Privacy Policy.
Last updated 20 May 2026
1. Who we are
roc.up is operated by Caring Abode Pty Ltd (ABN [REVIEW: ABN]) — referred to as "roc.up", "we", "us", or "our" in this policy. We provide software-as-a-service for Australian National Disability Insurance Scheme (NDIS) providers.
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains how we collect, hold, use, and disclose personal information — including sensitive health information about NDIS participants — and how you can exercise your rights.
2. The information we collect
2.1 About the account holder
When you sign up to roc.up, we collect:
- Name and email address
- Username and password (passwords are hashed and salted, never stored in plain text)
- Organisation name, ABN, NDIS registration number, business address
- Billing details (handled by our payment processor — we do not store full card numbers)
2.2 About your team — support workers
When you invite support workers to your roc.up workspace, we hold:
- Name, email, date of birth, phone, address
- Employment type, qualifications, induction status
- Profile photo (if uploaded)
- Timesheet records, clock-in/out timestamps, mileage, allowances, bonuses
- Shift notes and handover forms authored by the worker
- Training read receipts
2.3 About NDIS participants — sensitive information
Care-file data for NDIS participants is the most sensitive category of information we hold. It includes health information, which is defined as "sensitive information" under the Privacy Act and which triggers heightened obligations under APP 3 — including, in most cases, the requirement for explicit consent from the individual.
We hold this category only because you, as the participant's NDIS provider, have lawfully collected it and uploaded it into roc.up to deliver care to that participant. You are responsible for obtaining and recording the necessary consents.
This category includes:
- Identifying details (name, DOB, NDIS number, plan number, plan dates)
- Health conditions, medications, allergies
- Care plans, routines, goals, risks, emergency-response instructions
- Clinical logs (food, fluid, bowel movements, behaviours, seizures)
- Shift notes, handover forms, incident reports
- Uploaded documents (GP letters, plans, photos)
- Service Agreements and signature samples
- Behaviour and mood patterns surfaced by Pattern Watch
2.4 Automatically collected technical information
When you use roc.up, we automatically log:
- IP address, browser type, device type
- Pages accessed, actions taken, timestamps
- Cookies (for authentication and session management — see section 10)
- Error and performance traces
3. How we use information
We use personal information to:
- Deliver the roc.up service to you and your team
- Process billing and payments
- Provide customer support and respond to your enquiries
- Generate invoices and send them to your connected Xero account (when configured)
- Run our Pattern Watch AI feature, which analyses shift notes and handover forms within your workspace only to surface risk patterns, weak documentation, and incident candidates
- Generate AI-drafted incident reports from flagged shift notes
- Improve and secure the service, including detecting fraud and abuse
- Comply with our legal obligations
3.1 Sensitive (health) information — APP 3
We collect, hold, and process participants' health information only on your behalf, in your role as their NDIS provider. We do not use participants' health information for any purpose other than delivering the service to you. We do not sell it. We do not share it with third parties for marketing.
4. How we share information
We never sell personal information. We share information only with:
4.1 Your own team
Per the access controls you configure inside roc.up. Workers see only what you have authorised them to see, scoped by participant and by care-file section permissions.
4.2 Sub-processors that help us run roc.up
We use a small number of third-party service providers under written data-processing arrangements. The full live list (with what each does, what data they touch, and where they're hosted) is at subprocessors.html. In summary:
- Supabase — database, authentication and storage. Hosted in AWS Sydney. All customer data stays in Australia.
- Vercel — web application hosting.
- Mailgun — outbound and inbound email.
- AI model provider — for Pattern Watch and AI-drafted incident reports. Under a no-training arrangement. Data is not retained by the provider after the response is returned.
- Stripe — payment processing. Full card numbers never reach us.
- Xero — invoicing, only when you connect your Xero org. Data flows only after you authorise the connection.
4.3 Legal compliance
We may disclose information where required by Australian law — for example, in response to a subpoena, search warrant, or order from a court or regulator (including the NDIS Quality and Safeguards Commission, where applicable).
5. Storage and security
Detailed in our Security overview. In summary:
- Where — All customer data is hosted in Australia (AWS Sydney). Backups stay within Australia.
- Encryption — TLS 1.2+ in transit, AES-256 at rest.
- Access controls — Row-level security on every database table. Workers see only what their administrator has authorised.
- Audit log — Edits to care files are logged with who, what, and when.
- Staff access — roc.up staff access production data only when required for support, and only with the affected account holder's knowledge.
6. How long we keep it
While your subscription is active, we keep your data for as long as you use the service. If you cancel:
- You can export all data at any time before cancellation — care files, rosters, timesheets, training records — as PDF or CSV.
- For 30 days after cancellation we keep your data in a recoverable state in case you reactivate.
- After 30 days we delete your workspace data from production. Encrypted backups containing your data may persist for up to a further 60 days before being overwritten in the normal backup rotation.
- NDIS providers have separate record-keeping obligations under the NDIS Quality and Safeguards Commission Rules. You must export and retain records yourself before cancellation.
7. Your rights under the Privacy Act
Under the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you (APP 12).
- Correct inaccurate information (APP 13).
- Withdraw consent for further processing (where consent is the basis for processing).
- Complain to us, and ultimately to the Office of the Australian Information Commissioner (OAIC) if you are dissatisfied with our response.
To exercise any of these rights, email privacy@caringabode.com.au. We will respond within 30 days.
For participant data — the participant (or their nominee) should make access and correction requests through the NDIS provider that holds their file in roc.up, not directly to us. We will support the provider in handling such requests.
8. Data breaches and the Notifiable Data Breaches scheme
Under Part IIIC of the Privacy Act, we are required to notify the OAIC and affected individuals when an "eligible data breach" occurs — that is, where unauthorised access, disclosure, or loss is likely to result in serious harm and we have not been able to prevent that harm through remedial action.
Our commitments:
- Assess within 30 days. Where we suspect a data breach, we have up to 30 days under the Privacy Act to assess whether it is an eligible data breach. In practice we aim to complete the assessment within 72 hours.
- Notify the customer first. If Customer Personal Information is affected, we notify the affected customer (you) directly, in writing, with what happened, what data was involved, what we've done, what you should do, and how to contact us. See clause 9 of the DPA.
- Notify the OAIC and individuals. Where the breach is an eligible data breach, we (and the affected customer) notify the OAIC and the affected individuals as soon as practicable. The notice must include recommendations about the steps individuals should take.
- Cooperate. We cooperate with the OAIC and with any further regulator (such as the NDIS Commission) where they are also required to be notified.
For incidents involving the My Health Record system (where applicable), we additionally notify the System Operator under the My Health Records Act 2012 (Cth).
9. Pattern Watch and AI processing
roc.up's Pattern Watch feature analyses shift notes and handover forms to flag risk patterns, weak documentation, and incident candidates. AI-drafted incident reports take a flagged shift note and produce a structured draft for your review.
- Analysis is performed by a third-party AI model provider under a no-training data-processing arrangement. Your data is not used to train the model.
- The model provider processes the text transiently to generate its response. No copy is retained by the model provider after the request.
- All outputs are surfaced inside your roc.up workspace, scoped to your provider only.
- You can request that AI processing be disabled on your workspace by contacting privacy@caringabode.com.au.
- AI outputs are suggestions for human review — they do not substitute for clinical, legal, or compliance judgement. See clause 8 of the Terms of Service.
10. Cookies
roc.up uses cookies for limited, essential purposes:
- Authentication — to keep you signed in after you log in.
- Session management — short-lived tokens used to maintain a session and protect against cross-site request forgery.
- Preferences — small bits of state stored to remember your interface choices (e.g., which week of the roster you were last viewing).
We do not use third-party advertising cookies, behavioural tracking cookies, or analytics cookies that share data with marketing platforms.
You can clear cookies in your browser settings; doing so will sign you out and may reset interface preferences. Disabling essential cookies prevents the service from working.
11. Children's privacy
roc.up is not directed at children. NDIS participants whose information we hold may be under 18 — this information is collected and managed by their NDIS provider (you) and their authorised nominee, with the same protections as adult participants. The Customer is responsible for any heightened consent or substitute-decision-maker arrangements that apply.
12. International transfers
Customer data is hosted in Australia. The exceptions are:
- The AI model provider — transiently processes text for AI features outside Australia. No copy is retained.
- Mailgun — provides email transport [REVIEW: confirm region].
Where an overseas transfer happens, we take reasonable steps under APP 8 to ensure the overseas recipient handles the information in a way consistent with the APPs, including by contract.
13. Changes to this policy
We may update this policy from time to time. We will email the account holder at least 30 days before any material change takes effect. The current version is always at rocup.com.au/privacy.html.
14. Contact us
For privacy questions, complaints, or to exercise your rights:
- Email — privacy@caringabode.com.au
- Post — [REVIEW: registered business address]
If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) — oaic.gov.au or 1300 363 992.