Privacy Policy

Definitions

1. Scope and Application

This Policy applies to all personal information and sensitive data collected within the Content in connection with your use of the Platform. It applies to all Users.

By continuing to access the Platform, you expressly consent to the handling of your Content in accordance with this Policy.

2. Types of Data We Collect

We may collect the following categories of information on the Platform as inputted by you or your Users:

3. Organisational Control and Client Responsibility

The Platform is used by you and other clients to manage Participant support, case records, and workforce operations. In most cases, you act as the data controller, and the Platform acts as a data processor on your behalf.

By inviting Users and uploading data to the Platform, you:

• — Acknowledge and accept full responsibility for the Personal Information and sensitive information entered into the Platform by your Users, including the use of DS AI;
• — Warrant that you have obtained all necessary consents to collect and upload onto the Platform;
• — Are responsible for the accuracy of all the Content submitted to the Platform (we do not independently verify the legitimacy of data submitted by Users);
• — Must ensure that all Users are authorised to handle such data and understand their privacy obligations and that the Content is compliant with privacy legislation and guidance from the Office of the Australian Information Commissioner;
• — Must immediately report any suspected unauthorised access to your data;
• — Warrant that you comply with the Terms of Service when uploading the Content; and
• — Warrant that you will maintain the confidentiality of your account credentials.

We process any Personal Information of Users or Participants on the basis of your representations and warranties that you have collected the Personal Information lawfully and in accordance with the Terms of Service. When we obtain Personal Information from third parties such as Users and Participants, we will assume, and you must ensure that you have made that third party aware that you will upload Content relating to them onto the Platform and of the purposes involved in the collection, use and disclosure of the relevant Personal Information.

We hold and process the Personal Information on the Platform in accordance with the Privacy Act 1988.

4. Purposes for which we collect, hold, use and disclose Personal Information

We collect, hold, use and disclose Personal Information for the purposes for which it was collected and related purposes. This includes providing the service of a secure cloud-based platform to provide our clients with the tools to manage workforce and store data of Participants, including Personal Information and sensitive information. We may use the Content on the Platform to test platform security and legal compliance, to improve the services we offer via the Platform, and to contact a User for administrative or service related matters.

5. AI Tools and DS AI

The Platform includes proprietary artificial intelligence systems (“DS AI”) developed and operated internally to assist with platform functionality, including summarisation, data validation, and workflow optimisation. DS AI may analyse or generate outputs based on user-submitted content such as shift notes, incident reports, platform activity, and support tickets.

DS AI may also identify and flag potential risks or irregularities — including incomplete documentation, inconsistent data, or possible medication-related issues — to assist Users in their professional duties. These flags are surfaced for attention and review only.

AI-generated content, including any medication-related warnings or alerts, is for informational support only and must not be relied upon as medical, clinical, pharmaceutical, legal, or professional advice. DS AI is not a diagnostic tool and does not make decisions on behalf of Users. Outputs may be incomplete, inaccurate, or omitted entirely.

All Users remain solely responsible for reviewing and verifying any AI-generated content before taking action. We accept no liability for decisions made, or not made, in reliance on AI-generated outputs without appropriate human oversight or clinical judgment.

We do not permit the use of Content to train external AI models. Any training or performance improvement processes are conducted strictly within our secure infrastructure, and data relating to the Content remains under our control at all times.

In accordance with the Australian Privacy Principle APP 6, you must ensure that any Personal Information inputted into DS AI is only inputted for the primary purpose for which it is collected, unless the Participant has consented to a secondary use, or you can establish that the secondary use would be reasonably expected by the Participant.

In accordance with Australian Privacy Principle APP 3, you must not use DS AI to generate or infer sensitive information about a Participant without that person's consent.

For more information on how AI is used within the Platform, including system scope, safety limitations, and usage responsibilities, please refer to our AI Usage Statement: AI Usage Statement

6. Disclosure of Information

Any Personal Information loaded on the Platform will not be sold, rented, or disclosed to any third party for commercial gain. Any sharing of personal information is strictly limited to the purposes outlined in this Privacy Policy and in accordance with the Privacy Act. However, we may disclose data to the following categories of recipients:

• — Users within your organisation;
• — Third-party service providers that support our infrastructure (e.g. Microsoft Azure, Intercom, Datadog);
• — Legal or regulatory authorities, where required by law;
• — Our related entities and contractors, subject to strict confidentiality obligations.

Each third-party provider is bound by contractual and technical safeguards that meet or exceed Australian privacy standards.

7. Cross-Border Data Transfers

Some of our service providers may store or process data in jurisdictions outside of Australia. We only engage providers in countries with privacy protections substantially similar to those under Australian law, or where appropriate safeguards (such as contractual clauses) are in place. Core application data is hosted primarily in Australia.

8. Data Retention and Storage

All data is:

• — Encrypted in transit and at rest;
• — Stored on secure infrastructure within Australia or in jurisdictions with equivalent data protection laws;
• — Retained only for as long as reasonably necessary or legally required, and we will destroy the Personal Information if it is no longer needed for the purpose it was used by or disclosed to us.

We implement:

• — Role-based access controls;
• — Detailed access logs;
• — Data loss prevention (DLP) measures;
• — Regular penetration testing and risk assessments.

9. Data Deletion

Where applicable, you may request that Personal Information relating to the Participants or your Users is deleted from our systems. We will take such steps as are necessary in the circumstances to destroy the information or to ensure the information is de-identified, in accordance with APP 11. You are responsible for ensuring deletion requests comply with privacy legislation and guidance.

10. Data Breach Notification

In the event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme, we will promptly investigate the incident, take appropriate remediation steps, and notify affected individuals and the Office of the Australian Information Commissioner (OAIC).

11. Data Access and Correction Rights

Subject to verification of identity, your User or a Participant under the scope of your organisation, may request:

• — Access to the Personal Information;
• — Correction of any inaccurate, out of date, misleading or incomplete data;
• — A copy of the Personal Information in a portable format, where applicable.

To make such a request, contact legal@newhorizoncode.io. We will respond within a reasonable period.

12. Limitation of Liability

To the fullest extent permitted by law:

• — We accept no liability for any loss or damage suffered by you or a third party resulting from your breach of privacy obligations, including under the Privacy Act, when using the Platform;
• — We shall not be liable for any indirect, incidental, or consequential damages, including loss of data, revenue, or reputation, arising out of or in connection with the use of the Platform;
• — You assume all risk related to the use of the Platform.

Nothing in this Policy limits your rights under the Australian privacy legislation where such rights cannot be excluded.

13. Updates to This Policy

We may revise this Policy at our discretion. Updates will be posted on the Platform, our website, and will take effect upon publication. Your continued use of the Platform constitutes acceptance of the revised Policy.

Where required by law, we will notify Users of material changes and, where applicable, seek renewed consent.

14. Contact & Complaints

If you have a concern or complaint regarding your privacy, please contact our Privacy Officer. We will investigate all complaints and respond within 30 days or a reasonable time frame.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

• — Website: www.oaic.gov.au
• — Phone: 1300 362 992
• — Email: enquiries@oaic.gov.au

15. Jurisdiction

This Policy is governed by the laws of Queensland, Australia. Any disputes arising in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of Queensland.

16. Children's Privacy

We do not knowingly collect on the Platform Personal Information directly from individuals under the age of 18. All child-related data processed through the Platform is provided by Users in accordance with relevant legal obligations. Clients are responsible for ensuring lawful handling of such information.