Privacy Policy

Last updated 23 May 2026

Nora Pty Ltd (ABN 20 929 099 264) ('Nora', 'we', 'us') operates nora.com.au and related services for Australian NDIS providers. This Privacy Policy explains how we collect, use, store, and disclose personal information when you use Nora, including participant and worker data entered into notes, service agreements, and related workflows. We are committed to handling information responsibly and transparently, in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Who we are

Nora is documentation and compliance software for NDIS providers, operated from Australia. We also operate NDIS Learning Hub (ndislearninghub.com), and Nora is built by the same team with the same focus on practical, standards-aware support for the sector.

Contact: support@nora.com.au · Website: nora.com.au · ABN 20 929 099 264.

2. Information we collect

We may collect the following categories of information:

  • Account and organisation details (name, email, role, organisation name, billing contact).
  • Participant and worker information you or your team enter into Nora (names, NDIS numbers, support details, goals, risks, contacts, and documentation content).
  • Notes, incident records, service agreements, attachments, and approval history created in your workspace.
  • Usage data (features used, timestamps, device/browser type, IP address, and logs needed for security and support).
  • Communications with us (support emails, contact forms, and careers interest submissions).
  • Payment-related information processed by our payment provider (we do not store full card numbers on our servers).

3. How we use information

We use personal information to provide and improve Nora, including generating and structuring documentation, running quality and safeguarding checks, enabling team workflows, billing, customer support, and security monitoring.

We may use de-identified or aggregated data to understand product usage and improve reliability. Where content is used to improve AI-assisted features, we do so in controlled ways described in section 6.

4. Access to your documentation

To operate Nora, authorised Nora personnel and subprocessors may access account and workspace data when necessary — for example to investigate a support request, fix a defect, prevent abuse, or meet a legal obligation.

We restrict internal access on a need-to-know basis and use administrative controls and audit logging where practicable. Your organisation controls which users within your team can view and approve documents.

5. Storage, security, and encryption

We store data using reputable cloud infrastructure providers with data centres appropriate to our service design. We apply technical and organisational measures including access controls, encryption in transit (TLS), and industry-standard hosting practices.

We are actively working to extend encryption for sensitive content at rest, including notes and service agreements. Until that rollout is complete for all environments, some content may be stored in forms that our systems and authorised personnel can access for operational and support purposes, as described in this policy.

No method of transmission or storage is completely secure. We encourage providers to use strong passwords, limit admin access, and follow your own policies for participant information.

6. AI features and model improvement

Nora includes AI-assisted drafting, validation, and Ask Nora policy guidance. To provide these features, content you submit (such as briefs, note drafts, and questions) may be processed by Anthropic (our AI provider) under our instructions. See section 8 for details.

We may use service interactions — which can include note and agreement content — to maintain, evaluate, and improve AI quality, safeguarding prompts, and product reliability. We do not sell your participant data. Where we use content for improvement, we apply access controls and aim to minimise use of identifiable information through aggregation or de-identification where appropriate.

Your organisation remains responsible for reviewing and approving all documentation before it is relied upon clinically, operationally, or for compliance purposes.

7. Disclosure to third parties

We may disclose information to:

  • Subprocessors listed in section 8 that help us run Nora (under contractual confidentiality and security obligations).
  • Professional advisers (lawyers, accountants) where required.
  • Regulators, courts, or law enforcement when required by Australian law or to protect rights, safety, or security.
  • Another party with your consent or at your organisation's direction (for example exports you generate).

8. Subprocessors we use

We use the following categories of service providers to operate Nora. They process personal information on our instructions and only for the purposes described below. We assess providers for security and privacy before use and require appropriate contractual protections where practicable.

This list reflects our subprocessors as at the last updated date above. We may add or replace providers as the product evolves. Material changes may be reflected in an updated policy or, where appropriate, notified to account holders.

  • Supabase

    Purpose: Authentication, database, and file storage for the Nora application
    Data involved: Account details, organisation and workspace data, participant records, notes, service agreements, attachments, and support form submissions
    Typical location: Australia, United States, or other regions per project configuration
    Supabase privacy policy →
  • Anthropic

    Purpose: AI-assisted drafting, validation, and Ask Nora policy guidance
    Data involved: Text you submit for generation or review, such as note briefs, drafts, and policy questions (may include participant-related content entered by your team)
    Typical location: United States
    Anthropic privacy policy →
  • Resend

    Purpose: Transactional email delivery
    Data involved: Email addresses and message content for team invites, contact forms, careers interest, and related service notifications
    Typical location: United States
    Resend privacy policy →
  • Stripe

    Purpose: Subscription billing and payment processing
    Data involved: Billing contact details, payment method metadata, and transaction records (we do not store full card numbers on our servers)
    Typical location: United States, Australia, and other regions per Stripe configuration
    Stripe privacy policy →
  • Vercel

    Purpose: Hosting the Nora marketing site, dashboard, and application infrastructure
    Data involved: Technical logs, IP addresses, cookies, and content transmitted when you use Nora
    Typical location: United States and other regions per Vercel configuration
    Vercel privacy policy →

9. Overseas disclosure

Several subprocessors in section 8 may process data outside Australia, including in the United States. Where personal information is disclosed overseas, we take reasonable steps to ensure recipients handle it in a manner consistent with the Australian Privacy Principles, including contractual protections and provider security standards.

By using Nora, you acknowledge that participant and account data you enter may be processed in these locations to deliver the service.

10. Retention

We retain personal information for as long as your account is active and as needed to provide the service, comply with law, resolve disputes, and enforce agreements. You may request deletion of your account subject to legal and backup retention requirements.

11. Your rights

Depending on your role and applicable law, you may request access to, or correction of, personal information we hold about you. Organisation administrators may manage much of the participant and worker data directly within Nora.

If you have concerns about our handling of personal information, contact support@nora.com.au. You may also lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au).

12. Cookies and analytics

We use cookies and similar technologies for authentication, security, and to understand how the marketing site and product are used. You can control cookies through your browser settings; some features may not function if cookies are disabled.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the current version at nora.com.au/legal/privacy with an updated 'Last updated' date. Material changes may be notified via email or in-product notice where appropriate.

Questions about this policy? Contact support@nora.com.au.