Privacy Policy

View Terms of Service

Effective date: 18 December 2024

Last updated: 20 March 2026

Able Technology Group Pty Ltd ABN 79 673 407 844 trading as OnSquare (OnSquare, we, us or our) recognises the importance of protecting personal information and is committed to managing personal information in an open and transparent way.

This Privacy Policy explains how we collect, hold, use and disclose personal information, how individuals may access and seek correction of personal information, and how to make a privacy complaint.

This Privacy Policy applies to personal information collected by us through:

  • our website at www.OnSquare.au;
  • any related websites, domains, portals, mobile applications and digital platforms through which we make our products and services available; and
  • our interactions with customers, users, prospective customers, service providers and other individuals in connection with our business and services,

including each platform, product or service listed in Schedule 1 (together, the Platform).

By accessing or using the Platform, or otherwise providing personal information to us, you acknowledge that your personal information will be handled in accordance with this Privacy Policy.

Our role as a platform provider

OnSquare operates in two capacities in relation to personal information:

  • Direct data holder: We collect and hold personal information directly from our customers, their staff, administrators and users in the course of providing our services. For this information, we are responsible for compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles as the collecting entity.
  • Platform processor: We also store and process personal information that is entered into or uploaded to the Platform by our customers (such as plan managers, registered providers and support coordinators) in connection with their own service delivery activities. In this capacity, our customers are responsible for the collection of that personal information and for their own compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles, including any applicable notification and consent obligations. We process such information on our customers’ instruction as their service provider, subject to the terms of our agreements with them.

This Privacy Policy applies to personal information we hold in both capacities.

1. Definitions

In this Privacy Policy:

Personal Information has the meaning given in the Privacy Act 1988 (Cth) and generally means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether it is recorded in a material form or not.

Sensitive Information has the meaning given in the Privacy Act 1988 (Cth) and includes information such as health information and certain other categories of information afforded a higher level of protection under that Act.

2. The kinds of personal information we collect and hold

The personal information we collect and hold will depend on the nature of our relationship with you, how you interact with us, and how our Platform is used. The kinds of personal information we may collect and hold include:

  • Identity and contact information, including name, work email address, postal address, telephone number, job title and organisation name.
  • Account and profile information, including username, password or authentication credentials, single sign-on identifiers, multi-factor authentication details, account preferences, profile details, permissions, user role and account status.
  • Customer, participant, provider and operational information entered into, uploaded to, generated through, or otherwise processed through the Platform, including records, notes, documents, invoices, claims, remittances, approvals, audit logs, budget and funding data, service records, payment-related information, provider details, participant details and related operational data.
  • Communication information, including information contained in emails, support requests, helpdesk tickets, phone calls, chat messages, meeting notes, feedback, survey responses and other correspondence with us.
  • Billing and transaction information, including billing contact details, subscription information, invoicing details, payment status, transaction history and limited payment-related information. Where payments are processed by third-party payment providers, we do not receive full card details.
  • Technical, device and usage information, including IP address, browser type, operating system, device identifiers, log data, crash data, session data, time zone settings, dates and times of access, referring pages, feature usage, clickstream data, system activity, event logs and other analytics data.
  • Location information, including approximate location derived from IP address or network information.
  • Marketing and preference information, including communication preferences, event registrations, campaign engagement data and records of whether you have opened, clicked or interacted with communications from us.
  • Cookie and similar technology data, including information collected through cookies, web beacons, pixels, SDKs and similar technologies.
  • Sensitive Information, where relevant to the services provided through the Platform or otherwise permitted by law, including health-related information and other information that may be entered into the Platform by customers or users in connection with participants or service delivery.
  • Other information you provide to us, including information provided when you request a demo, complete a form, apply for a role, participate in a survey, attend an event, or otherwise interact with us.

3. How we collect personal information

We may collect personal information in a variety of ways, including:

  • directly from you when you create an account, use the Platform, request a demo, contact us, subscribe to updates, submit a form, apply for a role, respond to a survey or otherwise interact with us;
  • when personal information is entered into or uploaded to the Platform by our customers, users, administrators or authorised representatives;
  • automatically through your use of the Platform, including through cookies, log files, SDKs, pixels, analytics tools and similar technologies;
  • from third parties engaged by us to assist in operating our business and Platform, including authentication providers, payment processors, analytics providers, cloud and infrastructure providers, support providers, communications providers and integration partners;
  • from publicly available sources where it is lawful and appropriate to do so; and
  • from other persons or organisations where you have authorised them to provide your personal information to us or where this is otherwise lawful.

Where we receive personal information from a third party, we will take steps required by applicable law to notify the relevant individual or ensure they are aware of the matters required by law, unless an exception applies.

If we receive personal information that we did not solicit and that we could not have collected under the Privacy Act 1988 (Cth), we will, as soon as practicable, destroy or de-identify the information if it is lawful and reasonable to do so.

4. Collection of personal information about other individuals

Our customers and users may provide us, or upload to the Platform, personal information about other individuals, including participants, providers, employees, contractors, support coordinators, carers, nominees or other third parties.

If you provide personal information about another individual to us, or through the Platform, you must ensure that:

  • you are authorised to do so;
  • you have provided any notices required by law to that individual, including notifying them that their personal information will be stored and processed by us as described in this Privacy Policy; and
  • where required, you have obtained any necessary consents.

We may rely on customers and users to have taken those steps, to the extent permitted by law.

5. Purposes for which we collect, hold, use and disclose personal information

We may collect, hold, use and disclose personal information for purposes including to:

  • provide, operate, administer, maintain, support and improve the Platform and our services;
  • create, manage and secure accounts and user access;
  • authenticate users and administer identity, permissions and access controls;
  • process invoices, claims, remittances, approvals, statements and related transactions;
  • provide customer support, training, onboarding, implementation and account management;
  • communicate with you about the Platform, support issues, releases, incidents, updates and service-related matters;
  • respond to enquiries, feedback, complaints and requests;
  • monitor, secure, audit and protect the Platform, our systems, our customers and users, including for fraud prevention, misuse detection, incident response, vulnerability management and system administration;
  • carry out analytics, service monitoring, troubleshooting, reporting, product development, testing and quality assurance;
  • send direct marketing communications where permitted by law;
  • comply with legal, regulatory, contractual, risk management and compliance obligations;
  • establish, exercise or defend legal rights;
  • facilitate a merger, acquisition, restructuring, financing, sale of assets or other corporate transaction, subject to appropriate confidentiality obligations on the part of recipients; and
  • create and use de-identified, anonymised or aggregated data for analytics, service improvement, research, benchmarking and business intelligence, provided such data does not reasonably identify an individual.

We will only use or disclose personal information for a secondary purpose where the individual would reasonably expect us to do so, where they have consented, or as otherwise permitted or required by law.

We may also use or disclose personal information for any other purpose notified at the time of collection, authorised by you, or permitted or required by law.

Automated processing

Our Platform uses automated tools to assist with tasks such as claims validation, anomaly detection and data processing. These tools may generate outputs that inform or assist decisions made through the Platform. However, automated tools do not make final decisions independently — all outputs that materially affect participants or users are subject to human review before any decision is confirmed or acted upon. If you have questions about how automated tools operate in relation to your information, please contact us using the details below.

6. Government-related identifiers

Our Platform may process government-related identifiers, including NDIS participant numbers and Medicare numbers, where this occurs in the course of providing services to our customers or as required for claims processing, remittances and related activities. These identifiers are typically entered into the Platform by our customers or their authorised users. We do not adopt government-related identifiers as our own identifier for individuals. We use and disclose such identifiers only as permitted or required by law, including as necessary to perform services on behalf of our customers.

7. Sensitive Information

Most Sensitive Information processed through the Platform is entered by, or on behalf of, our customers (such as plan managers, registered providers and support coordinators) in the course of managing participant or service delivery records. In these cases, our customers are responsible for the collection of that Sensitive Information and for compliance with applicable consent and collection obligations under the Privacy Act 1988 (Cth). We process such information on our customers’ instruction as their service provider, subject to the terms of our agreements with them.

We generally do not seek to collect Sensitive Information directly from individuals unless it is reasonably necessary for our functions or activities, or otherwise permitted by law. Where we collect Sensitive Information directly from individuals and consent is the applicable basis for collection, we will seek express consent from the relevant individual (or their authorised representative or nominee where the individual lacks capacity to consent), in a manner appropriate to the circumstances. Consent may be withdrawn at any time by contacting us using the details below, subject to any legal obligations requiring continued retention.

We will use and disclose Sensitive Information only for the purpose for which it was collected, for a directly related secondary purpose where permitted, or otherwise as authorised or required by law. We do not use Sensitive Information for direct marketing without consent.

8. Cookies, analytics and similar technologies

We and our third-party service providers may use cookies, pixels, SDKs, log files and similar technologies to collect and process technical and usage information for purposes such as:

  • operating and securing the Platform;
  • remembering preferences and settings;
  • improving functionality and user experience;
  • measuring performance and engagement;
  • analysing usage patterns; and
  • supporting communications and marketing activities where permitted by law.

You may be able to control cookies through your browser or device settings. However, disabling certain cookies or similar technologies may affect the functionality of the Platform.

9. Direct marketing

We may use personal information to send you direct marketing communications about our products, services, events and updates where permitted by law.

We do not use Sensitive Information for direct marketing without consent.

You may opt out of receiving marketing communications from us at any time by using the unsubscribe facility in the relevant communication or by contacting us using the details below.

Opting out of marketing communications will not affect service-related, transactional, legal or administrative communications that we need to send to you.

10. To whom we disclose personal information

We may disclose personal information to:

  • our employees, officers, contractors and related bodies corporate, where necessary for our business operations;
  • our customers and their authorised users, where disclosure occurs through the use of the Platform or in the course of providing services;
  • third-party service providers who assist us to operate our business and Platform, including providers of hosting, cloud infrastructure, data storage, analytics, logging, monitoring, security, communications, customer support, identity and authentication, payment processing, professional services and other operational services;
  • integration partners and third-party software providers where you enable, request or use integrations;
  • professional advisers, including lawyers, accountants, auditors, insurers and financiers;
  • government agencies, regulators, courts, tribunals, law enforcement bodies and other persons where disclosure is authorised or required by law;
  • actual or prospective purchasers, investors, funders or counterparties, and their advisers, in connection with a proposed or actual transaction affecting our business or assets, subject to appropriate confidentiality obligations; and
  • any other person or entity where you have consented to the disclosure or the disclosure is otherwise permitted by law.

11. Overseas disclosure of personal information

We maintain our primary data store in Australia.

However, some of our third-party service providers may be located outside Australia, or may access, process, transmit, back up or store personal information from or through systems or servers located outside Australia, in connection with the services they provide to us, including hosting, infrastructure, logging, analytics, communications, customer support, security, technical support and other software services.

We seek, where practicable, to avoid overseas disclosure or overseas handling of personal information. Where overseas disclosure or handling is necessary, we take steps appropriate to the circumstances to:

  • limit the personal information disclosed, transmitted or otherwise made available to the minimum necessary for the relevant purpose;
  • ensure that the overseas recipient is subject to contractual, technical, organisational or other safeguards appropriate to the sensitivity of the information and the nature of the services; and
  • otherwise comply with applicable requirements under the Privacy Act 1988 (Cth).

Where we disclose personal information to overseas recipients and take reasonable steps under the Privacy Act 1988 (Cth) to ensure they handle the information consistently with the Australian Privacy Principles, we remain accountable under Australian law for any breach of those Principles by that overseas recipient in relation to that information. We require overseas service providers to enter into written contractual arrangements imposing data protection obligations consistent with the Australian Privacy Principles.

We may disclose personal information to overseas recipients where:

  • you have expressly requested or authorised the relevant disclosure;
  • the disclosure is required or authorised by law;
  • the disclosure is otherwise permitted under the Privacy Act 1988 (Cth); or
  • the disclosure occurs in connection with our engagement of overseas service providers for the purposes described in this Privacy Policy.

The countries or regions in which overseas recipients are likely to be located include those listed in Schedule 2.

You may contact us using the details below if you have questions about overseas disclosure of personal information.

12. How we hold and protect personal information

We hold personal information in electronic records, systems and databases operated by us and by service providers on our behalf. In limited cases, personal information may also be held in physical records.

We take steps appropriate to the circumstances to ensure that personal information we hold is accurate, up to date, complete and relevant for the purpose for which it is used or disclosed. We rely on our customers and users to maintain the accuracy of participant and provider information entered into the Platform, and encourage individuals to contact us if they believe information we hold about them is inaccurate or out of date.

We take steps appropriate to the circumstances to protect personal information from misuse, interference and loss, and from unauthorised access, modification and disclosure. Those steps may include:

  • access controls and identity management;
  • encryption in transit and, where appropriate, at rest;
  • logging, monitoring and alerting;
  • segregation of environments and permissions;
  • backup and disaster recovery processes;
  • security testing, patching and vulnerability management;
  • staff training and confidentiality obligations; and
  • incident response and business continuity procedures.

No method of transmission over the internet or method of electronic storage is completely secure. While we take steps appropriate to the circumstances to protect personal information, we cannot guarantee absolute security.

13. Retention and destruction of personal information

We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, for our legitimate business needs, and to comply with legal, regulatory, contractual, accounting, reporting and record-keeping obligations.

Retention periods may vary depending on the nature of the information, the purpose for which it was collected, the sensitivity of the information, whether the information is required to support our customers’ ongoing use of the Platform, and applicable legal or regulatory requirements.

When personal information is no longer required, we will take steps appropriate to the circumstances to destroy it or de-identify it, unless we are required or permitted by law to retain it.

14. Access to and correction of personal information

You may request access to personal information we hold about you, and request correction of personal information if you believe it is inaccurate, out-of-date, incomplete, irrelevant or misleading.

Where personal information about you has been entered into the Platform by one of our customers (such as a plan manager, registered provider or support coordinator), we recommend you contact that organisation in the first instance, as they are responsible for the collection and management of that information. We will cooperate with our customers to facilitate access or correction requests as required by law.

We will respond to requests for access or correction within 30 days of receiving the request. If a request is complex, we may require additional time and will notify you accordingly and agree a reasonable extension with you, in accordance with applicable law.

Where we correct personal information and have previously disclosed that information to a third party, we will take reasonable steps to notify the third party of the correction if you request us to do so, unless it is impracticable or unlawful to do so.

We may refuse access or correction in whole or in part where permitted by law. If we refuse a request, we will provide written reasons and information about available complaint mechanisms, except where we are not required to do so by law.

A fee may apply to requests for access to personal information made by Plan Management users. Where a fee applies, we will advise you of the amount before processing the request, and the fee will not exceed what is reasonable in the circumstances and will not apply to the making of the request itself.

To request access to or correction of your personal information, please contact us using the details below.

15. Anonymity and pseudonymity

Where lawful and practicable, you may deal with us anonymously or by using a pseudonym.

However, in many cases this will not be practicable, including where we need to verify your identity, provide access to the Platform, manage an account, respond to a support request, process a transaction, comply with legal obligations, investigate a complaint, or otherwise provide our services.

16. Data breaches

We maintain processes to identify, assess, contain and respond to suspected and actual data breaches.

Where we are subject to the Notifiable Data Breaches scheme and become aware of an eligible data breach, we will comply with our notification obligations under the Privacy Act 1988 (Cth), including notifying affected individuals and the Office of the Australian Information Commissioner where required.

17. Complaints

If you believe that we have breached the Privacy Act 1988 (Cth), the Australian Privacy Principles, or an applicable registered APP code, you may make a complaint by contacting us using the details below.

Please include sufficient detail about the complaint, including:

  • your name and contact details;
  • the nature of your complaint;
  • the relevant dates and circumstances; and
  • the outcome you are seeking.

We may ask you to provide further information in order to investigate your complaint.

We will acknowledge your complaint and seek to investigate and respond within a reasonable period, typically within 30 days.

If you are dissatisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner.

18. Third-party websites and services

The Platform may contain links to third-party websites, products, services or integrations. We are not responsible for the privacy practices of those third parties. Those third parties may handle personal information in accordance with their own privacy policies and terms.

You should review the privacy policies of those third parties before providing them with personal information.

19. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time.

The updated version will be posted on our website and, where appropriate, notified to customers or users through the Platform or by other means. The updated policy will take effect from the date stated at the top of the policy.

20. How to contact us

If you have any questions about this Privacy Policy, wish to request access to or correction of personal information, or wish to make a complaint, you may contact us at:

Privacy Officer

Able Technology Group Pty Ltd trading as OnSquare

Email: privacy@OnSquare.au

Address: Level 3, 219-223 Castlereagh Street, Sydney NSW 2000

Schedule 1 — Platform

For the purposes of this Privacy Policy, the Platform includes:

Schedule 2 — Possible overseas recipients

Personal information may, where permissible by law, be disclosed to, or handled by, service providers located in or operating from the following countries or regions:

  • European Union
  • Singapore

Book a free demo

Get an in-depth overview of our product. Simply let us know a time that works for you.

Request a demo
Saas Webflow Template - Whistler - Designed by Azwedo.com and Wedoflow.com
Workflow automation
for Plan Managers.
Home
Pricing
About
Academy
Careers
Contact Us
API Docs
Status
Privacy Policy
Support
Legals | Privacy Policy | © 2024 - Built with 🧡 in Sydney, Australia