Privacy Policy
PBSTrack is a behaviour data collection and analysis tool designed for Behaviour Support Practitioners, allied health clinicians, and education professionals working with individuals under the NDIS or similar disability support frameworks.
This Privacy Policy explains what information PBSTrack collects, how it is stored, and your rights in relation to that information.
PBSTrack stores two categories of information: your account information (where you, the practitioner, are the data subject) and participant clinical records (where the participant you support is the data subject). For participant records, you are the data controller and PracticeWise acts as a data processor on your behalf. You are responsible for obtaining lawful consent from each participant or their guardian for the data you record.
Account information (held by PracticeWise via Supabase, in AWS Sydney — for all tiers):
- Email address — used to identify your account, send sign-in or password-reset links, and contact you about service issues
- Encrypted password — never stored in plain text
- Account UUID — a unique identifier generated by Supabase Auth at sign-up; also used as your RevenueCat appUserID so your subscription persists across reinstalls
- Subscription state — your active tier, trial status, and entitlement records (managed by RevenueCat)
- Crash reports and app-activity events — sent to Firebase Crashlytics for diagnostics; contain no clinical data
- Consent record — the timestamp at which you accepted this Privacy Policy, kept for audit
Participant clinical records (stored locally on your device on every tier; synced to your account in AWS Sydney only when you are on the Professional tier — on lower tiers, clinical records remain on your device only):
- Participant identifiers — names or pseudonyms you enter, plus optional date of birth, contact phone, and diagnoses
- Behaviour definitions — names and operational definitions of behaviours of concern for each participant
- Session data — dates, times, durations, and notes from recorded sessions
- ABC episode data — antecedent, behaviour, consequence, intensity, and duration information recorded during sessions
- Motivating Operations data — pre-session physiological state checks (Sleep, Hunger, Pain, Medication) recorded per session
- FERB data — Functionally Equivalent Replacement Behaviour events recorded per session
- Preset labels — setting event, antecedent, and consequence labels you create for each participant
- Session reports — generated report data including frequency, rates, and pattern summaries
- Audio recordings — recordings saved to your device’s local storage. Audio is not uploaded to our cloud. Optional transcription can run entirely on-device, or via a cloud transcription provider if you choose the faster path — see Section 10.
- Generated clinical documents — BSPs, FBAs, progress notes, and other documents produced via the Document Builder
- Restrictive practice records — preset definitions and per-session usage logs (where applicable)
- External reports you upload — PDF or Word documents from other clinicians, plus any extracted text or structured data
- Pseudonymisation map — per-participant real-name ↔ pseudonym pairings used to keep AI output consistent
- AI call audit log — record of every AI call, including the pseudonymised payload, model response, and your decisions on each detected candidate
- Practitioner details — practitioner name and organisation name, if entered in your profile
Kept on your device only (never synced): audio recording files, in-app diagnostic logs (used for debugging), in-progress transcription chunks, and the Document Builder background job queue. Once those background jobs complete, their finished outputs — transcripts and generated clinical documents — do sync via the standard pipeline above.
Audit log (APP 12). Every read, create, update, and delete event on a participant record is written to an append-only audit log on your device and (when sync is enabled) in our cloud. This log answers “who accessed what, when” for the records you control and supports your obligations under Australian Privacy Principle 12 (access to personal information).
PracticeWise commits to the following limits on how we handle your information:
- We do not sell your data. Not in aggregate, not de-identified, not in any form.
- We do not use your clinical content to train AI models. Our AI sub-processor (Anthropic) is contractually prohibited from training on data submitted via the API. We do not run our own model training on your records.
- We do not transfer your participant records overseas as part of routine sync. All cloud-synced clinical data lives in AWS Sydney (ap-southeast-2). The narrow exceptions are AI features and crash reporting, listed in Section 10.
- We do not collect advertising identifiers. PBSTrack does not contain any third-party advertising SDKs.
- We do not collect location data. No GPS, no IP-based geolocation, no Wi-Fi or cell-tower fingerprinting.
- We do not upload audio recordings to our cloud. Audio stays on your device unless you trigger an opt-in cloud transcription, in which case the selected audio range is sent directly to the transcription provider (not via our servers).
- We do not read your clinical records ourselves. Participant data in our cloud is isolated per tenant by Supabase Row Level Security — only you can read your own rows. PracticeWise staff do not access individual records.
PBSTrack requests the following Android permissions:
| Permission | Purpose |
|---|---|
| RECORD_AUDIO | Required to use the audio recording feature. Audio is recorded and stored locally on your device only. This permission is only active when you initiate a recording within the app. |
| READ_MEDIA_AUDIO / READ_EXTERNAL_STORAGE | Required to read audio files saved by the app for playback. READ_MEDIA_AUDIO is the scoped permission used on Android 13 and later; READ_EXTERNAL_STORAGE is used on earlier versions. |
| WRITE_EXTERNAL_STORAGE | Required on Android 9 and below to save audio recordings to device storage. |
| INTERNET | Required for the app’s optional cloud features: cloud transcription (Deepgram) and AI document generation and clinical processing (Anthropic Claude). Each cloud feature is explicitly triggered by you; none operate automatically in the background. |
| FOREGROUND_SERVICE | Required to keep the audio recording running when you switch to another app or lock your screen. Android requires this for any long-running background process. A persistent notification is displayed while recording is in progress. |
| FOREGROUND_SERVICE_MICROPHONE | Required on Android 14+ for foreground services that access the microphone. Allows PBSTrack to display the recording notification while the microphone is in use. |
No permissions are used to automatically collect, transmit, or share data with PracticeWise or any third party. Data is only transmitted when you explicitly initiate an optional cloud feature, as described in Section 10.
PracticeWise uses a small set of third-party processors to operate the app. We do not share data with anyone outside this list, and we do not sell data in any form.
Sub-processors that operate continuously (not opt-in):
- Supabase — cloud database and authentication, in AWS Sydney. Holds your account information (email, account UUID, encrypted password, consent record) on every tier. Clinical records sync to Supabase only on the Professional tier; on lower tiers, your participant records remain on your device. All Supabase data is hosted in the AWS ap-southeast-2 region; Row Level Security isolates your tenant from every other account. No data crosses the Australian border for routine sync.
- RevenueCat — subscription management. Receives your account UUID and subscription state to verify your active tier across devices and reinstalls. No clinical or audio data is shared.
- Firebase Crashlytics (Google) — crash reporting. Automatically transmits a stack trace, device model, OS version, and app version when the app crashes. Crash reports do not contain clinical data, audio, or participant identifiers.
- Google Play Store — app distribution and billing. Receives the data necessary to install and meter your subscription, governed by Google’s own privacy practices.
Opt-in AI sub-processors (only when you trigger a feature):
- Deepgram (USA) — cloud audio transcription. If you choose the cloud transcription path for a recording, the selected audio range is sent directly from your device to Deepgram’s Nova-2-Meeting API. The transcript text is returned to your device. The default transcription path runs entirely on-device and sends nothing to Deepgram.
- Anthropic (USA) — AI document drafting and clinical processing. Used by document generation, meeting summaries, external report processing, config extraction, and narrative synthesis features. Before any text is sent, an on-device pseudonymisation gate replaces detected names with placeholders, and you review and confirm each replacement — see Section 10 for the full description.
Cross-border transfers (APP 8). Routine sync of your participant records does not cross the Australian border. The AI sub-processors above are based in the United States; sending data to them constitutes a cross-border disclosure under APP 8. We have reviewed Anthropic’s contractual and technical safeguards (see the note in Section 10) and consider them substantively equivalent to the APPs. If overseas processing is not acceptable for a particular session, do not trigger the AI features for that recording — all core data collection, ABC capture, FERB tracking, MO data, and on-device session reporting work without them.
Exports and shares you initiate. If you use the app’s export or share features (PDF, CSV, Word document, email, etc.), the destination is determined by you and operates outside PracticeWise’s systems. You are responsible for ensuring any data you share complies with your professional obligations and applicable privacy laws.
In transit. All communication between PBSTrack and our servers, and between PBSTrack and the third-party sub-processors listed in Section 5, uses TLS 1.2 or higher. Data is never sent over an unencrypted connection.
At rest in our cloud. Supabase encrypts all data at rest using AES-256 with keys managed by AWS KMS. Authentication tokens are short-lived and refreshed transparently by the SDK. Row Level Security policies ensure that only your authenticated session can read or write your own rows — no other user, and no PracticeWise staff, can read your records through the standard application path.
At rest on your device. Modern Android devices encrypt local storage by default once a screen lock is set. We are rolling out an additional layer of database-level encryption (SQLCipher with a key derived via the Android Keystore) so that the PBSTrack SQLite file is unreadable even if extracted from an unlocked device. Until that layer ships, your device’s built-in full-disk encryption is the at-rest protection.
Authentication. Sign-in uses email and password against Supabase Auth. Your password is never stored in plain text; Supabase stores a salted hash. Multi-factor authentication will be added in a later release.
What you can do to keep your data safe:
- Use a screen lock or PIN on your device
- Choose a strong, unique password for your PBSTrack account
- Sign out from any device that is not yours, or that you no longer control
- Use Android’s built-in backup features only if you are satisfied with the security of the backup destination
- Use initials or participant codes rather than full names if you are concerned about device security
- Secure any exported files or reports in accordance with your organisation’s data governance policies
If your device is lost or stolen: sign in to your PBSTrack account from another device; the session that was active on the lost device can then be revoked in Supabase Auth so it can no longer sync. On the Professional tier your participant records remain accessible to you in the cloud and will sync down to a fresh install; on lower tiers the records existed only on that device. Any clinical data already stored on the lost device is protected by that device’s screen-lock encryption (see “At rest on your device” above), which is why keeping a screen lock set matters.
Notifiable Data Breaches scheme. PracticeWise complies with Part IIIC of the Privacy Act 1988 (the NDB scheme). If we become aware of a data breach that is likely to result in serious harm, we will notify you and the Office of the Australian Information Commissioner as soon as practicable.
PBSTrack is a professional tool intended for use by qualified practitioners. It is not directed at children and is not intended to be used by individuals under the age of 18.
The individuals whose behaviour data may be recorded using PBSTrack may include minors. Practitioners using PBSTrack are responsible for ensuring that their collection and use of behaviour data relating to minors complies with applicable laws, their professional obligations, and any consent requirements from participants or their legal guardians.
PBSTrack is designed for use in behaviour support practice under the NDIS. Practitioners using PBSTrack remain solely responsible for:
- Obtaining appropriate informed consent for data collection from participants and/or their authorised representatives
- Complying with the NDIS Privacy Rule and any applicable state or territory privacy laws
- Complying with their professional registration body’s requirements regarding clinical records
- Ensuring data stored on their device is handled in accordance with their organisation’s data governance policies
- Securing any exported reports or shared data in a manner consistent with professional and regulatory obligations
On your device. All PBSTrack data remains on your device for as long as you retain it. You can delete individual participants, sessions, episodes, or audio recordings within the app at any time.
In our cloud (Professional tier only). Clinical records sync to our cloud only when you are on the Professional tier. Synced records are kept while your account remains active. When you delete a record in the app, it is soft-deleted (marked with a deletion timestamp) so the deletion propagates to other devices, and then permanently removed from cloud storage 30 days later. Audio recordings are never synced on any tier — they live only on your device, and you can configure automatic on-device retention (e.g. delete audio after 30 days) in Settings. On lower tiers, no clinical records exist in our cloud at all.
Account deletion. If you delete your PBSTrack account, all account information and all participant records associated with that account are permanently removed from our cloud within 30 days. The audit log entries for those records are retained for the same 30-day window so that any access prior to deletion can be investigated, then permanently removed.
How to request account & data deletion. You can request deletion of your PBSTrack account and all associated data at any time. There are two ways to do this:
- In-app (recommended). Open PBSTrack → tap Settings → tap Account → tap Delete account → confirm the prompt. Your account is queued for deletion immediately and you are signed out.
- By web request. Go to practicewise.com.au/contact/, choose the subject “Account deletion request”, and include the email address registered to your PBSTrack account. We will verify your identity by replying to that email address before processing the deletion. We aim to confirm receipt within 2 business days and complete the deletion within 30 days.
What gets deleted. When you submit a deletion request through either path above, the following are permanently deleted within 30 days:
- Your account record (email, encrypted password, account UUID, consent record)
- All participant clinical records synced to our cloud (participants, sessions, ABC episodes, MO data, FERB events, preset labels, session reports, generated documents, restrictive practice records, uploaded external reports, pseudonymisation map, AI call audit log)
- Authentication sessions and refresh tokens for your account
- Your subscription state held by RevenueCat (deleted via RevenueCat’s subject-erasure API)
- The APP 12 access audit log for those records, after the 30-day investigation window
What may be retained, and why. A small amount of data may be kept after account deletion where we are legally required to do so or where it cannot be tied back to you:
- Crash reports sent to Firebase Crashlytics during the life of your account — retained per Google’s default retention (typically 90 days) and contain no clinical or participant data
- Billing records held by Google Play Billing — retained by Google as required by Australian tax and consumer law; PracticeWise does not control this retention
- De-identified, aggregated logs — for example, total API call counts — that cannot be used to re-identify you
No clinical or participant content is retained beyond the 30-day deletion window.
Deleting individual records without deleting your account. If you only want to remove specific data — for example, a single participant, session, episode, or audio recording — you can do this from inside the app at any time without deleting your whole account. Tap the item, choose Delete, and confirm. Cloud-synced records are soft-deleted (marked with a deletion timestamp so the deletion propagates to your other devices), then permanently removed from cloud storage 30 days later. Audio recordings are removed from your device immediately and were never synced to our cloud.
Audit log retention. The APP 12 audit log (read, create, update, delete events on participant records) is retained for the life of your account, in line with NDIS Practice Standards expectations for clinical recordkeeping. It is removed alongside the participant records on account deletion.
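The retention mechanics described in this section (soft delete with a deletion timestamp, propagation of that deletion to other devices, hard removal 30 days later, and the 30-day investigation window for the access audit log after account deletion), together with the append-only access log from “Audit log (APP 12)” above, modelled as an added Python example. This is illustrative code written for this page, not PBSTrack’s or Supabase’s implementation; the CloudStore and Row names, the owner column standing in for the Row Level Security tenant check, the immediate removal of rows on account deletion, the account IDs and the sample rows are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

PURGE_WINDOW = timedelta(days=30)   # from the policy: tombstones and post-deletion audit entries go after 30 days


@dataclass
class Row:
    record_id: str
    owner: str                              # account UUID; plays the role of the RLS tenant column (assumption)
    payload: dict
    deleted_at: Optional[datetime] = None   # set = soft-deleted tombstone


class CloudStore:
    """Hypothetical model of the synced store: owner-scoped access, soft delete,
    tombstone propagation to other devices, delayed hard purge, append-only audit."""

    def __init__(self) -> None:
        self.rows: Dict[str, Row] = {}
        self.audit: List[Tuple[datetime, str, str, str]] = []   # (ts, actor, action, record_id); append-only
        self.closed_accounts: Dict[str, datetime] = {}          # account -> when deletion was requested

    def _log(self, ts: datetime, actor: str, action: str, record_id: str) -> None:
        self.audit.append((ts, actor, action, record_id))

    def read(self, actor: str, record_id: str, now: datetime) -> Optional[dict]:
        row = self.rows.get(record_id)
        if row is None or row.owner != actor or row.deleted_at is not None:
            return None                      # another tenant's row is simply invisible, as under an RLS policy
        self._log(now, actor, "read", record_id)
        return row.payload

    def soft_delete(self, actor: str, record_id: str, now: datetime) -> None:
        row = self.rows[record_id]
        if row.owner != actor:
            raise PermissionError("not your row")
        row.deleted_at = now                 # tombstone: the row stays so other devices learn of the deletion
        self._log(now, actor, "delete", record_id)

    def pull(self, actor: str, device_ids: Set[str]) -> Set[str]:
        """Record IDs a device should hold after sync: live rows added, tombstoned rows removed."""
        live = {rid for rid, r in self.rows.items() if r.owner == actor and r.deleted_at is None}
        tombstoned = {rid for rid, r in self.rows.items() if r.owner == actor and r.deleted_at is not None}
        return (device_ids | live) - tombstoned

    def purge(self, now: datetime) -> List[str]:
        """Hard-delete tombstones past the window; drop audit entries of accounts closed past the window."""
        expired = [rid for rid, r in self.rows.items()
                   if r.deleted_at is not None and now - r.deleted_at >= PURGE_WINDOW]
        for rid in expired:
            del self.rows[rid]
        for acct, closed in list(self.closed_accounts.items()):
            if now - closed >= PURGE_WINDOW:
                self.audit = [e for e in self.audit if e[1] != acct]
                del self.closed_accounts[acct]
        return expired

    def delete_account(self, actor: str, now: datetime) -> None:
        """Assumption: the account's rows go at once; its audit entries stay for the investigation window."""
        for rid in [rid for rid, r in self.rows.items() if r.owner == actor]:
            del self.rows[rid]
        self._log(now, actor, "account_delete", "*")
        self.closed_accounts[actor] = now


def run_demo() -> dict:
    """Walk one record through delete -> propagate -> purge, then close the account."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store = CloudStore()
    store.rows["s1"] = Row("s1", "acct-A", {"session": "ABC episodes"})      # constructed sample rows
    store.rows["s2"] = Row("s2", "acct-A", {"session": "FERB events"})
    store.rows["x1"] = Row("x1", "acct-B", {"session": "another tenant"})
    result = {"cross_tenant_read": store.read("acct-B", "s1", t0)}           # None, and nothing is logged
    store.read("acct-A", "s1", t0)
    store.soft_delete("acct-A", "s1", t0 + timedelta(hours=1))
    result["tablet_after_sync"] = store.pull("acct-A", {"s1", "s2"})         # second device drops s1
    result["purged_day29"] = store.purge(t0 + timedelta(days=29))            # [] : still inside the window
    result["purged_day31"] = store.purge(t0 + timedelta(days=31))            # ["s1"]
    store.delete_account("acct-A", t0 + timedelta(days=40))
    result["audit_kept"] = len([e for e in store.audit if e[1] == "acct-A"])  # 3: read, delete, account_delete
    store.purge(t0 + timedelta(days=71))
    result["audit_after_window"] = len([e for e in store.audit if e[1] == "acct-A"])  # 0
    result["other_tenant_rows"] = sorted(store.rows)                         # ["x1"], untouched throughout
    return result
```

One property of this pattern worth checking in any implementation of it: the purge window is also the longest a second device can stay unsynced and still learn of a deletion from the tombstone, so a device that has been offline for longer than the window should be reconciled by a full pull rather than by pushing its local copy back up.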
Uninstalling the app removes all locally stored PBSTrack data from your device but does not delete your cloud account. To delete the cloud copy as well, request account deletion as described above.
Crash reports sent to Firebase Crashlytics are retained according to Google’s default retention (typically 90 days for individual crash records).
The following third-party services receive data from PBSTrack. Supabase (cloud database and authentication, in AWS Sydney) and Firebase Crashlytics (crash reporting) operate automatically in the background. RevenueCat (subscription state) operates automatically only for paid tiers. The AI-powered features are explicitly triggered by you — none operate automatically.
Supabase (cloud database, authentication, storage)
PBSTrack uses Supabase for authentication on every tier, and to store your synced participant records on the Professional tier. On lower tiers, Supabase holds only your account row (email, UUID, encrypted password, consent record); no clinical data is uploaded. Supabase hosts your data in Amazon Web Services’ Sydney region (ap-southeast-2); your data does not cross the Australian border. Authentication uses Supabase Auth (email + salted-hash password). Row Level Security policies isolate your data so no other tenant can read or write your rows, and no PracticeWise staff can access your records through the standard application path. Data at rest is encrypted using AES-256 with keys managed by AWS KMS; data in transit uses TLS 1.2 or higher.
Supabase’s privacy policy: supabase.com/privacy. Supabase’s data processing addendum: supabase.com/legal/dpa.
Firebase Crashlytics (crash reporting)
PBSTrack uses Google Firebase Crashlytics to automatically collect crash reports when the app encounters an unhandled error. Information sent includes the crash stack trace, device model, Android OS version, and app version. No clinical data, session data, client names, or audio is included in crash reports. Crash reporting cannot be disabled by users.
Google’s privacy policy: policies.google.com/privacy
Deepgram (cloud transcription with speaker diarization)
When you trigger a transcription, a copy of the selected audio range is sent to Deepgram’s Nova-2-Meeting API for transcription and speaker labelling. The audio is processed by Deepgram and the transcript text is returned to your device. Transcription is an opt-in feature — no audio is transmitted unless you initiate it.
Deepgram’s privacy policy: deepgram.com/privacy
Anthropic Claude (AI document generation and clinical processing)
The following features send text content to the Anthropic Claude API:
- Document generation — transcript text is sent to generate clinical documents (Behaviour Needs Assessments, Progress Notes, Supervision Records, and other templates)
- Meeting summaries — transcript text is sent to generate structured BSP session summaries
- External report processing — text extracted from PDF or Word reports you upload is sent for clinical distillation and quality rating
- Config extraction — text from a generated clinical document is sent to extract suggested client configuration items (behaviours, antecedents, consequences, and more)
- Narrative synthesis — voice note transcripts and processed external report summaries are sent to generate a clinical formulation
Text sent to Anthropic does not include audio files. Under Anthropic’s API usage policies, data submitted via the API is not used to train Anthropic’s models. Data is processed on Anthropic’s servers — this constitutes cross-border disclosure under the Australian Privacy Principles (APP 8).
Anthropic’s privacy policy: anthropic.com/privacy
On-device pseudonymisation gate. Before any text is sent to Anthropic, PBSTrack runs an on-device pseudonymiser that scans the outgoing content for names and other directly identifying terms. Detected items are surfaced to you in a review screen where you can confirm, edit, or reject each proposed replacement before the request is dispatched. Replacements use stable pseudonyms (e.g. “JS” or “Participant 1”) so the model’s output still makes sense when re-mapped on your device. The pseudonymiser runs at the API choke point — no AI call can bypass it.
Strict mode (optional). A toggle in Settings (“Pseudonym strict mode”) requires every detected candidate to be explicitly resolved before the Send action becomes available. Recommended for formal assessments where any unredacted name reaching an overseas processor would be a compliance issue. Default: off.
Exception — narrative clinical documents. Some document types — including Functional Behaviour Assessments, Comprehensive Behaviour Support Plans, Clinical Narratives, and FERB Implementation Guides — must name members of the participant’s support network (family, teachers, support workers, allied-health colleagues) for the output to be clinically meaningful. For these document types, pseudonymisation is intentionally not applied to support-network names. You remain in control of what enters the prompt and can still redact manually before sending.
AI call audit log. Every AI call is recorded on your device with the pseudonymised payload, the model’s response, the list of detected candidates, and your decision on each (confirmed / rejected / edited). The log is reviewable in Settings and is used to tune the pseudonymisation detector over time. The audit log is stored locally and never leaves your device unless you choose to export it.
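The gate described in the four paragraphs above, modelled as an added Python example. This is illustrative code written for this page, not PBSTrack’s pseudonymiser or its audit-log format; the class and function names, the “First Last” detection heuristic, the “Person n” labels for names the participant map does not know, the fallback of an unresolved candidate to its proposed pseudonym outside strict mode, the stand-in model call, and the sample transcript (every name in it is fictitious) are all assumptions. It shows the stable per-participant map, the three review decisions, strict mode refusing to send while any candidate is pending, the audit entry written around the call, and the re-mapping of the model’s reply back on the device.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Constructed sample voice-note transcript; all names are fictitious.
SAMPLE_NOTE = ("Jamie Smith hit the table after Ms Carter asked him to stop. "
               "Jamie calmed down when Sarah Lee offered a break.")


@dataclass
class Candidate:
    term: str                    # identifying text found in the outgoing payload
    proposed: str                # stable pseudonym the gate suggests
    decision: str = "pending"    # pending | confirmed | rejected | edited
    final: Optional[str] = None  # replacement actually applied (None when rejected)


class PseudonymGate:
    """Hypothetical on-device gate at the API choke point: send() is the only path
    to the model, so every call is screened first and audited afterwards."""

    NAME_RE = re.compile(r"\b[A-Z][a-z]+(?: [A-Z][a-z]+)+\b")   # heuristic: "First Last" style runs

    def __init__(self, aliases: Dict[str, str], strict: bool = False):
        self.aliases = dict(aliases)            # alias -> canonical real name, e.g. "Jamie" -> "Jamie Smith"
        self.strict = strict
        self.pseudonyms: Dict[str, str] = {}    # canonical name -> stable pseudonym (the per-participant map)
        self.others: Dict[str, str] = {}        # heuristic hits -> "Person n"
        self.audit_log: List[dict] = []         # append-only AI call audit log

    def _stable(self, canonical: str) -> str:
        return self.pseudonyms.setdefault(canonical, f"Participant {len(self.pseudonyms) + 1}")

    def detect(self, text: str) -> List[Candidate]:
        found: Dict[str, Candidate] = {}
        for alias, canonical in self.aliases.items():            # known participant names first
            if re.search(rf"\b{re.escape(alias)}\b", text):
                found[alias] = Candidate(alias, self._stable(canonical))
        for m in self.NAME_RE.finditer(text):                    # then anything that looks like a name
            term = m.group(0)
            if term not in found:
                found[term] = Candidate(term, self.others.setdefault(term, f"Person {len(self.others) + 1}"))
        return list(found.values())

    @staticmethod
    def resolve(c: Candidate, decision: str, replacement: Optional[str] = None) -> None:
        c.decision = decision
        c.final = replacement if decision == "edited" else None

    def apply(self, text: str, candidates: List[Candidate]) -> str:
        if self.strict and any(c.decision == "pending" for c in candidates):
            raise PermissionError("strict mode: resolve every candidate before Send")
        out = text
        for c in sorted(candidates, key=lambda c: -len(c.term)):   # longest first: "Jamie Smith" before "Jamie"
            if c.decision == "rejected":
                continue
            if c.decision != "edited":
                c.final = c.proposed   # assumption: outside strict mode a pending item gets the proposed pseudonym
            out = re.sub(rf"\b{re.escape(c.term)}\b", lambda _m, r=c.final: r, out)
        return out

    def remap(self, text: str, candidates: List[Candidate]) -> str:
        reverse: Dict[str, str] = {}
        for c in candidates:
            if c.final:
                reverse.setdefault(c.final, self.aliases.get(c.term, c.term))   # back to the canonical name
        out = text
        for pseud in sorted(reverse, key=len, reverse=True):
            out = re.sub(rf"\b{re.escape(pseud)}\b", lambda _m, r=reverse[pseud]: r, out)
        return out

    def send(self, text: str, candidates: List[Candidate], model: Callable[[str], str]) -> str:
        payload = self.apply(text, candidates)
        response = model(payload)
        self.audit_log.append({                                   # pseudonymised payload, never the original
            "ts": datetime.now(timezone.utc).isoformat(),
            "payload": payload,
            "candidates": [(c.term, c.proposed, c.decision, c.final) for c in candidates],
            "response": response,
        })
        return self.remap(response, candidates)


def fake_model(payload: str) -> str:
    """Constructed stand-in for the overseas API call; it must never see a real name."""
    assert "Jamie" not in payload and "Sarah" not in payload
    return "Participant 1 settles when SW1 offers a break; Ms Carter should pre-warn transitions."


def run_demo():
    gate = PseudonymGate({"Jamie Smith": "Jamie Smith", "Jamie": "Jamie Smith"})
    cands = {c.term: c for c in gate.detect(SAMPLE_NOTE)}
    gate.resolve(cands["Jamie Smith"], "confirmed")
    gate.resolve(cands["Jamie"], "confirmed")
    gate.resolve(cands["Sarah Lee"], "edited", "SW1")    # support worker: practitioner chooses a role code
    gate.resolve(cands["Ms Carter"], "rejected")         # teacher kept by name (narrative-document exception)
    return gate, gate.send(SAMPLE_NOTE, list(cands.values()), fake_model)


def strict_blocks_unresolved() -> bool:
    gate = PseudonymGate({"Jamie Smith": "Jamie Smith"}, strict=True)
    try:
        gate.apply(SAMPLE_NOTE, gate.detect(SAMPLE_NOTE))   # nothing resolved yet
    except PermissionError:
        return True
    return False
```

Two details are doing the security work here: the replacement pass runs longest term first so a bare first name never survives after the full name has been replaced, and the audit entry stores the pseudonymised payload rather than the source text, so reviewing the log later does not re-expose the names the gate removed.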
Anthropic safeguards reviewed for APP 8 purposes (the note referred to in Section 5):
- Anthropic contractually acts as a data processor; PracticeWise and the practitioner remain the controllers.
- Anthropic is contractually prohibited from training its models on your content.
- Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Multi-factor authentication and SSO are enforced across Anthropic’s production systems.
- Annual third-party penetration testing is conducted against Anthropic’s infrastructure.
- Inputs and outputs are auto-deleted within 30 days; all Customer Data is deleted within 30 days of agreement termination. Flagged content (suspected Usage Policy violations) may be retained for longer periods for trust and safety review.
- Anthropic’s Privacy Policy explicitly recognises Australian users and directs privacy complaints to the Office of the Australian Information Commissioner (OAIC).
- Anthropic’s DPA uses EU Standard Contractual Clauses for cross-border transfers; no Australia-specific transfer clause exists, but the substantive protections above satisfy APP 8’s “reasonable steps” requirement.
If cloud processing is not acceptable for a particular session, do not trigger transcription or any AI document feature for that recording. All core recording, ABC capture, function tagging, FERB tracking, MO data, and session reporting operate fully on-device without these features being used.
Your responsibilities with cloud features: You remain responsible for ensuring your use of these optional features complies with the NDIS Privacy Rule, the Australian Privacy Principles, and your organisation’s data governance policies. Where identifiability is a concern, use initials or participant codes rather than full names in any text that may be sent to the AI (e.g. in uploaded reports or document-generation prompts).
RevenueCat (subscription management)
PBSTrack uses RevenueCat to manage subscription entitlements via Google Play Billing. RevenueCat receives your subscription status and purchase history to verify your active tier. No clinical data, session data, or audio is transmitted to RevenueCat.
RevenueCat’s privacy policy: revenuecat.com/privacy
Google Play Store: The app is distributed through the Google Play Store. Google’s own privacy practices govern data collected by the Play Store during download and installation. See Google’s Privacy Policy for details.
Under the Privacy Act 1988 and the Australian Privacy Principles, you have the following rights in relation to the information PracticeWise holds about you:
- Access (APP 12). Request a copy of the personal information we hold about you, including your account details and the audit log of access events on your records.
- Correction (APP 13). Ask us to correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
- Deletion. Request deletion of your account and all associated data, either in-app (Settings → Account → Delete account) or by web request via the contact form. We will permanently remove your account and synced participant records from our cloud within 30 days. Step-by-step instructions and the full list of what is deleted are in Section 9 — How to request account & data deletion.
- Withdraw consent. Withdraw your consent to specific processing activities (for example, AI features) by disabling them in Settings. Withdrawal does not affect processing carried out before withdrawal.
- Complain. Raise a privacy concern with us, and if not satisfied, escalate to the Office of the Australian Information Commissioner.
Participant rights (where you are the data controller). The participants you record data about hold these same rights against you. PBSTrack is built to help you respond — the in-app records, exports, and audit log are designed so you can produce a complete copy of an individual’s data, correct it, or delete it on request.
How to exercise these rights. Use the contact form at practicewise.com.au/contact/. We aim to respond within 30 days, in line with OAIC guidance. If you are not satisfied with our response, you may complain directly to the Office of the Australian Information Commissioner at www.oaic.gov.au.
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For significant changes, we will notify users via an in-app notice or update release notes on the Google Play Store listing.
The current version of this policy is always available at practicewise.com.au/privacy-policy.
For privacy enquiries — including access, correction, or account-deletion requests — please use our contact form at practicewise.com.au/contact/.
We aim to respond within 30 days, in line with OAIC guidance. If you are not satisfied with our response, you may complain directly to the Office of the Australian Information Commissioner at www.oaic.gov.au.
This Privacy Policy is governed by the laws of Australia. PBSTrack is developed and operated in Australia. By using PBSTrack, you agree that any disputes relating to this Privacy Policy will be subject to Australian law.
