Effective date: 7 June 2026
Publisher: Architectia
Contact: hello@architectia.com.au
Website: https://architectia.com.au/ndis
1. Who This Policy Applies To
This policy applies to authorised users of NDIS Shift Notes, including support workers, coordinators, administrators, and provider staff who use the app to capture, review, or manage support documentation.
NDIS Shift Notes is intended for workplace use by authorised adults. It is not intended for use by children.
2. Information We Collect
We collect information needed to provide the app and support documentation workflows.
Account And Authentication Information
- Name and email address.
- Firebase user identifier and backend user identifier.
- Role, access level, account status, and security events.
- Authentication and session tokens.
Shift Documentation Information
- Participant names and support context entered by authorised users.
- Shift session details, text notes, and voice recordings.
- Transcripts generated from voice recordings.
- AI-assisted report drafts and final report content.
- Review, approval, sharing, and export status.
Device, Diagnostic, And Support Information
- Device platform, app version, and request identifiers.
- Error, crash, diagnostic, and performance information if enabled.
- Support messages and related request metadata.
3. Sensitive Information And Participant Data
Users may enter sensitive support-related information. Users must only enter participant information where authorised by their organisation, participant consent process, provider policy, or applicable law.
Users and providers should not use the app for information they are not authorised to collect, record, process, upload, review, export, or share.
Users should minimise unnecessary personal information, NDIS numbers, health details, incident details, risk notes, and audio content. Do not email sensitive participant data to support unless requested through an approved secure process.
4. How We Use Information
We use information to:
- authenticate users and maintain secure sessions;
- provide app functionality;
- capture, store, and organise shift notes;
- create transcripts from voice recordings;
- help draft structured reports for review;
- support approval, export, and sharing workflows;
- enforce access control and protect participant information;
- troubleshoot issues and improve reliability;
- respond to support, privacy, and account requests; and
- meet legal, security, audit, and recordkeeping obligations.
5. AI And Automated Assistance
The app may use AI-assisted tools to help draft structured shift reports. Generated reports are drafts only.
Users must review, edit, and approve generated reports before relying on, exporting, or sharing them. AI must not be treated as a clinical, legal, compliance, safeguarding, or NDIS decision-maker.
6. Authentication
NDIS Shift Notes uses Firebase Authentication for email/password sign-in and Google sign-in. Passwords are handled by Firebase Authentication. NDIS Shift Notes does not receive or store user passwords.
After Firebase Authentication succeeds, the app sends a Firebase ID token to the backend to create a secure app session.
7. Voice Notes And Transcription
The app requests microphone permission only when a user chooses to record a voice note. Voice recordings may be uploaded to backend services. Audio may be processed by speech-to-text providers to generate transcripts.
Transcripts may be stored and used to prepare draft reports. Users are responsible for ensuring that recording is lawful, authorised, appropriate, and consistent with their organisation's policies and consent processes.
8. How Information Is Shared
We do not sell user data.
Information may be processed by service providers that help us operate the app, including:
- Firebase / Google for authentication;
- Microsoft Azure App Service for backend hosting;
- Microsoft Azure SQL for database storage;
- Microsoft Azure Speech or another speech-to-text provider for transcription;
- OpenAI or another AI provider for AI-assisted report drafting if AI report generation is enabled; and
- diagnostic, crash, support, or analytics providers only if added or enabled.
Information may also be disclosed where required by law, regulation, provider policy, security investigation, dispute resolution process, or authorised organisational process.
9. Storage, Security, And Access Controls
We use technical and organisational measures intended to protect information against unauthorised access, loss, misuse, or alteration. The mobile app stores authentication tokens using secure device storage. Backend services use HTTPS, secure API access, role-based access controls, and audit/security logging.
No system can guarantee absolute security. Users should protect their device, passcode, account credentials, and any exported reports.
10. Data Retention
Retention periods vary depending on provider documentation obligations, legal requirements, account status, backups, and security or audit needs.
Some information may be retained even after account closure if required for legal, compliance, audit, dispute, backup, security, or provider documentation reasons.
11. Data Deletion And Account Closure
Users or organisations may request account closure, deactivation, correction, or deletion where applicable by emailing hello@architectia.com.au or visiting /ndis/data-deletion.
We may need to verify your identity and authority before acting on a request. Some information may need to be retained where required for legal, compliance, audit, dispute resolution, provider documentation, backup, or security obligations.
12. International Processing
Information may be processed in Australia and overseas. Some service providers may process information in countries including Canada and the United States.
The production database may be hosted in Australia, but authentication, backend hosting, transcription, AI processing, support, diagnostics, or backups may involve other locations depending on configuration. We do not represent that all information remains in Australia.
We will update this policy if our hosting or service-provider configuration materially changes.
13. Your Responsibilities
Users must only enter, record, upload, review, export, or share information they are authorised to handle. Users must review generated reports before relying on them, approving them, exporting them, or sharing them outside the app.
Users must not enter unnecessary participant identifiers or sensitive information where a less identifying description is sufficient.
14. Changes To This Policy
We may update this Privacy Policy from time to time. The updated version will be posted at the Privacy Policy URL with a new effective date.
15. Contact
For privacy questions, support requests, or data deletion requests, contact hello@architectia.com.au.