DocCheck
Worker Compliance Tracker
← Back to app

Privacy Policy

Last updated: 17 May 2026 · Effective: 17 May 2026

Plain-English summary: DocCheck is a compliance tracking tool. We store the documents your employer requires to keep on file, and we send reminders when documents are about to expire. We don't sell your data, and we keep it in Australia.

1. Who this policy applies to

This Privacy Policy explains how DocCheck ("we", "us", "our") collects, uses and protects personal information through the DocCheck platform (doccheck.com.au).

This policy applies to:

  • Organisations who subscribe to DocCheck to track their workers' compliance documents (the "Organisation")
  • Workers employed by those Organisations who use DocCheck to upload, view or manage their own compliance documents
  • Administrators within an Organisation who manage worker records

This policy operates under the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

2. What information we collect

Account information

  • Full name, email address, phone number (if provided)
  • Role title (e.g. Support Worker, Driver, Administrator)
  • Password (stored only as a salted cryptographic hash — we never see your actual password)
  • Account status (active, inactive, invitation accepted)

Compliance documents

The documents you upload — which may include sensitive personal information such as:

  • Worker screening checks (e.g. NDIS Worker Screening Check, Working with Children Check, National Police Check)
  • Industry licences (e.g. driver's licence, White Card, Heavy Vehicle Licence, High Risk Work Licence)
  • Training and certification records (e.g. First Aid, CPR, Manual Handling, Standard 11, industry-specific inductions)
  • Vehicle and equipment compliance (registration, insurance, roadworthy certificates)
  • Health and vaccination records (where required by your Organisation)
  • Right to work and visa documentation
  • Tax and banking information (where uploaded to the Forms Hub)
  • Any other documents your Organisation requires

This data is treated as sensitive information under the Privacy Act and is given the highest level of protection.

Billing information (Organisations only)

When an Organisation subscribes to a paid plan, billing details (business name, billing address, ABN where provided, payment card) are collected and processed by our payment processor Stripe Payments Australia Pty Ltd. DocCheck never stores or has access to your full payment card details — only a tokenised reference plus the last 4 digits and card brand for display purposes.

Usage and activity data

  • Login times and IP addresses (for security)
  • Document upload, approval, and rejection events (audit trail)
  • Email delivery status (whether reminders were sent successfully)

3. How we use your information

We use personal information for the following purposes:

  • Compliance tracking — the core function of the service
  • Sending reminders to you and your Administrator when documents approach expiry (30, 14 and 7 days before, plus on the expiry day)
  • Generating audit reports for your Organisation's NDIS Quality & Safeguards Commission audits or equivalent regulatory reviews
  • Security and fraud prevention — detecting unauthorised access, abuse, or breaches
  • Service operation — running the platform, fixing bugs, providing support

We do not use your data to:

  • Sell to advertisers or data brokers
  • Train AI models
  • Build profiles for marketing
  • Make automated decisions that legally affect you

4. Who can see your information

Inside your Organisation

  • You can see your own profile and your own documents at all times
  • Administrators of your Organisation can see your profile and all of your uploaded documents
  • Other workers in your Organisation cannot see your personal documents — only their own

Across Organisations

Your data is strictly isolated from other Organisations using DocCheck. We enforce this at the database level using Row-Level Security policies — even DocCheck staff cannot access cross-tenant data through normal application use.

Service providers (sub-processors)

We use the following third-party services to operate DocCheck. They process data on our behalf under contractual obligations to protect it:

  • Supabase — database and file storage. Australian region (Sydney, ap-southeast-2). Encrypted at rest.
  • Vercel — application hosting. The application code is hosted globally; no personal data is stored at Vercel.
  • Resend — email delivery (for invitations, reminders, and notifications). Tokyo region. Email content transits Resend briefly during sending.
  • Stripe Payments Australia Pty Ltd — subscription billing and payment card processing. Stripe is PCI-DSS Level 1 certified. Stripe Tax also calculates and remits Australian GST. Billing data may be processed in the United States subject to Stripe's Privacy Policy and Data Protection Agreement.

We may change or add sub-processors as the service evolves. Material changes will be notified to Organisation administrators by email at least 30 days before they take effect.

Government and legal requests

We may disclose information when required by Australian law — for example, in response to a court order, regulatory audit powers (such as the NDIS Quality & Safeguards Commission, SafeWork authorities, or industry-specific regulators), or other lawful direction.

5. How long we keep your information

Retention periods depend on the type of data and the applicable industry obligations:

  • While you are an active worker — your data is retained for as long as your Organisation needs it for compliance purposes
  • After your Organisation deactivates your account — compliance records are retained for the period required by your Organisation's industry regulations. Common retention windows include 7 years (NDIS Practice Standards, aged care), 5 years (construction, mining, transport workplace records) and similar periods under other Australian regulatory regimes
  • After the retention period — your Organisation's administrators may permanently delete your data. After permanent deletion, audit logs may retain a record of the deletion itself (for accountability) but not your underlying data
  • Billing records — invoices, tax records, and payment metadata are retained for at least 7 years as required by Australian tax law (whether or not your subscription is active)

6. Where your data lives

Your personal data is stored in Australia:

  • Database: Supabase Sydney (ap-southeast-2) — encrypted at rest with AES-256
  • Files: Supabase Storage Sydney — encrypted at rest
  • Backups: Supabase performs daily backups within the same Australian region

Email transmission may briefly transit other regions during delivery via Resend (Tokyo region — closest to Sydney for low-latency delivery to Australian inboxes).

7. How we protect your data

  • Encryption in transit — all connections use HTTPS / TLS
  • Encryption at rest — AES-256 for database and file storage
  • Password hashing — we never store plaintext passwords; we use industry-standard bcrypt / PBKDF2 hashing with per-user salts
  • Row-Level Security — the database itself enforces data access rules; even a compromised API key cannot read across organisations
  • Signed file URLs — uploaded documents are never publicly accessible; viewing requires a cryptographically signed link that expires after 5 minutes
  • Idle auto-logout — active sessions are automatically signed out after 15 minutes of inactivity
  • Audit logging — every meaningful action (upload, approval, rejection, deactivation, deletion) is recorded

8. Your rights under the Privacy Act

You have the following rights regarding your personal information:

Right to access

You can view all of your own data within the DocCheck application at any time. If you require a formal export, contact your Organisation's administrator.

Right to correct

You can update your personal information through the application or by contacting your Organisation's administrator.

Right to deletion

You can request that your personal information be deleted. However, this right is limited by:

  • Industry record-keeping obligations (typically 5–7 years depending on your Organisation's industry)
  • Other legal, tax, or regulatory retention requirements
  • Stripe's payment record-keeping obligations for billing-related data

Once retention periods elapse, your Organisation's administrators may permanently delete your data on request.

Right to lodge a complaint

If you believe your privacy has been mishandled, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9. Cookies and tracking

DocCheck uses cookies only for essential functions:

  • Authentication — to keep you signed in between page loads
  • Session management — to remember your last activity time for idle timeout

We do not use:

  • Third-party advertising cookies
  • Cross-site tracking pixels
  • Analytics that identify individual users

10. Children

DocCheck is designed for use by adult workers in regulated industries. We do not knowingly collect personal information from individuals under 16. If you believe we have collected information from a minor, please contact us immediately so we can delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email to organisation administrators at least 30 days before they take effect. The current version is always available at doccheck.com.au/privacy.

12. Contact us

For privacy questions, requests, or concerns:

For worker-specific data requests, please contact your Organisation's administrator first — they are the primary data controller for your information.

DocCheck · Privacy · Terms