Privacy policy
How NDIScribe handles customer and participant data
Last updated: 27 May 2026
Data we collect
We collect organisation account details, user emails and roles, participant labels and support documentation entered by users, shift notes, plans, incidents, restrictive practice event records, family update drafts, claim drafts, audit pack metadata, usage metadata, and security metadata such as IP address and browser details.
Why we process it
We process customer data to provide the NDIScribe workspace, authenticate users, isolate organisations, generate documentation assistance, produce exports requested by the customer, maintain audit records, prevent abuse, provide support, and meet legal and security obligations.
AI processing and data flows
Customer data is hosted with Australian data residency and is encrypted in transit and at rest. Text sent to AI models, including for note scoring, retrieval and the AI Advocate, is de identified with opaque tokens before any AI processing, so direct identifiers are removed before text leaves the workspace. How we secure data and the safeguards we apply are described on the security page.
Access, export and deletion
Organisation owners can export a JSON copy of organisation data from Settings. Owners can also permanently delete the organisation and all of its records from Settings. NDIScribe keeps only minimal deletion audit metadata needed to evidence the request and outcome; participant content is not retained in that audit trail. Our team can help with correction requests under APP 13.
Notifiable Data Breaches
If we suspect eligible serious harm from unauthorised access, disclosure, or loss of personal information, we assess and notify affected customers and the OAIC as required by the Notifiable Data Breaches scheme.
Contact
Privacy requests: mitsi@ndiscribe.com.