Your privacy matters.
We handle NDIS plan data and health information. Here is exactly what we collect, why, and how we protect it — written in plain English.
1. About this policy
This Privacy Policy explains how PlanMind collects, uses, stores, and discloses personal information, including sensitive health and disability information. It is written to comply with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs), and to reflect our additional obligations in handling information relating to NDIS participants.
What PlanMind is. PlanMind is an AI-powered self-service platform that helps NDIS participants, families, and carers do more themselves. Our live tools are:
- Plan Decoder — upload a PDF, DOCX, or image of your NDIS plan and receive a plain-English summary with budget breakdown
- Jargon Buster — explain NDIS terms and acronyms in everyday language
- NDIS Glossary — searchable reference of 50+ NDIS terms
- Budget Calculator — track and plan spending against a participant's plan budget with live rate data
- Goal Planner — draft NDIS goals in the SMART format the NDIA expects
- Support Letter Generator — draft letters to the NDIA (e.g. plan review requests, assistive technology evidence)
What PlanMind is not. PlanMind is not an NDIS provider. We do not deliver supports or services. We do not employ, match, roster, book, or pay support workers. We do not collect or handle NDIS funds. We are not a plan manager or support coordinator. We do not currently operate a provider directory, and we do not currently act as a “platform provider” within the meaning of the NDIS Act 2013 (Cth).
Operator: Rounak Shrivastava, ABN 65 282 442 851, trading as “PlanMind”
Address: 85 Victoria Road, Parramatta, Sydney NSW 2150
Contact: privacy@planmind.com.au
Although PlanMind may be operated by a sole trader whose turnover is below the $3 million small business threshold, PlanMind handles health information as defined in section 6 of the Privacy Act. Under section 6D(4)(b), any entity that provides a health service and holds health information is an “APP entity” and must comply with the Privacy Act regardless of turnover. We treat ourselves as a full APP entity and apply all APPs.
By using the PlanMind website or app (the “Service”), you agree to this Privacy Policy. If you do not agree, please do not use the Service.
2. Summary (plain English)
If you only read one section, read this.
- ✓ PlanMind gives you AI tools to understand and manage your NDIS plan yourself. We are not a provider, plan manager, or worker-matching platform.
- ✓ We collect the minimum information we need. We never ask for your Medicare number, Centrelink CRN, bank details, or full NDIS plan number.
- ✓ We never store the content of NDIS plans you upload to the Plan Decoder. The document is processed in memory and discarded as soon as your summary is returned.
- ✓ Budget Calculator, Goal Planner and Support Letter drafts that you choose to save are stored in Australia (Supabase, Sydney region). You can delete them at any time.
- ✓ Some of our suppliers (Clerk, Stripe, Vercel, Anthropic, Resend, Google Analytics) process data in the United States under APP 8 cross-border protections.
- ✓ We never sell your personal information. We never use your plan content, budget data, or goals to train AI models.
- ✓ You can ask us at any time to show you what we hold, correct it, or delete it.
3. Who this policy applies to
This policy applies to:
- Participants, families, and carers — people using PlanMind tools to plan, budget, draft goals, or write letters.
- Visitors — anyone browsing the Service without an account.
If PlanMind adds a provider-facing service or provider search feature in the future (see section 18), we will update this policy and notify registered users before the new feature goes live.
4. What personal information we collect
4.1 Information you give us directly
Everyone who signs up: Name or chosen display name, email address, optional phone number. Password is handled and encrypted by Clerk — PlanMind never sees it.
Your account profile: If you choose to provide it, your Australian postcode and state/territory. This is optional and used only to improve tool relevance (e.g. state-specific NDIS provider search). You can delete or update it at any time.
Plan Decoder: The NDIS plan document you upload (PDF, Word/DOCX, JPG, or PNG) is processed ephemerally and not stored (see section 6.1). You may save an AI-generated summary to your account if you choose to.
Budget Calculator: NDIS plan budget amounts by category (as numbers, not document content), purchases, hours, or expenses you log, and notes you attach.
Goal Planner: Goals you draft, the category or life-area you choose, and optional disability type or support context.
Support Letter Generator: The situation you describe, any names or facts you include in the letter, and the finished draft if you save it.
4.2 What we never ask for
4.3 Information collected automatically
Via Vercel logs and Google Analytics 4: IP address, approximate location, device type, browser, pages visited, referring URL, time on page, and search terms entered on our site.
4.4 Information from third parties
Clerk provides authentication events. Stripe provides payment events and subscription status. We do not currently pull data from the Australian Business Register or NDIS Provider Register.
5. Sensitive information and consent
Under the Privacy Act, health information (including disability-related information) is “sensitive information” and carries extra protection under APP 3.
Several PlanMind tools may involve you sharing sensitive information — for example, describing your disability when drafting a goal, or uploading a plan that mentions your diagnoses. We only collect sensitive information with your express consent, obtained through a clear, unambiguous opt-in at the point of collection (for example, a tick-box before the Plan Decoder processes your upload).
You can always choose not to share sensitive information. The tools will still work — they will simply produce more generic output.
6. The AI tools and what happens with your data
PlanMind uses Anthropic's Claude API to power the AI in our tools.
6.1 Plan Decoder
- You upload a PDF, Word document (DOCX), JPG, or PNG image of your NDIS plan.
- The content is extracted on our server, sent to Claude, and a structured summary with budget dashboard is streamed back to you.
- The plan content is never stored in our database. It exists only for the duration of the HTTP request (typically under 30 seconds).
- Follow-up chat questions are held only in your browser's memory for that session and discarded when you close the tab.
- If you save the AI-generated summary to your account, only the summary is stored — not the original document.
- We never train any AI model on your plan content. We never share plan content with anyone.
6.2 Jargon Buster
- You type an NDIS term; we send it to Claude and stream back a plain-English explanation.
- We may log the term looked up (not your identity) to improve the glossary. Free-text context you add is not retained.
6.3 Budget Calculator
- Budget amounts, hours, spending entries, and notes you enter are processed in your browser. Nothing is stored server-side from the Budget Calculator.
- NDIS support category rates displayed are sourced from the published 2024–25 NDIS Price Arrangement and Price Limits. They are updated annually.
6.4 Goal Planner
- Goals you draft are saved to your account. You can edit and delete them.
- When you ask the AI to refine a goal, the draft is sent to Claude without your name or email.
- The AI output is a suggestion, not advice. Your goals belong to you.
6.5 Support Letter Generator
- The situation description and details you enter are sent to Claude to produce a draft letter.
- Drafts are saved to your account only if you choose to save them. You can delete them at any time.
- The AI-drafted letter is a suggestion, not legal advice. You are responsible for reviewing it before sending.
- A one-time payment of $9.99 (via Stripe) is required to generate and download a letter. Card data is handled solely by Stripe — we never see or store card numbers.
6.6 Anthropic's handling of your data
When PlanMind calls the Claude API, Anthropic processes the data on servers in the United States. Under Anthropic's commercial API terms:
- Anthropic does not use API inputs or outputs to train its models under its standard commercial API agreement.
- Anthropic may retain API inputs and outputs for up to 30 days for Trust & Safety review (abuse detection and policy enforcement), after which they are deleted. Refer to Anthropic's current Usage Policy for the latest terms.
You consent to this cross-border disclosure when you use an AI tool. If you do not want your information processed outside Australia, please do not use the AI tools.
6.7 AI is not advice
Output from any PlanMind tool is general information only — not clinical, medical, legal, financial, or NDIS plan management advice. Always review AI-generated drafts before acting on them. If your situation is complex, speak to your support coordinator, plan manager, LAC, advocate, or a qualified professional.
7. Why we collect your information
- To operate the Service — create accounts, authenticate logins, save your work
- To run the AI tools listed in section 6
- To save outputs you choose to keep (summaries, budgets, goals, letters)
- To process any paid subscription payments and manage billing
- To send transactional emails (account confirmations, password resets)
- To detect fraud, abuse, spam, and breaches of our Terms of Service
- To comply with legal obligations and respond to lawful requests
- To improve the Service using aggregated, de-identified analytics
We will only use your information for a secondary purpose (such as direct marketing) where you would reasonably expect it, or with your consent, consistent with APP 6.
8. Direct marketing
We may send you occasional product update emails or NDIS news digests.
- You can opt out at any time via the “unsubscribe” link in any marketing email, or by emailing us.
- We do not sell or rent your contact details to third-party marketers.
- Marketing emails are sent via Resend (see section 10).
- We do not send direct marketing using sensitive information.
- You will be removed from marketing lists when you unsubscribe or delete your account, whichever is earlier.
9. How we disclose your information
We disclose personal information only to the parties listed in section 10 and for the purposes in section 7.
We will disclose when:
- ✓ You ask us to
- ✓ Required by Australian law (subpoenas, warrants, regulator requests)
- ✓ Necessary to lessen a serious threat to life or safety under section 16A
We will never:
- ✕ Sell personal information to anyone
- ✕ Share your plan uploads, goals, or budget entries with any provider or broker
- ✕ Use your data to train AI models
- ✕ Disclose to NDIS providers or coordinators without your explicit instruction
10. Third parties who process data on our behalf
Each supplier is bound by terms that require it to protect personal information.
| Supplier | Role | Data location | Data involved |
|---|---|---|---|
| Supabase | Primary database, file storage, RLS | Sydney, AU (ap-southeast-2) | Account data and saved outputs |
| Clerk | User authentication, session management | United States | Name, email, password hash, login metadata |
| Stripe | Payments and subscriptions | United States and globally | Billing name, address, card token |
| Anthropic (Claude API) | AI inside all tools | United States | Inputs to each AI tool (ephemerally processed) |
| Vercel | Website hosting, edge network | United States and globally | IP address, request logs, error logs |
| Resend | Transactional and marketing email | United States | Name, email, email content |
| Google Analytics 4 | Website analytics | Globally | IP address (anonymised at collection), page views, user agent |
| Cloudflare R2 | File and media storage | Globally (Cloudflare network) | Uploaded files processed by AI tools, stored temporarily pending deletion |
| Google Search Console | SEO performance data | Globally | Aggregated search query data only |
Supabase Australian hosting ensures that all persistent user data you save (accounts, budgets, goals, letters, summaries) stays in Australia.
12. Security of personal information
| Control | Detail |
|---|---|
| Encryption in transit | All traffic uses HTTPS/TLS 1.2 or higher |
| Encryption at rest | Supabase encrypts all data at rest using AES-256 |
| Row-Level Security | Every database table uses Supabase RLS |
| Access control | Admin access limited to operator, protected by 2FA |
| Password security | Passwords hashed and managed by Clerk — we never see them |
| Payment security | Card data handled solely by Stripe (PCI DSS Level 1) |
| Secret management | API keys stored in encrypted environment variables |
| Monitoring | Vercel and Supabase logs monitored for abuse patterns |
No online service can guarantee perfect security. If we become aware of a data breach likely to result in serious harm, we will comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act and notify affected individuals and the OAIC as soon as practicable.
13. Your rights
To exercise any of these rights, email privacy@planmind.com.au with enough information to identify you. We may ask for verification before acting.
14. How long we keep your information
| Data type | Retention |
|---|---|
| Account basics (name, email) | While your account is active, plus 90 days after deletion for fraud prevention |
| Saved Plan Decoder summaries | Until you delete them, or until you delete your account |
| Budget Calculator entries | Until you delete them, or until you delete your account |
| Goal Planner drafts | Until you delete them, or until you delete your account |
| Support Letter drafts | Until you delete them, or until you delete your account |
| Original Plan Decoder uploads | Not stored (ephemeral — discarded after processing) |
| Jargon Buster free-text context | Not stored |
| Payment records (if applicable) | 7 years (Australian tax law) |
| Server logs (Vercel) | 30 days |
| Backups (Supabase) | 30 days rolling |
| Marketing email lists | Until you unsubscribe, or when you delete your account (whichever is earlier) |
When retention periods end, information is deleted or irreversibly de-identified.
15. Children and minors
PlanMind is not directed at children under 18. We do not knowingly collect personal information from a person under 18 without verifiable parental or guardian consent.
Many NDIS participants are children or young people. If you are a parent, guardian, or NDIS-appointed nominee acting on behalf of a participant under 18, you may use the Service on their behalf — you are responsible for ensuring you have the authority to do so under the participant's NDIS plan, and for any information you disclose about them. We treat information about minors with the same protections as other sensitive information and apply additional caution in accordance with the OAIC's guidance on children's privacy.
16. Complaints
If you think we have breached the Privacy Act or the APPs, please contact us first at privacy@planmind.com.au with the subject line “Privacy Complaint”. We will acknowledge within 5 business days and aim to resolve within 30 days.
If you are not satisfied with our response, you can complain to the:
Office of the Australian Information Commissioner (OAIC)
GPO Box 5288, Sydney NSW 2001
Phone: 1300 363 992
PlanMind is not an NDIS provider. If you have a complaint about an NDIS provider, plan manager, or support coordinator, contact the NDIS Quality and Safeguards Commission on 1800 035 544 or at ndiscommission.gov.au.
17. Changes to this policy
When we update this policy we will:
- Post the updated policy at this URL with a new Effective date and Version
- Notify registered users by email at least 14 days before material changes take effect
- For changes requiring consent (new uses of sensitive information, new features like provider search), ask for renewed consent before applying them to your account
Continued use of the Service after the effective date means you accept the updated policy.
18. Future features
Any feature that would materially change how we collect or use personal information — for example, a provider directory, provider-enquiry system, reviews, or any feature that connects participants with workers or handles NDIS funds — will only be launched after:
- We update this Privacy Policy with clear disclosure of the new data flows
- We obtain fresh consent from registered users where the change affects them
- We complete any regulatory review required under the NDIS Act 2013 (Cth), including a fresh assessment of whether we fall within the definition of a 'platform provider'
Until then, PlanMind is a self-service tools platform only.
19. Contact us
PlanMind
Rounak Shrivastava, ABN 65 282 442 851, trading as PlanMind
Email: privacy@planmind.com.au
85 Victoria Road, Parramatta, Sydney NSW 2150
We are the privacy officer contact point for PlanMind under APP 1.4. If you prefer to write in a language other than English, or need this policy in an accessible format (large print, plain text, screen-reader friendly), please email us and we will accommodate your request at no cost.
This policy was last reviewed on 21 April 2026 (Version 1.2). If there is any inconsistency between this document and the version on our website, the website version prevails.