Privacy Policy

1. Information we collect

1.1 Business Information (All Tools)

When you use any of our document builder tools, we collect business information to generate your customised documents:

• Business/organisation name
• Business address
• Business phone number
• Business email address
• Your role/position within the organisation

1.2 Additional Information (Verification Pack Only)

For the paid Verification Pack tool, we also collect:

Account Information:

• Your name (first and last)
• Email address (used as your account username)
• Password (stored securely using WordPress password hashing)

Organisation Profile Data:

• NDIS registration groups
• Worker engagement types (employees, contractors, sole operator)
• Service delivery methods and locations
• Data storage preferences
• Compliance confirmations

Policy Form Responses:

• Incident management procedures and preferences
• Complaints handling procedures
• HR and workforce management details
• Risk management and WHS information

Uploaded Images:

• Organisation logo (JPEG, PNG, GIF, or WebP format only)
• Used for document branding and colour extraction

Payment Information:

• Payment is processed securely by Stripe
• We do NOT store your credit card details on our servers
• We receive confirmation of successful payment from Stripe
• See Section 6 for details on payment processing

1.3 What We Do Not Collect

The information you provide relates only to your business operations and the systems you wish to implement.

2. How we use your information

2.1 Free Tools

Your information is used solely to:

• Generate your customised policy, procedure, or register documents
• Deliver documents to your email address (if you choose to provide one)

2.2 Verification Pack (Paid Tool)

Your information is used to:

• Create and manage your user account
• Process your one-time payment via Stripe
• Generate your customised policy manual and supporting documents
• Pre-fill your organisation details across multiple forms
• Send transactional emails (see Section 7)
• Provide customer support if you contact us

2.3 What We Do Not Use Your Information For

3. How we store your information

3.1 Free Tools - Temporary Storage

Download tokens:

• Used to generate your secure document download link
• Stored for a maximum of 30 minutes
• Automatically deleted after your document is downloaded
• Deleted even if you do not complete the download

Form submissions:

• Your form responses are stored in our secure WordPress database
• Submissions are automatically deleted after 7 days
• This allows us to provide support if you experience any issues

Generated documents:

• Documents are NOT stored on our servers
• They are created on-demand and streamed directly to you

3.2 Verification Pack - User Accounts and Data Retention

User Accounts:

• Your account (email, password, name) is retained permanently
• You paid for lifetime access to the tool
• You can request account deletion at any time (see Section 8)

Form Data Retention:

• Your form responses are stored while you actively use the tool
• Data is automatically deleted after 30 days of inactivity
• After downloading your documents, data is deleted after 7 days
• You receive warning emails before any automatic deletion

Inactivity Timeline:

• 23 days inactive: Warning email sent with "Keep My Data" option
• 30 days inactive: Form data deleted (account remains active)

Post-Download Timeline:

• Immediately after download: Confirmation email with 7-day notice
• 7 days after download: Form data deleted (account remains active)

Uploaded Images (Logos):

• Stored in WordPress media library while your account has data
• Deleted when your form data is deleted
• Only accessible to you and site administrators

3.3 Data Portability (Verification Pack)

JSON Backup:

• Your document download includes a backup file (my-policy-data.json)
• This contains all your form responses in a portable format
• You can use this to restore your data if it's been deleted
• The backup is secured with an email hash - only you can restore it

Restoring Data:

• Upload your JSON backup via the dashboard Account tab
• Your data is verified against your email before restoration
• You cannot restore another user's data

4. User accounts (Verification Pack only)

4.1 Account Creation

When you purchase the Verification Pack:

• A WordPress user account is created automatically
• Your email address becomes your username
• A secure password is generated or you choose one
• You are assigned the "Verification Pack User" role

4.2 Account Security

• Passwords are hashed using WordPress secure hashing (not stored in plain text)
• Login sessions use WordPress authentication cookies
• You can reset your password at any time via the standard process
• We recommend using a strong, unique password

4.3 Account Persistence

• Your account remains active even after form data is deleted
• This ensures you retain access to the tool you paid for
• You can start fresh or restore from backup at any time
• To delete your account entirely, contact us (see Section 8)

5. Security measures

5.1 Technical Security (All Tools)

• HTTPS encryption on all data transmission
• CSRF (Cross-Site Request Forgery) protection on all forms and downloads
• Input sanitization to prevent injection attacks
• Secure, cryptographically random tokens for download links

5.2 Additional Security (Verification Pack)

• Rate limiting on sensitive operations (prevents brute force attacks)
• Token-based authentication for sensitive actions (e.g., "Keep My Data" links)
• One-time use tokens that expire after use
• File upload validation:
  • Only JPEG, PNG, GIF, and WebP images allowed
  • MIME type verification
  • Image content validation (getimagesize check)
  • SVG files blocked due to security risks
• Path traversal prevention on file operations
• User data isolation (you cannot access other users' data)
• Ownership verification on uploaded files

5.3 Data Minimisation

• We only collect information necessary to generate your documents
• Free tools do not require account creation
• We do not retain data beyond necessary periods
• Form data is automatically deleted per our retention schedule

6. Payment processing (Verification Pack only)

6.1 Stripe Payment Processor

All payments are processed securely by Stripe:

• We do NOT store your credit card details on our servers
• Card information is entered directly into Stripe's secure form
• We only receive confirmation of successful/failed payment
• Stripe is PCI-DSS Level 1 certified (highest security standard)

6.2 What Stripe Receives

When you make a payment, Stripe processes:

• Your credit/debit card details
• Your name and email address
• Transaction amount ($370 AUD including GST)

6.3 Stripe's Privacy Policy

Stripe handles your payment data according to their privacy policy: https://stripe.com/au/privacy

6.4 Refunds

• Refund requests are handled manually via our support email
• If a refund is processed, your Verification Pack access is revoked
• Your user account may be retained or deleted at your request

7. Email communications

7.1 Free Tools - Document Delivery Only

If you provide an email address:

• Your document is emailed via our email service provider (Brevo)
• This is a transactional email only - it contains your requested document
• Your email address is not added to any mailing list
• Your email address is deleted within 30 minutes of form submission

7.2 Verification Pack - Transactional Emails

We send the following automated emails:

Account Emails:

• Registration confirmation with login details
• Password reset emails (when requested)
• Tax invoice/receipt on successful payment

Inactivity Warning (at 23 days inactive):

• Notifies you that your data will be deleted in 7 days
• Contains a "Keep My Data" button to reset the timer
• Sent only once per inactivity period

Download Confirmation (immediately after download):

• Thanks you for completing the tool
• Explains the 7-day data retention period
• Reminds you about the JSON backup file

7.3 No Marketing Emails

8. Your rights under the Australian Privacy Principles

You have the right to:

• (a) Access: Request access to any personal information we hold about you
• (b) Correction: Request correction of inaccurate information
• (c) Deletion: Request deletion of your data or account
  • Free tools: Data is automatically deleted within 7-30 days
  • Verification Pack: Contact us to request account deletion
• (d) Data Portability: Export your data
  • Verification Pack includes JSON backup in every download
• (e) Complaint: Lodge a complaint about our handling of your information

To exercise these rights, contact us at: support@paperbarkqc.com.au

We will respond to all requests within 30 days.

9. Third-party services

We use the following third-party services:

(a) VentraIP (WordPress Hosting)

• Our website is hosted by VentraIP, an Australian hosting provider
• Your data is stored on servers located in Australia
• VentraIP privacy policy: https://ventraip.com.au/legal/privacy-policy/

(b) Gravity Forms

• Form processing is handled by the Gravity Forms plugin
• Privacy policy: https://www.gravityforms.com/privacy/

(c) Brevo (email delivery)

• Transactional emails are sent via Brevo
• Privacy policy: https://www.brevo.com/legal/privacypolicy/

(d) Stripe (Verification Pack payments only)

• Payment processing is handled by Stripe
• We do not receive or store your card details
• Privacy policy: https://stripe.com/au/privacy

We do not sell, trade, or transfer your information to any other parties.

10. Cookies and tracking

10.1 Free Tools

• Do not use cookies to track your activity
• Do not use analytics tracking on the form pages
• Do not create user profiles or track behaviour across sessions

10.2 Verification Pack

• Uses WordPress authentication cookies for login sessions
• Does not use third-party analytics or tracking cookies
• Does not create marketing profiles or track behaviour

Standard WordPress functionality may use session cookies for form processing and authentication, but these do not track or identify you for marketing purposes.

11. Children's privacy

Our document builder tools are designed for business use by NDIS providers. We do not knowingly collect information from children under 18. The business information collected relates to organisations, not individuals.

12. Changes to this policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date.

For significant changes affecting the Verification Pack:

• We may notify registered users via email
• Continued use of the tool constitutes acceptance of changes

We encourage you to review this policy periodically.

13. Contact us

If you have questions about this Privacy Policy or our data practices, please contact us:

For privacy complaints that are not resolved to your satisfaction, you may contact the Office of the Australian Information Commissioner (OAIC):

• Website: https://www.oaic.gov.au
• Phone: 1300 363 992