
Privacy Policy

Last updated: 2026-05-18

1. Introduction

Pracworks Pty Ltd (“Pracworks”, “we”, “us”, “our”) operates the Pracworks clinical-operations and accreditation platform (the “Service”). We act as the data controller of personal information collected about Pracworks users, and as the data processor of clinic-owned operational content that your clinic enters into the Service.

This Privacy Policy explains what information we collect, how we use it, how we protect it, and what rights you have. It aligns with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. Information We Collect

2.1 Account information

  • Name, email address, role (e.g. PM, Clinician, Admin Staff), and clinic affiliation
  • Authentication metadata (sign-in timestamps, identity-provider identifiers for Google or Microsoft SSO if used)
  • Optional profile preferences (notification settings, display preferences)

2.2 Operational data (clinic-owned)

Content your clinic creates and stores within Pracworks: documents, tasks, incident reports, register entries, messages, calendar events, quick notes, and similar operational records. Your clinic owns this data; we hold it as a processor on your clinic’s behalf.

2.3 System & diagnostic data

  • IP address and rough geolocation derived from it
  • User-agent string (browser and operating system)
  • Page views and basic interaction events recorded for diagnostic and product-improvement purposes
  • Audit-trail entries recording who took which action and when (required for accreditation)

2.4 No third-party tracking

At present, Pracworks does not use any third-party advertising cookies, marketing pixels, behavioural analytics, or cross-site tracking. If this changes in future, we will update this Policy and notify you in advance.

3. Australian Privacy Act & APP Compliance

We handle personal information in line with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APP 1 through APP 13). In summary:

  • APP 1 (Open and transparent management) — this Policy is our public statement of practice; updates are announced.
  • APP 3 (Collection of solicited personal information) — we collect only information reasonably necessary for the Service.
  • APP 5 (Notification of collection) — collection is described here and at the point of capture (e.g. at signup).
  • APP 6 (Use and disclosure) — personal information is used for the purpose collected, or for a reasonably related secondary purpose that you would expect.
  • APP 11 (Security) — we take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access (see Section 6).
  • APP 12 (Access) and APP 13 (Correction) — see Section 9 below.

4. Notifiable Data Breach Scheme

We are subject to the OAIC Notifiable Data Breaches scheme. In the event of an eligible data breach — where personal information is accessed, disclosed, or lost in a way that is likely to result in serious harm — we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and in any event within 30 days of becoming aware of the breach.

Our incident-response process includes containment, forensic assessment, notification, and post-incident review. We will communicate with affected clinics directly via the primary account email on file.

5. Data Retention

  • Audit logs: retained for at least 7 years, aligned with RACGP record-keeping expectations and Australian healthcare record retention norms.
  • Soft-deleted content: when you delete a document, task, message, or register entry, it is held in a recoverable state for 30 days and then permanently deleted from active systems.
  • Account closure: upon account termination, your clinic’s data remains available for export for 30 days, after which it is permanently deleted from active systems.
  • Backups: encrypted backups may persist for up to 90 days for disaster-recovery purposes and are then overwritten on a rolling basis.

6. Security & Multi-Tenant Isolation

Pracworks is a multi-tenant platform. Every database query and API endpoint is scoped by a unique clinic identifier (“clinic id”), enforced at multiple layers (database, ORM, and authorisation policy). No request can read or write data outside its authenticated clinic context. This isolation is the single most important security boundary in the Service and is tested as part of our regression suite.

Additional controls include:

  • TLS encryption in transit (HTTPS) for all traffic
  • Encryption at rest for the production database
  • Role-based access control (RBAC) within each clinic
  • Audit logging of authentication and privileged actions
  • Principle of least privilege for staff accounts and operational tooling

No system is perfectly secure. We continue to invest in security controls, third-party scanning, and code review (every change is scanned for secrets, vulnerabilities, and dependency issues before merge).

7. Data Location

Pracworks data is hosted on infrastructure located in Australia (Sydney AU region) where supported by our subprocessors. Where a subprocessor cannot offer Australia-based hosting for a specific component, we will identify the region in the subprocessor list below and apply equivalent contractual protections.

If we ever need to materially change the storage region of your data, we will update this Policy and notify your clinic administrator in advance.

8. Subprocessors

We use the following subprocessors to operate the Service. Each is contractually bound to protect personal information consistent with this Policy:

  • Neon — managed PostgreSQL database hosting
  • Vercel — web-application hosting, edge functions, and blob storage
  • Resend — transactional email delivery (sign-in codes, notifications)
  • Ably — real-time messaging transport

Where we add or change subprocessors, we will update this list. For material changes (e.g. adding a subprocessor in a new region or with materially different access scope) we will give at least 30 days’ advance notice.

9. Your Rights

Under the Australian Privacy Act and the APPs, you have the right to:

  • Access — ask for a copy of personal information we hold about you (APP 12).
  • Rectification — ask us to correct personal information that is inaccurate, incomplete, or out of date (APP 13).
  • Erasure — ask us to delete personal information we no longer have a lawful reason to retain.
  • Data portability — receive a copy of your clinic’s data in a structured, machine-readable format, consistent with our export tooling.
  • Withdraw consent — where we rely on consent, withdraw it (this will typically end your access to the Service).
  • Complain — raise a privacy concern with us (Section 12) or with the OAIC at oaic.gov.au.

10. Cookies

Pracworks uses a small number of cookies and similar local-storage entries, all strictly necessary for the Service:

  • Session cookie (typically authjs.session-token or equivalent) — identifies your authenticated session.
  • CSRF protection cookie — protects against cross-site request forgery on form submissions.
  • UI-preference local-storage entries — e.g. sidebar expansion state, draft feedback text. Held in your browser, never transmitted to advertisers.

We do not use third-party analytics, advertising, or cross-site tracking cookies at present. If we later add optional analytics, we will update this section and seek appropriate consent.

11. Children’s Data

The Service is not directed to users under the age of 16, and we do not knowingly collect personal information from individuals under that age. If you become aware that a minor’s personal information has been entered into the Service, please contact us at privacy@pracworks.com.au so we can take appropriate action.

12. Contact for Privacy Requests

To exercise your rights, ask a question, or raise a privacy concern, contact us at privacy@pracworks.com.au. We will acknowledge requests within 5 business days and aim to respond substantively within 30 days, in line with the Privacy Act.

For other legal matters: legal@pracworks.com.au.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — for example a new subprocessor that processes sensitive information, a change in storage region, or the introduction of new tracking technology — we will notify you by email and/or in-product at least 30 days before they take effect. Non-material updates (clarifying language, contact-detail corrections) may be made without prior notice but will be reflected in the “Last updated” date below.