← CaseFlow Note

Privacy Policy

1. The relationship this policy sits inside

Before anything else, it's worth being clear about who is responsible for what.

The organisation you work for — the ACCO, NDIS provider, or family services organisation — is the data controller. They decide what information is collected and why, and they remain accountable to their clients and families for it. That's their relationship, not ours.

Flow Outcomes acts as a data custodian. We hold and process information securely on the organisation's behalf, only to provide the CaseFlow Note service, and never for any other purpose. Think of us as the secure vault the organisation puts its case notes into — not the owner of what's inside it.

2. Who this policy is for

It also touches on how we handle information about clients and families that appears within case notes. Clients and families are not users of CaseFlow Note themselves — their information reaches us because a practitioner recorded it as part of their work, under the organisation's own consent arrangements. Questions about how a specific organisation collects consent should go to that organisation, not to us.

3. What we collect

Account information — your name, work email address, and organisation affiliation, so we can set up and manage your account and seat.

Case note content — what a practitioner records during the guided question flow: names as spoken, details of the interaction, observations, and any concerns raised. We don't strip, alter, or de-identify this information. Case note content is protected by where and how it's stored — Australian-hosted infrastructure, encryption, and strict separation between organisations (see section 6) — not by changing what's written in it.

Voice input — if you use voice capture, your speech is transcribed by your device's own speech recognition: on-device where your phone or tablet supports it, and otherwise via your device platform's speech service (Apple's or Google's, depending on your device). Either way, the audio itself is never sent to Flow Outcomes and is not retained by us — only the resulting text becomes part of your note. Where the fallback path is used, it is subject to Apple's or Google's own processing of speech audio for transcription, not ours; we'd encourage you to review your device manufacturer's speech-recognition privacy information for detail on that step.

Technical and usage information — device type, app version, and activity logs (for example, that a note was created or shared). In the activity and usage views — including the engagement and DEX exports supervisors and admins can generate — a supervisor sees that activity happened, not the content of a note. Two things sit outside that general rule, by design: a supervisor or admin with case access can open and read an individual note they don't own (always audit-logged as a note.viewed event recording who viewed it, which note, and who owns it — never the note's content), and the closure-letter approval queue and case-file report builder are built to show or assemble full note content, because that's their job.

4. Why we collect it, and what we don't do with it

We collect and use this information only to let you capture, draft, and send case notes; run your organisation's account, seats, and settings; keep the service secure and maintain an audit trail; and provide support.

We do not use your information, or your clients' information, for advertising. We do not sell it — every provider we use is contractually bound not to sell it either. And we do not use it to train AI models, ours or anyone else's. The cloud AI providers we use — Google Vertex AI (Gemini), and Microsoft Azure OpenAI where an organisation enables it — do not use the prompts we send them, or the notes they generate, to train or improve their AI models. This is their standard enterprise commitment, not a special arrangement: Google's "Training Restriction" in its Cloud Service Specific Terms, and Microsoft's Azure OpenAI data-handling terms, under which your data is never shared with OpenAI and is never used to train foundation models. We hold a Data Processing Addendum with each provider, and can make these available on request.

5. How the AI works, and where it runs

CaseFlow Note uses AI to turn a worker's guided answers into a clean, properly formatted case note. The AI's job is narrow and built to stay narrow: it cleans up spoken language into a professional register but keeps hedging exactly as spoken ("seemed", "appeared" are never inflated into certainty); it does not interpret, infer, categorise, or assess risk; it does not invent information — every sentence traces back to something the worker said; and it records names as the worker used them. Every note is reviewed by the worker before it's sent, and every share requires the worker to actively confirm the note is accurate. The AI drafts; the worker is accountable.

6. Where information is stored, and how it's protected

Your information — including case note content — is stored on Supabase's Australian infrastructure, in the Sydney (ap-southeast-2) region. Our technical protections include:

We don't use the phrase "data sovereignty" — we prefer to describe plainly what we actually do, so nothing is left open to misreading.

7. How long we keep information, and when it's deleted

CaseFlow Note is a capture and drafting tool, not a permanent record store. Once a worker sends or exports a note, it is automatically and permanently purged from our systems 7 days later (a short grace period, backed by a server-side purge job).

The note in CaseFlow Note is a draft, not the record. The authoritative case record lives in your organisation's own system once you've transferred the note there. Your organisation's own retention obligations govern how long that record is kept — this policy only covers what happens on our side, before that point.

8. Who we share information with

We don't share client or practitioner information with third parties for their own purposes. We only share it with the following providers who help us operate the Service, and only to the extent needed:

ProviderPurposeRegionHow they use your data
Google Vertex AI (Gemini)AI-assisted note drafting (primary)Processed via the Sydney (australia-southeast1) region; data at rest in AustraliaProcessor on our instructions. Does not use your data to train its models.
Microsoft Azure OpenAIAI-assisted note drafting (available alternative)Australia EastProcessor on our instructions. Does not train on your data and does not share it with OpenAI.
Supabase (on AWS)Database, authentication and application hostingYour database is hosted in Sydney, Australia (ap-southeast-2)Processor on our instructions; does not access or repurpose your database content. Some operational metadata may be handled outside Australia.
StripePayment and subscription processingUnited States / global, with an Australian entityProcesses billing details to take payment. Stripe also acts as an independent controller for payments and uses transaction data to detect and prevent fraud across its network. We keep case content out of Stripe entirely.
ResendTransactional email (e.g. sign-in codes)United StatesProcessor on our instructions; uses email content only to deliver the message. Emails carry no case content.
SentryError and crash monitoring (PII scrubbed before sending)United StatesProcessor on our instructions; does not sell or repurpose your data. We scrub personal information before sending, and Sentry scrubs again on receipt.

We hold a Data Processing Addendum with each of these providers. None of them sell your information, and — with the single exception of Stripe's cross-network fraud prevention noted above — none use it for anything beyond delivering their part of the Service. We also share information with authorities where we're required to by law.

9. Access, correction, and complaints

To see or correct the personal information we hold about your own account, contact [email protected] and we'll respond within a reasonable time. If a request relates to a client's information within a case note, it should generally go through your organisation first, since they're responsible for that relationship. If you think we've mishandled your personal information, you can contact us directly or lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

If we suspect a data breach, we assess it as soon as practicable and in any case within 30 days, in line with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth). If that assessment concludes the breach is likely to result in serious harm, we notify the OAIC and affected individuals as soon as practicable after forming that view. (This is the Australian standard; it differs from the EU GDPR's 72-hour rule, which does not apply to this service unless a customer agreement says otherwise.)

10. Information about children

Case notes may include information about children, given the nature of family services work. The child is not a user of CaseFlow Note. Practitioners record information about children as part of their professional work, under their organisation's consent processes and mandatory reporting obligations — this policy doesn't change or override those obligations in any way.

11. Changes to this policy

We may update this policy from time to time as our practices change. If we do, we'll publish the updated version here and update the date at the top.

12. Contact us