Privacy
Effective 31 May 2026 · Version 1.3
This Privacy Policy explains how True North Analytics ("we", "us", "our") handles personal information when you, your organisation, or your end-users use Accorda (the "Service"). True North Analytics operates as a sole trader from New South Wales, Australia (ABN 24 726 502 584).
This policy covers what we do as the operator of the Service. If you are an end-user accessing Accorda at the invitation of an organisation that has subscribed to the Service (your "Customer Organisation"), that organisation is the data controller for your personal information, and a separate notice applies inside the Service describing what they collect from you. This policy describes our role as their data processor.
True North Analytics is a sole-trader business operating Accorda from New South Wales, Australia. We hold an Australian Business Number (ABN 24 726 502 584). We are bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs").
For all privacy enquiries, contact us at privacy@accorda.com.au.
This policy covers:
It does not cover:
When you visit pages such as our marketing site or this policy, we may collect:
When an authorised representative of an organisation signs up for Accorda, we collect:
When end-users from a Customer Organisation use Accorda, the Service collects information *on behalf of the Customer Organisation* (which is the data controller). This typically includes:
We process this information solely on the instructions of the Customer Organisation, under our standard Data Processing Agreement.
We do not knowingly collect "sensitive information" as defined by the Privacy Act (such as health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or biometric data). End-users and administrators must not enter sensitive information into free-text fields in the Service. Customer Organisations are responsible for instructing their personnel accordingly.
Incident records and incident attachments may naturally include references to or information about your clients, patients, service recipients, or other vulnerable individuals. Incident records in regulated sectors (such as healthcare, aged care, NDIS, childcare, and other community services) commonly document events involving vulnerable people, and may therefore contain health information or information about safeguarding concerns. When recording incidents, the Customer Organisation must ensure: (1) that it has a documented lawful basis for collecting and recording the incident information under Australian privacy law and any other applicable law, (2) that consent has been obtained where required by law, and (3) that any attachments to incidents (such as photographs) do not contain identifiable information about such individuals unless absolutely necessary and lawfully authorised. Accorda is designed to support compliance management and incident tracking, but is not a specialised system for medical records, safeguarding case management, or the secure handling of sensitive incident media; if your incident records or attachments frequently contain sensitive information about vulnerable individuals, consider whether a more specialised system is appropriate.
We use personal information to:
We use end-user personal information only to operate the Service on the Customer Organisation's instructions. We do not use it for our own purposes, do not analyse it for advertising or product development beyond the operation of the Service, and do not sell or rent it.
We do not:
Accorda uses cookies that are strictly necessary for the operation of the Service, including session cookies issued during sign-in. We do not use third-party advertising cookies or cross-site tracking. If we add analytics in future, we will update this policy and seek consent where the law requires it.
We use the following subprocessors to deliver the Service. Each is bound by contractual and (where applicable) statutory obligations to handle personal information only for the purposes of operating Accorda:
We may add or replace subprocessors from time to time. Material changes are notified to administrators by email and reflected here.
We may disclose personal information where:
We do not disclose end-user personal information to other Customer Organisations.
Customer Organisations may upload documents and other content to Accorda (their "Customer Data"). The Customer Organisation is solely responsible for the lawful basis for collecting and uploading any personal information contained in Customer Data, including the personal information of their own employees, contractors, clients, patients, participants, and other third parties. We process Customer Data only on the Customer Organisation's instructions.
Customer Organisations should not upload personal information of their own end-customers, clients, or service recipients (such as patient records, client case files, or participant data) into Accorda except where strictly necessary for compliance documentation purposes and where they have a lawful basis to do so. See our Acceptable Use Policy for further detail.
The Service is operated from Australia, and primary processing of Customer Data occurs in the Sydney region. Some subprocessors (such as Stripe, Anthropic, Sentry, and Vercel's edge network) may process certain personal information outside Australia. Where this occurs, we rely on the protections offered by those providers' privacy programmes, which include contractual and (where applicable) statutory safeguards. By using the Service, you agree that your personal information may be processed in those locations.
We implement reasonable technical and organisational measures to protect personal information, including:
For incident attachments specifically, additional measures include: private, non-public file storage accessible only to authorised users within the same organisation; tenant-scoped access control enforced at the storage layer; automatic removal of image metadata (EXIF data including GPS, timestamps, camera information) to prevent unintended disclosure of location or device information; validation of file type and content to prevent malicious uploads; and audit logging of all attachment access and downloads.
No system can be guaranteed entirely secure. We will notify affected individuals and the Office of the Australian Information Commissioner ("OAIC") of any eligible data breach in accordance with the Notifiable Data Breaches scheme under the Privacy Act.
When a Customer Organisation's subscription ends, Customer Data (including incident records and any remaining attachments) is retained in accordance with the data export and deletion provisions of our Data Processing Agreement (typically a 30-day grace period for export, followed by deletion).
If you are an individual whose personal information we hold (whether as administrator, end-user, or otherwise), you have the right to:
For end-user information processed on behalf of a Customer Organisation, please direct such requests to that organisation in the first instance, as they are the data controller. We will assist them in responding under our Data Processing Agreement.
To exercise any of these rights, contact us at privacy@accorda.com.au. We will respond within 30 days.
Accorda is a workplace-compliance platform and is not directed at children. We do not knowingly collect personal information from individuals under 16. If you become aware that a child has provided personal information through the Service, contact us and we will delete it.
We may update this policy from time to time. When we make material changes, we will:
Continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes.
For all privacy enquiries, including to exercise your rights, contact:
True North Analytics
ABN 24 726 502 584
Email: info@accorda.com.au
Postal correspondence is not currently accepted; please use email.