← Back

Privacy Policy

Last updated: April 2026

1. About This Policy

Togetherwise (“we”, “our”, “the platform”) is a coordination tool for parents of neurodivergent children and their support teams. This policy explains how we collect, store, use, and disclose personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. What Information We Collect

We collect the following categories of personal information:

  • Account information: email address, display name, account role (parent, therapist, or teacher), and optionally a phone number, provided during sign-up or updated in account settings. Phone numbers are only shared with team members when you explicitly enable the phone visibility setting.
  • Child profile data:name, date of birth, diagnoses (with status: formal, under assessment, or suspected), and support profile information across ten sections (Early Signs, What Works, What Doesn’t Work, Support Level, Transition Support, Sensory Needs, Triggers & Stressors, Regulation Strategies, Learning & Engagement, Communication Style) entered by parents.
  • Observations:text notes, context tags, outcome ratings, and optional file attachments (up to 10 MB) logged by team members about the child’s progress or behaviour.
  • Specialist sessions and tasks: session notes, intervention categories, task titles, guidance notes, due dates, and optional instruction files logged by specialists. Task completion notes and optional proof-of-completion photos or videos (up to 10 MB) uploaded by parents or children.
  • Messages:thread titles, text messages, replies, and optional file attachments (up to 10 MB) exchanged between team members on the child’s profile.
  • Team membership data: email addresses of invited team members, their assigned role description, and their access permissions per child profile.
  • Photos: optional profile photos uploaded by adult users, and optional child profile photos uploaded by parents. All photos are stored in Supabase Storage with team-only access controls.
  • Child portal account data: a username and password created by parents for child portal access, and child progress data including task completion history, streak counts, and badge milestones.
  • Theme preference: the child portal theme selected by the child (stored in the database and in a browser cookie).

3. Why We Collect This Information

We collect personal information solely to operate the coordination features of Togetherwise: to allow parents to maintain a child profile, invite a support team, and enable the team to log observations and communicate. We do not collect information for advertising or marketing purposes and do not sell personal information to third parties.

4. Where Your Information Is Stored

All data is stored in Supabase (supabase.com), with servers located in the ap-southeast-2 (Sydney, Australia) region. Choosing this region ensures your data remains in Australia, consistent with our obligations under the Australian Privacy Act and APP 8 (cross-border disclosure).

5. Cross-Border Disclosure

We use Resend (resend.com, a US-based service) to send email notifications. The following events trigger an email:

  • A new observation is logged — notification sent to team members with observation access (child’s first name in subject line).
  • A new message or thread is posted — notification sent to team members with messages access (child’s first name in subject line).
  • A specialist logs a session with tasks — notification sent to the parent (child’s first name in subject line and email body).
  • A task becomes overdue — notification sent to the parent once per task (child’s first name in subject line and email body).
  • A team invitation is sent — invite email sent to the invitee (child’s first name and the inviting parent’s display name in the email body).
  • A team member’s access is revoked — notification sent to the removed member (child’s first name and the removed member’s display name in the email body).

By using Togetherwise, you consent to the child’s first name and relevant team members’ display names being transmitted to Resend’s email infrastructure in the United States solely for the purpose of delivering these notifications.

We also use OpenAI (openai.com, a US-based service) to power the optional AI Draft Summary feature. When you use this feature, your child’s profile sections, diagnoses, and recent observations are transmitted to OpenAI’s API in the United States. According to OpenAI’s API terms, data submitted via the API is not used to train OpenAI’s models. This feature requires your explicit consent before any data is transmitted — see Section 6 below. Togetherwise remains responsible for ensuring OpenAI handles your information consistently with the Australian Privacy Principles.

6. AI-Powered Features

Togetherwise offers an optional AI Draft Summaryfeature that generates a structured summary of your child’s profile for use in appointment preparation. This feature is powered by OpenAI’s API.

What data is sent:When you generate an AI Draft Summary, your child’s profile sections (such as sensory needs, regulation strategies, and communication style), diagnoses, and recent observations are transmitted to OpenAI’s API. This data is classified as sensitive health information and is handled with heightened care.

Explicit consent required: This feature is strictly opt-in. No data is sent to OpenAI until you provide explicit, specific consent. You will be shown a consent prompt before your first use that explains exactly what will be shared and why. Providing consent for AI summaries does not affect any other part of your account.

How to opt out: You can revoke your consent at any time by going to Account Settings → AI features → Revoke AI consent. Revoking consent immediately disables the AI Draft Summary feature for your account. No further data will be sent to OpenAI after consent is revoked.

Data retention at OpenAI:According to OpenAI’s API terms, data submitted via their API is not used to train OpenAI’s models. We rely on OpenAI’s contractual commitments to ensure your information is handled in a manner consistent with the Australian Privacy Principles. For OpenAI’s full data handling terms, see openai.com/policies/privacy-policy.

7. How Long We Retain Your Information

  • Active accounts: Your data is retained for as long as your account exists.
  • Deleted parent accounts: When a parent deletes their account, all child profiles, observations, messages, and associated data they own are permanently deleted immediately. This deletion cannot be undone.
  • Deleted therapist or teacher accounts:When a therapist or teacher deletes their account, their user account and login credentials are permanently deleted. However, observations and messages they authored remain on the child profile (visible to the child’s parents and remaining team members) and their name is replaced with “Former team member”. This ensures the child’s longitudinal record is preserved for the family.
  • Revoked team memberships:When a parent revokes a team member’s access, the team member’s access is removed immediately. Their authored contributions remain on the profile as described above.

8. Accessing and Exporting Your Information

Under APP 12, you have the right to access the personal information we hold about you. You can download a complete export of your data at any time from the Account Settings page within the app. The export is provided as a JSON file containing your account details and all content you own or authored.

9. Deleting Your Account

You can permanently delete your account at any time from the Account Settings page. See Section 7 above for details of what is deleted and what is retained. Account deletion is immediate and cannot be reversed.

10. Cookies and Tracking

Togetherwise uses the following strictly necessary cookies:

  • Session cookie: keeps you logged in. Contains only an encrypted session token — no personal information.
  • Child portal theme cookie (child-theme):stores the child’s selected colour theme to prevent a flash of the default theme on page load. Contains only the theme name (e.g. “sky”).

We do not use advertising cookies, tracking pixels, or third-party analytics.

11. Security

We use Supabase’s Row Level Security (RLS) to enforce that each user can only access data they are authorised to see. Passwords are hashed by Supabase Auth (bcrypt). Session tokens are stored in httpOnly cookies and cannot be accessed by JavaScript.

12. Contact Us

For privacy enquiries, correction requests, or complaints, please contact:

Katherine Black
Email: PRIVACY@TOGETHERWISE.APP

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.