Privacy Policy

Billa is a software-as-a-service platform (“Billa”, “we”, “us”, “our”) operated as an Australian business providing NDIS service delivery documentation tools, including AI-assisted progress note drafting, live budget tracking, approval workflows, claim export, and accounting integration.

We are subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) in respect of personal information we hold. To the extent we hold health information about individuals who are residents of Victoria, we are also subject to the Health Records Act 2001 (Vic) (HRA) and the Health Privacy Principles (HPPs) set out therein. Equivalent health privacy legislation applies in other Australian states and territories as applicable.

This Policy applies to all personal information and health information that Billa collects, holds, uses, or discloses in the course of operating the platform. It covers:

• Subscriber information — information about individuals and organisations that hold Billa accounts (NDIS providers, sole traders, and their staff);
• NDIS participant information — information about NDIS participants that is entered into the platform by Subscribers; and
• Website visitor information — information collected when individuals visit billa.app.

The subscriber / participant distinction is fundamental to this Policy. Billa's direct relationship is with Subscribers (NDIS providers), not with NDIS participants. Subscribers are the data controllers primarily responsible for participant information. Billa is a data processor that handles participant information on behalf of Subscribers solely for the purposes of providing the Service. Subscribers bear primary responsibility for:

• Ensuring participants have been notified, in accordance with APP 5 and HPP 2, that their information will be processed through third-party software platforms including Billa;
• Obtaining any consent required from participants for the collection and use of their sensitive health information; and
• Complying with their own obligations under the Privacy Act 1988 (Cth), the NDIS Act 2013 (Cth), the NDIS Practice Standards, and applicable state health privacy legislation.

Billa's collection and processing of participant information is incidental to, and reasonably necessary for, the delivery of NDIS-funded supports that Subscribers are authorised to provide under the NDIS Act 2013 (Cth).

In this Policy, the following terms have the following meanings:

• Personal information has the meaning given to it by s.6 of the Privacy Act 1988 (Cth): information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true, and whether or not it is recorded in a material form.
• Sensitive information has the meaning given to it by s.6 of the Privacy Act 1988 (Cth), and includes health information, information about a disability, and information about an individual's racial or ethnic origin.
• Health information has the meaning given in s.6 of the Privacy Act 1988 (Cth) and s.3 of the Health Records Act 2001 (Vic), and includes information or an opinion about the health or disability of an individual or about a health service provided or to be provided to an individual.
• NDIS participant means an individual who has been accepted as a participant in the National Disability Insurance Scheme under the NDIS Act 2013 (Cth).
• Protected NDIS information has the meaning given in s.3 of the NDIS Act 2013 (Cth), and includes information obtained in the course of the NDIS that relates to an identifiable NDIS participant.
• Subscriber means an individual or organisation that holds a Billa account and uses the Service in the capacity of an NDIS service provider.
• Worker means an individual who accesses the Service under a Subscriber's account.
• Overseas recipient has the meaning given in APP 8 of the Privacy Act 1988 (Cth): a person who is not in Australia or an external territory and who is not the individual to whom the information relates.
• AI-Generated Content means any text, data, or documentation produced by Billa's artificial intelligence functionality using inputs provided by a Subscriber.
• Eligible data breach has the meaning given in Part IIIC of the Privacy Act 1988 (Cth): unauthorised access to, or disclosure of, personal information held by an entity, or loss of personal information, that is likely to result in serious harm to any of the individuals to whom the information relates.

APP 2 requires us to offer individuals the option to interact with us on an anonymity or pseudonymity basis, where it is lawful and practicable to do so.

It is not lawful or practicable for Subscribers to use the platform anonymously or pseudonymously, as the platform's functions require accurate identification of the Subscriber, their organisation, and the participants to whom services are delivered, in order to produce compliant NDIS documentation and accurate claim exports.

Individuals visiting our website (billa.app) may browse without identifying themselves, subject to the cookies and analytics practices described in clause 22 of this Policy.

Health information and disability-related information about NDIS participants is sensitive information under s.6 of the Privacy Act 1988 (Cth) and health information for the purposes of the Health Records Act 2001 (Vic).

We collect this sensitive information from Subscribers (not directly from participants). The lawful basis for this collection is:

• Authorisation by Australian law (APP 3.3(b)): The NDIS Act 2013 (Cth) authorises registered NDIS providers to collect, hold, and use participant health and disability information in connection with the delivery of NDIS-funded supports. Billa's collection of this information is incidental to, and reasonably necessary for, the provision of documentation and claims management services to those authorised providers.
• Subscriber consent (APP 3.3(a), supplementary basis): Subscribers, by accepting our Terms of Service, acknowledge that they are responsible for obtaining participant consent for the processing of participant information through third-party software platforms, and represent that they have done so.

We treat sensitive information with heightened care. We do not collect, use, or disclose sensitive information except:

• Where reasonably necessary for the primary purpose of providing the Service (clause 10);
• For a directly related secondary purpose that the Subscriber would reasonably expect;
• As required or authorised by law; or
• With express consent.

To the extent we hold health information about individuals who are residents of Victoria (and equivalent health information legislation in other states), we comply with the applicable Health Privacy Principles (HPPs).

The NDIS participant number issued to each NDIS participant by the National Disability Insurance Agency (NDIA) is a government-related identifier for the purposes of APP 9 of the Privacy Act 1988 (Cth).

APP 9.2 prohibits us from adopting, using, or disclosing a government-related identifier as our own identifier of an individual. We comply with this prohibition: NDIS participant numbers are not used as Billa's own internal identifiers. We maintain separate internal identifiers for platform records.

We collect, hold, use, and disclose NDIS participant numbers only to the extent reasonably necessary to identify the participant to whom a service delivery record, note, or claim relates, and for no other purpose. Specifically:

• We use NDIS participant numbers to associate service delivery records with the correct participant plan within the platform (APP 9.3(a): identity verification in connection with service delivery);
• We include NDIS participant numbers in claim export files submitted to the NDIA or plan managers on behalf of Subscribers, where this is required by the NDIA's Pricing Arrangements and Payment Terms (APP 9.3(c): authorised by Australian law); and
• We display NDIS participant numbers to authorised Subscriber users within the platform to facilitate accurate record management.

We do not use NDIS participant numbers for analytics, marketing, product development, or any purpose other than the above. NDIS participant numbers are not disclosed to any third party other than as described in clause 13 of this Policy.

We recognise that personal information about NDIS participants, including service delivery records, progress notes, plan details, and financial data, may constitute “protected NDIS information” within the meaning of s.3 of the NDIS Act 2013 (Cth). Section 67 of the NDIS Act creates criminal liability for the unauthorised use or disclosure of protected NDIS information.

We maintain the following authorisation framework to ensure compliance with s.67:

• Access to participant information within the platform is restricted to: (i) the Subscriber's authorised Workers, as determined by the Subscriber's own role-based access configuration; (ii) Billa's technical and support staff, solely to the extent necessary to provide platform services and under binding confidentiality obligations; and (iii) our subprocessors, solely to the extent necessary to operate the infrastructure on which the platform runs, and under contractual data processing obligations described in clause 13.
• We do not disclose protected NDIS information to any person or entity other than as expressly permitted by the NDIS Act 2013 (Cth), as required by law, or as authorised in writing by the relevant Subscriber.
• All Billa staff and contractors with any access to participant data are bound by written confidentiality obligations that extend to protected NDIS information.
• Access events involving participant records are logged and subject to regular access review.

We collect personal information for the following primary purposes:

• To provide, operate, maintain, and improve the platform and its features;
• To enable the creation, storage, review, and export of NDIS service delivery documentation;
• To generate AI-assisted draft progress notes and documentation using inputs provided by Subscribers;
• To track NDIS participant plan budgets and support category utilisation;
• To create and export NDIS claim files and draft invoices for Subscribers;
• To process payments and manage Subscriber billing and account administration;
• To provide technical support and respond to Subscriber enquiries;
• To detect, prevent, and investigate security incidents, fraud, and unauthorised access;
• To comply with our legal obligations, including under the Privacy Act, Health Records Act, NDIS Act, and tax law; and
• To communicate with Subscribers about the Service, including material changes to the platform or these policies.

Where we use personal information for a secondary purpose, we will only do so where:

• The secondary purpose is directly related to the primary purpose and the individual would reasonably expect us to use the information in that way;
• We have obtained the individual's consent; or
• We are required or authorised by law to do so.

We will never use participant health information for secondary purposes including marketing, product development analytics involving identifiable data, or AI model training, without first satisfying the consent requirements applicable to sensitive information under the Privacy Act and, where applicable, the Health Records Act.

We disclose personal information to overseas recipients in two circumstances: in connection with AI note generation (clause 12.1) and in connection with the Xero integration (clause 12.2). Both disclosures are subject to the obligations in this clause.

We may disclose personal information to the following categories of domestic third parties:

We do not sell, rent, trade, or otherwise commercially exploit personal information to third parties for marketing, profiling, advertising, or any commercial purpose.

We may use Subscriber contact information (name, email address) to send communications about the Service, including feature updates, pricing changes, and relevant product news. We will not use participant information for any direct marketing purpose.

Subscribers may opt out of non-essential marketing communications at any time by:

• Clicking the unsubscribe link in any marketing email; or
• Contacting us at hello@billa.app with a request to opt out.

We will not use sensitive information for direct marketing purposes. We will not disclose personal information to third parties for the purpose of those third parties directing marketing at individuals.

We take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, up to date, and complete. In particular:

• Subscribers are responsible for the accuracy of information they enter about themselves and about participants. We provide mechanisms for Subscribers to update and correct Subscriber account information.
• We encourage Subscribers to review and correct participant information held within the platform, and we provide export and correction tools for this purpose.
• We do not independently verify the accuracy of participant information entered by Subscribers.
• AI-Generated Content is a drafting aid only. Accuracy of AI-Generated Content as a reflection of actual service delivery is the sole responsibility of the reviewing Subscriber.

We implement reasonable technical and organisational measures designed to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include, without limitation:

• Transport Layer Security (TLS 1.2 or higher) for all data in transit between users and our platform;
• Encryption of sensitive data at rest;
• Row-level database security ensuring that each Subscriber's data is logically isolated from other Subscribers' data;
• Role-based access controls restricting staff and Worker access to data on a need-to-know basis;
• Audit logging of note lifecycle events (submission, approval, and rejection), with logs retained for accountability and dispute resolution purposes;
• Periodic review of access permissions as part of our internal security practices; and
• Binding confidentiality and security obligations on all staff and subprocessors with access to personal information.

No method of electronic transmission or storage is completely secure. Subscribers are responsible for maintaining the security of their own account credentials. Shared passwords are not permitted. Subscribers must notify us immediately at hello@billa.app upon becoming aware of any suspected unauthorised access to their account.

We maintain a Data Breach Response Plan that governs our response to suspected data security incidents. Our process is as follows:

• Detection and containment: Upon becoming aware of a potential data security incident, we will take immediate steps to contain the incident, preserve evidence, and assess the scope of any potential unauthorised access or disclosure.
• Assessment (30-day period): Within 30 days of becoming aware of a potential eligible data breach, we will complete a reasonable and expeditious assessment of whether the incident constitutes an “eligible data breach” within the meaning of Part IIIC of the Privacy Act 1988 (Cth).
• Notification to OAIC: If we determine that an eligible data breach has occurred, we will notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable using the OAIC's prescribed notification form.
• Notification to affected individuals: We will notify affected individuals (or, in the case of participant data, the relevant Subscriber who will in turn notify affected participants) as soon as practicable after notifying the OAIC, unless the OAIC directs us otherwise.
• Notification to Subscribers: Regardless of whether a breach meets the NDB threshold, we will notify affected Subscribers promptly of any security incident that has or may have resulted in unauthorised access to their data within 72 hours of confirming the incident.

The 30-day assessment period is a statutory maximum, not a target. Where we are able to complete our assessment sooner, we will do so and will notify affected parties without unnecessary delay.

We retain personal information only for as long as is necessary for the purpose for which it was collected, or as required by applicable law. Our retention periods are set out below.

Legal retention obligation overrides account closure: Where the deletion of personal information upon account closure would conflict with a mandatory legal retention obligation (including NDIS record-keeping requirements and obligations under the Corporations Act 2001 (Cth)), the legal obligation prevails. We will retain the relevant information only for the minimum period required by law and will apply appropriate access restrictions during that period.

Upon expiry of the applicable retention period, we will take reasonable steps to destroy or permanently de-identify personal information in a manner that renders re-identification not reasonably practicable, in accordance with APP 11.2.

You have the right to request access to the personal information we hold about you.

We may decline to provide access to personal information in limited circumstances, including where access would unreasonably affect the privacy of other individuals, reveal our confidential commercial information, or be contrary to a law of the Commonwealth or a State. Where we decline access, we will provide written reasons and information about how to complain.

You have the right to request correction of personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant, or misleading. Correction requests should be directed to hello@billa.app.

We will respond to correction requests within 30 days. Where we make the requested correction, we will take reasonable steps to notify third parties to whom we have disclosed the information of the correction, where requested and reasonably practicable.

Where we decline to make a requested correction, we will provide written reasons and will, if requested, attach a statement from the individual to the relevant record noting the disputed correction.

Our website and platform use cookies, pixels, and similar tracking technologies. We use the following categories of cookies:

• Strictly necessary cookies: Required for the platform to function, including authentication, session management, and security. These cannot be disabled without impairing platform functionality.
• Preference cookies: Used to remember your settings and preferences within the platform.

We do not currently use analytics, advertising, or marketing cookies. No analytics service is integrated into the platform at this time. If we integrate an analytics tool in the future, we will update this Policy with 14 days' notice to active Subscribers before it is enabled.

We do not permit third-party advertisers to set cookies through our platform.

You may control cookie settings through your browser. Disabling strictly necessary cookies will impair platform functionality and may prevent you from accessing the Service.

NDIS participants include individuals under the age of 18 (minors) and individuals with cognitive, intellectual, or communication disabilities who may have reduced capacity to make decisions about their personal information.

Billa does not interact directly with NDIS participants, including minors or individuals with reduced decision-making capacity. Information about minor participants or participants with reduced capacity is entered into the platform by Subscribers acting in their professional capacity as NDIS providers. Subscribers are responsible for:

• Ensuring that consent for the collection and processing of information about minor participants is obtained from a parent, guardian, or other legally authorised decision-maker;
• Ensuring that consent for participants with reduced decision-making capacity is obtained from a nominee, guardian, or other authorised representative consistent with applicable guardianship and administration law; and
• Applying appropriate safeguards to information about vulnerable participants within the platform, including restricting access to authorised Workers only.

We apply heightened care to participant information that appears, from context, to relate to minor participants or individuals with significant vulnerabilities, including restricting AI processing outputs to the minimum necessary for the documented service.

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. The version date at the top of this Policy indicates when it was last updated.

Where we make a material change to this Policy — including any change that expands the categories of information we collect, the purposes for which we use it, or the parties to whom we disclose it — we will:

• Notify active Subscribers by email at least 14 days before the change takes effect; and
• Display a prominent notice on the platform for at least 14 days before the change takes effect.

Non-material changes (such as clarifications of existing practices or typographical corrections) may take effect immediately on publication. Continued use of the Service after the effective date of a material change constitutes acceptance of the updated Policy.

Previous versions of this Policy are available on request from hello@billa.app.