We take your privacy
seriously.

1. Who we are

This policy applies to Right Now Supports Pty Ltd (ABN 56 694 025 486), a registered NDIS provider based in Broadmeadows, Victoria. We operate under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the NDIS Practice Standards, and the NDIS Code of Conduct.

When this policy says "we" or "us", it means Right Now Supports. When it says "you" or "your", it means any participant, family member, referrer, job applicant, or visitor whose information we hold.

2. What we collect

The information we collect depends on your relationship with us.

If you are a participant

• Name, date of birth, contact details, and address
• NDIS number, plan details, funding type, and plan dates
• Health information relevant to your supports, including diagnoses, medications, and allergies
• Goals from your NDIS plan and your progress against them
• Shift notes, incident reports, and service records
• Emergency contacts and support network details
• Communication preferences and cultural or religious needs
• Photos, only with your explicit consent

If you are a family member, guardian, or nominee

• Your name, relationship to the participant, and contact details
• Your role in decision-making and communication preferences

If you are a referrer or professional contact

• Name, organisation, role, and work contact details

If you are a job applicant or staff member

• Resume, work history, qualifications, references, and right-to-work documents
• NDIS Worker Screening Check, police check, Working With Children Check, first aid, and driver licence
• Banking and superannuation details for payroll (staff only)

If you visit our website

• Anything you submit through our forms
• Basic analytics: pages visited, how long, device type. No identifying information

3. Why we collect it

We only collect personal information where we need it to:

• Deliver your supports safely and effectively
• Meet our legal, regulatory, and NDIS obligations
• Bill the NDIS, plan manager, or participant correctly
• Respond to enquiries, referrals, and complaints
• Hire, train, and manage our staff
• Improve our services based on real feedback

If we do not need it, we do not ask for it.

4. How we use it

We use your information only for the purpose it was collected, or for a directly related purpose you would reasonably expect. For example, your goal information is used to plan your supports and measure progress. Your contact details are used to reach you, your nominee, or emergency contacts.

We never use your information for marketing without your explicit, written consent, and we do not sell or trade any information to any third party under any circumstances.

5. Who we share it with

We only share your information where necessary and with people who have a legitimate reason to see it.

• Our support workers who deliver your supports and only the information they need to do their job safely
• Your support coordinator, plan manager, or allied health professionals where relevant to delivering your plan and with your consent
• The NDIA and NDIS Quality and Safeguards Commission for reporting, audits, and compliance
• Emergency services or treating clinicians if there is an immediate risk to your safety
• Our secure software providers for case management, payroll, and record keeping, all based in Australia and bound by privacy agreements
• Our insurers, auditors, and legal advisors where strictly required

6. Storage and security

Your information is stored in secure, password-protected, Australian-based systems. We use industry-standard security measures including:

• Encryption of data in transit and at rest
• Multi-factor authentication on all staff accounts
• Role-based access, so staff can only see what they need
• Regular security reviews and software updates
• Physical security on any paper records we hold
• Signed confidentiality agreements with every staff member

We also train our staff in privacy obligations as part of their induction and ongoing development.

7. How long we keep it

We keep your information only for as long as we need it.

• Participant records: for 7 years after we stop providing supports, as required by the NDIS Practice Standards
• Incident and complaint records: for 7 years minimum
• Staff and payroll records: for 7 years after employment ends, as required by the Fair Work Act
• Enquiry form submissions: for 12 months unless they lead to a service, in which case they become participant records
• Website analytics: aggregated data is kept for 26 months maximum

Once we no longer need it and are not legally required to keep it, we securely destroy it.

8. Your rights

Under the Privacy Act, you have the right to:

• Access the personal information we hold about you
• Correct any information that is inaccurate, out of date, or incomplete
• Request deletion of information we no longer need to hold
• Withdraw consent you previously gave (for example, for use of photos)
• Be anonymous when interacting with us, where the law allows
• Make a complaint about how we handle your information

To exercise any of these rights, email privacy@rightnowsupport.com or call 0432 709 230. We will respond within 30 days. There is no charge for making a request.

9. Cookies and website data

Our website uses a small number of cookies and similar technologies to make it work properly and to understand how visitors use it. We do not use cookies for advertising or behavioural tracking.

• Essential cookies: needed for forms, accessibility features, and security
• Analytics: anonymous, aggregated data about which pages are visited and for how long

You can disable cookies in your browser at any time. Our website will still work, though some features may behave differently.

10. Data breaches

If your personal information is ever compromised in a way that is likely to cause you serious harm, we will:

• Notify you directly, as soon as we reasonably can
• Tell you what information was involved and what we are doing about it
• Notify the Office of the Australian Information Commissioner within 72 hours
• Notify the NDIS Quality and Safeguards Commission where required
• Review what happened and strengthen our systems to stop it happening again

11. Privacy of young people

We support many young people aged under 18. Where a participant cannot give informed consent themselves, we work with their parent, guardian, or nominee. Where a young person can give informed consent, we take their wishes seriously and only share information with family members where the young person agrees or where it is necessary to keep them safe.

12. Updates to this policy

We review this policy at least once a year and update it whenever our practices change. The "last updated" date at the top shows when the current version was published. If we make a substantial change, we will notify current participants and their nominees directly.

13. Contact us or make a privacy complaint

If you have a question, want to exercise one of your rights, or want to make a complaint about how we have handled your information, contact us first.

We take privacy complaints as seriously as any other complaint. We will acknowledge within 2 business days and respond properly within 14 business days. See our full complaints process for how we handle it end to end.

If you are not satisfied with our response, you can escalate to the Office of the Australian Information Commissioner at any time.

• Phone: 1300 363 992
• Website: oaic.gov.au

You can also raise concerns about how a registered NDIS provider handles your information with the NDIS Quality and Safeguards Commission on 1800 035 544.