Legal

Privacy Policy.

Last updated 20 May 2026

Plain-English summary. roc.up holds the most sensitive category of personal information that exists under Australian law: the health information of NDIS participants. This policy explains, in detail, how we handle it. We're bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles. If something on this page isn't clear, email privacy@caringabode.com.au and a person will reply.

1. Who we are

roc.up is operated by Caring Abode Pty Ltd (ABN [REVIEW: ABN]) — referred to as "roc.up", "we", "us", or "our" in this policy. We provide software-as-a-service for Australian National Disability Insurance Scheme (NDIS) providers.

We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains how we collect, hold, use, and disclose personal information — including sensitive health information about NDIS participants — and how you can exercise your rights.

2. The information we collect

2.1 About the account holder

When you sign up to roc.up, we collect:

2.2 About your team — support workers

When you invite support workers to your roc.up workspace, we hold:

2.3 About NDIS participants — sensitive information

Care-file data for NDIS participants is the most sensitive category of information we hold. It includes health information, which is defined as "sensitive information" under the Privacy Act and which triggers heightened obligations under APP 3 — including, in most cases, the requirement for explicit consent from the individual.

We hold this category only because you, as the participant's NDIS provider, have lawfully collected it and uploaded it into roc.up to deliver care to that participant. You are responsible for obtaining and recording the necessary consents.

This category includes:

2.4 Automatically collected technical information

When you use roc.up, we automatically log:

3. How we use information

We use personal information to:

3.1 Sensitive (health) information — APP 3

We collect, hold, and process participants' health information only on your behalf, in your role as their NDIS provider. We do not use participants' health information for any purpose other than delivering the service to you. We do not sell it. We do not share it with third parties for marketing.

4. How we share information

We never sell personal information. We share information only with:

4.1 Your own team

Per the access controls you configure inside roc.up. Workers see only what you have authorised them to see, scoped by participant and by care-file section permissions.

4.2 Sub-processors that help us run roc.up

We use a small number of third-party service providers under written data-processing arrangements. The full live list (with what each does, what data they touch, and where they're hosted) is at subprocessors.html. In summary:

4.3 Legal compliance

We may disclose information where required by Australian law — for example, in response to a subpoena, search warrant, or order from a court or regulator (including the NDIS Quality and Safeguards Commission, where applicable).

5. Storage and security

Detailed in our Security overview. In summary:

6. How long we keep it

While your subscription is active, we keep your data for as long as you use the service. If you cancel:

7. Your rights under the Privacy Act

Under the Australian Privacy Principles, you have the right to:

To exercise any of these rights, email privacy@caringabode.com.au. We will respond within 30 days.

For participant data — the participant (or their nominee) should make access and correction requests through the NDIS provider that holds their file in roc.up, not directly to us. We will support the provider in handling such requests.

8. Data breaches and the Notifiable Data Breaches scheme

Under Part IIIC of the Privacy Act, we are required to notify the OAIC and affected individuals when an "eligible data breach" occurs — that is, where unauthorised access, disclosure, or loss is likely to result in serious harm and we have not been able to prevent that harm through remedial action.

Our commitments:

For incidents involving the My Health Record system (where applicable), we additionally notify the System Operator under the My Health Records Act 2012 (Cth).

9. Pattern Watch and AI processing

roc.up's Pattern Watch feature analyses shift notes and handover forms to flag risk patterns, weak documentation, and incident candidates. AI-drafted incident reports take a flagged shift note and produce a structured draft for your review.

10. Cookies

roc.up uses cookies for limited, essential purposes:

We do not use third-party advertising cookies, behavioural tracking cookies, or analytics cookies that share data with marketing platforms.

You can clear cookies in your browser settings; doing so will sign you out and may reset interface preferences. Disabling essential cookies prevents the service from working.

11. Children's privacy

roc.up is not directed at children. NDIS participants whose information we hold may be under 18 — this information is collected and managed by their NDIS provider (you) and their authorised nominee, with the same protections as adult participants. The Customer is responsible for any heightened consent or substitute-decision-maker arrangements that apply.

12. International transfers

Customer data is hosted in Australia. The exceptions are:

Where an overseas transfer happens, we take reasonable steps under APP 8 to ensure the overseas recipient handles the information in a way consistent with the APPs, including by contract.

13. Changes to this policy

We may update this policy from time to time. We will email the account holder at least 30 days before any material change takes effect. The current version is always at rocup.com.au/privacy.html.

14. Contact us

For privacy questions, complaints, or to exercise your rights:

If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC)oaic.gov.au or 1300 363 992.