Privacy Policy
Your privacy matters to us.
This policy explains how Statura Care collects, uses, stores, and protects your personal information.
Last updated: 27 May 2026
1. Introduction
Statura Operations Pty Ltd (ACN 696 303 269, ABN 70 696 303 269), trading as Statura Care ("we", "us", "our"), is committed to protecting your privacy and handling your personal information responsibly.
We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy describes how we collect, hold, use, and disclose personal information in connection with our website at statura.care, the Statura Care platform at app.statura.care, and the Statura Care Worker mobile application.
This Privacy Policy should be read with our customer legal pack, including the Master Services Agreement, Data Processing Schedule, and Subprocessor Schedule where they apply.
2. Information we collect
We may collect the following types of personal information:
Personal information provided by you
- •Name, email address, phone number, organisation name, and job title — collected through contact forms, demo requests, and account creation.
- •Billing and payment information — processed through our payment provider and not stored directly by us.
Usage data collected automatically
- •Pages visited, features used, browser type, device type, and IP address.
- •This data is used to improve platform performance and user experience.
Aged care resident data (web platform)
On the web platform, customer organisations enter and manage their own resident and care recipient data within organisation-scoped records. This data is protected through row-level security policies and role-based access controls. Statura Care personnel access customer data only where required for authorised support, security, legal, or service operation purposes.
2a. Mobile application data
The Statura Care Worker mobile application ("the App"), available on iOS and Android, collects additional data types specific to mobile care delivery. This data is collected on behalf of the care worker's employer (the aged care provider) who is the data controller.
Location data
We collect precise GPS location at the moment the care worker clocks in and out of shifts. This verifies the worker is at the correct client location for payroll accuracy and duty of care compliance. We do not continuously track location. Location is captured only at clock-in/out events and during home safety assessments.
Health information
In the course of delivering aged care services, care workers may record health information about care recipients, including:
- •Vital signs and clinical observations (blood pressure, heart rate, temperature, oxygen saturation, respiratory rate, consciousness)
- •Medication administration records (including Schedule 8 controlled drugs)
- •Wound assessments and clinical photographs
- •Incident reports (including SIRS reportable incidents)
- •Continence and nutrition records
- •Restrictive practice documentation
- •Progress notes and clinical handovers
This health information relates to care recipients, not to the care worker. It is collected as part of the employer's obligations under the Aged Care Act 2024 and the Aged Care Quality Standards.
Clinical photographs
Wound photographs and incident evidence photos are stored in the App's private storage area (not the device's camera roll). Photos are encrypted in transit and at rest. Consent must be obtained from the care recipient (or their decision-maker) before photographs are taken.
Authentication and device data
- •Biometric authentication — The App uses Face ID or fingerprint for quick re-authentication. Biometric data never leaves the device; we only receive a success/failure result from the operating system's secure enclave.
- •PIN — A 6-digit PIN is hashed with SHA-256 and stored in the device's hardware-backed keystore (iOS Keychain / Android Keystore). The raw PIN is never stored or transmitted.
- •Device identifier — A unique identifier generated at first app launch, used for audit trail integrity and session management.
- •App version — Collected for compatibility and support purposes.
Offline encrypted storage
The App stores clinical data in an encrypted local database (AES-256 via SQLCipher) to enable offline functionality. The encryption key is stored in the device's hardware-backed secure enclave and is not accessible to other apps. Locally cached data is automatically deleted 7 days after successful sync to the server.
Crash reports
We use Sentry (Functional Software Inc.) to collect crash reports and performance data. Screenshots are not attached to crash reports in production. User email addresses and personally identifying information are scrubbed from error payloads before transmission where practicable. Sentry's infrastructure is US-based, so limited technical metadata may be transmitted outside Australia.
Remote wipe
If a device is lost, stolen, or employment ends, the organisation administrator can remotely wipe all Statura data from the device. This deletes the encryption key (making the database unreadable), all cached data, all photos, and all authentication credentials.
3. How we use your information
We use the personal information we collect for the following purposes:
- •To provide, maintain, and improve the Statura Care platform and services.
- •To communicate with you about your account, service updates, and product announcements.
- •To respond to enquiries, demo requests, and support queries.
- •To comply with our legal obligations, including record-keeping and reporting requirements.
- •To detect, prevent, and address technical issues or security incidents.
We will not use your personal information for purposes other than those described in this policy without your consent, unless required or authorised by law.
4. Data storage and security
We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure.
- •Core production application hosting is configured in Sydney, Australia.
- •Data is encrypted in transit and at rest where supported by the relevant service component.
- •Row-level security (RLS) ensures each organisation can only access their own data, enforced at the database layer.
- •Audit trails record key platform actions, including who did what, when, and from where.
- •Role-based access controls restrict data access to authorised personnel only.
Certain limited support, telemetry, communications, and billing workflows may involve approved overseas recipients, including in the United States. Current subprocessors and location notes are published in our Subprocessor Schedule.
For more information about our security practices, visit our Security page.
5. How long we keep your information
We keep different types of personal information for different periods, depending on why we hold it:
- •Clinical and care records — retained for the period required by the provider's aged-care, health-record, funding, incident-management, or contractual obligations. The Aged Care Act 2024 requires registered providers to keep and retain records prescribed by the Aged Care Rules 2025. The customer remains responsible for selecting retention settings and instructions appropriate to its own obligations.
- •Account and identity data — retained for the life of the account, plus a recovery window of 30 days after your provider deactivates the account, then deleted or anonymised.
- •Audit logs of access to personal information — retained for the period required by the customer's aged-care, privacy, security, and audit obligations, or as otherwise agreed in the customer legal pack.
- •Time and pay records — retained by the employer for seven years under the Fair Work Act 2009 (s 535).
- •Locally cached data on mobile devices — automatically deleted seven days after successful sync to the server, or immediately on sign-out or a remote wipe.
- •Backups — encrypted infrastructure backups are retained for up to 35 days and then overwritten in the ordinary course.
Some information is retained longer if we are required to by law — for example to respond to a regulator's request, to defend a legal claim, or to comply with Serious Incident Response Scheme (SIRS) or complaints-handling obligations.
6. Third-party service providers
We do not sell, rent, or trade your personal information to third parties.
We may share limited personal information with the following categories of service providers who assist us in operating the platform:
- •Infrastructure providers — Supabase (database and authentication infrastructure), hosted in the Sydney region.
- •Hosting providers — Vercel (website and application hosting), with edge delivery from Australian nodes.
- •Website analytics and conversion measurement — Google Analytics 4 and Google Ads conversion tags may be used to understand website usage, attribute enquiries, and measure paid-campaign performance. These services may process website usage events, device and browser metadata, IP-derived approximate location, advertising click identifiers, and conversion events.
- •Product analytics — Vercel Analytics may collect privacy-preserving website and performance metrics for the public website.
- •Transactional email — Resend (Resend, Inc. — United States). We use Resend to send transactional email such as account-verification messages, password resets, shift notifications, and receipts. Data transmitted to Resend is limited to the recipient's name, email address, and the email body required for that specific message. Resend processes this data on our behalf under its standard data-processing terms and does not use it for any other purpose.
- •SMS and communications providers — Twilio may be used for SMS delivery and telehealth or video-token infrastructure where enabled.
- •Payment processors — for processing subscription payments securely. We do not store credit card details.
- •Error monitoring — Sentry (Functional Software Inc.) for crash reporting in the mobile application. Only non-identifying technical error metadata is transmitted; personal information is scrubbed before transmission. Sentry infrastructure is US-based.
All third-party providers are bound by contractual privacy and data protection obligations. We take reasonable steps to ensure they handle your information consistently with this policy and the APPs.
Where it is practicable to identify likely overseas locations, the current likely overseas recipient country is the United States for providers such as Google, Resend, Sentry, Twilio, and for certain communications or billing providers where enabled. We review these arrangements when subprocessors change.
7. Your rights
Under the Australian Privacy Principles, you have the right to:
- •Access — request access to the personal information we hold about you.
- •Correction — request correction of any personal information that is inaccurate, out of date, incomplete, or misleading.
- •Deletion — request deletion of your personal information, subject to any legal obligations we may have to retain certain records. If you use the Statura Care Worker mobile app, you can start this process at statura.care/account/delete.
To exercise any of these rights, contact us at privacy@statura.care. We will respond to your request within 30 days.
If you're not satisfied with our response
We'd appreciate the opportunity to address any concern directly first — you can reach us at privacy@statura.care. If you believe we have mishandled your personal information or have not responded adequately to a request, you can complain to the Office of the Australian Information Commissioner (OAIC):
- •Website: oaic.gov.au
- •Phone: 1300 363 992
- •Post: GPO Box 5218, Sydney NSW 2001
8. Children and minors
Statura Care is a business-to-business platform used by aged care staff, who must be adults employed or engaged by one of our customers. We do not market Statura Care to children and we do not knowingly collect personal information directly from children.
In some cases, personal information about a person under 18 may be processed through the platform — for example, a family member of a resident who is listed as an emergency contact, or a person receiving home-care services who is a minor. In those cases, the information is provided by, and processed under the authority of, our customer (the aged care provider) or the person's parent or guardian, and is handled in accordance with this policy and the provider's own obligations under the Privacy Act 1988 and the Aged Care Act 2024.
9. Cookies
We use essential cookies and similar technologies that are necessary for the platform to function correctly, including session management and authentication.
On the public website, we may also use Google Analytics, Google Ads conversion tags, Vercel Analytics, and marketing attribution parameters to understand website usage, measure enquiry and signup conversions, and assess paid-campaign performance. These tools may use cookies, scripts, or similar browser technologies depending on your browser settings and our current configuration.
You can configure your browser to refuse cookies, but this may affect your ability to use certain features of the platform.
10. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.
If we make material changes to how we handle your personal information, we will notify you by email (if we have your email address) and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
11. Contact us
If you have any questions about this Privacy Policy or how we handle your personal information, please contact us:
Privacy enquiries: privacy@statura.care
General enquiries: hello@statura.care
Website: statura.care/contact