Last updated: 6 June 2026
Aventaryk Pty Ltd (ABN 86 628 196 921) ("we", "us", "our") is committed to protecting the privacy of your personal information. This Privacy Policy explains how we collect, use, store, and disclose personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
By using the Service, you acknowledge the collection, use, and disclosure of personal information as described in this Privacy Policy. You also acknowledge that certain service metadata may be disclosed to overseas recipients as described in Section 11.
We collect, use, and disclose personal information where reasonably necessary for our functions and activities, to provide the Service, comply with legal obligations, and otherwise as permitted by applicable law.
When you create an account, we collect:
When you use the Service, you may enter data about your organisation, including:
Important: The Organisation remains responsible for determining the purposes and lawful basis for the collection and use of participant and worker information. KareShift acts as a service provider and processes personal information only to provide the Service and in accordance with the Organisation's instructions. For the purposes of the Privacy Act 1988, we are each independent APP entities with independent obligations under the APPs.
Participant records may include "sensitive information" as defined by the Privacy Act 1988, including health information and disability-related information. Under Australian Privacy Principle 3.3, sensitive information requires consent or a specific exception for collection.
You are responsible for obtaining appropriate consents from participants (or their guardians) before entering their sensitive information into the Service. We are entitled to rely on you having obtained these consents and authorisations before sensitive information is entered into the Service.
We may receive personal information from Organisations, administrators, integrations, or other authorised users of the Service (for example, when an administrator invites a worker or imports records via CSV).
We use your information to:
We do not use your information to:
| Organisation Country | Data Region | AWS Region |
|---|---|---|
| Australia | Sydney, Australia | ap-southeast-2 |
| New Zealand | Sydney, Australia | ap-southeast-2 |
Additional regions (United Kingdom, UAE, Singapore) will be made available as the Service expands to those markets.
Care-related operational data is stored in the region assigned to your organisation's country. See Section 11 for details on service metadata that may be processed outside your region.
While we implement reasonable security safeguards, no method of electronic transmission or storage is completely secure and we cannot guarantee absolute security.
We retain your data for the following periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Participant & worker records | Up to 7 years (or longer where required by law) | NDIS record-keeping requirements |
| Timesheets & payroll data | Up to 7 years (or longer where required by law) | ATO requirements |
| Audit logs | Up to 7 years (or longer where required by law) | NDIS audit compliance |
| Account information | Duration of account + 30 days | Service provision |
| Notification history | 90 days | Operational reference |
After your subscription ends, your data remains in read-only mode for 30 days to allow you to export your records. After the read-only period, your account is suspended. Following account closure, we may retain archived records for up to 7 years where required to support legal, regulatory, audit, security, or record-keeping obligations. However, the Organisation remains responsible for maintaining its own copies of records required under applicable legislation. We strongly recommend exporting all data before or during the 30-day read-only period.
We use the following third-party services to operate KareShift:
| Service | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure & hosting | Customer and operational data stored within the Service (encrypted, within your region) |
| Stripe | Payment processing | Billing email, payment method (we never see full card numbers) |
| AWS SES | Transactional email | Email addresses, notification content |
We do not share your organisation's participant or worker data with any third party for any purpose other than providing the Service.
We may engage carefully selected subprocessors and service providers to support the Service. A current list of subprocessors is available on request by contacting privacy@kareshift.com.
We may disclose personal information where required by law, court order, warrant, regulator request, or lawful request from a government authority. Where legally permitted, we will notify the affected Organisation before making such a disclosure.
Under the Australian Privacy Principles, you have the right to:
To exercise any of these rights, contact us at privacy@kareshift.com. We will respond within 30 days.
Where we process personal information on behalf of an Organisation, requests relating to participant or worker records should generally be directed to that Organisation in the first instance.
We use minimal cookies required for the Service to function:
We do not use third-party advertising cookies or tracking pixels. If we use analytics, we use privacy-friendly tools that do not track individual users across websites.
If we become aware of a suspected security incident or eligible data breach, we will:
This is in compliance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988.
The Service is intended for use by care providers and their authorised staff, not by children directly. We do not knowingly collect personal information directly from children. If you become aware that a child has provided us with personal information directly (not via an authorised care provider), please contact us and we will take steps to address it.
Participant records may include information about minors receiving care services. This data is entered and managed by the care provider (you) in your capacity as their service provider, and is subject to the same security and privacy protections as all other data.
If you are based outside Australia, your data will be stored in the region assigned to your country (see Section 4.1). We take reasonable steps to support our customers' compliance obligations in the jurisdictions in which they operate, including applicable privacy legislation in the UK, New Zealand, and other supported regions.
Cross-border operational data: Care-related operational data (participant records, shifts, timesheets, progress notes) remains in your designated region. Certain service metadata (email delivery routing, payment processing) may be processed outside that region by our service providers:
We take reasonable steps to ensure that overseas recipients of personal information comply with the APPs (as required by APP 8.1), including through contractual obligations and selecting providers with robust privacy and security practices.
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
In the event of a merger, acquisition, restructuring, or sale of all or substantially all assets, personal information may be transferred as part of that transaction subject to applicable privacy laws. Where required by law, or where reasonably practicable, we will notify you of any such transfer.
If you believe we have breached the Privacy Act or the APPs, please contact our Privacy Officer first. We will acknowledge receipt of your complaint as soon as reasonably practicable and aim to provide a substantive response within 30 days.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
Aventaryk Pty Ltd
ABN: 86 628 196 921
NSW, Australia
Privacy Officer: privacy@kareshift.com
General enquiries: hello@kareshift.com