Privacy Policy

Last updated: 20 March 2026

SecondShift (“we”, “us”, “our”) operates the SecondShift platform (secondshift.com.au), a cloud-based software platform for allied health clinics in Australia. We are committed to protecting the privacy and security of the personal information we collect and handle.

This Privacy Policy explains how we collect, use, store, disclose, and protect personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Information we collect

Account information

When you create an account, we collect your name, email address, profession/discipline, clinic name, and clinic contact details.

Client/participant information

When practitioners use the platform, they may enter information about their clients, including names, dates of birth, NDIS participant details, session notes, assessment results, and clinical observations. This information is entered and controlled by the clinic. SecondShift processes this data on behalf of the clinic.

Documents and reports

The platform stores uploaded documents (session notes, referrals, assessments) and generated reports (progress reports, assessment results, functional capacity assessments). These may contain personal and health information about clients.

Usage data

We collect anonymised usage data such as pages visited, features used, and session duration to improve the platform. We do not track or log client/participant personal information in our analytics.

2. How we use your information

We use personal information to:

  • Provide and operate the SecondShift platform
  • Generate reports and clinical documents on behalf of practitioners
  • Process and score standardised assessments
  • Send transactional emails (report delivery, account notifications)
  • Improve the platform and develop new features
  • Provide technical support

We do not sell personal information to third parties. We do not use client health information for marketing purposes.

3. AI and data processing

SecondShift uses artificial intelligence to assist with report generation, clinical interpretation, and document processing. All AI processing of health data is performed using Amazon Bedrock in the AWS ap-southeast-2 (Sydney) region. Health data is not sent outside Australia for AI processing.

AI-generated content is always presented as a draft for practitioner review and approval before being finalised or sent. The practitioner retains full clinical responsibility for all reports.

Assessment scoring (e.g. CELF-5) is performed using deterministic algorithms with no AI involvement. The scoring is based on published normative tables and produces the same result every time for the same input.

4. Data storage and security

All data is stored within Australia:

  • Database: Supabase PostgreSQL, hosted in the Oceania (Sydney) region
  • File storage: Supabase Storage (Sydney) for uploaded documents; AWS S3 (ap-southeast-2) for generated PDFs
  • AI processing: Amazon Bedrock (AWS ap-southeast-2) only

We implement the following security measures:

  • Encryption in transit (TLS/HTTPS) and at rest (AES-256)
  • Row-level security policies enforced by the database itself, so each clinic can only read and write rows belonging to that clinic
  • Role-based access control (owner, practitioner, admin roles)
  • Multi-tenant data isolation enforced at the database level
  • No logging of patient/participant personal information in application logs
  • Soft deletion by default: records deleted through the platform are flagged as deleted rather than destroyed, and are permanently erased only on explicit request or at the end of the retention period described in section 5
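The row-level security and soft-deletion measures above are typically expressed as PostgreSQL policies. The following is an added illustration of that pattern, not SecondShift's actual schema or policies: the table, column and JWT-claim names (`clients`, `clinic_id`, `deleted_at`, the `clinic_id` claim) are assumptions, and it assumes the Supabase `authenticated` role and the `request.jwt.claims` setting that Supabase populates from the caller's token.

```sql
-- Illustrative multi-tenant row-level security setup (assumed names, not a real schema).
create table clients (
  id            uuid primary key default gen_random_uuid(),
  clinic_id     uuid not null,            -- tenant key: which clinic owns this record
  full_name     text not null,
  date_of_birth date,
  deleted_at    timestamptz               -- soft-delete marker; the app never hard-deletes
);

-- Deny by default: once RLS is enabled, a table with no matching policy returns no rows.
alter table clients enable row level security;
alter table clients force row level security;   -- also applies to the table owner

-- Read the caller's clinic from the JWT claims Supabase exposes to the session.
-- Assumes clinic_id was added to the token as a custom claim at sign-in.
create or replace function current_clinic_id() returns uuid
language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true)::jsonb ->> 'clinic_id', '')::uuid
$$;

-- SELECT: only rows of the caller's clinic, and only rows not soft-deleted.
create policy clients_select on clients
  for select to authenticated
  using (clinic_id = current_clinic_id() and deleted_at is null);

-- INSERT: a practitioner cannot create a record under another clinic's id.
create policy clients_insert on clients
  for insert to authenticated
  with check (clinic_id = current_clinic_id());

-- UPDATE: both the existing row (using) and the new values (with check) must stay in
-- the caller's clinic, so clinic_id cannot be rewritten to move a record between tenants.
-- "Deleting" a client is an update that sets deleted_at, which the SELECT policy then hides.
create policy clients_update on clients
  for update to authenticated
  using (clinic_id = current_clinic_id())
  with check (clinic_id = current_clinic_id());

-- No DELETE policy is created, so DELETE is denied for the authenticated role.

-- Quick check from psql (needs a role allowed to SET ROLE authenticated, e.g. postgres):
-- impersonate a user of one clinic and confirm no other clinic's rows are visible.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"clinic_id": "11111111-1111-1111-1111-111111111111"}', true);
select count(*) from clients where clinic_id <> current_clinic_id();   -- expect count = 0
rollback;
```

The point of the deny-by-default model is that a bug in the application layer (a missing `where clinic_id = ...` filter, for example) cannot expose another clinic's records, because the database applies the tenant predicate to every query made under the `authenticated` role.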

5. Data retention

We retain your data for as long as your account is active. Client and report data is retained in accordance with Australian healthcare record-keeping requirements (7 years after the last service for adults; until the client turns 25 for minors).

If you close your account, we will retain data for the minimum period required by law, after which it will be securely deleted. You may request data export at any time.

6. Third-party services

We use the following third-party services to operate the platform:

  • Supabase (database and authentication) – Sydney region
  • AWS (AI processing and PDF storage) – Sydney region
  • Vercel (application hosting) – edge network with Sydney PoP
  • Resend (transactional email delivery)
  • PostHog (anonymised product analytics)

When a clinic connects their own email provider (Google Workspace or Microsoft 365), report emails are sent through that provider on behalf of the clinic.

7. Disclosure of information

We may disclose personal information:

  • To the clinic that controls the data (practitioners accessing their own clinic's client information)
  • To third-party service providers listed above, solely for the purpose of operating the platform
  • When required by law, regulation, or court order
  • To protect the rights, safety, or property of SecondShift, our users, or the public

8. Your rights

Under the Australian Privacy Act, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your data (subject to legal retention requirements)
  • Export your data in a standard format
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

9. Data breach notification

In the event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme, we will notify affected individuals and the OAIC as required by the Privacy Act 1988.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The latest version will always be available at this page.

11. Contact us

If you have questions about this Privacy Policy or wish to make a privacy-related request, please contact us:

Email: hello@secondshift.com.au