Privacy Policy
How we collect, use, disclose, and protect personal information in compliance with the Australian Privacy Principles.
1. Introduction and Scope
This Privacy Policy (“Policy”) describes how Ozler Tech Pty Ltd (ABN 49 695 522 724), trading as Ozler Care Solutions (“Ozler,” “we,” “our,” or “us”), collects, holds, uses, discloses, and otherwise handles personal information in connection with its products and services, including OzlerShield, OzlerSIRS, OzlerReady, OzlerPolicy, Skill2Care, OzlerPass, OzlerScribe, and any related platforms, applications, or websites (collectively, the “Services”).
This Policy applies to all individuals whose personal information we process, including:
- Care workers, support workers, and allied health professionals whose credentials, training records, and employment information are managed through the Services (“Workers”);
- Owners, directors, managers, administrators, and other personnel of aged care providers, NDIS providers, and related organisations who access the Services (“Provider Personnel”);
- Participants, residents, consumers, and other individuals receiving care or supports whose information may be incidentally processed through incident reports, progress notes, or clinical documentation (“Care Recipients”);
- Visitors to our website, attendees at events, and individuals who contact us for sales, support, or partnership enquiries (“Prospects”);
- Employees, contractors, and agents of Ozler (“Our Staff”).
We are bound by the Australian Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”) contained therein. Where applicable, we also comply with state and territory health records legislation, the My Health Records Act 2012 (Cth), and sector-specific obligations under the National Disability Insurance Scheme Act 2013 (Cth) (“NDIS Act”), the Aged Care Act 1997 (Cth), and the Aged Care Quality and Safety Commission Act 2018 (Cth).
2. Definitions
“Personal Information” has the meaning given in section 6 of the Privacy Act and includes information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether recorded in a material form or not.
“Sensitive Information” has the meaning given in section 6 of the Privacy Act and includes health information, biometric information, criminal record information, racial or ethnic origin, and other categories specified in the Act. We treat Worker Screening Check outcomes, incident reports involving Care Recipients, and clinical documentation as Sensitive Information.
“Health Information” has the meaning given in section 6 of the Privacy Act and includes information about an individual's health, disability, or health service provision. Progress notes, clinical documentation generated by OzlerScribe, and SIRS incident reports containing health details are Health Information.
3. Information We Collect
3.1 Worker Information
Through OzlerShield, OzlerPass, and Skill2Care, we collect and process the following categories of Worker information:
- Identity information: full name, date of birth, photograph, and unique identifiers;
- Contact information: email address, phone number, and residential address;
- Employment information: employer name, role, work location, employment status, and employment history;
- Credential and screening information: NDIS Worker Screening Check number, status, and expiry date; Working With Children Check number and status; National Police Check results; professional registration numbers; First Aid certification details; visa status and work rights;
- Training records: Skill2Care module enrolments, completion status, assessment results, digital certificates, and continuing professional development history;
- OzlerPass profile data: aggregated verified credential records, sharing history, and QR code generation logs;
- Voice recordings and transcriptions: where OzlerScribe is used, audio recordings of shift summaries, AI-generated transcriptions, and structured clinical notes.
3.2 Provider and Organisation Information
- Business details: entity name, ABN/ACN, registration numbers (NDIS, aged care), business address, and service categories;
- Personnel details: name, role, email, phone number, and system access permissions of authorised users;
- Billing information: bank account or credit card details (processed by our PCI-DSS compliant payment processor; we do not store full payment card numbers);
- Compliance data: policy documents uploaded to OzlerPolicy, audit evidence packs, gap analysis results, self-assessment responses, and registration pathway information;
- Incident data: SIRS incident reports including incident descriptions, classification decisions, investigation records, corrective action plans, and timestamps.
3.3 Care Recipient Information
We minimise collection of Care Recipient personal information. However, the following may be incidentally collected through the Services:
- First name or initials (in incident reports and progress notes);
- Health information, disability information, or support needs (in incident reports, investigation records, and clinical documentation);
- Descriptions of incidents, behaviours, or events involving Care Recipients.
We do not collect Care Recipient financial information, Medicare numbers, or full addresses. Providers are responsible for ensuring their use of the Services complies with their own privacy obligations to Care Recipients.
3.4 Website and Technical Information
- Device and browser information, IP address, and approximate geolocation;
- Pages visited, features used, session duration, and click patterns;
- Cookies and similar tracking technologies (see Section 12);
- Information submitted through contact forms, demo booking requests, and live chat.
3.5 Information from Third Parties
We may receive information from:
- Government screening databases: verification of Worker Screening Check status (where programmatic verification is available);
- Registered Training Organisations (RTOs): confirmation of qualification completions;
- Employers: Worker credential submissions and employment verification;
- Referral partners: contact details of prospective Provider customers.
4. How We Collect Information
We collect personal information:
- Directly from individuals: when Workers create OzlerPass profiles, when Provider Personnel register accounts, when individuals submit contact forms or attend demos;
- From employers: when Provider Personnel upload Worker credential data into OzlerShield;
- Through automated means: when individuals use the Services (usage analytics, voice recordings via OzlerScribe);
- From third-party sources: government screening databases, RTOs, and referral partners as described in Section 3.5.
Where it is reasonable and practicable to do so, we collect personal information directly from the individual to whom it relates. Where we collect Worker information from employers, we require the employer to have provided appropriate notice to the Worker and to have any necessary consent or authority.
5. Purposes of Collection, Use, and Disclosure
5.1 Primary Purposes
- Providing the Services: processing credential verifications, generating expiry alerts, facilitating incident reporting and classification, generating policy documents, delivering training modules, enabling credential sharing, and producing clinical documentation;
- Account management: creating and managing user accounts, authenticating access, and processing billing;
- Compliance support: generating audit evidence packs, gap analysis reports, and registration pathway guidance;
- Communications: sending system notifications, expiry alerts, training reminders, and service-related announcements.
5.2 Secondary Purposes
- Product improvement: analysing de-identified and aggregated usage data to improve the Services;
- Security: detecting, preventing, and responding to security incidents, fraud, and unauthorised access;
- Legal compliance: meeting obligations under the Privacy Act, NDIS Act, Aged Care Act, tax law, and other applicable legislation;
- Marketing: with consent, sending information about new products, features, and industry updates.
5.3 AI and Automated Processing
Certain features of the Services use artificial intelligence and machine learning:
- OzlerSIRS AI Triage: analyses structured incident data to suggest a classification (Priority 1, Priority 2, or non-reportable). The AI output is a recommendation only and is never applied without explicit human review and approval by an authorised person. We do not use Care Recipient personal information to train general-purpose AI models.
- OzlerScribe: processes voice recordings to generate transcriptions and structured clinical notes. Audio recordings are processed in real time and stored for audit trail purposes only. We do not use voice recordings to train general-purpose AI models.
- OzlerPolicy AI Update Engine: analyses regulatory text to identify affected policies and draft revisions. All drafts require human review before publication.
You have the right to request human review of any automated decision that materially affects you.
6. Disclosure of Personal Information
6.1 Categories of Recipients
We may disclose personal information to:
- Employers and Provider Personnel: Worker credential status, training completions, and compliance data are disclosed to the employing Provider through OzlerShield. Workers control the sharing of OzlerPass profiles with specific employers.
- Approved Quality Auditors: where a Provider uses OzlerReady to generate an evidence pack, the Provider (not Ozler) chooses to share that pack with their selected auditor.
- Sub-processors and service providers: we engage third-party service providers to assist with hosting (Amazon Web Services, Sydney region), email delivery, payment processing, analytics, and customer support. All sub-processors are bound by Data Processing Agreements requiring them to process personal information only on our instructions and to implement appropriate security measures.
- Registered Training Organisations: where a Worker enrols in an RTO-delivered module through Skill2Care, the RTO receives the Worker's name, contact details, and enrolment information necessary to deliver the accredited training.
- Professional advisors: our lawyers, accountants, auditors, and insurers, to the extent necessary for their professional engagement.
- Law enforcement and regulators: where required or authorised by law, including in response to lawful requests from the NDIS Quality and Safeguards Commission, the Aged Care Quality and Safety Commission, state and territory worker screening units, the Australian Information Commissioner, or law enforcement agencies.
6.2 No Sale of Personal Information
We do not sell, rent, lease, or trade personal information to any third party for their independent use, marketing, or commercial purposes. This is an absolute commitment without exception.
6.3 Cross-Border Disclosure
All primary data storage and processing occurs within Australia (AWS Sydney region, ap-southeast-2). We do not transfer personal information outside Australia except in the following limited circumstances:
- Where a sub-processor operates support infrastructure in other jurisdictions (e.g., email delivery services), we ensure contractual protections equivalent to the APPs are in place;
- Where we are required to do so by Australian law;
- Where the individual has consented after being informed that APP 8.1 will not apply.
7. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our specific retention periods are:
| Data Category | Retention Period |
|---|---|
| Worker credential records | Duration of active use plus 7 years after last activity, or as required by the employing Provider's record-keeping obligations |
| SIRS incident reports | 7 years from the date of the incident, or longer if required by the NDIS Act, Aged Care Act, or an ongoing investigation |
| OzlerScribe voice recordings | 12 months from creation, unless the Provider configures a shorter retention period |
| OzlerScribe transcriptions and structured notes | As directed by the Provider, subject to minimum 7-year clinical record retention |
| Training records (Skill2Care) | Duration of active use plus 7 years, consistent with RTO record-keeping requirements |
| Policy documents (OzlerPolicy) | Duration of active subscription plus 30 days for data export |
| Billing and payment records | 7 years as required by the Income Tax Assessment Act 1997 (Cth) |
| Website analytics and cookies | 26 months from collection |
| Contact form submissions | 2 years from submission, or until the enquiry is resolved, whichever is later |
Upon expiry of the applicable retention period, personal information is securely destroyed or irreversibly de-identified in accordance with our Data Destruction Policy.
8. Your Rights
8.1 Access
You have the right to request access to the personal information we hold about you (APP 12). We will respond to access requests within 30 days. We may charge a reasonable fee for providing access where the request requires significant effort to fulfil. We will not charge for making the request itself.
8.2 Correction
You have the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13). We will respond to correction requests within 30 days. If we refuse a correction request, we will provide written reasons and the available complaint mechanisms.
8.3 Deletion
You may request deletion of your personal information. We will comply unless we are required to retain the information by law (e.g., SIRS incident records, tax records) or the information is necessary for an ongoing legal proceeding or investigation. Where deletion is not possible, we will explain the reasons and, where appropriate, restrict processing of the information.
8.4 Portability
Workers may export their OzlerPass profile data in a structured, machine-readable format (JSON or CSV) at any time. Providers may export all data held in the Services in structured formats upon request or through the self-service export function.
8.5 Withdrawal of Consent
Where we rely on consent as the basis for processing, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent for marketing communications, use the unsubscribe link in any marketing email or contact us at privacy@ozlercare.com.au.
8.6 Complaints
If you believe we have breached the APPs or this Policy, you may lodge a complaint by contacting our Privacy Officer at privacy@ozlercare.com.au. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days. If you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by phone at 1300 363 992.
9. Data Security
We implement technical and organisational measures to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure, including:
- Infrastructure: all data hosted on Amazon Web Services (AWS) in the Sydney region (ap-southeast-2), within IRAP-assessed infrastructure;
- Encryption: AES-256 encryption at rest for all stored data; TLS 1.2+ encryption in transit for all data transmissions;
- Access controls: role-based access control (RBAC), multi-factor authentication (MFA) for all administrative access, and principle of least privilege;
- Network security: web application firewall (WAF), intrusion detection systems, DDoS protection, and network segmentation;
- Application security: regular penetration testing, static and dynamic code analysis, dependency vulnerability scanning, and secure software development lifecycle (SSDLC);
- Employee controls: background checks, confidentiality agreements, mandatory security training, and access logging;
- Monitoring: 24/7 security monitoring, automated alerting, and audit logging with tamper-evident storage;
- Certifications: we are pursuing SOC 2 Type II certification and will make the audit report available to enterprise customers under NDA upon completion.
For detailed security measures, refer to our Security Policy.
10. Notifiable Data Breaches
In the event of an Eligible Data Breach as defined in Part IIIC of the Privacy Act, we will:
- Conduct an assessment within 30 days (or sooner where practicable) of becoming aware of grounds to suspect a breach;
- Where the assessment confirms an Eligible Data Breach, notify the OAIC and affected individuals as soon as practicable, in accordance with section 26WK of the Privacy Act;
- Provide notification content that includes a description of the breach, the kinds of information involved, and recommended steps individuals should take;
- Notify affected Providers within 24 hours of confirming a breach involving their data, to enable them to meet their own notification obligations to Workers and Care Recipients;
- Take reasonable steps to contain the breach and mitigate harm.
We maintain a Data Breach Response Plan that is tested annually through simulated breach exercises.
11. Provider Responsibilities
Where a Provider uses the Services, the Provider acts as the primary collector of Worker and Care Recipient personal information. Ozler processes this information on the Provider's behalf and in accordance with the Provider's instructions. Providers are responsible for:
- Providing appropriate privacy notices to Workers and Care Recipients before uploading their information to the Services;
- Obtaining any necessary consents, including for voice recording where OzlerScribe is used;
- Ensuring the accuracy and currency of information uploaded to the Services;
- Configuring data retention settings in accordance with their regulatory obligations;
- Responding to access and correction requests from Workers and Care Recipients in relation to information held within the Services, with our reasonable assistance;
- Complying with the APPs and any applicable state or territory health records legislation in their own right.
12. Cookies and Tracking Technologies
Our website uses cookies and similar technologies for the following purposes:
- Strictly necessary cookies: required for website functionality, authentication, and security. These cannot be disabled.
- Analytics cookies: we use privacy-focused analytics to understand website usage patterns. No personal information is transmitted to third-party analytics providers.
- Preference cookies: to remember your settings and preferences.
We do not use third-party advertising cookies or tracking pixels. We do not engage in cross-site tracking, behavioural advertising, or profiling for marketing purposes. You may control cookies through your browser settings. Disabling strictly necessary cookies may impair website functionality.
13. Children's Privacy
The Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. Where a Care Recipient is a child, we rely on the Provider and the child's parent or guardian to manage privacy in accordance with their obligations under the Privacy Act and the NDIS Act (including the NDIS Code of Conduct).
14. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory guidance. We will:
- Publish the updated Policy on our website with a revised effective date;
- Notify registered users by email at least 14 days before material changes take effect;
- Where a change materially expands the purposes for which we use personal information, seek fresh consent where required.
Continued use of the Services after the effective date of an updated Policy constitutes acceptance of the changes.
15. Contact
For all privacy-related enquiries, requests, or complaints:
For complaints to the regulator:
- Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au · 1300 363 992
- NDIS Quality and Safeguards Commission: www.ndiscommission.gov.au · 1800 035 544