KareShift ← Back to Home

Privacy Policy

Last updated: 3 July 2026

1. Introduction

Aventaryk Pty Ltd (ABN 86 628 196 921) ("we", "us", "our") is committed to protecting the privacy of your personal information. This Privacy Policy explains how we collect, use, store, and disclose personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using the Service, you acknowledge the collection, use, and disclosure of personal information as described in this Privacy Policy. You also acknowledge that certain service metadata — including transactional email content — may be disclosed to overseas recipients (including in the United States) as described in Section 11.

We collect, use, and disclose personal information where reasonably necessary for our functions and activities, to provide the Service, comply with legal obligations, and otherwise as permitted by applicable law.

1.1 Scope Across Organisations, Sectors, and Jurisdictions

This Privacy Policy applies to all Organisations you create or manage within the Service, regardless of:

  • The number of Organisations under your account
  • The country or jurisdiction in which each Organisation operates (including Australia and New Zealand)
  • The sector of care the Organisation operates in (including NDIS, Residential Aged Care, or any other sector supported by the Service)

Each Organisation's data is stored in the region assigned to its country (see Section 4.1). Where an Organisation operates in a jurisdiction with its own privacy legislation (e.g. the New Zealand Privacy Act 2020), the Organisation remains responsible for ensuring its collection and use of personal information complies with the applicable local privacy laws. We will handle data for all Organisations in accordance with this Privacy Policy and, where required, take reasonable steps to support compliance with applicable local privacy legislation.

We may introduce jurisdiction-specific privacy addenda in the future as the Service expands. If we do, we will notify you in accordance with Section 12 (Changes to This Policy).

2. Information We Collect

2.0 Sensitive Information (APP 3.3)

The Service may store sensitive information as defined under the Privacy Act 1988, including:

  • Health and disability information (participant disability type, support needs, progress notes)
  • Biometric data (GPS location for clock-in/out verification)

We only collect sensitive information where:

  • You have provided explicit consent by entering the data into the Service on behalf of your participants; or
  • The collection is required or authorised by law (e.g., NDIS record-keeping obligations); or
  • Collection is necessary to prevent a serious threat to life, health, or safety.

We apply additional safeguards to sensitive information, including encryption at rest and in transit, strict access controls, and audit logging of all access.

2.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Phone number (optional)
  • Organisation name
  • State/territory
  • Password (stored in hashed form — we cannot see your password)

2.2 Organisation Data

When you use the Service, you may enter data about your organisation, including:

  • Support worker details (name, email, phone, address, employment details, compliance documents)
  • Participant/client details (name, contact information, NDIS number, disability type, funding information)
  • Resident details (name, contact information, medical history, medications, allergies, dietary needs, mobility, cognitive status, next of kin, GP details)
  • Facility and room information (wings, floors, bed counts, occupancy)
  • Shift and timesheet records
  • Leave records
  • Progress notes and incident reports
  • Clinical observations (vitals, skin integrity, falls risk assessments)
  • Care plans (ADL tasks, frequencies, priorities)
  • AN-ACC funding classifications
  • Restrictive practice event records
  • Messages, attachments, and communication records

Important: The Organisation remains responsible for determining the purposes and lawful basis for the collection and use of participant, resident, and worker information. KareShift acts as a service provider and processes personal information only to provide the Service and in accordance with the Organisation's instructions. For the purposes of the Privacy Act 1988, we are each independent APP entities with independent obligations under the APPs.

2.2A Sensitive Information

Participant and resident records may include "sensitive information" as defined by the Privacy Act 1988, including health information, disability-related information, and clinical observations. Under Australian Privacy Principle 3.3, sensitive information requires consent or a specific exception for collection.

You are responsible for obtaining appropriate consents from participants, residents (or their guardians/representatives) before entering their sensitive information into the Service. We are entitled to rely on you having obtained these consents and authorisations before sensitive information is entered into the Service.

2.3 Information We Receive From Others

We may receive personal information from Organisations, administrators, integrations, or other authorised users of the Service (for example, when an administrator invites a worker or imports records via CSV).

2.4 Automatically Collected Information

  • IP address
  • Browser type and version
  • Device type
  • Pages visited and features used
  • GPS location is collected only when a worker actively performs a clock-in or clock-out action. KareShift does not perform continuous or background location tracking.

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Process your subscription and payments
  • Send transactional emails (shift notifications, approval alerts, compliance reminders)
  • Provide customer support
  • Detect and prevent fraud or security issues
  • Comply with legal obligations

We do not use your information to:

  • Sell or rent your data to third parties
  • Send unsolicited marketing emails (unless you opt in)
  • Build advertising profiles
  • Share participant or worker data with anyone outside your organisation

4. Data Storage and Security

4.1 Where We Store Data

Organisation CountryData RegionAWS Region
AustraliaSydney, Australiaap-southeast-2
New ZealandSydney, Australiaap-southeast-2

Additional regions (United Kingdom, UAE, Singapore) will be made available as the Service expands to those markets.

Care-related operational data is stored in the region assigned to your organisation's country. See Section 11 for details on service metadata that may be processed outside your region.

4.2 Security Measures

  • Data is encrypted at rest using AES-256 or equivalent industry-standard encryption technologies
  • All data in transit is encrypted (TLS 1.2+)
  • Passwords are hashed using bcrypt (never stored in plain text)
  • Access to production systems is restricted and logged
  • Regular automated backups with point-in-time recovery
  • Infrastructure is provisioned and managed using modern security and automation practices

While we implement reasonable security safeguards, no method of electronic transmission or storage is completely secure and we cannot guarantee absolute security.

5. Data Retention

We retain your data for the following periods:

Data TypeRetention PeriodReason
Participant & worker recordsUp to 7 years (or longer where required by law)NDIS record-keeping requirements
Timesheets & payroll dataUp to 7 years (or longer where required by law)ATO requirements
Audit logsUp to 7 years (or longer where required by law)NDIS audit compliance
Account informationDuration of account + 30 daysService provision
Notification history90 daysOperational reference

After your subscription ends, your data remains in read-only mode for 30 days to allow you to export your records. After the read-only period, your account is suspended. Following account closure, we may retain archived records for up to 7 years where required to support legal, regulatory, audit, security, or record-keeping obligations. However, the Organisation remains responsible for maintaining its own copies of records required under applicable legislation. We strongly recommend exporting all data before or during the 30-day read-only period.

6. Third-Party Services

We use the following third-party services to operate KareShift:

ServicePurposeData Shared
Amazon Web Services (AWS)Infrastructure & hostingCustomer and operational data stored within the Service (encrypted, within your region)
StripePayment processingBilling email, payment method (we never see full card numbers)
AWS SESTransactional email (secondary)Email addresses, notification content
Resend (via resend.com)Transactional email (primary)Recipient email address, sender address, email subject and body content. Processed in the United States.

We do not share your organisation's participant or worker data with any third party for any purpose other than providing the Service.

We may engage carefully selected subprocessors and service providers to support the Service. A current list of subprocessors is available on request by contacting privacy@kareshift.com.

6A. Disclosure Required by Law

We may disclose personal information where required by law, court order, warrant, regulator request, or lawful request from a government authority. Where legally permitted, we will notify the affected Organisation before making such a disclosure.

7. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access — Request a copy of the personal information we hold about you
  • Correction — Request correction of inaccurate or incomplete information
  • Export — Export supported categories of your organisation's data using the export tools made available through the Service
  • Deletion — Request deletion of your account and personal data (subject to legal, regulatory, audit, security, and record-keeping obligations)
  • Complaint — Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs

If you are based in New Zealand, you may also have rights under the New Zealand Privacy Act 2020, including the right to lodge a complaint with the New Zealand Office of the Privacy Commissioner (www.privacy.org.nz).

To exercise any of these rights, contact us at privacy@kareshift.com. We will respond within 30 days.

Where we process personal information on behalf of an Organisation, requests relating to participant or worker records should generally be directed to that Organisation in the first instance.

8. Cookies and Analytics

We use minimal cookies required for the Service to function:

  • Session cookies — to keep you logged in
  • Preference cookies — to remember your settings

We do not use third-party advertising cookies or tracking pixels. If we use analytics, we use privacy-friendly tools that do not track individual users across websites.

9. Data Breach Notification

If we become aware of a suspected security incident or eligible data breach, we will:

  • Investigate and assess the nature and scope of the incident
  • Notify the OAIC and affected individuals as soon as practicable after becoming aware that there are reasonable grounds to believe an eligible data breach has occurred, in accordance with the Privacy Act 1988 and the Notifiable Data Breaches scheme
  • Provide details of the breach, the data affected, and steps we are taking to mitigate harm

This is in compliance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988. Where an Organisation operates in New Zealand, we will also take reasonable steps to comply with applicable breach notification obligations under the New Zealand Privacy Act 2020.

10. Children's Privacy

The Service is intended for use by care providers and their authorised staff, not by children directly. We do not knowingly collect personal information directly from children. If you become aware that a child has provided us with personal information directly (not via an authorised care provider), please contact us and we will take steps to address it.

Participant records may include information about minors receiving care services. This data is entered and managed by the care provider (you) in your capacity as their service provider, and is subject to the same security and privacy protections as all other data.

11. International Data

If you are based outside Australia, your data will be stored in the region assigned to your country (see Section 4.1). We take reasonable steps to support our customers' compliance obligations in the jurisdictions in which they operate, including applicable privacy legislation in the UK, New Zealand, and other supported regions.

Cross-border operational data: Care-related operational data (participant records, shifts, timesheets, progress notes) remains in your designated region. Certain service metadata (email delivery routing, payment processing) may be processed outside that region by our service providers:

  • Email delivery (recipient address, email content, send status) — processed by Resend, Inc. (our primary email provider), whose infrastructure is located in the United States. Email content includes recipient address, subject, and message body. No participant care data is included in emails beyond what is necessary for the notification (e.g., shift time, worker name).
  • Email delivery metadata (recipient address, send status) — may also be processed by AWS SES (us-east-1) as a secondary provider
  • Payment processing — processed by Stripe (which may process payment-related information outside Australia)

We take reasonable steps to ensure that overseas recipients of personal information comply with the APPs (as required by APP 8.1), including through contractual obligations and selecting providers with robust privacy and security practices.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

12A. Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or substantially all assets, personal information may be transferred as part of that transaction subject to applicable privacy laws. Where required by law, or where reasonably practicable, we will notify you of any such transfer.

13. Complaints and Contact

If you believe we have breached the Privacy Act or the APPs, please contact our Privacy Officer first. We will acknowledge receipt of your complaint as soon as reasonably practicable and aim to provide a substantive response within 30 days.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

Aventaryk Pty Ltd
ABN: 86 628 196 921
NSW, Australia

Privacy Officer: privacy@kareshift.com
General enquiries: hello@kareshift.com

© 2026 Aventaryk Pty Ltd. All rights reserved.