Privacy Policy

Last updated: 25 February 2026

1. About This Policy

Titus CRM ("we", "our", "us") is operated by Delta Community Support Pty Ltd (ABN pending), an NDIS registered provider based in Brisbane, Queensland, Australia. This Privacy Policy explains how we collect, use, store and disclose personal information in compliance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. NDIS Data Handling

As a platform serving NDIS providers, we handle sensitive participant data including:

• NDIS participant numbers and plan details
• Disability and health-related information
• Progress notes and incident reports
• Support delivery records and service agreements
• Budgets and financial information related to NDIS plans

All NDIS data is handled in accordance with the NDIS Practice Standards and the NDIS Quality and Safeguards Commission requirements.

3. Information We Collect

3.1 Personal Information

• Names, email addresses, phone numbers
• Employment details (for support workers)
• NDIS numbers and plan information (for participants)
• Next of kin and guardian details
• Bank details (for invoicing purposes only)

3.2 Sensitive Information

• Health and disability information
• Incident reports and behavioural data
• Criminal history checks (NDIS Worker Screening)
• Working With Children checks

3.3 Usage Data

• Login times and session data
• Actions performed within the platform (audit trail)
• IP addresses and browser information

4. How We Use Your Information

• To deliver disability support services and manage NDIS participant plans
• To manage rosters, scheduling, and workforce operations
• To generate compliance reports required by the NDIS Commission
• To communicate with participants, families, and support workers
• To process invoices and financial transactions
• To maintain audit trails for regulatory compliance
• To improve our platform and services

5. Data Sovereignty & Storage

All primary data is stored on Australian servers. Our infrastructure is hosted on Railway (cloud infrastructure) with data centres in the Sydney region. We are committed to keeping participant data within Australian jurisdiction.

5.1 Third-Party Services

We use the following third-party services which may process data outside Australia:

• Twilio (USA) — Phone calls and SMS messaging. Call recordings are stored in Twilio's infrastructure.
• ElevenLabs (USA) — AI voice agent for call handling. Call transcripts are processed by their servers.
• Airtable (USA) — CRM database storage. Contact and operational data is stored in Airtable's US-based servers.
• Anthropic (USA) — AI-powered features including report generation and data analysis.
• Microsoft 365 (Australia/Global) — Email integration.

Where data is transferred overseas, we ensure appropriate safeguards are in place as required by APP 8.

6. Data Retention

• NDIS records: Retained for a minimum of 7 years as required by NDIS regulations
• Incident reports: Retained permanently or as required by state/territory legislation
• Financial records: Retained for 7 years per ATO requirements
• Audit logs: Retained for a minimum of 7 years
• Account data: Retained while account is active, plus 2 years after deactivation

7. Your Rights

Under the Australian Privacy Principles, you have the right to:

• Access your personal information held by us
• Correct inaccurate or outdated information
• Request deletion of your data (subject to legal retention requirements)
• Complain about how we handle your information
• Opt out of marketing communications

To exercise these rights, contact our Privacy Officer at the details below.

8. Data Security

• All data in transit is encrypted using TLS 1.2+
• Database access is restricted to authenticated and authorised users only
• Role-based access control ensures users only see data relevant to their role
• Session-based authentication with automatic timeout after 2 hours of inactivity
• Full audit logging of all data access and modifications
• Regular security assessments and monitoring

9. Cookies

We use essential cookies only for session management and authentication. We do not use tracking cookies or third-party advertising cookies. An authentication token cookie (authToken) is set upon login and is required for the platform to function.

10. Data Breach Response

In the event of a data breach involving personal information, we will:

• Assess the breach and its likely impact
• Notify the Office of the Australian Information Commissioner (OAIC) if required under the Notifiable Data Breaches scheme
• Notify affected individuals as required
• Notify the NDIS Quality and Safeguards Commission if NDIS participant data is involved
• Take steps to contain the breach and prevent recurrence

11. Contact — Privacy Officer

For privacy-related enquiries, complaints, or data access requests:

Delta Community Support
Email: privacy@deltacommunity.com.au
Phone: Contact via main office
Address: Brisbane, QLD, Australia

If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.