutable audit logs for all sensitive actions.
  • Regular security reviews and dependency updates.

No system can be made 100% secure. If a data breach affects you, we will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.

6. Who we share information with

We do not sell personal information. We may share information with:

  • Service providers under confidentiality obligations (hosting, payment processing, email delivery, error monitoring).
  • Authorised users within your organisation who have been granted permission by your provider administrator.
  • Law enforcement or regulators where legally compelled (e.g. subpoena, NDIS Quality and Safeguards Commission investigation).
  • Acquirers in the event of a merger, acquisition, or asset sale, subject to continued adherence to this policy.

7. Retention

Customer account data is retained for the duration of the subscription plus the period required to comply with legal obligations. NDIS Practice Standards require certain records (e.g. incident reports, participant records) to be retained for a minimum of 7 years. When a subscription ends, provider organisations can export their data; after a defined grace period, data is securely deleted or anonymised.

8. Your rights

Under the APPs, you have the right to:

  • Access the personal information we hold about you.
  • Correct personal information that is inaccurate or out of date.
  • Complain to us about how we've handled your information, and escalate to the OAIC if you're not satisfied with our response.

If you are an NDIS participant whose information is held in Nuvori Care by your service provider, please contact your provider directly in the first instance — they are the controller of your information.

9. Changes to this policy

We may update this policy from time to time. Material changes will be notified via email to the primary contact on file and posted on this page. The "Last updated" date at the top indicates when the policy was last revised.

10. Contact

For privacy questions, complaints, or access/correction requests:

Nuvori Technologies Pty Ltd
Email: privacy@nuvori.com.au
General: hello@nuvori.com.au
Sydney, Australia
ACN 664 706 576 · ABN 19 664 706 576

If you are not satisfied with our response to a privacy complaint, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.