Privacy Policy

When an NDIS participant registers or uses the Platform we may collect:

• Full name, email address, phone number, and suburb/region;
• NDIS number and plan information (if voluntarily provided in enquiries);
• Health, disability, and support-need information shared in enquiries or messages;
• Bookings history, reviews submitted, and provider interactions;
• Profile photo (optional).

When an NDIS service provider registers or uses the Platform we may collect:

• Full name, business name, ABN, email address, and phone number;
• Business address, service areas, and service categories;
• Registration number (NDIS registered providers), NDIS Worker Screening Check status, police check details, and Working With Children Check numbers;
• Professional qualifications, accreditations, and certifications;
• Bank account or payment details (for invoice payment settings — stored by Stripe where applicable);
• Profile photos, logo, and gallery images;
• Subscription payment history;
• Client records, progress notes, invoices, and service agreements managed within the Platform.

Sensitive information under the Privacy Act includes health information, disability information, and government identifiers. We collect sensitive information only where:

• You have consented; or
• Collection is required or authorised by law.

Examples of sensitive information we may collect include NDIS numbers, disability or health details shared in enquiries, worker screening check numbers, and professional registration information. We do not require participants to provide sensitive information to use the Platform — provision is voluntary.

When you use the Platform we automatically collect:

• IP address, browser type and version, operating system;
• Pages visited, time and duration of visits, and navigation paths;
• Referring URLs and search terms used to find the Platform;
• Session and authentication tokens (stored in browser local storage and cookies).

We may receive information from third parties including:

• Google (if you import Google Reviews via our integrations feature);
• Xero (if you connect your Xero account via our accounting integration);
• Stripe (payment confirmation events sent via webhook).

We use your personal information to:

• Create, maintain, and authenticate your account;
• Display provider profiles to participants searching for NDIS services;
• Facilitate enquiries, bookings, and direct messaging between participants and providers;
• Process subscription payments and manage billing;
• Send transactional emails — account creation, enquiry notifications, invoice delivery, booking confirmations, trial reminders, and subscription receipts;
• Generate invoices, service agreements, progress notes, and other NDIS practice management documents;
• Detect and prevent fraud, spam, and misuse of the Platform;
• Respond to your support requests;
• Comply with our legal obligations under the Privacy Act, NDIS Quality and Safeguards framework, and other applicable law.

We use aggregated, de-identified analytics data to understand how the Platform is used and to improve its features, performance, and user experience. We will not use de-identified data in a way that could reasonably identify you.

We may contact you with information about new features, platform updates, or promotional offers related to Seekara services. You may opt out of marketing communications at any time by clicking "unsubscribe" in any email or by contacting us at support@seekara.com.au. Opting out of marketing does not affect transactional communications required to deliver the service.

Sensitive information is never used for direct marketing purposes.

We will not use or disclose personal information for a purpose other than the primary purpose of collection unless:

• You have consented to the secondary use;
• You would reasonably expect us to use the information for that secondary purpose and it is related to the primary purpose;
• We are required or authorised by law; or
• The secondary use is necessary to lessen or prevent a serious threat to life, health, or safety.

Provider information — business name, services, location, contact details, qualifications, reviews, and photos — is visible to participants and other users as part of the Platform's core function. Providers control what information is published on their public profile.

Enquiry and message content is shared with the specific provider or participant you are communicating with. Sensitive information you include in a message is disclosed to the recipient of that message.

We engage the following categories of third-party service providers who may have access to personal information only to the extent necessary to perform services on our behalf:

• Cloud infrastructure — Supabase (Amazon Web Services, Sydney region — see Section 7);
• Email delivery — Resend Inc (see Section 7);
• Payment processing — Stripe Inc (see Section 7);
• Accounting integration — Xero (if you connect your Xero account).

We take reasonable steps to ensure these service providers are bound by confidentiality obligations or equivalent privacy protections.

We may disclose personal information to government agencies, courts, or law enforcement bodies where required by law or where disclosure is necessary to:

• Comply with a legal obligation or court order;
• Investigate suspected fraud, misconduct, or a serious threat to safety;
• Respond to a request by the NDIS Commission, OAIC, or other regulatory authority with jurisdiction;
• Protect the rights, property, or safety of Seekara, our users, or the public.

If Seekara is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.

Seekara does not sell, rent, trade, or otherwise disclose your personal information to third parties for their own commercial or marketing purposes.

Personal information is stored on Supabase's infrastructure hosted on Amazon Web Services in the Sydney, Australia region (ap-southeast-2). Primary data storage therefore remains in Australia.

Certain data is processed by overseas service providers as described in Section 7.

We implement the following technical and organisational security measures:

• Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher;
• Encryption at rest — database and storage volumes are encrypted at rest by the cloud provider;
• Row-Level Security (RLS) — database-level policies ensure each user can only access data they are authorised to view or modify;
• Access controls — administrative access requires multi-factor authentication;
• Audit logging — changes to critical records are logged with user ID, timestamp, and action type;
• Private storage — uploaded documents (client files, agreements) are stored in a private bucket accessible only to the owning provider via time-limited signed URLs.

No method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security.

We retain personal information for as long as your account is active and for a reasonable period afterwards to resolve disputes, enforce agreements, or comply with legal obligations, including:

• Financial records (invoices, subscription payments) — 7 years, as required under Australian tax law;
• Provider compliance records — for the duration of the provider relationship plus 3 years;
• Account and profile data — deleted or de-identified within 90 days of account closure, subject to legal retention requirements;
• Audit logs — 2 years from creation.

When information is no longer required, we delete or de-identify it in a secure manner.

You have the right to request access to the personal information Seekara holds about you. We will respond within 30 days. We may charge a reasonable fee for access in complex cases. We will notify you of any fee before proceeding. In limited circumstances we may decline access — for example where access would unreasonably impact another person's privacy — and will explain our reasons.

If the personal information we hold is inaccurate, incomplete, or out of date, you have the right to request correction. You can update most profile information directly through your account settings. For other corrections, contact us at privacy@seekara.com.au. We will respond within 30 days. If we decline to make a correction, we will explain why and advise how you may dispute that decision.

Where lawful and practicable, you may interact with us anonymously or using a pseudonym — for example when browsing public provider profiles without creating an account. Creating an account to enquire or book requires identification to facilitate the service.

You may request deletion of your account and personal information by contacting us at support@seekara.com.au. We will process deletion within 30 days, subject to our legal retention obligations (see Section 6.3). Some information (e.g. your name on reviews you submitted, audit log entries) may be retained in de-identified form.

You may opt out of marketing emails at any time using the unsubscribe link in any email or by contacting support@seekara.com.au. Transactional emails (invoices, booking confirmations, account security) are not affected.

If you believe we have handled your personal information in a way that does not comply with the Australian Privacy Principles, you may lodge a complaint with our Privacy Officer. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. We will keep you informed of the progress of your complaint.

If you are not satisfied with our response, or if we fail to respond within 30 days, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Complaints about NDIS provider conduct (including privacy and dignity concerns) may also be made to the NDIS Quality and Safeguards Commission: