1. Who we are
NoteGate is a product of AgenticX Australia (ABN: 27 680 398 305), a company based in Queensland, Australia. We operate the NoteGate platform at notegate.com.au and its subdomains.
We are bound by the Privacy Act 1988 (Cth) as amended by the Privacy and Other Legislation Amendment Act 2024, including the 13 Australian Privacy Principles (APPs).
In this policy, "we", "us", and "our" refer to AgenticX Australia. "You" refers to the organisation (provider) that subscribes to NoteGate, or an individual user of the platform. "Participant" or "resident" refers to the NDIS participant or aged care resident whose information appears in shift notes processed through NoteGate.
2. Information we collect
2.1 Subscriber and user information
When your organisation subscribes to NoteGate, we collect:
- Organisation name, ABN, trading name, and state/territory
- Primary contact name, email address, and phone number
- Billing information (processed and stored by Stripe — we do not store card numbers)
- User accounts: full name, email address, role, and login history
2.2 Participant and resident information
As part of the shift note validation service, we process:
- Participant/resident names and NDIS numbers or care identifiers
- Date of birth and support type
- Clinical documents uploaded for rule extraction (BSPs, OT assessments, care plans)
- Shift note content including structured observations and narrative text
- Validation results, scores, and correction history
This information is sensitive health information under the Privacy Act and is handled with the highest level of protection.
2.3 Automatically collected information
- Server access logs (IP address, browser type, pages accessed)
- API call metadata (timestamp, endpoint, response code — no content)
- AI transmission log metadata (token counts, latency — no prompt content stored)
3. How we use your information
We use personal information only for the purposes for which it was collected:
- Service delivery — validating shift notes, scoring documentation quality, routing notes through the approval workflow
- Account management — provisioning tenant workspaces, managing user access, processing billing
- Communications — onboarding, payment notifications, note approval alerts. We do not send marketing emails without consent.
- Platform improvement — aggregated, non-identifiable usage analytics only. We never use participant data or shift note content to train, fine-tune, or evaluate any AI model.
- Regulatory compliance — maintaining audit logs available for inspection by the NDIS Quality and Safeguards Commission, Aged Care Quality and Safety Commission, or the Department of Veterans' Affairs if required by law.
4. Disclosure to third parties
We disclose personal information only to the following categories of recipients, and only as necessary to operate the platform:
- Anthropic PBC — AI validation engine. Participant identifiers are tokenised by our DeIDProxy service before transmission. Anthropic is subject to a Zero Data Retention (ZDR) agreement — requests are not stored after call completion. No participant data is used to train AI models.
- Amazon Web Services (AWS) — Cloud infrastructure, hosted exclusively in Sydney (ap-southeast-2). Subject to AWS Data Processing Addendum.
- Stripe Inc. — Payment processing. Stripe handles billing data under their own Privacy Policy and PCI-DSS certification. We do not share participant or clinical data with Stripe.
- Resend Inc. — Transactional email delivery. Only subscriber email addresses and notification content (no participant clinical data) are transmitted.
We do not sell, rent, or trade personal information to any third party for commercial purposes.
5. Overseas disclosure and APP 8
Under Australian Privacy Principle 8, before disclosing personal information to an overseas recipient, we must either take reasonable steps to ensure the recipient does not breach the APPs, or obtain consent. Our three-mechanism framework (ZDR agreement + DeIDProxy + ai_transmission_log) satisfies this obligation.
Subscriber organisations who have obligations under APP 8 in their own privacy policies may request a copy of our ZDR agreement summary and sub-processor disclosure document by contacting privacy@notegate.com.au.
6. NDIS protected information
Shift notes processed through NoteGate may contain NDIS protected information as defined under Part 7, Division 2 of the NDIS Act 2013. Unauthorised disclosure of NDIS protected information is a criminal offence.
NoteGate treats all participant data as NDIS protected information. Role-based access controls ensure support workers can only access data for participants to whom they are explicitly assigned. All access is logged. No participant information is visible to other organisations on the platform.
If we become aware of an unauthorised disclosure of NDIS protected information, we will notify the affected organisation and the NDIS Quality and Safeguards Commission as required.
7. Aged care information
For aged care providers, shift notes processed through NoteGate may contain information subject to the Aged Care Act 2024 and the Strengthened Aged Care Quality Standards (effective 1 November 2025).
We comply with the information-handling obligations under the Aged Care Act 2024, including obligations relating to the Serious Incident Response Scheme (SIRS). Resident information is handled with the same controls as NDIS participant information.
8. Data security
We implement the following security measures to protect personal information:
- Encryption at rest — all data stored on AWS RDS and S3 is encrypted using AES-256
- Encryption in transit — all communications use TLS 1.2 or higher
- Access controls — role-based access, JWT authentication, worker-to-participant assignment scoping
- Network isolation — database and application servers in private subnets with no direct internet access
- Audit logging — all supervisor overrides and AI transmission metadata logged immutably
- VPC endpoints — AWS service calls do not traverse the public internet
- S3 region-deny policy — bucket policy prevents any access from outside ap-southeast-2
If we become aware of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.
9. Data retention and deletion
We retain personal information for as long as necessary to provide the service and meet legal obligations:
- Active account data — retained for the duration of the subscription
- Shift notes and validation records — retained for 7 years from the date of submission (consistent with aged care record-keeping requirements)
- Billing records — retained for 7 years for tax compliance
- Server access logs — retained for 90 days then deleted automatically
- AI transmission logs — retained for 3 years for regulatory audit purposes (metadata only — no content)
When a subscription is cancelled, subscriber organisation data is flagged for deletion after 90 days. Participant clinical information may be retained for the statutory 7-year period unless the subscriber requests earlier deletion and demonstrates no legal obligation to retain it.
10. Your rights
Under the Privacy Act 1988 (Cth), you have the right to:
- Access — request access to personal information we hold about you or your organisation
- Correction — request correction of inaccurate or incomplete information
- Complaint — lodge a complaint about how we have handled your information
For participant or resident information held on behalf of a subscriber organisation, access and correction requests should be directed to the subscribing organisation in the first instance, as they are the data controller for that information.
To exercise these rights, contact: privacy@notegate.com.au
11. Cookies and analytics
The NoteGate marketing website (notegate.com.au) uses only essential cookies for session management. We do not use third-party advertising cookies, tracking pixels, or behavioural analytics tools. No personal information is shared with advertising platforms.
The NoteGate application (subdomain.notegate.com.au) uses session tokens stored in browser session storage. These are cleared when the browser tab is closed.
12. Complaints
If you have a concern about how we have handled your personal information, please contact us at privacy@notegate.com.au. We will respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- GPO Box 5218, Sydney NSW 2001
13. Contact us
Privacy enquiries
For any privacy-related questions, access requests, or concerns:
AgenticX Australia
privacy@notegate.com.au
Queensland, Australia
ABN: 27 680 398 305
This policy was last updated 1 April 2026. We will notify subscribers of material changes by email at least 30 days before they take effect.