overed
Terms of Service← Back to login
Legal

Privacy Policy

Callixo Pty Ltd · Last updated March 2026 · Effective immediately

At Covered, privacy is not a feature — it is the foundation of our service. Covered processes deeply sensitive personal information: children's details, educator credentials, medical records, court orders, and incident reports. We take that responsibility seriously.

1.Privacy Philosophy

Client data is sacred
Information stored in our system belongs to educators, families, and children. We are custodians, not owners.
Zero tolerance for exposure
Any compromise of personally identifiable information (PII) is a critical incident treated with SEV1 escalation.
Privacy by design
Privacy architecture is built into every layer — database, API, authentication — not bolted on as an afterthought.
Australian context
We operate under Australian Privacy Principles, the Privacy Act 1988 (Cth), and the Notifiable Data Breaches scheme.
Minimalism
We collect and retain only what is necessary for childcare management and regulatory compliance.
Transparency
Organisations know exactly what data we hold, how we protect it, who can access it, and how long we keep it.

2.Australian Privacy Principles (APPs) Compliance

Covered complies with all 13 Australian Privacy Principles (APPs) as set out in the Privacy Act 1988 (Cth). Key highlights:

PrincipleHow we comply
APP 1 — TransparencyThis policy is publicly available. Organisations are required to share it with educators and families during enrolment.
APP 2 — PseudonymityExternal API calls use deterministic pseudonyms (e.g. “Educator 1”, “Service A”) rather than real identifiers.
APP 3 — CollectionData collection is limited to fields necessary for childcare management and regulatory compliance.
APP 6 — Use & DisclosureData is used only for its primary purpose. Data is never sold or shared for marketing. We may share de-identified, aggregated statistical data with government health bodies or regulatory partners where this serves a clear public benefit. No personally identifiable information is included in any such sharing.
APP 8 — SecurityTLS 1.3 in transit, AES-256-GCM field-level encryption at rest for critical PII, row-level security for multi-tenancy.
APP 10 — AccessEducators and families can view and correct their own data via self-service dashboards.
APP 12 — Subject AccessIndividuals can request their data via privacy@coveredapp.com.au. Response within 30 days.

3.Data Security

  • Encryption in transit: TLS 1.3 for all data transmission
  • Encryption at rest: Field-level AES-256-GCM for critical PII (WWCC numbers, TFNs, medical records, court orders)
  • Database security: Row-Level Security (RLS) enforced at the database level for complete multi-tenancy isolation
  • PII redaction: All AI API calls go through a server-side redaction service with deterministic pseudonyms. Fail-closed: if redaction fails, the API call is blocked.
  • Infrastructure: All data hosted in Sydney, Australia. No sensitive data leaves Australian jurisdiction except via PII-redacted external API calls.
  • Access controls: Role-based access, session management with timeout, audit logging of all data access

4.External Service Providers

Covered shares limited data with the following providers:

ProviderData shared
Anthropic (Claude API)PII-redacted compliance data only (pseudonymised)
StripeBilling data (organisation name, email, payment method)
ResendEmail notifications (recipient email + sanitised content)
TwilioSMS notifications (recipient phone + sanitised content)
SupabaseDatabase infrastructure (data residency within Australia)

5.Data Retention

  • Active records: Retained while the organisation's subscription is active
  • Educator & staff records: 3 years from the last day the staff member provided education and care at the service (per ACECQA Regulation 183)
  • Children's general records: 3 years after the child's last day of attendance (per ACECQA Regulation 183)
  • Incident, injury, trauma & illness records: Retained until the child turns 25 (per ACECQA Regulation 183)
  • Family Assistance Law records: 7 years (regulatory requirement)
  • Financial records: 7 years (ATO requirement)
  • Audit logs: Immutable, retained for the life of the organisation
  • Deleted data: Soft-deleted immediately, hard-deleted after retention period expires

6.Your Rights

As an individual whose data is stored in Covered, you have the right to:

  • Access your personal information
  • Request correction of inaccurate data
  • Request deletion of your data (subject to regulatory retention requirements)
  • Export your data in machine-readable format (CSV, JSON)
  • Lodge a complaint with us or the Office of the Australian Information Commissioner (OAIC)

7.Contact

Privacy enquiries

For privacy inquiries, data access requests, or complaints:

Email: privacy@coveredapp.com.au

Company: Callixo Pty Ltd · Australia

If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

Callixo Pty Ltd · Covered
PrivacyTerms