⚠️ DRAFT — NOT YET LAWYER-REVIEWED. Replace this content with a version reviewed by an Australian privacy lawyer before going to production. Australian Privacy Principles + health-information rules apply.
Privacy Policy
Last updated: 20 May 2026 (draft)
1. Who we are
This Privacy Policy applies to information collected through the Playful Pilots web platform ("Service"), operated by Playful Pilots. We are bound by the Australian Privacy Principles in the Privacy Act 1988 (Cth) and, because we handle health information about children, by the Privacy Act's health-information rules and applicable state-based health-records legislation.
2. What we collect
- Account information — name, email, phone, password (hashed), role (parent / therapist / organisation admin / platform admin), AHPRA number where applicable.
- Child information — first/last/preferred name, date of birth, school, NDIS number, address, diagnoses, allergies, medications, dietary requirements, sensory profile, behaviour information.
- Care information — goals, behaviours, daily activity logs, session notes (entered by therapists), achievements, messages.
- Technical information — IP address, browser type, login times, audit log entries.
3. How we use it
We use the information you provide to operate the Service: to display it back to you and the people you’ve given access to, to provide daily summary emails (if enabled), to maintain audit trails, to respond to support requests, and to comply with legal obligations.
4. Who can see what
- Parents see all information about their own children, plus any information shared by therapists they have invited.
- Therapists see only the children they have been invited to, and only the fields the parent has consented to share.
- Organisation admins see information about their own organisation's members and operational data only — not the clinical content about families unless they are also a therapist invited to that family.
- Platform admins (us) can access account-level metadata and audit logs to operate the Service. Access to clinical content is recorded in an admin access log; any access requires a recorded reason.
5. Sharing with third parties
We do not sell your information. We may share information with third parties only as needed to operate the Service (for example, our email-delivery provider or our hosting provider). Where Australian law requires it (e.g. a lawful police request, mandatory reporting), we will comply with that obligation. We do not transfer personal information offshore except to the extent necessary for the cloud / email infrastructure underlying the Service.
6. Storage and security
Information is stored on servers located in Australia. We take reasonable steps to protect information from misuse, interference, loss, unauthorised access, modification or disclosure, including HTTPS, password hashing with bcrypt, optional two-factor authentication, role-based access controls, audit logging, and regular backups. No system is perfectly secure.
7. Retention
We retain information for as long as your account is active. If you close your account, we retain audit-relevant records for at least 7 years to meet legal and clinical-record requirements, and de-identify or delete other content where reasonably practicable.
8. Children's information
Information about children is provided to us by their parent or legal guardian. Children do not have their own accounts. We do not knowingly accept information provided directly by a child under 16.
9. Your rights
- Access — you can request a copy of the personal information we hold about you (and your children).
- Correction — you can ask us to correct information that is inaccurate, out of date, incomplete or misleading.
- Complaints — you can complain about how we’ve handled your information. We will respond within 30 days. If you are not satisfied, you can complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
10. Cookies
We use a small number of cookies that are strictly necessary to operate the Service (session cookies, CSRF protection). We do not use third-party advertising or tracking cookies.
11. Changes
We may update this Privacy Policy from time to time. We will tell you about material changes by email or in-app notice.
12. Contact
Privacy enquiries: privacy@playfulpilots.com.au.