Privacy Policy

Last updated: 2 May 2026

Timeline is committed to protecting your personal information and your right to privacy. This policy explains what we collect, why we collect it, how we use it, and your rights under the Australian Privacy Act 1988.

What we collect

When you use Timeline we collect:

• Your name and email address (account registration)
• Your ABN (required for NDIS invoicing)
• Shift records — dates, times, client IDs, duration, and event logs you record during shifts
• Invoice and payment records — amounts, NDIS support item codes, payment status
• Compliance documents you upload (e.g. WWCC, Police Check expiry dates — stored as dates only, not file content unless you upload directly)
• Device identifiers for push notifications (Firebase Cloud Messaging tokens)
• Anonymised usage analytics if you opt in (no shift notes, client names, or personal information is included in analytics data)

Why we collect it

We collect this information solely to provide the Timeline service: recording NDIS shifts, generating NDIS-compliant invoices, supporting BAS preparation, and helping you meet your NDIS Practice Standards obligations. We do not sell your data, share it with advertisers, or use it for any purpose beyond operating the service.

Who we share it with

Timeline uses the following third-party services to operate. Each acts as a sub-processor of your personal data under contract:

• Google Firebase — authentication, Firestore database, and file storage. All data is stored in the australia-southeast1 (Sydney) region. Google's privacy policy: policies.google.com/privacy
• Stripe — payment processing. Timeline does not store your card details; they are handled entirely by Stripe. Stripe's privacy policy: stripe.com/au/privacy
• SendGrid (Twilio) — invoice email delivery. Your email address and invoice content pass through SendGrid's servers when you send an invoice. A Data Processing Agreement is in place.
• Sentry — crash and error monitoring. Crash reports may include anonymised session context (browser version, OS, device type, and a stack trace). Personal information is not intentionally included in crash reports.

We do not share your data with any other third parties. We do not use your data for marketing purposes.

How long we keep your data

Shift records, invoices, and compliance documents are retained for a minimum of 7 years from the date of the shift, in line with NDIS record-keeping obligations under the NDIS Practice Standards. If you close your account before 7 years have elapsed, records required for audit purposes are archived and access-restricted rather than deleted, in compliance with this obligation.

Account data (name, email, preferences) is deleted within 30 days of account closure.

Your rights

Under the Australian Privacy Principles, you have the right to:

• Access your data — Settings → Export your data. Downloads a full copy of your shifts, clients, and invoices as CSV files immediately.
• Correct your data — contact hello@timelineapp.com.au and we will correct any inaccurate personal information within 5 business days.
• Delete your data — Settings → Delete account. This permanently removes your account and all associated data. Backups are purged within 30 days. Note: NDIS-required records may be retained in a restricted archive for up to 7 years as described above.
• Make a complaint — if you believe we have handled your personal information incorrectly, contact the Office of the Australian Information Commissioner at oaic.gov.au.

Security

All data is encrypted in transit (HTTPS/TLS) and at rest (Google Cloud KMS). Access to Firestore is governed by security rules that prevent any user from reading or writing another user's data. We conduct security reviews before each major release.

Changes to this policy

We will notify you by email before making material changes to this policy. The "last updated" date at the top of this page reflects the date of the most recent change.

Contact

Privacy enquiries: hello@timelineapp.com.au

Timeline is operated by Billal Khan (ABN: 28 125 756 646), sole trader, New South Wales, Australia.