Privacy policy.
How we collect, use, and protect personal information across the ori.tools platform.
Last updated 31 May 2026
- 01 /
About this policy
ori.tools is operated by Matthew25 AI (ABN 19 692 319 476). We are committed to protecting the privacy of personal information, including health information, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This policy applies to all personal information collected through our platform, including the Comply, Food Safety, and Learning modules.
- 02 /
Information we collect
We collect the following categories of personal information:
- Identity information: Name, email address, role, job title
- Account information: Login credentials (passwords are hashed, never stored in plain text)
- Usage information: Training completion records, policy acknowledgments, compliance activity logs
- Health-related information: Where applicable, health information that appears within care-related and compliance documentation (for example, care notes, incident records and policy documents)
- Uploaded content: Profile photos, certificates, training documents, policy documents
We collect personal information directly from you or your organisation's administrator when they invite you to the platform. We do not collect information from third parties without your knowledge.
- 03 /
How we use your information
We use personal information for the following purposes:
- Providing and operating the ori.tools platform and its modules
- Authenticating your identity and managing your account
- Tracking training completion and compliance status for your organisation
- Generating AI-assisted summaries and search results from your organisation's policy documents
- Sending service notifications (training reminders, system updates)
- Improving the platform based on aggregated, de-identified usage patterns
We will not use your personal information for purposes other than those described above without your consent, except where required or authorised by law.
- 04 /
Health information
Where our platform processes health information (as defined under the Privacy Act), we apply additional protections in accordance with APP 3 (collection of sensitive information). For resident and care-related health information, the provider organisation is the data controller and is responsible for obtaining any consent required to collect it; ori acts as the data processor and handles that information solely on the organisation's instruction, for the purpose for which the organisation provided it — typically clinical documentation, care planning, or regulatory compliance. Where you provide health information about yourself directly to us, we collect it only with your consent and use it solely for that purpose.
- 05 /
Data storage & security
Your data is protected by the following measures:
- Data residency: Resident and operational data is stored in Australia (AWS ap-southeast-2, Sydney region) via our database provider Supabase. Some account and service data is handled by overseas sub-processors — see “Data sharing & disclosure” below
- Encryption at rest: AES-256 encryption for all stored data
- Encryption in transit: TLS encryption for all data transmission
- Access control: Row-Level Security (RLS) ensures users can only access data belonging to their organisation
- Authentication: Multi-factor authentication (MFA) available for all accounts
- Infrastructure certification: Our infrastructure provider (Supabase) maintains SOC 2 Type II certification
- Backups: Daily automated backups with point-in-time recovery capability
- 06 /
Data sharing & disclosure
We do not sell, rent, or trade personal information. We may share information with:
- Your organisation's administrators: Who have access to manage users, view compliance reports, and configure the platform for their organisation
- Sub-processors in Australia: Supabase and Amazon Web Services (database hosting and file storage), Vercel (application hosting), and AWS Bedrock and Amazon Transcribe (the AI used for the policy agent, regulatory-standards search, summarisation and voice transcription — all in the Sydney region)
- Sub-processors overseas (United States): Clerk (authentication and identity), Stripe (payment processing), Resend (email delivery), and Sentry (error monitoring)
- Law enforcement or regulators: Where required by Australian law or court order
All sub-processors are bound by data processing agreements. In accordance with APP 8, where personal information is handled by the overseas sub-processors listed above, we take reasonable steps to ensure they protect it consistently with the Australian Privacy Principles. Resident and operational data — including health information — remains stored exclusively in Australia.
- 07 /
Data retention & deletion
For resident, care and operational data entered into ori.tools (“Customer Data”), the provider organisation is the data controller and ori is the data processor. Provider organisations carry record-keeping obligations under the Aged Care Act 1997 (Cth), the Records Principles 2014 and related health-records legislation — commonly seven years or longer. We will not unilaterally destroy a provider organisation's Customer Data on a subscription lapse or any other event short of a written deletion instruction.
While your subscription is active:
- Customer Data is retained continuously so the service can be used normally
- Data is encrypted in transit and at rest; tenant isolation is enforced at the database level
If your subscription lapses or is cancelled:
- You have a 30-day export window during which authorised users can sign in to download Customer Data in a structured, machine-readable format. Contact privacy@ori.tools if you need help with export
- After the 30-day window, platform access is revoked, but Customer Data is preserved on our systems — we do not run any automatic deletion triggered by subscription status. This is deliberate so that a commercial event does not destroy records you may be legally required to retain
- You can resume normal access at any time by reactivating the subscription
If you instruct us in writing to delete Customer Data (offboarding):
- We make Customer Data available for export for 30 days from the date of the deletion instruction
- At the end of that window, we delete Customer Data from the live platform within 30 further days
- Deleted records cycle out of routine backups within the backup retention window (currently 7–28 days, depending on plan)
- Sub-processors are instructed to delete associated personal information per their data processing agreements; some (for example Stripe) retain limited records to meet their own financial or legal obligations
- The deletion event is recorded in an internal deletion log and we confirm completion to you on request
Audit logs of AI model invocations are retained for seven years to support clinical-records traceability. Billing records held by our payment processor are retained for the period required by Australian financial record-keeping obligations (commonly seven years). Application and error logs are retained for shorter periods (90 days for system logs, 12 months for access logs).
- 08 /
Your rights
Under the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you (APP 12)
- Correct inaccurate or out-of-date information (APP 13)
- Request deletion of your personal information
- Withdraw consent for processing where consent was the basis for collection
- Export your data in a machine-readable format
To exercise any of these rights, contact us at privacy@ori.tools.
- 09 /
Data breach notification
In accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act, if we become aware of a data breach that is likely to result in serious harm, we will:
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable, as required by the NDB scheme
- Notify affected individuals as soon as practicable
- Provide recommendations for steps individuals can take to protect themselves
- 10 /
AI & automated processing
Our platform uses AI to provide features such as policy search, document summarisation, regulatory-standards analysis, and assistance with care-related documentation. When using AI features:
- AI processes only your organisation's data — never data from other organisations
- AI-generated outputs are clearly labelled and should be reviewed by qualified staff before clinical or regulatory use
- Your data is not used to train AI models
- All AI processing — including chat, summarisation, transcription, and embeddings — runs on AWS Bedrock and Amazon Transcribe in the Sydney region (Australia). Data is transmitted securely and is not retained by the provider beyond the request lifecycle
- 11 /
Changes to this policy
We may update this privacy policy from time to time. We will notify you of material changes via email or an in-app notification. The “last updated” date at the top of this page indicates when the policy was last revised.
- 12 /
Contact
For privacy inquiries, data access requests, or complaints:
- Email: privacy@ori.tools
- Privacy Officer: Jordy Fung
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).