Privacy Policy

HappyHome is operated by Elite Care and Services Group Pty Ltd (ACN 694 818 641) (“HappyHome”, “we”, “us”, “our”). We provide subcontracted fieldwork — transport, cleaning, gardening, and home maintenance — to registered NDIS and aged-care providers in Melbourne.

This Privacy Policy describes how we collect, use, store, disclose, and protect personal information. We treat all personal information in accordance with the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth), the NDIS Code of Conduct, and our contractual obligations to the registered providers we partner with.

Although HappyHome's turnover currently sits below the $3 million threshold at which the Privacy Act mandatorily applies, we have chosen to operate as an APP-compliant entity from day one. This protects the participants we work with, satisfies our anchor partners' contractual requirements, and avoids a future regime shift as the business scales.

We collect only the information we need to deliver services safely and to meet our compliance obligations.

From registered provider partners

• Provider organisation details (legal name, ABN, contact persons)
• Service requests on behalf of participants
• Participant identifying details necessary for service delivery (typically first name + last initial at job-acceptance stage; full name + address revealed to the assigned subcontractor on dispatch)
• Participant NDIS plan details limited to what is necessary for the specific service (e.g. funding category, support hours allocated)
• Participant access notes (entry instructions, pets, hazards)

From subcontractors

• Identity and contact details (name, address, phone, email, date of birth, ABN)
• NDIS Worker Screening Check (WSC) reference, expiry, and verification evidence
• Trade licences, insurance certificates of currency, vehicle and driver licence details (where relevant to the service line)
• Banking details for invoice settlement
• Right-to-work documentation
• Acknowledgement of the NDIS Code of Conduct

From website visitors and enquirers

• Information you provide via our partner-enquiry form (provider name, ABN, contact name, email, phone, service interest)
• Standard server-side analytics (Google Analytics — anonymised IP, device, browser, referrer, pages visited) where you have consented to analytics cookies

From service delivery

• Job records (date, location, services performed, time on site)
• Service-completion photos (we instruct subcontractors to focus on the work performed and to avoid capturing identifying features of participants wherever practicable)
• Incident reports, safety concerns, and complaints

We do not seek to collect government identifiers (Medicare number, TFN) unless an anchor partner contractually requires it for a specific service.

We collect personal information for the following purposes:

• Service delivery. To dispatch the right subcontractor to the right participant at the right time, with the access and safety context needed to perform the work.
• Anchor partner reporting. To provide registered providers with the documentation they require to meet their own NDIS Practice Standards obligations.
• NDIS audit. To produce audit-ready service records and incident documentation on request.
• Compliance verification. To confirm subcontractors hold a current Worker Screening Check, trade licence, and insurance cover before dispatch.
• Invoicing and payment. To process payments to subcontractors and invoices to provider partners.
• Incident response. To investigate and respond to safety incidents, complaints, and Code-breach reports.
• Legal and regulatory compliance. To meet our obligations under the Privacy Act 1988, the NDIS Act 2013, taxation law, and workplace safety law.

We will not use personal information for any unrelated purpose without consent, except where the law permits or requires it.

We tell you about our collection of your personal information through:

• This Privacy Policy
• Collection notices on our partner-enquiry form
• Our subcontractor onboarding pack, which includes a privacy notice and the NDIS Code of Conduct acknowledgement
• Notices given by the registered provider to participants at the point the provider engages us to deliver a service

We use personal information only for the purposes set out in section 3. We disclose personal information only to:

• The registered provider who engaged us to deliver the service
• Assigned subcontractors, limited to the participant information they need to perform the specific job safely
• Government and regulatory bodies where required by law (NDIS Quality and Safeguards Commission, Australian Taxation Office, WorkSafe Victoria, OAIC, courts and tribunals)
• Insurers and legal advisors where reasonably necessary for the defence or pursuit of legal claims
• Service providers that support our operations (cloud hosting, email, accounting software) under written confidentiality and data protection terms

We do not sell personal information.
We do not use participant information for marketing.

We do not engage in direct marketing to NDIS participants under any circumstances. We may from time to time communicate with provider partners about our services; provider contacts may opt out of these communications at any time by emailing [email protected].

We host data within Australia wherever practicable:

• Operational data (jobs, sub records, participant access notes) is stored in Postgres databases hosted in Oracle Cloud Infrastructure — Melbourne region (ap-melbourne-1).
• Application data for our portal stack is stored in Supabase hosted in the Australia region.
• File attachments (incident photos, licence evidence) are stored in Cloudflare R2 with EU/AU edge presence.

Where a service provider operates from outside Australia (for example, email delivery via Brevo or SendPulse), the data sent is limited to the minimum required to perform the function, and we take reasonable steps to ensure that provider handles the information in a manner consistent with the APPs.

We do not adopt, use, or disclose Commonwealth government identifiers (such as Medicare numbers or Tax File Numbers) as our own identifiers. NDIS participant numbers are held only when supplied to us by the registered provider for the specific purpose of service delivery or anchor reporting.

We take reasonable steps to ensure personal information we hold is accurate, complete, and up to date. Participants may request corrections through the registered provider; subcontractors may correct their own records directly via the sub portal or by emailing [email protected].

We protect personal information through:

• Encryption in transit (TLS) on all web traffic and API calls
• Encryption at rest on databases and file storage
• Role-based access control — operators, subcontractors, and provider contacts see only the information they are authorised to see
• Access logging — all access to participant records is logged
• Sub portal data minimisation — subcontractors see participant first name + last initial only until a job is accepted; full details are revealed on dispatch
• Incident reports restricted access — sensitive incident reports are visible only to HappyHome operators and the relevant anchor partner
• Secure deletion when data is no longer required

We retain personal information for 7 years after the engagement ends, consistent with the NDIS audit retention period and other legal record-keeping obligations. After that period, we securely destroy or de-identify the information.

You have the right to ask us what personal information we hold about you and to be given access to it.

• Participants should request access via the registered provider that engaged us. The provider will coordinate the request with us and respond to you. We will supply the information within 30 days of the request.
• Subcontractors may request access directly by emailing [email protected].
• Provider contacts and website enquirers may request access directly via the same email address.

We may charge a reasonable fee to cover the cost of retrieving and providing access to extensive records, and will inform you of any fee before proceeding.

If the personal information we hold about you is inaccurate, incomplete, out of date, or misleading, you may ask us to correct it. We will correct the information without charge, or explain in writing why we have declined to do so.

If we become aware of an actual or suspected data breach that is likely to result in serious harm to any individual, we will:

1. Notify the affected anchor partner within 4 hours of becoming aware of the breach
2. Investigate and contain the breach in coordination with the anchor partner
3. Notify the Office of the Australian Information Commissioner (OAIC) within the 30-day window required under the Notifiable Data Breaches scheme, where the breach meets the threshold of an “eligible data breach”
4. Notify affected individuals in coordination with the anchor partner

If you believe we have breached the Australian Privacy Principles, the NDIS Code of Conduct, or this policy, you may complain to us at [email protected]. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.

If you are not satisfied with our response, you may complain to:

• Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au — 1300 363 992
• NDIS Quality and Safeguards Commission — www.ndiscommission.gov.au — 1800 035 544 (for matters relating to the NDIS Code of Conduct or participant safety)

We may update this Privacy Policy from time to time. The current version is always published at https://happyhome.au/privacy, with the effective date shown at the top. Material changes will be communicated to provider partners and subcontractors via their usual contact channel.

For all privacy-related enquiries, requests, or complaints:

• Email: [email protected]
• General contact: [email protected]
• Postal: Elite Care and Services Group Pty Ltd, Melbourne, Victoria