Privacy Policy

Last updated: 26 May 2026

1. Who we are

SublimeCare ("SublimeCare", "we", "us", or "our") operates the PRISM platform, an operations platform used by SublimeCare and offered to partner NDIS provider organisations in Australia. This policy explains how we handle personal information in connection with PRISM.

2. Scope of this policy

This policy applies to information processed through the PRISM web application, its administrative interfaces, and connected services (for example, the Meta Graph API integrations connected by a partner organisation).

Where a partner organisation is the controller of personal information processed through its workspace (for example, employee records or client-care notes), the partner's own privacy notice governs that information, and SublimeCare acts as a processor on the partner's instructions.

3. Information we collect

Account information

Name, work email address, password (stored as a salted bcrypt hash), role, organisation membership, profile image (optional), and authentication timestamps.

Operational content

Content that authenticated users create or upload through PRISM, including projects, tasks, forms, survey questions and responses, call notes, recruitment records, documents in the Document Hub, AI chat threads, and audit log entries.

Connected-platform tokens

When a partner organisation connects a third-party service (for example, a Facebook Page, Instagram Business account, Google Search Console property, or Microsoft 365 tenant), we store the OAuth access and refresh tokens needed to call that service on the partner's behalf. Tokens are encrypted at rest using AES-256-GCM.

Technical and security data

IP address, user agent, request timestamps, and session identifiers, used to secure the service and produce audit logs.

4. How we use information

  • To operate, secure, and maintain the PRISM platform.
  • To authenticate users and enforce role-based access controls.
  • To process content on behalf of partner organisations under their instructions.
  • To detect, investigate, and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations applicable to SublimeCare in Australia.
  • To improve the platform, subject to the safeguards in this policy.

5. Platform Data from Meta

With a partner organisation's explicit consent, PRISM connects to that partner's own Facebook Page and Instagram Business account through the Meta Graph API. We use the resulting Platform Data only to:

  • Display the partner's post performance and audience insights inside the partner's PRISM workspace; and
  • Schedule and publish content the partner has authored to the partner's own pages.

We do not sell Platform Data. We do not combine Platform Data across partner organisations. We do not use Platform Data to build advertising profiles. We do not share Platform Data with third parties except as required by law or as strictly necessary to provide the service the partner requested.

6. How we share information

We share information only with the following categories of recipients, and only as required to provide PRISM:

  • Sub-processors who host or operate parts of PRISM, including MongoDB Atlas (database hosting), Cloudinary (media storage), Resend or SMTP providers (transactional email), Microsoft 365 (when used by the partner for email), Anthropic (AI model inference), ElevenLabs and Twilio (voice features), and Google (when a partner connects Google services).
  • Other partner organisations only at the explicit direction of the controller (for example, when a user is invited into a shared workspace).
  • Regulators, law-enforcement bodies, or courts where we are legally compelled to disclose.
  • Professional advisors (auditors, lawyers) under confidentiality obligations.

7. Storage, security, and retention

Production data is stored on managed MongoDB infrastructure with encryption in transit (TLS 1.2+) and at rest. OAuth and integration tokens are additionally encrypted using AES-256-GCM with a key held outside the database. Access to production systems is restricted to authorised SublimeCare personnel under role-based controls and is audit-logged.

We retain personal information for as long as a partner organisation maintains its account, and for the longer of (a) the period required by Australian law and the NDIS Quality and Safeguards Commission record-keeping requirements (typically seven years for service-delivery records) and (b) the period reasonably required to resolve disputes, enforce agreements, or meet audit obligations.

8. Your rights

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you may request access to the personal information we hold about you, ask us to correct inaccuracies, or lodge a complaint about how we handle your information.

For information held by SublimeCare as a controller, contact us at the address in section 13. For information held inside a partner organisation's workspace, the partner organisation is the relevant controller; we will pass your request to the partner and assist with the response.

To request deletion of personal information, see our dedicated Data Deletion page, which sets out the process, timeframes, and the narrow legal-retention exceptions.

9. Cookies and similar technologies

PRISM uses strictly necessary cookies to keep you signed in and to protect against cross-site request forgery. We do not use advertising cookies, and we do not embed third-party advertising trackers.

10. Children

PRISM is intended for use by authenticated staff of SublimeCare and partner organisations. It is not directed to children under 16, and we do not knowingly collect personal information directly from children. Where a partner organisation stores information about NDIS participants who are minors, the partner remains the controller of that information and is responsible for the relevant consents.

11. International transfers

Some of our sub-processors operate outside Australia. Where personal information is transferred internationally, we rely on the sub-processor's contractual commitments and recognised safeguards, and we take reasonable steps to ensure the recipient handles the information consistently with the Australian Privacy Principles.

12. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Where a change is material, we will give reasonable notice through the platform or by email before it takes effect.

13. Contact

For privacy questions, requests, or complaints, contact us at contact@sublimecare.com.au. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.