SecondShift← Back to home
Sign in

Privacy Policy

Last updated: 24 March 2026

SecondShift Pty Ltd (“SecondShift”, “we”, “us”, “our”) operates the SecondShift platform at secondshift.com.au - a cloud-based software platform for allied health clinics in Australia.

This Privacy Policy explains how we collect, use, store, disclose, and protect personal information, including health information, in accordance with:

  • the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs); and
  • the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) and the Health Privacy Principles (HPPs).

By using the SecondShift platform or website, you agree to the collection and use of information as described in this policy.

1. Who this policy applies to

This policy applies to:

  • Clinic users - clinic owners, practitioners, and administrative staff who access the SecondShift platform under a clinic account (“Authorised Users”);
  • Website visitors - individuals who visit secondshift.com.au; and
  • Client and participant data - personal information and health information about a clinic's clients and NDIS participants that is inputted into or uploaded to the platform by Authorised Users.

Note on client and participant data: Where a clinic uploads personal information or health information about its own clients or NDIS participants to the SecondShift platform, the clinic is the data controller of that information and SecondShift processes it on the clinic's behalf. Individuals seeking access to, or correction of, their own health information should contact the clinic directly in the first instance.

2. Information we collect

2.1 Account and Clinic Information

When a clinic creates an account, we collect:

  • Clinic name, trading name, ABN, and registered address;
  • Practitioner names, email addresses, professional discipline, and AHPRA registration numbers;
  • Clinic contact details (phone, email, address);
  • Billing contact details and payment method information (payment card data is handled by our payment processor and is not stored by SecondShift);
  • Branding assets (logo and brand colours) uploaded by the clinic.

2.2 Client and Participant Information

When Authorised Users use the platform to manage clients or generate reports, they may enter or upload:

  • Client names, dates of birth, addresses, and contact details;
  • NDIS participant numbers, plan dates, funding categories, and plan manager details;
  • Session notes, voice recordings, and uploaded clinical documents;
  • Assessment results, therapy goals, functional capacity information, and clinical observations;
  • Health and disability diagnoses and support needs.

This information is health information and sensitive information under the Privacy Act and the HRIP Act. It is processed by SecondShift solely on behalf of the clinic.

2.3 Documents and Generated Reports

The platform stores documents uploaded by Authorised Users and reports generated using the platform, including NDIS Progress Reports, Functional Capacity Assessments, Service Agreements, and Allied Health Assessments. These documents may contain personal information and health information.

2.4 Integration Data

Where a clinic connects a third-party practice management system (such as Splose) or email and calendar service (such as Google Workspace or Microsoft 365), we collect data from those systems as authorised by the clinic, including appointment information, client records, and NDIS plan data.

2.5 Usage Data

We collect anonymised and aggregated usage data such as pages visited, features used, and session duration to improve the platform. We do not log or track client or participant personal information in our analytics systems.

2.6 Support Communications

If you contact us for support, we retain records of that communication, including your name, email address, and the content of your request.

3. How we use your information

We use personal information for the following purposes:

  • To provide and operate the SecondShift platform and deliver the services described in our subscription agreement;
  • To generate draft reports and clinical documents on behalf of practitioners (using AI tools - see section 4);
  • To process and score standardised assessments;
  • To send transactional emails, including report delivery notifications, account alerts, and billing communications;
  • To sync data from authorised integrations on behalf of clinics;
  • To provide technical support and resolve issues;
  • To improve the platform and develop new features, using anonymised and aggregated data only;
  • To comply with our legal and regulatory obligations; and
  • To protect the rights and safety of SecondShift, our users, and the public.

We do not sell personal information to any third party. We do not use client or participant health information for marketing purposes.

4. AI and automated processing

SecondShift uses artificial intelligence to assist with report generation, document processing, and clinical documentation. The following principles apply to all AI processing on the platform:

Health data stays in Australia. All AI processing of health information is performed exclusively through AWS Bedrock in the ap-southeast-2 (Sydney) region. Health information and NDIS participant data never leaves Australia for AI processing purposes. We do not send health information to OpenAI or any AI provider outside Australia.

Reports are always drafts. AI-generated content is presented to the practitioner as a draft. No report is sent to any person - including NDIS participants, plan managers, or any third party - without an explicit approval action by an Authorised User. The practitioner retains full clinical and professional responsibility for all reports.

Deterministic assessment scoring. Where the platform performs standardised assessment scoring (such as CELF-5), this is done using deterministic algorithms based on published normative data. No AI is involved in the scoring calculation.

5. Data storage and security

5.1 Data Residency - All Data Stored in Australia

All personal information and health information collected and processed by SecondShift is stored within Australia:

  • Database: Supabase PostgreSQL, hosted in the Oceania (Sydney) region;
  • File storage: Supabase Storage and AWS S3, both in ap-southeast-2 (Sydney);
  • AI processing: AWS Bedrock, ap-southeast-2 (Sydney) only;
  • Email delivery: Resend (transactional email service).

5.2 Security Measures

We implement reasonable technical and organisational measures to protect personal information, including:

  • Encryption in transit (TLS/HTTPS for all connections) and at rest (AES-256);
  • Multi-tenant data isolation - each clinic's data is logically isolated at the database level using row-level security policies;
  • Role-based access control (owner, practitioner, and admin roles);
  • JWT-based authentication with session management;
  • No logging of patient or participant personal information in application logs or error tracking systems;
  • Soft deletion only - data is never immediately destroyed and can be recovered if required; and
  • Audit logging of report approvals and sensitive data access events.

No security system is impenetrable. We cannot guarantee absolute security, and we are not responsible for unauthorised access that results from a breach of the clinic's own credentials or systems.

6. Third-party service providers (sub-processors)

We engage the following third-party services to operate the platform. Each is bound by contractual obligations to handle data securely and only for the purposes we specify:

  • AWS (Sydney region) - AI inference, file storage, and email delivery;
  • Supabase (Sydney region) - database, authentication, and file storage;
  • Vercel - web application hosting and CDN;
  • Resend - transactional email delivery;
  • PostHog (US) - anonymised product analytics (no health data);
  • Sentry - error monitoring (no health data logged).

Email delivery via clinic integrations: Where a clinic connects Google Workspace or Microsoft 365, report emails are sent through the clinic's own email provider on behalf of the clinic. SecondShift does not control the data handling practices of those providers in that context.

We may engage additional sub-processors from time to time. An up-to-date list is available on request.

7. Disclosure of information

We may disclose personal information in the following circumstances:

  • To Authorised Users within a clinic - practitioners and administrative staff within a clinic can access that clinic's own data, subject to their role permissions;
  • To sub-processors - as listed in section 6, solely for the purpose of operating the platform;
  • As required by law - where required by a court order, law enforcement request, or regulatory authority;
  • To protect safety - where necessary to protect the rights, safety, or property of SecondShift, our users, or the public; and
  • In connection with a business transfer - if SecondShift is acquired, merged, or transfers substantially all of its assets, personal information may be transferred as part of that transaction. We will notify affected users before any such transfer and ensure the recipient is bound by obligations equivalent to this policy.

We do not disclose personal information for any other purpose without consent.

8. Data retention

We retain personal information for as long as necessary to provide our services and to comply with our legal obligations:

  • Client and health records: Retained for 7 years from the date of last use for adult clients, and until the client's 25th birthday for records relating to minors, in accordance with healthcare record-keeping requirements under applicable professional standards and the HRIP Act.
  • Account information: Retained for the duration of the clinic's subscription and for a reasonable period after termination to allow for reactivation or dispute resolution.
  • Billing records: Retained for 7 years as required by the Corporations Act 2001 (Cth) and ATO record-keeping requirements.
  • Usage data: Anonymised and aggregated - retained indefinitely as it does not identify individuals.

Following account closure, we will retain data for the minimum period required by law. You may request a data export at any time before or after closure (see section 10).

9. Cross-border disclosure

Health information and NDIS participant data is not disclosed outside Australia. To the extent any personal information (such as administrative data) is handled by services with infrastructure outside Australia, we take reasonable steps to ensure those transfers comply with APP 8 of the Privacy Act, including by ensuring equivalent protections are in place.

10. Your rights

Under the Privacy Act 1988 (Cth) and, where applicable, the HRIP Act, you have the right to:

  • Access the personal information we hold about you, by making a written request;
  • Correct inaccurate, incomplete, or out-of-date information;
  • Delete your personal information, subject to our legal retention obligations;
  • Export your data in a standard format (clinics may export their data through the platform or by contacting us); and
  • Complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have handled your personal information in breach of the Privacy Act.

For client and participant health information: If you are an NDIS participant or client of an allied health clinic that uses SecondShift, your health information is held by the clinic (as data controller). Please contact your clinic directly in the first instance for access, correction, or deletion requests. We will cooperate with clinics in responding to such requests.

11. Cookies and tracking

Our website and platform use cookies and similar technologies for:

  • Authentication (keeping you logged in);
  • Session management; and
  • Anonymised analytics (PostHog).

We do not use third-party advertising cookies or track you across other websites. You can disable cookies in your browser settings, but this may affect platform functionality.

12. Notifiable data breaches

In the event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme, we will notify affected individuals and the OAIC as required by the Privacy Act 1988. We will also notify affected clinics within 72 hours of becoming aware of a breach affecting their data, in accordance with our Data Processing and Health Information Handling Schedule.

13. Children's privacy

The SecondShift platform is intended for use by healthcare professionals and clinic businesses. We do not knowingly collect personal information directly from individuals under the age of 18. Health information relating to minor clients is handled in accordance with the data retention obligations in section 8.

14. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. We will notify registered users of material changes by email at least 14 days before they take effect. The latest version will always be published at secondshift.com.au/privacy. Continued use of the platform after a change takes effect constitutes acceptance of the updated policy.

15. Contact us

For privacy enquiries, access or correction requests, or to make a complaint:

SecondShift Pty Ltd
Email: support@secondshift.com.au
Website: secondshift.com.au

We will respond to privacy requests within 30 days. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

Website: oaic.gov.au
Phone: 1300 363 992