1. Who we are
The compliance portal is operated by Vital Motion Allied Health (referred to in this notice as “Vital Motion”, “we”, “us” or “our”) at 2/35 Kitchener Parade, Bankstown NSW 2200. Vital Motion is a private health service provider and is therefore covered by the Privacy Act 1988 (Cth) regardless of turnover.
The portal is a tool we use to manage internal compliance training, document sign-offs, and audit-readiness records for our staff. It does not hold any patient or participant information.
2. What this notice covers
This notice covers personal information that we hold about you in connection with your use of the portal as a current or former member of Vital Motion staff.
It is separate from the “Privacy & Confidentiality Policy (Therapists)” available within the portal — that policy describes how therapists must handle participant information when delivering services. This notice is about your information when we are the holder of it.
3. What information we collect
When you use the portal, we collect and hold the following categories of personal information:
- Identity and contact details — your name, email address, and assigned role (administrator or staff).
- Account activity — the date and time of your most recent sign-in and most recent activity in the portal.
- Compliance records — which policies and training documents have been assigned to you, when they are due, when you signed off on them, and the wording of the declaration you agreed to at sign-off.
- Sign-off forensics — at the moment you complete a sign-off, we record the IP address and browser user-agent of the device you used. This information is used solely to verify that the sign-off was legitimate and not made by another person on your behalf, and to support tamper-evidence in the event of an audit. It is not used to track your location or activity outside the portal.
- AI assistant queries — if you use the in-portal AI assistant to ask questions about company policies, your queries and the assistant’s responses are stored against your account. Please do not enter personal information about yourself or others into the AI assistant unless it is necessary for your question.
- Notification preferences — your settings for which automated emails (assignment reminders, weekly digests) you wish to receive.
- Email delivery records — when we send you an automated email through the portal, we record that the email was sent, the subject line, and whether delivery succeeded. We do not retain the email content beyond what is necessary to confirm delivery.
- Audit log — a record of significant administrative actions taken in the portal, including actions you take if you are an administrator, and actions taken in respect of your account by other administrators.
We do not collect any health information, financial account details, government identifiers (such as Medicare or Tax File numbers), home addresses, dates of birth, biometric data, or information about your race, religion, political views, sexual orientation, or other sensitive categories through the portal.
4. Why we collect it
We collect this information so that we can:
- Manage compliance training in an organised way and meet our obligations under the NDIS Practice Standards, AHPRA regulation, the Aged Care Quality Standards, and similar frameworks
- Assign policies and documents to the appropriate people and follow up on outstanding items
- Maintain a verifiable audit trail demonstrating who acknowledged which policy and when, suitable for review by external auditors and regulators
- Send you operational emails about new assignments, due dates, and reminders
- Respond to questions you raise through the AI assistant
- Investigate any administrative or security concerns that may arise
We do not use your information for direct marketing, sell it to anyone, or use it for any purpose unrelated to compliance management.
5. How we collect it
Most information is collected directly from you when you sign in to the portal, complete a sign-off, or use the AI assistant. Some information (such as your name, email, and role) is provided to us by your administrator at the time you are invited to the portal.
6. Who we share it with
We share your personal information only with the following categories of recipient, and only to the extent necessary for the purposes set out above:
- Within Vital Motion — administrators of the portal can see your name, email, role, assignments, sign-off status, and (for sign-offs you have completed) the IP address and device used.
- External auditors and regulators — when Vital Motion is audited, we may share compliance certificates that include your sign-off records (your name, role, the policy signed, the date, and the forensic details listed above) with the auditor or regulator. We share the minimum information needed for the audit purpose.
- True North Analytics — our software development partner, who built and maintains the portal. In the course of providing technical support, True North Analytics personnel may access portal data when investigating issues, applying updates, or performing routine maintenance. True North Analytics acts on Vital Motion’s instructions and is bound by confidentiality.
- Service providers — see Section 7 below.
- Where required by law — for example, under court order or in response to a regulatory investigation.
7. Where your information is stored, and overseas disclosure
We use a number of third-party service providers to operate the portal. The categories of service provider, what data they handle, and where they handle it, are:
- Database and authentication (Supabase) — hosts the core database and manages sign-in. Your personal information (name, email, role, sign-off records, audit log entries) is stored in a Supabase project located in Sydney, Australia (region ap-southeast-2). It does not leave Australia.
- Application hosting (Vercel) — runs the portal’s application code. When you visit the portal, your request including your IP address is processed by Vercel’s edge network, which has infrastructure in multiple countries including the United States and the European Union.
- Email delivery (Resend) — sends automated emails on our behalf. Your name and email address are processed by Resend in the United States for the purpose of delivering the email.
- AI assistant (Anthropic) — when you use the AI assistant, your queries and the relevant policy excerpts are sent to Anthropic in the United States for processing, and the response is returned. Anthropic does not retain the data for training purposes under our service agreement.
- Document indexing (Voyage AI) — when policy documents are uploaded, they are processed by Voyage AI in the United States to enable the AI assistant to find relevant excerpts. Staff personal information is not deliberately included in policy documents.
Each of these providers is contractually committed to handling personal information consistently with applicable privacy laws. By using the portal you acknowledge that some of your personal information may be disclosed to recipients outside Australia as described above.
8. How long we keep it
We keep personal information only for as long as it is needed for the purposes for which it was collected, or as required by law or applicable compliance frameworks. Specifically:
- Sign-off records, audit log entries, and document versions — kept for seven (7) years from the date the record was last in effect, consistent with the retention periods expected under NDIS Practice Standards, AHPRA, and related frameworks. Sign-off records cannot be deleted through the standard administrative interface.
- User profile data of deactivated staff — kept for seven (7) years from the date of deactivation, so that sign-off records remain attributable. Deactivation is a soft-delete: your account is disabled, but historical compliance records are preserved.
- AI assistant chat history — kept for ninety (90) days from the date of the conversation.
- Email delivery records — kept for ninety (90) days from the date of sending.
- Unaccepted invitations — invitations that are not accepted are deleted one hundred and eighty (180) days after being issued.
9. How we keep it secure
We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These steps include:
- Encryption of data in transit (TLS) and at rest (managed by our hosting providers)
- Role-based access controls — only administrators can see organisation-wide data; non-administrators can see only their own assignments and sign-offs
- Row-level security enforced at the database level
- An append-only sign-off table protected by a SHA-256 hash chain that makes any retroactive change to a historical sign-off detectable
- A complete audit log of administrative actions
- Authentication via Supabase, supporting strong passwords and email-based magic links
10. Automated decisions and AI
The portal includes an AI assistant that helps staff find answers to policy questions. The assistant retrieves relevant excerpts from our policy library and presents an answer based on those excerpts.
The portal does not use automated processing or AI to make decisions that would significantly affect you (such as decisions about your employment, performance, or pay). All decisions of that nature are made by humans.
11. Your rights
Subject to the Privacy Act 1988 (Cth) and the limited exemptions for employee records under section 7B(3), you have the right to:
- Be informed about how we handle your personal information — this notice itself is part of how we do that
- Request access to the personal information we hold about you
- Request correction of personal information you believe is inaccurate, out of date, or incomplete
- Make a complaint if you believe we have mishandled your personal information
To exercise any of these rights, contact us using the details in Section 13.
12. Data breaches
In the unlikely event of a data breach affecting your personal information, we will assess the breach within the 30-day period required by the Notifiable Data Breaches scheme. If the breach is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner as required by law.
13. Contact us
If you have a question, request, or complaint about how we handle your personal information, please contact us at:
Vital Motion Allied Health
2/35 Kitchener Parade
Bankstown NSW 2200
Email: admin@vitalmotion.com.au
Phone: (02) 8790 0755
If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.
14. Changes to this notice
We may update this notice from time to time. The effective date at the top of the notice indicates when it was last changed. If we make a material change, we will ask you to acknowledge the updated notice on your next sign-in.