This policy at a glance
- Silware is software that NDIS providers use to run their services — rostering, care records, medication administration, incidents, billing and claims.
- The platform holds sensitive information, including health and disability information, that providers record about the people they support and about their workers.
- Each provider decides what is collected and why, and is responsible for the information it enters; we host and protect that information and use it only to run the service.
- Platform data is hosted in Australia (AWS Sydney), and our AI features do not train third-party models on your data.
- We never sell personal information and we do not use it for advertising.
- Access and correction of the records your provider holds about you go through that provider, which controls them. For Silware’s own handling of information, contact us — with the OAIC as the escalation path.
- Contact: info@silware.com.au · +61 449 944 533. We can help in accessible formats, through an interpreter, or via an advocate.
This summary does not replace the full policy below.
Contents
1 About this policy
Silware (ABN 81 644 338 125) (“Silware”, “we”, “us”, “our”) operates the Silware Platform, a cloud-based operations-management platform (the “Platform”) built for providers of supports and services under the National Disability Insurance Scheme (“NDIS”).
We are an APP entity under the Privacy Act 1988 (Cth) (the “Privacy Act”) and are bound by the Australian Privacy Principles (“APPs”). We also handle health information and other sensitive information, which receives additional protection under the Privacy Act and, where applicable, State and Territory health-records legislation. The Platform is designed to support Providers in meeting their own obligations under the National Disability Insurance Scheme Act 2013 (Cth), the NDIS Practice Standards and the NDIS Code of Conduct.
This policy is governed by Australian law. It explains how we collect, hold, use, disclose, secure and dispose of personal information, and how you can access and correct your information or make a complaint. It applies to our website (silware.com.au), the Platform (web application, support-worker mobile apps, and APIs), our AI features, and our dealings with customers, prospective customers, website visitors, and individuals whose information is processed through the Platform.
This policy is a statement of our information-handling practices — it is not a contract, and it does not create rights or obligations beyond those in applicable law or in our customer agreement — the Silware Terms of Service, which includes our Service Level Agreement. If this policy is inconsistent with a signed customer agreement (including the Terms of Service) about how we process a Provider’s data, the agreement governs. This policy does not apply to third-party websites or services that link to, or are integrated with, the Platform — those are governed by their own privacy policies.
The Platform is an administrative and record-keeping tool. Providers and their qualified staff remain solely responsible for all care, clinical, medication and service-delivery decisions. Nothing in the Platform (including its AI features) is professional, clinical or legal advice.
1.1 Two roles — who is responsible for what
Silware is a business-to-business platform. Our customers are NDIS provider organisations (each a “Provider”). We act in two distinct capacities:
(a) Silware-controlled data. Information we collect for our own purposes — account and billing contacts, enquiries, website visitors, and our own staff. We are directly responsible for this information under the APPs.
(b) Provider-controlled data. Information a Provider records in the Platform about its NDIS participants, the participants’ families, nominees and health contacts, and the Provider’s own workers and applicants. The Provider decides what is collected and why, and is responsible to those individuals for those decisions. We host and process this information only on the Provider’s behalf, under our contract with the Provider, and only as needed to provide, secure, support, maintain and improve the Platform.
Provider responsibilities. Each Provider is responsible for: the lawfulness, accuracy and completeness of the information it and its users enter; obtaining any consent and giving any collection notice (APP 5) required for that information; configuring roles, permissions, integrations and public forms appropriately; and its users’ compliance with law and the customer agreement. Silware is not responsible for a Provider’s decisions about what to collect or how to use it.
Silware’s own obligations are not reduced by these roles. To the extent Silware holds personal information, Silware complies with the APPs in respect of how it holds, secures and handles that information. If you are an individual whose information a Provider holds in the Platform, contact that Provider for access, correction or complaints. If you contact us instead, we will refer your request to that Provider (sections 16 and 18).
2 The kinds of personal information we collect and hold
“Personal information” is information or an opinion about an identified or reasonably identifiable individual. “Sensitive information” (including health information) receives extra protection. The categories below describe what the Platform can hold — what is actually held depends on how each Provider configures and uses it.
2.1 NDIS participants (Provider-controlled)
- Identity and contact details, date of birth, photograph, and an internal participant code.
- NDIS participant number and plan and funding information (service agreements, budgets, support items, claims).
- Health and disability information (sensitive): diagnoses and support needs; allergies; medications and medication-administration records (including PRN and Webster-pack records); behaviour-support and restrictive-practices information; mealtime-management plans; and daily care logs.
- Care records: case and progress notes, goals, incident records (including NDIS reportable-incident details), and records of which supports were provided, when and by whom.
- Documents uploaded by the Provider (plans, agreements, consents, reports, identity documents).
- Residential (SIL) information: house, room and support-plan details and visitor logs.
- People connected to a participant: emergency contacts, guardians and nominees, plan managers, support coordinators and treating health professionals — often collected indirectly.
- Cultural and preference information, which may reveal racial or ethnic origin (sensitive).
2.2 Workers and job applicants (Provider-controlled)
- Identity and contact details and emergency contacts.
- Screening, clearances and compliance records (sensitive): NDIS Worker Screening, Working With Children Checks, police checks, qualifications and training records.
- Health-related attributes (sensitive): medical conditions, restrictions and vaccination status recorded by the Provider.
- Licence and vehicle details.
- Employment, payroll and tax information, including award classification, superannuation details and tax file number (TFN) (stored encrypted and masked). The Platform does not store worker bank-account or BSB details.
- Work records: rosters, timesheets and check-in/out records, and leave requests (which may reveal health information).
Some worker information may form part of an “employee record” held by the Provider as employer, which the Privacy Act treats differently in the employer’s hands. This does not change how we protect the information we hold.
2.3 Communications (Provider-controlled)
Where a Provider connects a mailbox or messaging channel: synchronised email content and metadata and calendar events (Microsoft 365), SMS content and phone numbers, and internal staff-to-staff chat and notifications.
2.4 Public / QR forms (Provider-controlled)
Providers can publish forms that the public can complete without logging in. What is collected depends entirely on the Provider’s form design. The Provider is responsible for the design of its forms, including any collection notice and any consent required under APP 3.3 at the point of submission.
2.5 Account, billing and website information (Silware-controlled)
- Account and billing contact details, organisation details (ABN, NDIS registration number), and billing/payer details collected by our payment processor (section 10).
- Login credentials — passwords and PINs are held in our systems only in hashed (irreversible) form.
- Technical and usage information: IP address, device and browser information, logs, diagnostics and cookies (section 13).
- Enquiries, demonstration requests and support correspondence.
2.6 AI interactions
When AI features are used, we process the user’s messages, any content provided to the AI, and the Platform records it retrieves — which may include participant and worker information (section 12).
2.7 Children
Participants (and people connected to them) may be children. Consent and authority for a child are generally exercised by a parent, guardian or nominee, managed by the Provider. We apply the same protections to children’s information as to all sensitive information.
3 How we collect personal information
- Directly from you — when you register, contact us, use the Platform, or submit a form.
- From a Provider — which enters or uploads information about its participants, their contacts, and its workers, and connects mailboxes and messaging channels.
- Indirectly — some individuals’ details are provided by someone else (for example emergency contacts, nominees, health professionals, and the parties to synchronised messages), and we receive limited data back from integrated services (delivery results, invoice/payment status).
- Automatically — through cookies, logs and similar technologies (section 13).
Where Silware collects information directly for its own purposes, we take reasonable steps to notify the APP 5 matters, including through this policy. Where a Provider collects information through the Platform (including indirectly and through public forms), the Provider is responsible for any required collection notice. We collect only by lawful and fair means and deal with unsolicited information under APP 4.
4 Why we collect, hold, use and disclose personal information
For our own purposes (Silware-controlled): to create and administer accounts; to provide, operate, secure, support, maintain and improve the Platform; to process payments and billing; to communicate about the service; to respond to enquiries; to detect and prevent fraud, misuse and security incidents and maintain audit logs; to comply with legal obligations and establish, exercise or defend legal claims; and to develop and improve our products (using de-identified or aggregated information wherever practicable).
On behalf of Providers (Provider-controlled): to enable Providers to manage participants, supports, rostering, care records, incidents, compliance, workforce, communications, claiming and reporting, and to perform the functions Providers initiate through the Platform.
We do not use or disclose personal information for a purpose other than the primary purpose of collection unless an APP 6 exception applies (for example, a directly related secondary purpose you would reasonably expect, consent, or a use required or authorised by law). We do not sell personal information.
5 Sensitive information and consent
Under APP 3.3, sensitive information may generally only be collected with consent and where reasonably necessary, unless an exception applies.
- Provider-controlled data. Sensitive information about participants and workers is collected and entered by Providers in delivering NDIS supports. The Provider is responsible for having the individual’s consent (or another lawful basis). Silware processes it on the Provider’s behalf.
- Silware-controlled data. Where we collect sensitive information for our own purposes, we obtain consent unless an exception applies.
Withdrawing consent. You may withdraw consent at any time. Withdrawal does not affect prior handling, and legal obligations may still require some information to be kept. For Provider-controlled data, contact the Provider; otherwise contact us (section 18).
6 Who we disclose personal information to
We disclose personal information only as necessary for the purposes above:
- Within Silware — personnel who need it for their roles, under access controls.
- A Provider’s authorised users — according to the roles, permissions and scoping the Provider configures. Operational data is segregated between Providers (section 11).
- Service providers — third parties that help us run the Platform (Appendix A); they may use personal information only to provide services to us, under confidentiality and data-protection obligations.
- Integrated services chosen by a Provider — where a Provider enables an integration, we transmit the relevant information to perform the Provider’s instruction. Information sent to an integrated service is then handled under that service’s own terms and privacy policy; enabling an integration is the Provider’s decision and responsibility.
- Government and regulators — NDIS payment claims to the NDIA and notifications to the NDIS Quality & Safeguards Commission where a Provider initiates them, and disclosures required or authorised by law or needed to protect the safety of any person.
- Professional advisers, and parties to a business transaction (merger, acquisition or asset sale) under appropriate confidentiality and privacy protections.
7 Direct marketing (APP 7)
We may send customers and prospective business contacts information about Silware products and features, always with a simple opt-out, and we stop on request. Our electronic marketing complies with the Spam Act 2003 (Cth). We do not use participant, worker or other Provider-controlled information for marketing, and we do not use sensitive information for marketing without consent.
8 Government-related identifiers (APP 9)
The Platform handles NDIS participant numbers, worker screening numbers and worker TFNs. We do not adopt a government identifier as our own identifier of an individual, and we use or disclose them only as permitted under APP 9 — for example in NDIA payment claims and NDIS-related invoices, or as required or authorised by law. TFNs are handled under the Privacy (Tax File Number) Rule 2015, stored encrypted and masked in the interface.
9 Data quality (APP 10)
We take reasonable steps to keep personal information accurate, up to date, complete and relevant for its purpose. Most Platform information is entered and maintained by Providers and their users, and we rely on Providers to maintain the accuracy of the information they enter. You can ask for corrections at any time (section 16).
10 Payments and accounting integrations
- Subscription payments are processed by Stripe on Stripe’s hosted checkout. We do not collect or store full card numbers. Stripe handles payer details under its own privacy policy.
- Accounting/invoicing: where a Provider connects Xero, we send the invoice-relevant details (participant name, NDIS number, support items, amounts and dates) to Xero on the Provider’s instruction.
- Payroll: an optional payroll integration (for example Employment Hero) is planned but not currently active — no worker data is sent unless a Provider enables it.
11 How we hold and protect personal information (APP 11)
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure, including:
- Hosting on Amazon Web Services (AWS) in Australia, using managed database and object-storage services.
- Tenant segregation — each Provider’s operational data is held in a separate, dedicated database with its own credentials.
- Access controls — authentication for all access; role-based permissions and branch/location scoping configured by the Provider; internal Silware access limited to personnel who need it.
- Encryption in transit (HTTPS/TLS), with application-layer encryption of particularly sensitive fields (such as worker TFNs and stored integration credentials).
- Credential protection — passwords and PINs held only in hashed (irreversible) form.
- Audit logging of changes to key records, and monitoring to detect and resolve faults and security issues.
- Organisational measures — confidentiality obligations and need-to-know access for personnel and contractors.
No system is completely secure, and we cannot guarantee absolute security. To the extent permitted by law, we are not responsible for unauthorised access that results from a Provider’s or user’s failure to keep credentials secure, to configure roles and access appropriately, or to secure their own devices and networks. If we suspect unauthorised access to an account, we may restrict access to some or all of the Platform until access is verified.
11.1 Your responsibilities
Keep credentials confidential and accounts individual; use strong, unique passwords; configure roles and permissions appropriately; enter only information you are authorised to collect; do not enter payment-card numbers, bank details or government identifiers into free-text fields that are not designed for them; log out of shared devices; and report suspected security issues to us promptly (section 18). Where we make optional security features available and you choose not to use them, you are responsible for the consequences of that choice.
12 Artificial intelligence (AI) features
The Platform includes an AI assistant and related features (document understanding and search).
- What it processes: the user’s messages, content the user provides, and Platform records retrieved to answer the question — which can include sensitive information.
- Where it runs: on AWS, using the Amazon Bedrock service and its foundation models. Information processed by these models stays within AWS.
- No training on your data: the foundation models we use are not trained on, or improved using, information we send them, and it is not shared with the model providers. We do not use Provider-controlled information to train our own models.
- Human review: AI features are designed to assist. Outputs are suggestions for review by the Provider’s qualified staff — they are not professional, clinical or legal advice, and the Provider remains responsible for decisions and records.
- No significant automated decisions: we do not use personal information to make automated decisions that produce legal or similarly significant effects on an individual without human involvement. If that changes, we will update this policy first, consistent with the Privacy Act’s automated-decision-making transparency requirements.
13 Cookies, analytics and similar technologies
- Essential cookies keep you logged in and route you securely (required for the Platform to work).
- Preference cookies remember choices such as language.
- Local browser storage keeps you authenticated and temporarily holds in-progress information (for example onboarding details) in your own browser.
Error monitoring. We use Sentry for error and performance monitoring, which captures technical context (including IP address) to help us diagnose and fix faults. These diagnostics are used only to operate, secure and improve the Platform, and access to them is restricted to authorised personnel.
We do not use third-party advertising, marketing or social-media tracking pixels (such as Google Analytics or Meta Pixel) on the Platform. You can control cookies in your browser; blocking essential cookies will stop the Platform working properly.
14 Overseas disclosure and data location (APP 8)
Provider-controlled participant and worker data (databases and uploaded documents) is hosted, and AI processing performed, in AWS’s Australian (Sydney) region (ap-southeast-2).
Some supporting service providers process limited personal information outside Australia — currently in the United States and the European Union. Before disclosing personal information overseas, we take reasonable steps — including contractual data-protection terms and limiting what is shared — to ensure the recipient handles it consistently with the APPs. Australian law continues to govern our own handling of personal information. Our third-party service categories are summarised in Appendix A, and current details are available on request.
15 How long we keep personal information
We keep personal information only as long as needed for the purposes in this policy or as required by law (including NDIS and employment record-keeping obligations).
- Provider-controlled data: while a subscription is active, the Provider controls its records. Records deleted in the Platform are generally archived (soft-deleted) and recoverable rather than immediately erased. On termination, the Provider can request an export of its data in a machine-readable format (such as CSV) within the window set by our Terms of Service — supporting continuity of care and the Provider’s record-keeping obligations — after which we may delete it, except where law requires us to retain it.
- Backups: deleted information may persist in backups for a limited period before backups cycle out. Information stored locally on a user’s own device (including mobile-app caches) sits outside our hosted service and is not included in our backups.
- Minimum retention: NDIS participant, clinical and medication records are commonly required to be retained for seven years or more (longer for records relating to children); the Provider determines the applicable periods as the accountable entity.
- Destruction (APP 11.2): when information is no longer needed and no law requires its retention, we take reasonable steps to destroy or de-identify it.
- Requesting deletion: you may ask the relevant Provider (or us, for Silware-controlled data) to delete your information. Where a legal retention obligation prevents deletion — as is common for NDIS and clinical records — we or the Provider will tell you.
16 Accessing and correcting your personal information (APP 12 and 13)
You may ask for access to personal information held about you, and for it to be corrected.
- Provider-controlled information (participants, their family and contacts, and workers): the Provider controls these records and is responsible for responding to access and correction requests. Make your request directly to your Provider. If we receive such a request, we will refer it to the relevant Provider and let you know we have done so. We do not action access or correction requests for Provider-controlled records without the Provider’s instruction, except where the law requires us to.
- Silware-controlled information (account and billing contacts, enquirers, website visitors): contact us (section 18).
For Silware-controlled information: we respond within a reasonable time (generally 30 days) and may first verify your identity; there is no charge to make a request, though a reasonable cost may apply to giving access in some cases; we refuse only on grounds permitted by the Privacy Act and will give written reasons and complaint options; and if we cannot give access as requested, we will work out a reasonable alternative where appropriate.
17 Anonymity and pseudonymity (APP 2)
Where lawful and practicable — for example a general enquiry — you can deal with us anonymously or by pseudonym. This is not practicable for using the Platform or holding an account.
18 How to contact us and make a complaint
For your provider’s records: access, correction, consent and complaint requests about information your Provider holds in the Platform should be made to that Provider, which is responsible for them (section 16). For Silware’s own handling of personal information, questions about this policy, or to report a suspected security issue, contact our Privacy Officer:
Privacy Officer — Silware
Email: info@silware.com.au
Phone: +61 449 944 533
We will acknowledge a complaint about our own handling of personal information, investigate, and respond within a reasonable time (generally 30 days). If you are not satisfied, you can complain to the Office of the Australian Information Commissioner (oaic.gov.au · 1300 363 992 · GPO Box 5288, Sydney NSW 2001). NDIS service-delivery complaints can also go to the NDIS Quality & Safeguards Commission (ndiscommission.gov.au · 1800 035 544).
Accessibility and support. If you need this policy in a different format or help understanding it, contact us and we will provide reasonable assistance. You are welcome to contact us through an interpreter or the National Relay Service, and to use a family member, advocate, guardian or nominee (we may need to confirm their authority).
19 Changes to this policy
We may update this policy from time to time. The current version is always at silware.com.au/privacy.html; the version number and “last updated” date change with each substantive revision. We take reasonable steps to notify customers of significant changes.
A Third-party services
We use a small number of third-party services to operate the Platform: cloud hosting and AI processing (in Australia, as described in section 14), payment processing, communications delivery (email and SMS), accounting and payroll integrations a Provider chooses to connect, error monitoring, and Provider-initiated exchanges with government agencies (such as NDIS claiming and reporting).
We share with each service only what it needs to perform its function, under confidentiality and data-protection obligations. Each third party handles information under its own terms and privacy policy, and we are not responsible for the services a Provider chooses to connect (section 6). Some supporting services process limited information overseas, as described in section 14.
The specific services we use may change from time to time. Current details are available on request (section 18), and Providers are notified of material changes in accordance with our customer agreement.
B How this policy maps to the Australian Privacy Principles
| APP | Topic | Where addressed |
| APP 1 | Open and transparent management | §1, §18 |
| APP 2 | Anonymity and pseudonymity | §17 |
| APP 3 | Collection of solicited (incl. sensitive) information | §2, §3, §5 |
| APP 4 | Dealing with unsolicited information | §3 |
| APP 5 | Notification of collection | §3 |
| APP 6 | Use and disclosure | §4, §6 |
| APP 7 | Direct marketing | §7 |
| APP 8 | Cross-border disclosure | §6, §14 |
| APP 9 | Government-related identifiers | §8 |
| APP 10 | Quality of information | §9 |
| APP 11 | Security, retention, destruction | §11, §15 |
| APP 12 | Access | §16 |
| APP 13 | Correction | §16 |