
Privacy Policy

Last updated: 4 May 2026

Important Notice
SERVEOS operates as a software platform used by NDIS service providers ("Providers"). Providers are the data controllers responsible for the personal information of their participants and workers entered into SERVEOS. SERVEOS acts as a data processor on behalf of Providers in accordance with this Privacy Policy.

1. About SERVEOS

SERVEOS is an NDIS operational integrity platform developed and operated in Australia. SERVEOS provides software-as-a-service (SaaS) tools to registered and unregistered NDIS providers to assist with shift management, compliance documentation, participant records, and workforce management.

SERVEOS is operated by its developer ("we", "us", "our"). Our platform is hosted in Australia using Supabase (Sydney, ap-southeast-2) and Vercel infrastructure.

This Privacy Policy applies to all users of SERVEOS including Provider administrators, support workers, and any person whose information is entered into the platform by a Provider.

2. Our Commitment to Privacy

We are committed to protecting personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Given the sensitive nature of NDIS participant data, we apply heightened standards of care to all information processed through our platform.

We recognise that NDIS participant information is sensitive health and disability-related information under the Privacy Act and handle it accordingly.

3. What Information We Collect

3.1 Provider Account Information

When a Provider signs up for SERVEOS we collect:

  • Company/organisation name and ABN
  • Administrator name and email address
  • Billing information (processed securely via Stripe — we do not store card details)
  • Company address, phone number and email

3.2 Worker Information

Providers may enter worker information including:

  • Full name, email address, phone number
  • WWCC number and expiry date
  • Police check dates
  • First aid certification expiry
  • GPS location data recorded during shift check-in and check-out
  • GPS coordinates of checklist item completions

3.3 Participant Information

Providers may enter participant information including:

  • Full name and NDIS number
  • Date of birth
  • Primary disability type
  • NDIS plan dates and funding type
  • Goals, progress notes and support records
  • Medication information and administration logs
  • Incident reports
  • Uploaded documents and photos (with consent)
  • Service agreement details

This information is entered by the Provider, and it is the Provider's responsibility to collect it with appropriate consent from participants.

3.4 Technical Information

We automatically collect certain technical information including:

  • IP addresses and device information
  • Browser type and version
  • Session activity logs
  • Feature usage data for platform improvement

4. How We Use Your Information

We use the information collected for the following purposes:

  • Providing and operating the SERVEOS platform
  • Processing payments and managing subscriptions
  • Sending service-related notifications and updates
  • Responding to support requests
  • Improving platform features and performance
  • Complying with legal obligations
  • Detecting and preventing fraud or unauthorised access

We do not use participant data for any purpose other than providing the platform service to the Provider who entered it.

We do not sell, rent, or share personal information with third parties for marketing purposes.

5. GPS and Location Data

SERVEOS collects GPS location data from workers during shift activities including check-in, check-out, and checklist item completion. This data is collected for the purpose of verifying service delivery for NDIS compliance and audit purposes.

Workers are required to consent to location data collection before their first check-in. GPS data is:

  • Only collected during active shift activities
  • Stored securely and accessible only to the Provider
  • Not tracked continuously — only at specific shift events
  • Accuracy-verified before recording (readings worse than 200 metres are rejected)

6. Data Storage and Security

All data is stored in Australia using Supabase (Sydney, ap-southeast-2 region). We implement the following security measures:

  • Row-level security (RLS) ensuring each Provider can only access their own data
  • Encryption in transit (TLS/HTTPS) and at rest
  • Two-factor authentication (2FA) available for all accounts
  • Automatic session timeout after inactivity
  • SHA-256 file integrity verification for uploaded documents
  • Audit logs of all significant system actions
  • Locked, immutable shift records after completion

While we implement strong security measures, no system is completely impenetrable. In the event of a data breach we will notify affected Providers in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act.

7. Third-Party Service Providers

We use the following third-party services to operate SERVEOS:

  • Supabase — database and authentication (Sydney, Australia)
  • Vercel — hosting and edge network (with Australian data routing where possible)
  • Stripe — payment processing (PCI-DSS compliant, no card data stored by us)

Each third-party service provider operates under its own privacy policy, and we have data processing agreements in place where required.

8. Data Retention

We retain data for as long as a Provider account is active. Upon account cancellation:

  • Providers may request a full data export before cancellation
  • Account data is retained for 90 days after cancellation to allow recovery
  • After 90 days, data is permanently deleted from our systems
  • Backups are purged within 30 days of deletion

Providers are responsible for retaining records as required by NDIS rules (generally 7 years for financial records and 5 years for service records).

9. Your Rights

Under the Privacy Act 1988, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your information (subject to legal retention requirements)
  • Make a complaint about how we handle your information

To exercise these rights, contact us at the email address below. We will respond within 30 days.

Note for Participants: If you are an NDIS participant whose information has been entered by a Provider, please contact your Provider directly regarding your information. Providers are the data controllers for participant information.

10. Complaints

If you have a complaint about our handling of personal information, please contact us first. If we cannot resolve your complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify Providers of material changes by email and by displaying a notice within the platform. Continued use of SERVEOS after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy enquiries, data requests, or complaints:

SERVEOS
Email: privacy@serveos.com.au
Website: serveos.com.au
Australia
© 2026 SERVEOS · Australia