Sahajilo CRM – Privacy Policy
This Privacy Policy explains how Sahajilo collects, uses and protects personal information when you use our CRM and NDIS tools.
1. Who we are
In this Privacy Policy, Sahajilo, we, us or our means the Sahajilo business operating the CRM and NDIS tools (ABN / entity details to be inserted by you).
Our Service is primarily provided to organisations such as NDIS and disability service providers (Customer Organisations), who then use the Service to manage information about their participants, staff, contractors and other contacts.
2. Scope of this policy
This Privacy Policy applies to personal information we collect and handle in connection with the Service, including:
- information about users who create and manage accounts (for example, staff of Customer Organisations); and
- personal information about participants, clients and others that Customer Organisations choose to store or process in the Service (Customer Data).
For much of the Customer Data, the relevant Customer Organisation is primarily responsible for privacy compliance and notice to individuals. We act as a service provider / processor on their behalf. If you are a participant or client of a Customer Organisation, you should also review that organisation’s own privacy policy.
3. Information we collect
3.1 Information you or your organisation provide directly
We may collect the following types of personal information:
- Account and contact details – name, role, organisation, email address, phone number, login details.
- Organisation details – company name, ABN, business address, billing contact, NDIS-related information you choose to store.
- Customer Data – information about participants, clients, staff and others that you enter into the Service, which may include:
  - identifiers (name, contact details, date of birth);
  - support information, rosters, service agreements, notes and documents;
  - potentially sensitive health, disability or support-related information, where you choose to store this in the Service.
- Support and communication – information you provide when you contact us for help, submit a help-desk ticket, or respond to surveys and feedback.
3.2 Technical and usage information
When you use the Service, we may also collect:
- log data (such as IP address, browser type, pages viewed, date/time of access);
- device information (such as device type, operating system and approximate location based on IP);
- usage data (such as features used, actions taken and time spent) to help us improve performance, security and user experience.
4. How we collect personal information
We collect personal information in several ways, including:
- when you or your organisation create an account or profile in the Service;
- when you enter or upload data, documents or notes into the Service;
- when you contact us by email, phone, support form or other channels;
- through automated means (such as logs, cookies and similar technologies);
- from third parties where permitted (for example, an integration or another system you connect to our Service).
5. How we use personal information
We use personal information for purposes including:
- Providing and operating the Service – to create and manage user accounts, process data, generate reports, and enable features you request.
- Support and communication – to respond to enquiries, help-desk tickets and feedback; to send important service messages (for example, security alerts or changes to features).
- Improving the Service – to monitor, analyse and improve usability, performance and security, including by producing de-identified or aggregated statistics.
- Billing and administration – to manage subscriptions, invoicing and payments where applicable.
- Legal and compliance – to comply with our legal obligations, respond to lawful requests from authorities, and protect our rights and the rights of others.
- Optional marketing – to send information about new features, resources or services where permitted by law. You can opt out of marketing communications at any time.
6. Legal bases for processing (where relevant)
For individuals in jurisdictions that require a legal basis for processing (for example, the EU or UK), we generally rely on one or more of the following:
- performance of a contract with you or your organisation;
- our legitimate interests in operating, securing and improving the Service;
- your consent, where we rely on consent (for example, certain marketing or optional features);
- compliance with legal obligations.
Where your organisation uses the Service, we typically act on their instructions as a processor / service provider. Your organisation’s legal basis will depend on its own role and policies.
7. Sharing and disclosure of personal information
We may share personal information with:
- Service providers and contractors – such as hosting providers, email and notification services, analytics providers and technical support, who help us operate the Service. They are only authorised to use the information as needed to provide their services to us.
- Customer Organisations – where we are processing Customer Data on their behalf, the data is available to them and to their authorised users.
- Professional advisers – such as lawyers, accountants and auditors, under confidentiality obligations.
- Authorities – where required by law, regulation, court order or regulatory request, or to protect the safety, rights or property of any person.
- Business transfers – in connection with a merger, acquisition, restructuring or sale of all or part of our business, in which case we will take reasonable steps to ensure appropriate protections and notice where required.
We do not sell personal information as a standalone asset for unrelated marketing purposes.
8. International transfers
Our infrastructure and service providers may be located in Australia and in other countries. This means personal information may be transferred to, and stored on, servers in jurisdictions that may have different privacy laws from your home jurisdiction.
Where required by law, we will take reasonable steps to ensure that any overseas recipient will handle personal information in a way that is consistent with the Australian Privacy Principles or other applicable requirements (for example, by using contractual protections).
9. Security
We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Measures may include:
- encryption in transit via HTTPS;
- access controls and authentication for user accounts;
- regular updates and monitoring of our infrastructure;
- backups and disaster recovery processes.
However, no system can be guaranteed to be completely secure. You are responsible for keeping your login credentials secure and for choosing strong passwords.
10. Data retention
We retain personal information for as long as reasonably necessary to provide the Service, fulfil the purposes described in this Policy, comply with legal obligations, resolve disputes and enforce our agreements.
When a subscription ends, we may retain Customer Data for a limited period for backup, audit or legal purposes, after which it may be deleted or de-identified, in accordance with our internal policies and any agreements with the relevant Customer Organisation.
11. Your rights and choices
Under the Privacy Act 1988 (Cth), you may have the right to access and request correction of personal information we hold about you, subject to certain exceptions.
You may also:
- update your details by logging into your account (where available);
- opt out of marketing emails by using the unsubscribe link or contacting us; and
- lodge a privacy complaint with us using the contact details below. If you are not satisfied with our response, you may be able to contact the Office of the Australian Information Commissioner (OAIC).
If we process your information on behalf of a Customer Organisation, we may need to refer your request to that organisation.
12. Cookies and similar technologies
We may use cookies and similar technologies to:
- keep you logged in and maintain session security;
- remember your preferences and settings;
- understand how the Service is used and improve performance.
You can usually control cookies through your browser settings. However, disabling certain cookies may affect the functionality of the Service.
13. Children
The Service is designed for use by organisations and their authorised staff, not directly by children. While Customer Data may include information about participants who are children or minors, this is managed under the responsibility of the relevant Customer Organisation.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to notify you (for example, by email or via the Service). The updated Policy will take effect from the stated effective date.
15. Contact us
If you have any questions, concerns or complaints about privacy or this Policy, please contact us:
Sahajilo – Privacy Enquiries
Email: info@sahajilo.com