1. Introduction
Talk Simple ("we", "us", or "our") operates the Talk Simple Compliance platform (the "Service"), a cloud-based compliance management system designed for aged care and NDIS service providers.
We are committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using the Service, you agree to the collection and use of information in accordance with this policy.
Our Contact Details:
- Company Name: Talk Simple
- ABN: 84 394 983 424
- Email: privacy@talksimple.com.au
- Address: 470 ST KILDA ROAD, MELBOURNE VIC 3004, Australia
- Website: https://talksimple.com.au
2. Information We Collect
2.1 Personal Information
We collect personal information that you provide directly to us, as well as information received from third-party systems integrated by your organisation. This includes:
- Account Information: Name, email address, phone number, job title, department
- Employment Information: Position, employment dates, work location
- Credentials & Certifications: Training records, qualification details, certification expiry dates
- Authentication Data: Login credentials, password (encrypted), authentication tokens
2.2 Health and Care Information
When you use our progress notes features, we may collect:
- Progress Notes: Written observations and notes about client care
- Client Information: Names and identifiers of individuals receiving care (where relevant to compliance or progress tracking)
- Care-Related Data: Information necessary to track compliance with care standards
Important: We only collect health information where necessary to provide the Service and with appropriate consent from your organisation.
2.3 Compliance Records
- Certification Records: Copies of certificates, training completion records
- Compliance History: Dates of completion, expiry dates, renewal records
- Audit Data: Records of who made changes and when (for accountability and compliance purposes)
2.4 Usage and Technical Information
- Device Information: Browser type, device type, operating system
- Usage Data: Pages visited, features used, time spent in the application
- Log Data: IP address, access times, error logs
- Cookies and Similar Technologies: Session cookies for authentication and functionality
2.5 Feedback and Support Information
When you submit feedback or contact support:
- Support Requests: Your messages, attachments, screenshots
- User Context: Your account details, company name, role (to provide better support)
3. How We Use Your Information
We use your information for the following purposes:
3.1 Providing and Improving the Service
- Compliance Management: Track employee certifications, training, and compliance requirements
- Automated Reminders: Send notifications about expiring certifications and overdue requirements
- Progress Note Analysis: Use artificial intelligence to analyse progress notes and provide feedback to staff (with your organisation's consent)
- Reporting: Generate compliance reports and dashboards for your organisation
3.2 Communication
- Service Communications: Send you important updates about your account, compliance status, and system notifications
- Support: Respond to your inquiries and provide customer support
3.3 Security and Compliance
- Access Control: Enforce role-based permissions to ensure users only access data they're authorized to see
- Audit Trails: Maintain records of data access and changes for security and compliance purposes
- Fraud Prevention: Detect and prevent unauthorized access or misuse of the Service
3.4 Legal Obligations
- Compliance with Laws: Comply with applicable laws, regulations, and legal processes
- Regulatory Requirements: Meet aged care and NDIS regulatory requirements
4. How We Share Your Information
We do not sell your personal information. We only share your information in the following circumstances:
4.1 Third-Party Service Providers
We use trusted third-party service providers to help us operate the Service:
| Service Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication, and backend infrastructure | All data stored in the Service | Australia |
| AWS (Amazon Web Services) | SES, Integrations, Amplify, AI/LLM | Generated emails, data from integrations, anonymised progress notes | Australia |
| Zoho Desk | Customer support ticket management | Support requests, user contact information, feedback | Australia |
| Formspree | Contact form submission handling | Contact form submissions, applicant information | Australia |
Important: All third-party service providers are contractually required to protect your data and use it only for the purposes we specify.
4.2 Multi-Tenant Data Isolation
Our Service is multi-tenant, meaning multiple organisations use the same platform. However:
- Your data is strictly isolated from other organisations using technical controls (Row Level Security)
- Company-specific access: Users can only access data belonging to their own organisation
- No cross-company sharing: Your data is never shared with or visible to other organisations using the Service
4.3 Legal Requirements
We may disclose your information if required to do so by law or in response to:
- Court orders or legal processes
- Requests from government authorities
- Protection of our rights, property, or safety, or that of others
4.4 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
5. Data Security and Storage
5.1 Security Measures
We implement industry-standard security measures to protect your information:
- Encryption: Data is encrypted in transit (TLS/SSL) and at rest
- Access Controls: Role-based access control (RBAC) and multi-factor authentication options
- Database Security: Row Level Security (RLS) policies enforce company-level data isolation
- Authentication: Secure JWT-based authentication with asymmetric key cryptography
- Monitoring: Continuous monitoring for security threats and unauthorized access
5.2 Data Storage
- Primary Storage: Your data is stored in secure PostgreSQL databases hosted by Supabase
- Geographic Location: Data is stored in Australian data centers
- Backups: Regular automated backups with Point-in-Time Recovery capability
5.3 Data Retention
We retain your information for as long as:
- Your company's account is active
- Necessary to provide the Service
- Required by law or regulatory requirements (e.g., aged care compliance records)
When your company requests that its data is deleted, we will delete your information within 90 days, except where we are required to retain it by law.
6. Your Privacy Rights
Under Australian privacy law, you have the following rights:
6.1 Access and Correction
- Access: You have the right to request access to the personal information we hold about you
- Correction: You can request correction of inaccurate or incomplete information
- Export: Where an in-system export feature does not already exist, you can request a copy of your data by contacting us at privacy@talksimple.com.au
6.2 Deletion and Restriction
- Deletion: You can request deletion of your personal information (subject to legal retention requirements)
- Restriction: You can request that we limit how we use your information
6.3 Complaints
If you have a privacy complaint:
- Contact us at privacy@talksimple.com.au
- We will investigate and respond within 30 days
- If you're not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC):
6.4 How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@talksimple.com.au with:
- Your name and contact information
- Details of your request
- Verification of your identity (for security purposes)
7. Cookies and Tracking Technologies
7.1 Essential Cookies
We use essential cookies and similar technologies to:
- Authentication: Keep you logged in to your account
- Session Management: Maintain your session state
- Security: Protect against fraud and unauthorized access
These cookies are necessary for the Service to function and cannot be disabled.
7.2 Your Choices
You can configure your browser to reject cookies; however, this may affect Service functionality.
8. Artificial Intelligence and Automated Processing
8.1 AI-Assisted Progress Notes
We use artificial intelligence (AWS Bedrock Claude) to analyse progress notes and provide feedback to staff. This is an optional feature that:
- Analyses written progress notes for quality and completeness
- Provides suggestions for improvement
- Flags notes that may require manager review
Your Control:
- This feature is only active if your organisation enables it
- Human review: All AI-generated feedback is reviewed by managers before being sent to staff
- You can disable this feature by contacting your organisation's administrator
Automated Decision-Making: All Talk Simple products subscribe to the human-in-the-loop methodology. For example, there is a feature that reviews progress notes to rapidly identify issues, trends and omissions. These items are then presented to a manager for review before action is taken.
8.2 Data Used for AI
When AI analysis is enabled:
- Data Sent: Progress note content with all personal identifiers such as client and employee names replaced with generic placeholders
- Processing Location: AWS servers in Australia
- Data Retention: AI providers do not retain your data after processing (per contractual agreements)
- Purpose Limitation: Data is only used for analysis, not for training AI models
9. Data Storage Location
All data collected and processed through our Service is stored in Australia. Our service providers (Supabase, AWS, Zoho, and Formspree) store and process data within Australian data centers, ensuring compliance with Australian privacy laws and regulations.
Security Standards:
- Contractual Protections: Service providers are bound by contracts requiring appropriate data protection
- Security Standards: All providers maintain security standards compliant with Australian requirements
- Privacy Compliance: Our providers comply with the Australian Privacy Principles (APPs)
10. Children's Privacy
Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately and we will delete it.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes to our practices
- Legal or regulatory requirements
- New features or services
How We Notify You:
- Material Changes: We will notify you via email or prominent notice in the Service
- Minor Changes: We will update the "Last Updated" date at the top of this policy
- Your Continued Use: Continued use of the Service after changes constitutes acceptance of the updated policy
We encourage you to review this Privacy Policy periodically.
12. Third-Party Links
Our Service may contain links to third-party websites or services that we do not control. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access.
13. Business Customers (Organisations)
If you are using our Service as an employee of an aged care or NDIS organisation:
- Your Employer Controls Your Data: Your employer (the organisation) is the data controller and determines how your information is used
- Our Role: We are a data processor acting on behalf of your employer
- Contact Your Employer: For questions about how your employer uses your data, please contact your organisation's privacy officer or administrator
- Our Obligations: We process your data only as instructed by your employer and in accordance with this Privacy Policy
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Talk Simple
- Email: privacy@talksimple.com.au
- Address: 470 ST KILDA ROAD, MELBOURNE VIC 3004, Australia
Response Time: We aim to respond to all privacy inquiries within 5 business days.
15. Governing Law
This Privacy Policy is governed by the laws of Australia. Any disputes arising from this policy or our privacy practices will be subject to the jurisdiction of Australian courts.
By using the Talk Simple Compliance Service, you acknowledge that you have read, understood, and agree to this Privacy Policy.