Privacy Policy
- 1. About This Policy
- 2. Who We Are
- 3. Information We Collect
- 4. How We Collect Information
- 5. How We Use Your Information
- 6. Health Information
- 7. Disclosure to Third Parties
- 8. Overseas Disclosure
- 9. Data Residency
- 10. Security
- 11. Retention and Deletion
- 12. Access and Correction
- 13. Complaints
- 14. Cookies and Tracking
- 15. Children's Privacy
- 16. Changes to This Policy
- 17. Contact Us
Important: Maree-CareFlow is a self-hosted software product. When your practice uses Maree-CareFlow, your client health records and practice data are stored on infrastructure that you control — not on Maree-CareFlow's servers. This policy covers how we handle information about you as a customer (practice owner, administrator, or subscriber) rather than the health records of the participants your practice serves.
1. About This Policy
Maree-CareFlow Pty Ltd ("Maree-CareFlow", "we", "our", or "us") is committed to protecting personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act.
This Privacy Policy explains how we collect, hold, use, and disclose personal information about:
- Visitors to our marketing website (maree-careflow.com.au);
- Prospective and current customers (practices, organisations, and their authorised representatives); and
- Individuals who contact us for support, sales enquiries, or general information.
This policy does not govern the health records or participant data managed by practices that use the Maree-CareFlow software. That data is held on the practice's own infrastructure and is subject to the practice's own privacy obligations under the Privacy Act 1988, applicable state health records legislation, and the NDIS Act.
2. Who We Are
Maree-CareFlow Pty Ltd is an Australian company that develops and distributes Maree-CareFlow — a self-hosted practice management platform for Australian allied health and NDIS providers.
We are bound by the Australian Privacy Principles and, where applicable, the Health Records Act 2001 (Vic) and equivalent state health records legislation.
3. Information We Collect
3.1 Information You Provide
We collect personal information that you voluntarily provide, including:
- Contact details: name, email address, phone number, practice name, practice address;
- Account information: subscription tier, billing details (processed by our payment provider — we do not store card numbers);
- Licence information: organisation name, licence key details, deployment method;
- Support enquiries: messages you send via our contact forms, email, or support portal;
- Demo and trial requests: information you provide when booking a demonstration or requesting a free trial.
3.2 Information Collected Automatically
When you visit our website, our web server may collect:
- IP address;
- Browser type and version;
- Pages visited and time of visit;
- Referring URL.
We use this information for security monitoring, service improvement, and aggregate analytics. We do not use third-party advertising trackers.
3.3 Information We Do Not Collect
We do not collect or store:
- Health records or clinical notes created within your Maree-CareFlow installation (these remain on your server);
- NDIS participant identifiers or funding information stored in your system;
- Payment card numbers (payments are processed by our PCI-DSS-compliant payment provider);
- Sensitive information about your clients or participants.
4. How We Collect Information
We collect personal information:
- Directly from you when you submit an enquiry, register for a trial, purchase a licence, or contact us;
- Through your use of our website (server logs and basic analytics);
- From our payment provider when you complete a subscription transaction;
- Via email correspondence.
Where it is lawful and practicable to do so, we will collect information directly from the individual concerned.
5. How We Use Your Information
We use personal information to:
- Provide, administer, and support your Maree-CareFlow licence and subscription;
- Respond to support requests, enquiries, and feedback;
- Send service-related communications (licence expiry reminders, security notices, release announcements);
- Process payments and issue invoices;
- Improve our product and website;
- Comply with legal obligations;
- Prevent fraud and misuse of our services.
We will not use your personal information for direct marketing unless you have consented. You may opt out of marketing communications at any time by following the unsubscribe link in any marketing email or contacting us directly.
6. Health Information
Maree-CareFlow is a self-hosted application. All health records, clinical notes, NDIS participant plans, and related sensitive health information managed within your Maree-CareFlow installation are stored on servers under your control — not on Maree-CareFlow's infrastructure.
As the operator of that infrastructure, your practice is the entity responsible for those health records under:
- The Privacy Act 1988 (Cth) — Australian Privacy Principles (health information as sensitive information under APP 3);
- The Health Records Act 2001 (Vic), Health Records and Information Privacy Act 2002 (NSW), and equivalent state legislation;
- NDIS Quality and Safeguards Commission privacy and information management requirements;
- AHPRA ethical and confidentiality obligations.
Maree-CareFlow provides the software tools and technical safeguards (access controls, audit logging, data retention enforcement) that help you meet these obligations, but the primary legal responsibility for participant health data lies with your practice.
7. Disclosure to Third Parties
We do not sell, rent, or trade personal information. We may disclose personal information to:
- Payment processors: to process subscription payments (subject to their own privacy policies and PCI-DSS compliance);
- Cloud infrastructure providers: who host our marketing website and licence management systems (data processing agreements are in place);
- Legal and regulatory authorities: where required by law, court order, or applicable regulation;
- Professional advisers: including lawyers, accountants, and auditors, under strict confidentiality;
- Business successors: in the event of a merger, acquisition, or business transfer (you will be notified in advance).
All third parties to whom we disclose personal information are required to handle it in accordance with Australian privacy law or equivalent protections.
8. Overseas Disclosure
Our marketing website and licence management systems may be hosted on infrastructure located outside Australia. Where personal information is transferred or stored overseas, we take reasonable steps to ensure that overseas recipients handle it in accordance with standards at least equivalent to the Australian Privacy Principles (APP 8.1).
We will not disclose personal information to an overseas recipient unless we are satisfied that the recipient provides adequate privacy protections, or you have consented to the transfer, or disclosure is required or authorised by law.
9. Data Residency (Your Client Data)
Because Maree-CareFlow is self-hosted, you decide where your client data is stored. You can install Maree-CareFlow on:
- An Australian-based cPanel hosting account;
- An Australian-based VPS or cloud server (e.g. AWS Sydney, Azure Australia East);
- On-premises hardware within your practice.
Maree-CareFlow does not transmit your clinical data to our servers or any third-party service without your explicit configuration (for example, enabling optional cloud integrations).
Enterprise customers can receive a written Australian data residency commitment on request — contact our enterprise team.
10. Security
We take reasonable steps to protect the personal information we hold from misuse, interference, loss, unauthorised access, modification, or disclosure. Our security measures include:
- Encrypted data transmission (HTTPS/TLS for all web communications);
- Access controls and authentication for our internal systems;
- Regular security reviews of our software;
- Staff training on data handling obligations.
If you become aware of a security vulnerability in Maree-CareFlow or suspect that your practice's installation has been compromised, please contact us immediately at security@maree-careflow.com.au.
11. Retention and Deletion
We retain personal information for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
- Account and licence records: retained for the duration of the subscription plus 7 years (Australian tax law and regulatory compliance);
- Support correspondence: retained for 2 years after resolution;
- Website server logs: retained for 90 days, then automatically deleted;
- Marketing enquiry records: retained until you opt out or request deletion, or for a maximum of 3 years if no subscription is established.
You may request deletion of your personal information by contacting us (see Section 17). We will delete or de-identify your information unless we are legally required or permitted to retain it.
12. Access and Correction (APP 12 & APP 13)
Under APP 12, you have the right to request access to the personal information we hold about you. Under APP 13, you have the right to request correction of information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
To make an access or correction request:
- Email us at privacy@maree-careflow.com.au; or
- Write to our privacy officer (address in Section 17).
We will respond to access requests within 30 days. We will not charge a fee for making a request, but may charge a reasonable cost for providing access if the volume of information involved is large.
If we refuse an access or correction request, we will explain why in writing and advise you of your right to complain to the Office of the Australian Information Commissioner.
13. Complaints (APP 1)
If you believe we have handled your personal information in a manner inconsistent with the Australian Privacy Principles, you may lodge a complaint with us:
- Email: privacy@maree-careflow.com.au
- Post: Privacy Officer, Maree-CareFlow Pty Ltd (address in Section 17)
We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
14. Cookies and Tracking
Our marketing website uses essential functional cookies only. We do not use advertising cookies, third-party tracking pixels, or behavioural analytics services.
Functional cookies we use:
- Session cookies: used temporarily while you navigate the site — deleted when you close your browser;
- Preference cookies: remember display preferences (e.g. monthly/annual pricing toggle) — stored for 30 days.
You can disable cookies in your browser settings. Disabling cookies will not prevent you from viewing our marketing website.
15. Children's Privacy
Our marketing website and services are directed at allied health practice operators and administrators. We do not knowingly collect personal information from individuals under 18 years of age through our website. If you believe we have inadvertently collected information about a child, please contact us and we will promptly delete it.
Note: Maree-CareFlow software is used by practices that do work with children (e.g. paediatric OT, speech pathology). The privacy of those children's health records is the responsibility of the practice as the data controller on their own server.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:
- Update the "Last updated" date at the top of this page;
- Notify active subscribers by email.
Your continued use of our website or services after the effective date of the updated policy constitutes acceptance of the changes.
17. Contact Us
Privacy Officer — Maree-CareFlow Pty Ltd
Email: privacy@maree-careflow.com.au
Security issues: security@maree-careflow.com.au
General enquiries: via our contact form
We aim to acknowledge all privacy enquiries within 2 business days and to resolve complaints within 30 days.
If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.