Privacy Policy

Last updated: June 2026

1. Who we are

CareLocate is an independent NDIS provider directory operated in Australia. We are not a disability service provider. We have no financial relationships with any provider listed on our platform.

This Privacy Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. What personal information we collect

The information we collect depends on how you use CareLocate.

Searchers and participants

  • Name, email address, and phone number when you submit an enquiry to a provider
  • Message content included in your enquiry
  • Information you optionally provide about who needs support and your plan type
  • Location data (suburb/postcode) when you use location-based search

Providers

  • Business name, ABN, NDIS registration number
  • Contact name, email address, and phone number
  • Business address and service areas
  • Profile content you provide (description, photos, availability)
  • Billing information for Pro subscriptions (processed by Stripe — we do not store card details)

All visitors

  • IP address and browser type (collected automatically)
  • Pages visited and search queries (analytics only, not linked to identity)

3. How we collect it

  • Directly from you — when you submit an enquiry, submit a review, or claim and manage a provider profile
  • From public sources — NDIS provider data from the NDIA's public register (name, registration number, service areas)
  • Automatically — via cookies and analytics tools when you visit the site

4. How we use it

  • To forward your enquiry to the provider you selected
  • To send you a confirmation email when you submit an enquiry
  • To allow providers to manage their profile and respond to enquiries
  • To process Pro subscription payments
  • To improve search relevance and site performance
  • To detect and prevent fraud or abuse

We do not use your personal information for direct marketing without your explicit consent. We do not sell personal information to third parties.

5. Who we share it with

We share your personal information only in the following circumstances:

  • The provider you contact — when you submit an enquiry, your name, contact details, and message are sent to that provider only. Your details are not shared with any other provider.
  • Stripe — for payment processing (Pro subscriptions). Stripe's privacy policy applies to payment data.
  • Supabase — our database infrastructure provider. Data is stored in Australia where possible.
  • Where required by law — if compelled by a court order or regulatory authority.

6. Enquiry data

When you submit an enquiry through CareLocate:

  • Your enquiry details (name, email, phone, message) are sent to the provider you selected via email
  • A copy is stored in our database for up to 12 months, after which it is deleted
  • Your details are not shared with any other provider, advertiser, or third party
  • We do not follow up on your behalf or contact you about the enquiry unless you ask us to

7. Reviews

When you submit a review on CareLocate:

  • Your review is published with your first name and last initial only (e.g. "Sarah T.") — never your full name
  • Your email address is collected for verification purposes and is never displayed publicly
  • Reviews are moderated before publication
  • Providers cannot delete or suppress reviews — only CareLocate can remove a review if it breaches our guidelines

8. Cookies and analytics

We use cookies and similar technologies to:

  • Keep you logged in as a provider (session cookies)
  • Understand how the site is used — pages visited, search terms, time on page (analytics)
  • Improve search results and site performance

We do not use advertising cookies or sell analytics data. You can disable cookies in your browser settings, though some features (such as provider login) may not function correctly.

9. Data security

We take reasonable steps to protect personal information from misuse, loss, and unauthorised access, including:

  • HTTPS encryption on all pages
  • Access controls limiting who can access personal data
  • Secure third-party infrastructure (Supabase, Stripe, Cloudflare)

If a data breach occurs that is likely to result in serious harm, we will notify affected individuals and the OAIC as required under the Notifiable Data Breaches scheme.

10. Access and correction

You have the right to:

  • Request access to the personal information we hold about you
  • Request correction of inaccurate or outdated information
  • Request deletion of your personal information (subject to legal and operational requirements)

To make a request, email privacy@carelocate.com.au. We will respond within 30 days.

11. Complaints

If you believe we have mishandled your personal information, please contact us first at privacy@carelocate.com.au. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.

12. Contact

For privacy-related enquiries, contact us at privacy@carelocate.com.au.

Privacy Policy — CareLocate — CareLocate