Privacy Policy

Last updated: March 2026  |  Version 1.0

1. About This Policy

Polished Surfaces Pty Ltd (ABN 60 690 408 854), trading as SupportPath (“we”, “us”, “our”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal information in accordance with the Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”) contained in Schedule 1 to the Privacy Act.

This policy applies to all personal information we collect through the SupportPath provider directory and listing service at supportpath.com.au, associated applications, and any other services we operate.

By using SupportPath, you consent to the collection and use of your personal information as described in this policy. If you do not agree with this policy, please do not use SupportPath.

2. What Personal Information We Collect

We may collect the following categories of personal information:

From registered users (providers):

  • Full name and business name;
  • Business email address and phone number;
  • Business address and state/territory;
  • NDIS registration number;
  • ABN (Australian Business Number);
  • Payment information (processed by Stripe — we do not store card numbers);
  • Working With Children Check (WWCC) details, where provided;
  • National Police Check status, where provided;
  • Account credentials (email and hashed password);
  • Profile content (descriptions, photos, service categories).

From registered users (families / participants):

  • Full name and email address;
  • Mobile phone number (used for SMS verification only);
  • Suburb or postcode;
  • Messages sent to providers through SupportPath;
  • Saved provider lists and search preferences.

From all users (including public visitors):

  • IP address;
  • Browser type and version;
  • Operating system;
  • Pages visited and search queries;
  • Referring URL;
  • Date and time of access;
  • Session identifiers;
  • Cookie data (see Section 10).

ToS acceptance records:

When you accept our Terms of Service, we record your email address, IP address, user-agent, and the date/time of acceptance. This record constitutes evidence of your informed consent to our Terms.

Enquiries and communications:

If you contact us (e.g. via email or a contact form), we collect your name, email address, and the content of your communication.

Sensitive information:

In certain circumstances, we may collect sensitive information as defined under the Privacy Act, including:

  • Health or disability information included in incident reports or support needs descriptions;
  • Criminal record information (e.g. police check results uploaded by providers);
  • Information about a person's racial or ethnic origin, religious beliefs, or sexual orientation where voluntarily provided for profile matching purposes (e.g. cultural background, LGBTQIA+ friendly status).

We only collect sensitive information where you have consented, or where collection is required or authorised by law (such as for incident reporting under the NDIS framework). Sensitive information is handled with additional care and access controls.

Verification documents:

Providers may upload verification documents including NDIS Worker Screening Check certificates, Working with Children Check documents, First Aid certificates, insurance certificates, and qualification documents. These are stored securely and only accessible to the provider and our administrative team for verification purposes.

3. How We Collect Personal Information

We collect personal information:

  • Directly from you when you register an account, submit a connection request, or interact with SupportPath;
  • Automatically through cookies, server logs, and analytics tools when you visit SupportPath;
  • From third-party payment processors (Stripe) during subscription transactions;
  • From publicly available sources, including the NDIS Quality and Safeguards Commission's public Provider Register. We have sourced provider data (including business names, suburbs, and registered service types) from this register to populate the SupportPath directory. Providers whose data has been sourced this way may claim and manage their profile at any time.

4. Why We Collect and Use Personal Information

We collect and use personal information for the following purposes:

  • To operate, maintain, and improve SupportPath;
  • To create and manage provider accounts and listings;
  • To process subscription payments via Stripe;
  • To connect families and individuals with NDIS providers and support workers;
  • To verify provider registration and credentials;
  • To send transactional communications (account confirmations, payment receipts, subscription renewal notices);
  • To send service-related updates and, where you have consented, marketing communications;
  • To detect and prevent fraud, scraping, abuse, and security threats;
  • To comply with our legal obligations;
  • To enforce our Terms of Service;
  • To analyse usage patterns and improve the service.

We will not use your personal information for a purpose materially different from those listed above without your prior consent, unless required or authorised by law.

5. Disclosure to Third Parties

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

We may disclose your personal information to the following categories of third parties:

Service providers:

  • Stripe — payment processing. Stripe collects and stores payment card details in accordance with PCI DSS standards. We receive transaction confirmation data only;
  • Cloud infrastructure providers — for database hosting, website hosting, and search functionality. Data is stored with encryption at rest and in transit;
  • Email service providers — for delivering transactional emails, account notifications, and service communications;
  • Twilio — for sending SMS verification codes and account notifications;
  • Live chat provider — for providing real-time customer support. Your name, email, and chat messages may be collected when you use this feature;
  • Google Analytics — for understanding how users interact with SupportPath, including pages visited and session duration;
  • hCaptcha — for bot protection. hCaptcha processes IP addresses and browser data to verify that users are human.

Legal and regulatory disclosures:

We may disclose personal information if required to do so by law, court order, or regulatory authority, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business transfers:

If SupportPath is acquired, merged, or undergoes a change of control, your personal information may be transferred to the acquiring entity, subject to equivalent privacy protections.

6. How We Store and Protect Your Information

We implement reasonable technical and organisational security measures to protect your personal information against unauthorised access, disclosure, alteration, and destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS);
  • Encryption of data at rest;
  • Access controls and authentication for database and administrative access;
  • Row-level security policies;
  • Regular review of security practices.

No method of data transmission or storage is 100% secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security. If you become aware of any security concerns, please contact us at hello@supportpath.com.au.

Data retention periods:

We retain your personal information for as long as your account is active, or as necessary to provide services, comply with legal obligations, resolve disputes, and enforce agreements. Specific retention periods:

  • Active accounts: Data retained for the lifetime of the account;
  • Closed accounts: Core records (name, email, transaction history) retained for 7 years to comply with Australian tax and record-keeping obligations;
  • Messages: Retained for 2 years after account closure, then deleted;
  • Incident reports: Retained for 7 years (NDIS reporting requirements);
  • Server logs and IP addresses: Retained for 12 months, then deleted or anonymised;
  • Verification documents: Retained for the validity period of the document plus 12 months;
  • ToS acceptance records: Retained permanently as evidence of consent.

When personal information is no longer required, we will securely delete or de-identify it.

7. Your Rights Under the Australian Privacy Principles

Under the Privacy Act 1988 (Cth), you have the following rights in relation to your personal information:

Access:

You may request access to the personal information we hold about you. We will provide access within a reasonable time, subject to exceptions permitted by the Privacy Act (e.g. where access would unreasonably impact the privacy of other individuals).

Correction:

If you believe any personal information we hold about you is inaccurate, incomplete, or out of date, you may request that we correct it. Registered providers can update most profile information directly through their dashboard.

Deletion:

You may request that we delete your personal information. We will comply unless we are required by law to retain it, or retention is necessary to resolve outstanding disputes or enforce agreements. Note that deleting your account will remove your provider listing from SupportPath.

Complaints:

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us first (see Section 11). If you are not satisfied with our response, you may escalate the complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

To exercise any of these rights, please contact us at hello@supportpath.com.au. We may require you to verify your identity before processing your request.

8. Direct Marketing

We may send you marketing communications about SupportPath features, updates, and services where you have consented or where we reasonably believe you would expect to receive such communications based on your use of SupportPath.

You may opt out of marketing communications at any time by:

  • Clicking the “unsubscribe” link in any marketing email;
  • Updating your notification preferences in your account settings;
  • Contacting us at hello@supportpath.com.au.

Opting out of marketing communications will not affect transactional communications (e.g. payment receipts, security alerts, account notifications).

9. Cross-Border Data Transfers

Some of our third-party service providers may store or process data in jurisdictions outside Australia, including the United States and the European Union. When we disclose personal information to overseas recipients, we take reasonable steps to ensure that the recipient handles that information in a manner consistent with the Australian Privacy Principles, including through contractual data processing agreements.

10. Cookies

We use cookies and similar tracking technologies to operate and improve SupportPath. Cookies are small files stored in your browser.

Types of cookies we use:

  • Essential cookies: Required for SupportPath to function (e.g. session authentication, security tokens). These cannot be disabled.
  • Analytics cookies: Help us understand how users interact with SupportPath (e.g. pages visited, search terms). We use Google Analytics for website usage analytics and hCaptcha for bot protection.
  • Preference cookies: Remember your settings and preferences.

You can control or disable cookies through your browser settings. Note that disabling essential cookies may prevent you from accessing certain features of SupportPath, including your provider dashboard.

11. Contact for Privacy Concerns

If you have any questions, concerns, or complaints about this Privacy Policy or the way we handle your personal information, please contact our Privacy Officer:

Privacy Officer — SupportPath

Email: hello@supportpath.com.au

General: hello@supportpath.com.au

We will acknowledge your complaint within 5 business days and endeavour to resolve it within 30 days. If we cannot resolve your complaint to your satisfaction, you may contact the OAIC at oaic.gov.au or by calling 1300 363 992.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated policy on this page with a revised “Last updated” date. For material changes, we will notify registered users by email. Your continued use of SupportPath after the effective date of any changes constitutes your acceptance of the updated policy.