Privacy Policy
Last updated: 17 May 2026 · Effective: 17 May 2026
1. Who this policy applies to
This Privacy Policy explains how DocCheck ("we", "us", "our") collects, uses and protects personal information through the DocCheck platform (doccheck.com.au).
This policy applies to:
- Organisations who subscribe to DocCheck to track their workers' compliance documents (the "Organisation")
- Workers employed by those Organisations who use DocCheck to upload, view or manage their own compliance documents
- Administrators within an Organisation who manage worker records
This policy operates under the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
2. What information we collect
Account information
- Full name, email address, phone number (if provided)
- Role title (e.g. Support Worker, Driver, Administrator)
- Password (stored only as a salted cryptographic hash — we never see your actual password)
- Account status (active, inactive, invitation accepted)
Compliance documents
The documents you upload — which may include sensitive personal information such as:
- Worker screening checks (e.g. NDIS Worker Screening Check, Working with Children Check, National Police Check)
- Industry licences (e.g. driver's licence, White Card, Heavy Vehicle Licence, High Risk Work Licence)
- Training and certification records (e.g. First Aid, CPR, Manual Handling, Standard 11, industry-specific inductions)
- Vehicle and equipment compliance (registration, insurance, roadworthy certificates)
- Health and vaccination records (where required by your Organisation)
- Right to work and visa documentation
- Tax and banking information (where uploaded to the Forms Hub)
- Any other documents your Organisation requires
This data is treated as sensitive information under the Privacy Act and is given the highest level of protection.
Billing information (Organisations only)
When an Organisation subscribes to a paid plan, billing details (business name, billing address, ABN where provided, payment card) are collected and processed by our payment processor Stripe Payments Australia Pty Ltd. DocCheck never stores or has access to your full payment card details — only a tokenised reference plus the last 4 digits and card brand for display purposes.
Usage and activity data
- Login times and IP addresses (for security)
- Document upload, approval, and rejection events (audit trail)
- Email delivery status (whether reminders were sent successfully)
3. How we use your information
We use personal information for the following purposes:
- Compliance tracking — the core function of the service
- Sending reminders to you and your Administrator when documents approach expiry (30, 14 and 7 days before, plus on the expiry day)
- Generating audit reports for your Organisation's NDIS Quality & Safeguards Commission audits or equivalent regulatory reviews
- Security and fraud prevention — detecting unauthorised access, abuse, or breaches
- Service operation — running the platform, fixing bugs, providing support
We do not use your data to:
- Sell to advertisers or data brokers
- Train AI models
- Build profiles for marketing
- Make automated decisions that legally affect you
4. Who can see your information
Inside your Organisation
- You can see your own profile and your own documents at all times
- Administrators of your Organisation can see your profile and all of your uploaded documents
- Other workers in your Organisation cannot see your personal documents — only their own
Across Organisations
Your data is strictly isolated from other Organisations using DocCheck. We enforce this at the database level using Row-Level Security policies — even DocCheck staff cannot access cross-tenant data through normal application use.
Service providers (sub-processors)
We use the following third-party services to operate DocCheck. They process data on our behalf under contractual obligations to protect it:
- Supabase — database and file storage. Australian region (Sydney, ap-southeast-2). Encrypted at rest.
- Vercel — application hosting. The application code is hosted globally; no personal data is stored at Vercel.
- Resend — email delivery (for invitations, reminders, and notifications). Tokyo region. Email content transits Resend briefly during sending.
- Stripe Payments Australia Pty Ltd — subscription billing and payment card processing. Stripe is PCI-DSS Level 1 certified. Stripe Tax also calculates and remits Australian GST. Billing data may be processed in the United States subject to Stripe's Privacy Policy and Data Protection Agreement.
We may change or add sub-processors as the service evolves. Material changes will be notified to Organisation administrators by email at least 30 days before they take effect.
Government and legal requests
We may disclose information when required by Australian law — for example, in response to a court order, regulatory audit powers (such as the NDIS Quality & Safeguards Commission, SafeWork authorities, or industry-specific regulators), or other lawful direction.
5. How long we keep your information
Retention periods depend on the type of data and the applicable industry obligations:
- While you are an active worker — your data is retained for as long as your Organisation needs it for compliance purposes
- After your Organisation deactivates your account — compliance records are retained for the period required by your Organisation's industry regulations. Common retention windows include 7 years (NDIS Practice Standards, aged care), 5 years (construction, mining, transport workplace records) and similar periods under other Australian regulatory regimes
- After the retention period — your Organisation's administrators may permanently delete your data. After permanent deletion, audit logs may retain a record of the deletion itself (for accountability) but not your underlying data
- Billing records — invoices, tax records, and payment metadata are retained for at least 7 years as required by Australian tax law (whether or not your subscription is active)
6. Where your data lives
Your personal data is stored in Australia:
- Database: Supabase Sydney (ap-southeast-2) — encrypted at rest with AES-256
- Files: Supabase Storage Sydney — encrypted at rest
- Backups: Supabase performs daily backups within the same Australian region
Email transmission may briefly transit other regions during delivery via Resend (Tokyo region — closest to Sydney for low-latency delivery to Australian inboxes).
7. How we protect your data
- Encryption in transit — all connections use HTTPS / TLS
- Encryption at rest — AES-256 for database and file storage
- Password hashing — we never store plaintext passwords; we use industry-standard bcrypt / PBKDF2 hashing with per-user salts
- Row-Level Security — the database itself enforces data access rules; even a compromised API key cannot read across organisations
- Signed file URLs — uploaded documents are never publicly accessible; viewing requires a cryptographically signed link that expires after 5 minutes
- Idle auto-logout — active sessions are automatically signed out after 15 minutes of inactivity
- Audit logging — every meaningful action (upload, approval, rejection, deactivation, deletion) is recorded
8. Your rights under the Privacy Act
You have the following rights regarding your personal information:
Right to access
You can view all of your own data within the DocCheck application at any time. If you require a formal export, contact your Organisation's administrator.
Right to correct
You can update your personal information through the application or by contacting your Organisation's administrator.
Right to deletion
You can request that your personal information be deleted. However, this right is limited by:
- Industry record-keeping obligations (typically 5–7 years depending on your Organisation's industry)
- Other legal, tax, or regulatory retention requirements
- Stripe's payment record-keeping obligations for billing-related data
Once retention periods elapse, your Organisation's administrators may permanently delete your data on request.
Right to lodge a complaint
If you believe your privacy has been mishandled, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
9. Cookies and tracking
DocCheck uses cookies only for essential functions:
- Authentication — to keep you signed in between page loads
- Session management — to remember your last activity time for idle timeout
We do not use:
- Third-party advertising cookies
- Cross-site tracking pixels
- Analytics that identify individual users
10. Children
DocCheck is designed for use by adult workers in regulated industries. We do not knowingly collect personal information from individuals under 16. If you believe we have collected information from a minor, please contact us immediately so we can delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by email to organisation administrators at least 30 days before they take effect. The current version is always available at doccheck.com.au/privacy.
12. Contact us
For privacy questions, requests, or concerns:
- Email: privacy@doccheck.com.au
- Mail: DocCheck Privacy Officer, Australia
For worker-specific data requests, please contact your Organisation's administrator first — they are the primary data controller for your information.