Privacy Policy
Software
Revision: 4.0
Issued: 1 October 2025
Purpose
The purpose of the policy is to establish a standard breach response process.
Background
Security breaches, in particular data breaches, are an unwelcome reality of any cloud service in the 2020s. CarePage maintains a rigorous position on data privacy and security and has implemented all reasonable measures to protect the integrity and security of our customer data. Notwithstanding this level of protection, this policy exists in case of the “what if” scenario that our data is subject to a breach.
The policy shall be well publicised and made easily available to all personnel whose duties may involve data privacy and security protection.
Scope
This policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle any CarePage customers' personal data, including third-party suppliers and affiliates. Note! Under this policy, CarePage does not collect clinical data.
Policy
Any individual who suspects that a theft, breach or exposure of CarePage customer data has occurred must immediately provide a description of what occurred via email to [email protected]. Monitoring of this email address is handled by CarePage support, which passes the information to the CTO’s office.
The CTO’s office will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the CTO’s office will assess the breach and implement any required measures to contain the breach.
The CTO’s office will then notify the General Manager and the CEO, who will chair an incident response team to handle the breach.
The incident response team may include members from:
- IT Infrastructure
- Legal
- Communications
- Customer Services (if customer data is affected)
- Human Resources
The incident response team will analyze the breach or exposure to:
- Determine the root cause of the breach;
- Determine the full impact of the breach; and
- Develop a communication plan for affected parties.
You can always find the updated version of this privacy policy and terms of use on our website at https://carepage.com.au/terms-and-conditions/
Definitions
For the purposes of this Addendum:
Personal Information has the meaning given in the Privacy Act 1988 (Cth) and includes any information relating to the Customer’s employees, clients, residents, or stakeholders disclosed under this Agreement.
Permitted Purpose means the performance of the Company’s obligations under the Agreement and any related purpose necessary to provide the Services.
Privacy Laws means all applicable laws and regulations relating to privacy, data protection and cybersecurity in the jurisdiction of the Services.
Use and Handling of Personal Information
The Company agrees that it will:
(a) use Personal Information only for the Permitted Purpose or as otherwise required by law;
(b) take reasonable technical and organisational measures to protect Personal Information from unauthorised access, loss, misuse or disclosure;
(c) disclose Personal Information only to its personnel, contractors, or service providers who require access for the Permitted Purpose and are bound by appropriate confidentiality obligations;
(d) comply with applicable Privacy Laws with respect to the collection, use, storage, and handling of Personal Information;
(e) store Personal Information related to the Customer in Australia (unless otherwise agreed in writing);
(f) take reasonable steps to ensure that the Customer’s Personal Information is logically or physically segregated from the Company’s internal data and data of other customers, to reduce the risk of unauthorised disclosure or cross-access.
Data Breach Notification
If the Company becomes aware of a data breach involving the Customer’s Personal Information:
(a) the Company will notify the Customer as soon as reasonably practicable and, where feasible, within 72 hours;
(b) such notification will include (to the extent known and reasonably practical):
(i) the nature and scope of the breach;
(ii) types of individuals and data potentially affected;
(iii) likely consequences of the breach;
(iv) actions taken or proposed to contain and address the breach.
(c) the Company will provide reasonable assistance to enable the Customer to comply with its obligations under applicable Privacy Laws.
Data Access and Requests
Where the Customer is required to respond to a request from an individual regarding their Personal Information:
(a) the Company will, upon written request, provide reasonable assistance to facilitate compliance with such request, where it is reasonably able and legally permitted to do so;
(b) the Company will not respond directly to an individual request unless required by law, in which case the Company will, where permitted, notify the Customer prior to responding.
Return or Deletion of Personal Information
Upon expiry or termination of the Agreement:
(a) the Company may retain Personal Information to the extent required for legal, regulatory, or reasonable business purposes (e.g. backups, audit logs, billing data);
(b) where such retention is not required, the Company will take commercially reasonable steps to securely delete or de-identify Personal Information in accordance with standard industry practice;
(c) upon written request within 30 days of termination, the Company will return available Personal Information to the Customer in a standard electronic format;
(d) if no request is received within the specified timeframe, the Company will proceed with its data minimisation process outlined above.
Use of Subcontractors
The Company may engage subcontractors or third-party service providers to support its service delivery. Where such providers have access to the Customer’s Personal Information, the Company will:
(a) implement appropriate contractual safeguards; and
(b) ensure such providers are subject to data protection obligations materially similar to those set out in this Addendum.
List of subcontractors:
- Microsoft Azure
- Microsoft Azure AI
- Twilio SendGrid
- Apple – (App Store)
- Google – (Play Store)
- Browserless
All personal information is hosted within secure data centres located in Australia. Data may be replicated for redundancy within Australian regions only; no routine transfers occur outside Australia or New Zealand. Any future hosting expansion to additional countries will be announced and governed by comparable-safeguard agreements.
Cross-Border Privacy and Data Protection
Australia & New Zealand
(a) Compliance with Australian and New Zealand Privacy Laws
CarePage is an Australian-based company and complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). When providing services to customers in New Zealand, CarePage handles personal information in a manner that is substantially consistent with the New Zealand Privacy Act 2020. Both frameworks govern how we collect, use, store, protect, and disclose personal information to ensure a high standard of privacy across all operations.
(b) Data Hosting and Location
All personal information is hosted within secure data centres located in Australia. Data may be replicated for redundancy across Australian regions only. CarePage does not routinely transfer or store personal information outside Australia or New Zealand. Any future hosting expansion to additional countries will be announced in advance and implemented only under arrangements that provide comparable safeguards to those required by both Australian and New Zealand privacy laws.
(c) Cross-Border Transfers (New Zealand Customers – IPP 12 Compliance)
When CarePage handles personal information collected in New Zealand, that information may be transferred to, or stored in, Australia. Such transfers occur only where the information is protected under contractual and organisational safeguards that provide comparable privacy protections to those required by the New Zealand Privacy Act 2020 (Information Privacy Principle 12). These safeguards are substantially consistent with the New Zealand Privacy Commissioner’s model clauses and require that any Australian-based recipients handle the data to the same high standard as if it remained in New Zealand. By using our services, you consent to the transfer and storage of your personal information in Australia under these protections.
(d) Your Rights as a New Zealand Customer
If you are located in New Zealand, you have rights under the Privacy Act 2020 to access and request correction of your personal information. If you believe your privacy rights have been affected, you may contact CarePage using the details below or reach out to the Office of the New Zealand Privacy Commissioner (www.privacy.org.nz). We will co-operate fully with any inquiry or investigation initiated by either authority.
CarePage Privacy Officer
Email: [email protected]
Address: Level 1, 24 Bank Place, South Melbourne VIC, 3205 Australia
Privacy Collection Notice – Private Surveys
We take your privacy seriously and only collect the data and information you choose to provide us and with your consent. Personal information you provide (such as name, email and your opinions that you share via this platform) is collected by Aged Care Report Card Pty Ltd (ABN: 76 168 514 127) trading as CarePage on behalf of this provider for the expressed purpose of assessing, improving and administering the services they provide.
We may also share and publish aggregated or anonymous data and information with third parties, such as government bodies, peak bodies, research and other aged care sector providers for the purposes of assessing and reviewing the performance of services and providing information back to consumers and other users of www.carepage.com.au and happylifeindex.com.au. This data and aggregated information may be explicitly identifiable as yours when explicitly indicated, or, in the event that data is aggregated and de-identified, may include your data as part of a dataset and trend.
We may be required by relevant laws to collect certain information from you. Details of any applicable laws that require us to collect information about individuals and why these laws require us to collect personal information are contained in our Privacy Policy. We may disclose information to recipients (including service providers and our related entities) which are (1) located outside Australia and/or (2) not established in or do not carry on business in Australia.
Internal processes and safeguards
CarePage, as part of the CareCo group, adheres to the internal safeguards and processes established to protect customer data. These include robust protocols for data handling, disaster prevention plans, and comprehensive privacy policies. For detailed internal documentation regarding these measures, please refer to the group level policies.
Limitation of Liability
This Addendum does not expand or increase the Company’s liability under the main Agreement. To the extent permitted by law, the Company excludes all indirect, special, or consequential losses arising from data breach or privacy-related events, except in cases of proven gross negligence or wilful misconduct. Updated information at https://carepage.com.au/terms-and-conditions/