
Privacy Policy

Effective Date: 9 April 2026
Last Updated: 22 March 2026
Version: 2.0

1. Introduction

DyslexAbility Pty Ltd (ABN 44 622 859 205) ("DyslexAbility", "we", "our", or "us") is committed to protecting the privacy, confidentiality, and security of personal information in compliance with:

  • Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs)
  • Notifiable Data Breaches scheme (Part IIIC of the Privacy Act)
  • National Disability Insurance Scheme (NDIS) Act 2013
  • NDIS Practice Standards 2021 (Core Module 3: Governance and Operational Management)
  • NDIS Code of Conduct
  • Victorian Health Records Act 2001
  • Spam Act 2003 (for electronic communications)

This Privacy Policy explains what personal information we collect, how we use, store, and protect it, and your rights regarding your data. It applies to all individuals who engage with DyslexAbility, including:

  • NDIS participants and private clients
  • Parents, guardians, and authorised representatives
  • Employees, contractors, and job applicants
  • Users of our digital platforms (myDyslexAbility Portal, iOS applications, and websites)


2. Our Digital Platforms

DyslexAbility operates the following digital systems that process personal information:

  • myDyslexAbility Portal (my.dyslexability.com.au)
    Purpose: Staff practitioner portal for client management, HR, literacy intervention, communications, and compliance
    Access: Staff only (Microsoft SSO)
  • myDyslexAbility for Parents (planned)
    Purpose: Parent/guardian portal for viewing student progress, session notes, and documents
    Access: Parents/guardians (email + SMS 2FA)
  • DyslexAbility Manipulatives
    Purpose: iOS learning application for Barton reading intervention tiles and Math-U-See blocks
    Access: Practitioners and students (in-session)
  • myDyslexAbility Time
    Purpose: iPad kiosk application for staff and visitor attendance tracking
    Access: On-site (Microsoft SSO)
  • myDyslexAbility (planned)
    Purpose: iOS employee application for HR documents, training, timesheets, and messaging
    Access: Employees (Microsoft SSO)
  • dyslexability.com.au
    Purpose: Public website with information about our services
    Access: Public


3. What Personal Information Do We Collect?

We collect only the minimum personal information necessary to provide our services and meet legal obligations.

3.1 Client and Participant Information

  • Full name, date of birth, gender
  • Contact details (address, phone number, email)
  • Emergency contact details
  • NDIS participant number and plan details (if applicable)
  • Diagnosis and disability-related information
  • Reports from allied health professionals
  • Medical history relevant to learning interventions
  • Behavioural support requirements

3.2 Student Learning Data

  • Current and past education history
  • Learning assessments, dyslexia screenings, and progress reports
  • Individualised education plans
  • Literacy intervention progress (Barton level, lesson, and step completion)
  • Session notes and practitioner observations
  • Student work samples and attempt records

3.3 Parent and Guardian Information

  • Full name and contact details
  • Relationship to student
  • Communication preferences
  • Account credentials for the parent portal (email and phone for SMS 2FA)

3.4 Employee and Applicant Information

  • Full name, contact details, and emergency contacts
  • Employment history and qualifications
  • Compliance documents (Working With Children Check, Police Check, NDIS Worker Screening, First Aid certificates)
  • Training records and professional development
  • Timesheet and attendance data
  • Performance and onboarding information

3.5 Financial and Payment Information

  • NDIS funding details and service agreement information
  • Invoice and billing records
  • Payment card details (processed securely via Stripe — we do not store card numbers)
  • Bank account details for direct payments or refunds
  • Expense claims and receipts

3.6 Digital Platform Data

  • Authentication data (Microsoft Entra ID tokens, session data)
  • Device information and IP addresses (for security and audit logging)
  • Usage analytics (page views, feature usage — no tracking cookies)
  • Files uploaded to our platform (documents, images, audio)
  • Communication records (SMS and email sent through our system)
  • Attendance and sign-in/sign-out records

3.7 Media

  • Photos and videos taken during sessions (only with explicit written consent)
  • Audio recordings for screening and assessment purposes


4. How Do We Collect Personal Information?

We collect information through:

  • Directly from you — enrolment forms, consent forms, phone calls, emails, in-person interactions, and through our digital platforms
  • From parents, guardians, or authorised representatives — for minors or individuals with guardianship arrangements
  • Through referral sources — medical professionals, NDIS plan managers, support coordinators, and educational institutions
  • Via our digital platforms — when you use the myDyslexAbility Portal, iOS applications, or our website
  • During service delivery — observations, assessments, screenings, progress notes, and session records created as part of our intervention programs
  • From Microsoft Entra ID — name, email, and profile information for staff authentication
  • From third-party services — Splose (practice management), ClickSend (SMS delivery status), MailerLite (email engagement)
  • From job boards (applicants only) — when you apply to a DyslexAbility role via SEEK or Indeed, the application data you submit through those platforms (name, email, phone, role applied for, resume, and any answers you provide) is delivered to our recruitment mailbox (`recruitment@dyslexability.com.au`) and stored in our portal Recruitment system on the same basis as a direct application via `dyslexability.com.au/apply`. We do not share additional data with SEEK or Indeed beyond what is required to post the role.

We will always tell you why we are collecting your information and how it will be used. We will not collect sensitive information without your explicit consent unless required by law.


5. Why Do We Collect and Use Personal Information?

5.1 Providing and Managing Services

  • Delivering educational interventions tailored to individual learning needs
  • Conducting dyslexia screenings and tracking student progress across literacy and numeracy programs
  • Managing appointments, scheduling, and session logistics
  • Communicating session updates, progress reports, and relevant information

5.2 Operating Our Digital Platforms

  • Authenticating users and managing access permissions
  • Storing and displaying student progress data, session notes, and resources
  • Enabling practitioners to deliver lessons using our digital tools
  • Providing parents with visibility into their child's progress (via the parent portal)
  • Managing employee HR compliance, training, and onboarding

5.3 Legal, Regulatory, and Compliance Obligations

  • Complying with NDIS registration, reporting, and auditing requirements
  • Meeting obligations under the Privacy Act, NDIS Act, and Victorian Health Records Act
  • Maintaining records required by the NDIS Quality and Safeguards Commission
  • Fulfilling duty of care and mandatory reporting obligations

5.4 Administrative and Business Operations

  • Managing bookings, invoicing, and payment processing
  • Conducting internal audits, quality improvement, and staff training
  • Analysing service delivery for continuous improvement

5.5 Safety, Security, and Risk Management

  • Maintaining audit trails of data access and modifications
  • Protecting against unauthorised access, fraud, and cyber threats
  • Managing workplace health and safety incidents
  • Responding to complaints, incidents, or investigations


6. Who Do We Share Personal Information With?

We only share personal information when necessary and in accordance with the APPs. Your information may be disclosed to:

  • NDIS and regulatory bodies
    Purpose: Compliance, reporting, auditing
    Legal basis: NDIS Act, regulatory obligation
  • Healthcare and educational professionals
    Purpose: Coordinated care and support
    Legal basis: Consent or duty of care
  • Parents, guardians, legal representatives
    Purpose: Involvement in child's education
    Legal basis: Consent or legal authority
  • Support coordinators and plan managers
    Purpose: NDIS plan management
    Legal basis: Participant consent
  • NDIS auditors and quality assurance bodies
    Purpose: Service quality and compliance monitoring
    Legal basis: Regulatory obligation
  • Government and law enforcement
    Purpose: Court orders, subpoenas, mandatory reporting
    Legal basis: Legal obligation
  • Financial institutions and payment processors
    Purpose: Payment processing (Stripe)
    Legal basis: Contractual necessity

6.1 Technology Service Providers

Our digital platforms use the following third-party services that may process personal information on our behalf:

  • Supabase
    Service: Database and file storage
    Data processed: All application data
    Location: Sydney, Australia (AWS ap-southeast-2)
    Compliance: SOC 2 Type II
  • Vercel
    Service: Application hosting
    Data processed: Application code (no PII stored at rest)
    Location: Edge network (global)
    Compliance: SOC 2, ISO 27001
  • Microsoft
    Service: Authentication (Entra ID), email (Graph API)
    Data processed: Name, email, auth tokens
    Location: Global (Microsoft DPA)
    Compliance: ISO 27001, SOC 2
  • ClickSend
    Service: SMS communications
    Data processed: Phone numbers, message content
    Location: Sydney, Australia
    Compliance: Australian company
  • MailerLite
    Service: Email marketing (with consent)
    Data processed: Email addresses
    Location: EU
    Compliance: GDPR compliant
  • Stripe
    Service: Payment processing
    Data processed: Payment card details
    Location: Global
    Compliance: PCI DSS Level 1
  • Upstash
    Service: Rate limiting (Redis)
    Data processed: IP-based rate limit counters (no PII)
    Location: Sydney, Australia
    Compliance: SOC 2, GDPR compliant
  • Sentry
    Service: Error tracking and monitoring
    Data processed: Error logs, request metadata (PII scrubbed)
    Location: EU
    Compliance: SOC 2, GDPR compliant
  • Apple
    Service: iOS app distribution, push notifications
    Data processed: Device tokens
    Location: Global
    Compliance: Apple Privacy Policy

We do not sell, rent, or trade personal information to any third party. Primary data storage is in Australia (Sydney data centre, AWS ap-southeast-2). Application hosting on Vercel processes requests globally but does not persist personal information outside Australia.

6.2 Cross-Border Disclosures (Australian Privacy Principle 8)

Two of our technology service providers process limited categories of personal information outside Australia. Under Australian Privacy Principle 8 (APP 8), we disclose the following cross-border data flows:

Error monitoring — Sentry (Germany, EU):

We use Sentry to monitor and triage technical errors that occur in our portal and mobile applications. When an error occurs, Sentry receives technical details about the failure (including stack traces) along with technical identifiers such as the affected user ID, session ID, request path, and browser/device metadata. Before any payload is transmitted, sensitive identifiers (Medicare number, NDIS participant number, bank account details, dates of birth, and free-text health information) are scrubbed by our application. Sentry stores the resulting error data in its EU (Frankfurt, Germany) data centre. We have assessed Sentry's privacy and security posture (SOC 2 Type II, GDPR-compliant, EU-only data residency selected) and consider it provides a substantially similar level of protection to the Australian Privacy Principles. By using the portal you consent to this cross-border disclosure for the purpose of technical error monitoring and incident response.
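As an added illustration of the scrubbing step described above (example code, not DyslexAbility's own), the following is a Sentry-style beforeSend hook that redacts the identifier categories listed in this section before an event leaves the application. The key names, the event shape and the sample event are assumptions; beforeSend itself is the hook the Sentry SDKs accept in their init() options.

```javascript
// Added example, not DyslexAbility's code. Key names below are assumptions
// about how an application might label the fields section 6.2 says are scrubbed.
const SENSITIVE_KEYS = new Set([
  "medicare_number", "medicareNumber",
  "ndis_number", "ndis_participant_number", "ndisNumber",
  "bsb", "account_number", "bank_account", "bankAccount",
  "dob", "date_of_birth", "dateOfBirth",
  "diagnosis", "medical_history", "session_notes", // free-text health information
]);
const REDACTED = "[redacted]";

// Walk the event recursively and build a new object; any key in SENSITIVE_KEYS
// is replaced by a marker so triage still shows that the field existed.
function scrub(value, key = "") {
  if (SENSITIVE_KEYS.has(key)) return REDACTED;
  if (Array.isArray(value)) return value.map((v) => scrub(v));
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrub(v, k);
    return out;
  }
  return value;
}

// Defence-in-depth check for unit tests: does any sensitive key still carry
// a real (non-redacted) value anywhere in the payload?
function leaksSensitiveValue(value) {
  if (Array.isArray(value)) return value.some(leaksSensitiveValue);
  if (value !== null && typeof value === "object") {
    return Object.entries(value).some(
      ([k, v]) => (SENSITIVE_KEYS.has(k) && v !== REDACTED) || leaksSensitiveValue(v),
    );
  }
  return false;
}

// Sentry calls beforeSend(event, hint) just before transmitting; the returned
// event is what leaves the application (returning null would drop it).
function beforeSend(event) {
  const clean = scrub(event);
  // Keep only the technical user identifier; email, username and IP address
  // are not needed to reproduce a failure.
  if (clean.user) clean.user = clean.user.id === undefined ? {} : { id: String(clean.user.id) };
  // Request bodies can carry form data; the request path alone is kept.
  if (clean.request) delete clean.request.data;
  return clean;
}

// Constructed sample event (all values are placeholders).
const sampleEvent = {
  message: "TypeError: cannot read progress of undefined",
  user: { id: 42, email: "parent@example.invalid", ndis_number: "NDIS-EXAMPLE" },
  request: { url: "/students/7/progress", data: { dob: "2015-02-03" } },
  extra: { form: { bsb: "000-000", account_number: "EXAMPLE", grade: 3 } },
  breadcrumbs: [{ category: "ui", data: { medicare_number: "EXAMPLE" } }],
};
```

Wiring this in is `Sentry.init({ dsn, beforeSend })`; a unit test that asserts `leaksSensitiveValue(beforeSend(event)) === false` over representative events guards against a new field name slipping past the key list.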

Email marketing — MailerLite (EU):

Where you have explicitly opted in to marketing communications, your email address and marketing preferences are stored by MailerLite in the European Union. MailerLite is GDPR-compliant. You can withdraw consent at any time via the unsubscribe link in any marketing email.

Other providers listed in section 6.1 (Microsoft, Stripe, Apple) operate global infrastructure but, under their data processing agreements with us, do not persist Australian customer personal information outside Australia for the categories of data we send them.

7. Data Storage, Security, and Retention

7.1 How We Protect Your Information

  • Encryption in transit: TLS 1.3 with HSTS (HTTP Strict Transport Security) enforced
  • Encryption at rest: AES-256 encryption (managed by Supabase)
  • Authentication: Microsoft Entra ID (SSO) for staff; email + SMS 2FA for parents
  • Access control: Role-based permissions (principle of least privilege)
  • Audit logging: All data access and modifications logged to a persistent database
  • File security: Sensitive documents use signed URLs with short-lived expiry
  • Rate limiting: All API endpoints protected against brute force and abuse
  • File validation: Upload endpoints restrict uploads to approved file types only
  • Security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
  • Dependency scanning: Automated vulnerability scanning on each deployment
  • Physical security: Locked filing cabinets, restricted access areas
  • Staff training: All staff trained on privacy obligations and data handling

7.2 Data Retention

  • Client and student records: 7 years after last service (Health Records Act, NDIS requirements)
  • Employee HR documents: 7 years after employment ends (Fair Work Act)
  • Financial and billing records: 7 years (tax legislation)
  • Communication logs (SMS/email): 3 years (business records)
  • Audit logs: 7 years (compliance requirement)
  • Website analytics: 2 years (business improvement)
  • Account credentials: until account deletion (operational)

When personal information is no longer required, it is securely destroyed (digital: cryptographic deletion; physical: cross-cut shredding).

7.3 Data Breach Response

In the event of a data breach that is likely to result in serious harm, we will:

1. Contain the breach immediately and assess the scope

2. Notify the Office of the Australian Information Commissioner (OAIC) within 72 hours as required under the Notifiable Data Breaches scheme

3. Notify affected individuals as soon as practicable, including what data was compromised, what we are doing about it, and steps they can take

4. Notify the NDIS Quality and Safeguards Commission if participant data is involved

5. Document the breach, our response, and preventive measures taken

6. Review security measures to prevent recurrence


8. Children's Data

DyslexAbility provides services primarily to children with learning difficulties. We take additional care with children's data:

  • Children never have direct accounts on our digital platforms. Parents and guardians manage access on their behalf.
  • Parental consent is obtained before collecting any child's personal information.
  • Student progress data is accessible only to assigned practitioners and authorised administrators.
  • The parent portal allows parents to view their child's progress, session notes, and documents — controlled by practitioner visibility settings.
  • Account deletion is available upon parent request, including all associated student data, subject to legal retention requirements.
  • Photos and videos of children are only taken with explicit written consent and stored securely.


9. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access your personal information: contact us to request a copy of your data
  • Correct inaccurate or outdated information: contact us with the correction details
  • Withdraw consent for data collection or media use: contact us in writing at any time
  • Request deletion of your personal information: submit a deletion request via the portal or contact us. Requests are reviewed considering active service agreements and legal retention requirements. We will respond within 30 days.
  • Opt out of NDIS audit record review: if you are an NDIS participant, you may opt out of having your records reviewed during an NDIS audit. Contact us to register your preference.
  • Opt out of marketing communications: use the unsubscribe link in emails, or contact us
  • Request data portability: request a JSON export of your personal data via the portal, or contact us for CSV/PDF format
  • Delete your account (app users): request via the portal or iOS app settings
  • Complain about privacy handling: see Section 11 below

We will respond to access and correction requests within 30 days. If we refuse a request, we will provide reasons in writing.


10. Cookies and Analytics

10.1 Our Website (dyslexability.com.au)

  • We use essential cookies only for session management and security
  • We do not use tracking cookies, advertising pixels, or third-party analytics that track individuals
  • Website analytics are aggregated and do not identify individual users

10.2 Our Portal and Apps

  • The myDyslexAbility Portal uses session cookies for authentication (Microsoft Entra ID)
  • iOS applications store authentication tokens in the device Keychain (encrypted, device-only)
  • We do not use advertising SDKs, tracking frameworks, or sell usage data
  • We do not implement App Tracking Transparency because we do not track users across apps or websites


11. How to Make a Privacy Complaint

If you have concerns about how we handle your personal information:

Step 1: Contact DyslexAbility directly. We take all privacy concerns seriously and will investigate and respond within 30 days.

Step 2: If you are not satisfied with our response, you may lodge a complaint with:

  • Office of the Australian Information Commissioner (OAIC)
    Website: www.oaic.gov.au
    Phone: 1300 363 992
  • NDIS Quality and Safeguards Commission
    Website: www.ndiscommission.gov.au
    Phone: 1800 035 544
  • Health Complaints Commissioner (Victoria)
    Website: www.hcc.vic.gov.au
    Phone: 1300 582 113


12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, or legal requirements. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this document
  • Notify affected individuals via email or in-app notification where appropriate
  • Make the updated policy available on our website and through our digital platforms


13. Contact Information

For questions about this Privacy Policy, to exercise your rights, or to make a complaint:

DyslexAbility Pty Ltd

1/45 Futures Road, Cranbourne West, Victoria 3977

Email: admin@dyslexability.com.au

Phone: (03) 5996 4006


This policy was last reviewed and updated on 17 May 2026 to add an explicit Australian Privacy Principle 8 cross-border disclosure section covering Sentry (EU/Germany) error monitoring and MailerLite (EU) email marketing. Prior review on 22 March 2026 reflected implemented data deletion request workflow, data export functionality, Upstash rate limiting, Sentry error tracking, and Vercel Pro hosting.
