VITL CARE Privacy Policy

Entity: VERTILE AI PTY LTD (ABN 11 688 480 499) trading as VITL CARE
Website: vitlcare.com.au
Effective date: 11 August 2025

1. Who we are and scope

This Privacy Policy explains how VITL CARE collects, uses, discloses and protects personal information when you visit our website, create an account, complete digital forms, manage documents, or otherwise use our services, including care planning and participant/representative portals. We are an Australian NDIS provider and a health service provider for the purposes of the Privacy Act 1988 (Cth).

2. Key terms

Personal information: information or an opinion about an identified individual (or reasonably identifiable).

Sensitive information / health information: includes information about health, disability, or care supports; it receives additional protections under the Privacy Act.

NDIS participant: includes a participant's authorised representative (e.g., plan nominee, child's parent/guardian) acting on their behalf.

3. What we collect

We collect information directly from you (or your authorised representative), and sometimes from third parties where reasonably necessary for service delivery and permitted by law. The specific types of information we may collect include:

3.1 Identity and Contact Information

  • Full name, preferred name, and any aliases
  • Date of birth and age
  • Gender identity and pronouns
  • Residential address, postal address, and emergency contact details
  • Phone numbers (mobile, home, work)
  • Email addresses
  • NDIS participant number, Medicare number, and other relevant identification numbers
  • Emergency contact information and next of kin details
  • Preferred communication methods and languages

3.2 Sensitive Health and Care Information

  • Medical diagnoses, conditions, and disability information
  • Functional capacity assessments and mobility requirements
  • Medication lists, allergies, and medical alerts
  • Care plans, support goals, and intervention strategies
  • Progress notes, incident reports, and service delivery records
  • Mental health assessments and psychological reports
  • Allied health reports (physiotherapy, occupational therapy, speech therapy, etc.)
  • Hospital discharge summaries and medical referrals
  • Risk assessments and safety plans
  • Dietary requirements and nutritional needs

3.3 NDIS and Funding Information

  • NDIS plan details, including plan start and end dates
  • Funding allocations across different support categories
  • Plan management arrangements (self-managed, plan-managed, or NDIA-managed)
  • Support coordinator and key worker details
  • Other service provider information and coordination requirements
  • Invoice and payment processing information
  • Service agreements and funding approvals

3.4 Account and Authentication Data

  • Username and account credentials (passwords are always stored in encrypted/hashed form - we never store passwords in plain text)
  • Account settings and preferences
  • Security questions and two-factor authentication settings
  • Login history and session information
  • Password reset requests and security verification data

3.5 Payment and Financial Information

  • Bank account details for direct debit or refund purposes
  • Payment card information (processed securely through our payment providers - we do not store full card details)
  • Billing addresses and payment preferences
  • Transaction history and payment receipts
  • Funding source information and payment authorisation details

3.6 Document and File Management

  • Documents you upload (referrals, assessments, consent forms, identification documents)
  • Digital signatures and electronic consent records
  • File metadata (creation date, file size, document type)
  • Document access logs and audit trails
  • Version history and document modification records

3.7 Technical and Usage Information

  • Device information (type, operating system, browser version)
  • IP address and geolocation data (for security and service delivery)
  • Pages visited, time spent on site, and user journey patterns
  • Form interactions, button clicks, and navigation behaviour
  • Error logs and technical diagnostic information
  • Cookies and similar tracking technologies (see Section 10)
  • Mobile app usage data and push notification preferences

3.8 Communications and Support

  • Email correspondence and attachments
  • Phone call recordings (where legally permitted and disclosed)
  • Live chat transcripts and support ticket history
  • Feedback forms, surveys, and satisfaction ratings
  • Complaint records and resolution documentation
  • Marketing communication preferences and opt-out requests

3.9 Third-Party and Professional Information

  • Information from your GP, specialists, and allied health professionals
  • Reports from other NDIS service providers
  • Plan manager and support coordinator communications
  • Government agency correspondence (NDIS Commission, Centrelink, etc.)
  • Insurance and workers' compensation information
  • Guardian, power of attorney, or plan nominee details

3.10 Emergency and Safety Information

  • Emergency contact details and relationships
  • Safety alerts, risks, and incident reports
  • Evacuation plans and emergency procedures
  • Medication administration records and alerts
  • Behavioural support plans and intervention strategies

Where it is lawful and practicable, you may interact with us anonymously or using a pseudonym (e.g., general website enquiries). However, we usually need accurate identity and health details to deliver NDIS services safely and effectively.

4. How we collect information

We collect personal information through various methods, always in accordance with applicable privacy laws:

4.1 Direct Collection from You

  • Online platforms: Registration forms, account portals, service request forms, and feedback surveys
  • Digital interactions: Email communications, secure messaging systems, and online chat support
  • Telephone: Phone consultations, support calls, and helpdesk interactions (calls may be recorded for quality and training purposes with your consent)
  • In-person meetings: Face-to-face consultations, home visits, and community-based services
  • Mobile applications: Through our mobile app interfaces and push notification preferences
  • Document uploads: When you provide digital copies of referrals, assessments, consent forms, and identification documents
  • Electronic signatures: Digital consent processes and service agreement confirmations

4.2 Automatic Collection

  • Website analytics: Through cookies, web beacons, and similar technologies that track your interaction with our website
  • Device information: Automatically collected when you access our services through various devices
  • Location data: With your permission, for service delivery and emergency response purposes
  • Usage patterns: Navigation paths, time spent on pages, and feature utilisation for service improvement
  • Security monitoring: Login attempts, session data, and security incident detection

4.3 Third-Party Sources (with appropriate consent or legal basis)

  • Healthcare providers: Medical reports, discharge summaries, and treatment plans from your doctors, specialists, and allied health professionals
  • NDIS ecosystem: Information from plan managers, support coordinators, and other NDIS service providers involved in your care
  • Government agencies: NDIS Commission, Medicare, Centrelink, and other relevant authorities as required for service delivery
  • Emergency services: In urgent situations where your safety or wellbeing is at risk
  • Legal representatives: Guardians, power of attorney holders, plan nominees, and authorised family members
  • Insurance providers: For billing, claims processing, and coordination of care
  • Educational institutions: School reports and transition planning information (where relevant)

4.4 Data Processing and Storage Security

  • Encryption: All sensitive data is encrypted both in transit (using TLS/SSL protocols) and at rest
  • Password security: User passwords are never stored in plain text - we use industry-standard hashing algorithms with salt
  • Access controls: Role-based access ensures only authorised personnel can access specific information
  • Data segregation: Different types of data are stored with appropriate security levels and access restrictions
  • Regular backups: Secure, encrypted backups with tested recovery procedures
  • Audit logging: Comprehensive logs of data access and modifications for security and compliance purposes

5. Why we collect and use information (purposes)

We handle personal and sensitive information only for lawful purposes reasonably necessary for our functions as an NDIS provider, including to:

  • deliver and coordinate care/services; develop, review, and share care plans with you and authorised parties
  • verify identity and authority; set up and administer user accounts
  • manage documents and digital forms; maintain accurate clinical and service records
  • provide customer support and respond to enquiries/complaints
  • meet NDIS Practice Standards, Code of Conduct, and other legal, clinical, and audit requirements
  • maintain service quality, safety, and security; conduct incident and risk management
  • perform internal reporting and analytics (often using de-identified or aggregated data) to improve our services
  • send service-related notices; limited direct communications about our services where permitted (you can opt out at any time).

We do not sell personal information. We do not use your health information for unrelated marketing.

6. Our legal basis and consent

We collect/handle sensitive health information with your consent where required, or under permitted health situations and other exceptions under the Privacy Act (e.g., to provide a health service, manage a serious threat to life/health, or as required/authorised by law). You may withdraw consent at any time; this may affect our ability to provide services.

7. Disclosures we may make

We only disclose personal information where necessary and appropriate, for example to:

  • you and your authorised representatives (including plan/child nominees or guardians)
  • clinicians and other providers directly involved in your care (GPs, allied health, hospitals, laboratories)
  • NDIS-related parties where necessary (e.g., plan managers, support coordinators)
  • government regulators or agencies where required/authorised (e.g., NDIS Commission, OAIC, law enforcement, public health orders)
  • IT and administrative service providers who support our systems (cloud hosting, secure messaging, email/SMS, e-signature, backups, analytics). These providers are bound by confidentiality and privacy obligations.

We will not otherwise disclose personal information without your consent unless required or permitted by law.

8. Cross-border disclosure

Some trusted service providers or data backups may be located outside Australia. Before we disclose personal information overseas, we take reasonable steps to ensure the recipient will protect it in accordance with the Australian Privacy Principles (including contractually). Where we cannot ensure this, we will seek your consent where required or avoid cross-border disclosure.

9. Data security and retention

We take reasonable technical and organisational measures to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Measures may include role-based access controls, multi-factor authentication, encryption in transit/at rest where appropriate, audit logging, secure development, vendor due diligence, staff training, and regular backups.

We retain records for periods required by health, NDIS and general recordkeeping laws, then securely destroy or de-identify them when no longer needed.

10. Cookies, analytics, and tracking

We use cookies and similar technologies to operate our site and understand usage (e.g., page performance, error diagnostics, form completion rates).

Analytics: We primarily rely on aggregated or de-identified analytics to improve our services and user experience.

Choices: You can block or delete cookies via your browser settings. Certain features (e.g., secure login, form persistence) may not work without essential cookies.

11. Access and correction

You may request access to or correction of your personal information. We will respond within a reasonable time. Where we decline access (e.g., legal exceptions), we'll tell you why and how to complain. We will correct inaccurate, out-of-date or incomplete information when you ask or when we identify issues.

12. Children and decision-makers

For children and individuals who require support to make decisions, we accept instructions from a parent, guardian, plan nominee or other authorised representative. We may request evidence of authority and will act in the participant's best interests and in accordance with applicable law.

13. Direct marketing

We do not use sensitive health information for direct marketing. If we send permitted service updates or news, you can opt out at any time via the message or by contacting us.

14. Data breaches

If personal information is involved in a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in line with the Notifiable Data Breaches scheme. We also maintain incident response procedures and will take steps to mitigate risk.

15. Links and third-party services

Our website may link to external sites or embed third-party services. Those providers have their own privacy practices. We recommend you review their privacy information.

16. Changes to this policy

We may update this Policy from time to time to reflect changes in law, technology, or our practices. The latest version will be posted on our website with the effective date. Material changes will be notified via the site or by email where appropriate.

17. Contact us

Privacy Officer – VITL CARE
VERTILE AI PTY LTD (ABN 11 688 480 499)
Email: hello@vitlcare.com.au
Postal: 11 Dodson Ct, Ferryden Park, SA 5010, Australia

For NDIS concerns related to quality and safeguards, you may also contact the NDIS Quality and Safeguards Commission. If you remain concerned about our handling of your personal information, you can complain to the OAIC. We will provide details on how to lodge a complaint on request.