Dental Shift
Legal

Privacy Policy

VERTEQ PTY LTD (ABN 27 657 435 615), trading as Dental Shift ("we", "us", "our"), is an APP entity bound by the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles ("APPs"). This policy explains in plain English what personal information we collect about you, why we collect it, who we share it with, how we keep it safe, how long we keep it, and the rights you have to access and correct it. Last updated 5 May 2026.

1. About this policy (APP 1)

This policy applies to all personal information we hold about Clinics, Professionals, prospective users, website visitors, referees, and people who contact us. It does not apply to patient health records held by Clinics — those records remain the responsibility of the Clinic as the relevant APP entity. We review this policy at least annually and whenever we materially change how we handle personal information.

2. Information we collect

  • Identity & contact: full name, preferred name, email, phone, postal address, date of birth (where required for ID verification).
  • Professional credentials: AHPRA registration number and history, qualifications, CV, references and referee contact details, professional indemnity policy details, working-with-children check (where required).
  • Business details (Clinics): business name, ABN, ACN, trading name, business address, billing contact, authorised representatives.
  • Financial: bank account details for payouts and direct debits. Full card numbers and BSB/account numbers are tokenised and stored by Stripe — we hold only safe identifiers (last four digits, brand, expiry).
  • Health-adjacent declarations: immunisation status, fitness-to-practise declarations, criminal-history declarations, where required for an engagement. We treat these as sensitive information.
  • Device & usage: IP address, device type, browser, operating system, pages viewed, links clicked, shifts posted/applied to, time spent in-app, and crash diagnostics.
  • Location: suburb-level location for matching; precise location is only collected if you explicitly opt in (e.g. for travel-distance estimates).
  • Communications: messages, support requests, feedback, call recordings (with notice), and emails between you and us.
  • Marketing preferences: newsletter subscriptions, channel preferences and unsubscribe history.

3. Sensitive information (APP 3)

Some information is "sensitive" under the Privacy Act, including health information, criminal-history information, and information about union membership. We only collect sensitive information where it is reasonably necessary for our functions and where you have given consent — for example, when you complete an immunisation declaration required by a Clinic, or upload a national police check. Sensitive information is access-restricted to staff who need it for the relevant function and is retained only for as long as the related engagement and our legal obligations require.

4. How we collect personal information (APP 3 & APP 5)

  • Directly from you when you create an account, complete a profile, post a Shift, accept a Booking, submit a Timesheet or contact us.
  • From the AHPRA public register, to verify registration status.
  • From the Australian Business Register (ABR), to verify ABN and entity details.
  • From third-party identity-verification providers, where required for KYC/AML or to onboard a payout account.
  • From your nominated referees, where you have asked us to contact them.
  • Automatically through cookies, log files and analytics when you use the Platform (see clause 12).
  • Where it is unreasonable or impracticable to collect from you directly (for example, a public AHPRA listing), we collect only what is necessary and notify you in this policy.

5. Why we collect and use your information (APP 6)

  • To match Clinics with verified Professionals and to operate the Platform.
  • To verify identity, AHPRA registration, ABN, qualifications, insurance and right-to-work.
  • To process payments, payouts, GST records, RCTI invoicing and tax compliance.
  • To send transactional communications (booking confirmations, payment receipts, shift reminders, dispute updates).
  • To improve the Platform, debug issues, monitor performance and prevent fraud, abuse and misuse.
  • To comply with our legal, regulatory and audit obligations.
  • To send marketing communications (only with your consent — see clause 6).

6. Direct marketing (APP 7)

We send non-transactional marketing only to people who have opted in. Every marketing email contains a one-click unsubscribe link, and you can change your preferences at any time in your account settings. We do not share your contact details with third-party advertisers and we do not sell personal information.

7. Disclosure to third parties (APP 6)

  • Stripe — payment processing, KYC for Stripe Connect, payouts, dispute and chargeback handling.
  • Supabase — primary application database and authentication, hosted in Australian (Sydney) data centres.
  • Cloudflare — content delivery, edge compute and DDoS protection.
  • Email delivery providers — for transactional and marketing emails.
  • SMS providers — for two-factor authentication and shift reminders, where you have opted in.
  • Identity-verification providers — to confirm your identity and right-to-work where required.
  • AHPRA and the Australian Business Register — for credential and entity verification (read-only lookups).
  • Customer support tooling — to manage your support requests.
  • Analytics providers — privacy-respecting product analytics in aggregated form.
  • Professional advisers (lawyers, accountants, auditors) bound by confidentiality, where reasonably necessary.
  • Law enforcement, regulators (including AHPRA and the OAIC) and courts where compelled by law or where we reasonably believe disclosure is necessary to prevent harm.
  • An acquirer or successor entity in the context of a corporate restructure, sale or merger, on terms consistent with this policy.

8. Cross-border disclosure (APP 8)

Some of our service providers operate or store data outside Australia. In particular, Stripe processes payment data in the United States and the European Union, and Cloudflare operates a global edge network. Where personal information is disclosed overseas, we take reasonable steps to ensure the recipient is bound by enforceable contractual obligations and recognised security and privacy standards (including PCI DSS for payment data and SOC 2 / ISO 27001 controls for hosting). By using the Platform you acknowledge that we may disclose information to these recipients.

9. Storage, security & retention (APP 11)

  • Application data is stored in Australian data centres operated by our hosting provider.
  • All data is encrypted in transit (TLS 1.2+) and at rest.
  • Access is restricted by role-based access control; staff with access to personal information are required to use multi-factor authentication and are subject to confidentiality obligations.
  • We monitor for security events and run regular reviews of our access controls and dependencies.
  • Retention schedule (indicative): financial records — 7 years (as required by the ATO); AHPRA-related credential records — 5 years after the last engagement; account profile data — for the life of the account and up to 90 days after closure; marketing-consent records — until consent is withdrawn plus a short audit period; support correspondence — up to 3 years; backups may persist for a limited window beyond these timeframes before being overwritten.

10. Data quality (APP 10)

We take reasonable steps to ensure the personal information we hold is accurate, up to date and complete. You can help us by keeping your profile information current and notifying us promptly of changes to your registration, insurance, banking or contact details.

11. Access & correction (APP 12 & APP 13)

You have the right to ask us what personal information we hold about you and to ask us to correct it if it is inaccurate. To make a request, email privacy@dentalshift.io. We will verify your identity before disclosing any information and will respond within 30 days. Access is generally free; we may charge a reasonable cost-recovery fee for unusually large or complex requests, and we will tell you the estimate before proceeding. We may refuse access in limited circumstances permitted by the Privacy Act (for example, where access would unreasonably impact the privacy of others or relate to anticipated legal proceedings); if we refuse, we will tell you why and how to complain.

12. Cookies, analytics & tracking

  • Essential cookies — required for sign-in, session management and core security; cannot be disabled without breaking the Platform.
  • Preference cookies — remember settings such as language and dismissed banners.
  • Analytics — privacy-respecting product analytics that record aggregated usage; we do not use third-party advertising cookies and do not run cross-site tracking pixels.
  • You can clear cookies in your browser at any time. See our /cookies page for details and a current cookie list.

13. Children

The Platform is not directed at people under 18 and we do not knowingly collect personal information from children. Patient health records (which may relate to children) are held by Clinics, not by us. If you believe we have inadvertently collected personal information from a child, contact us and we will delete it.

14. Anonymity & pseudonymity (APP 2)

You can browse our marketing pages without identifying yourself. Where you transact on the Platform — for example, to post or accept a Booking, receive a payout, or have credentials verified — anonymity is not practicable because of the legal, regulatory and payment requirements involved.

15. Notifiable Data Breaches

We maintain an incident-response process aligned with the Notifiable Data Breaches (NDB) scheme. If we suffer an eligible data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, with a description of the breach, the kinds of information involved and the steps we recommend you take.

16. Complaints, contact & business details

  • Privacy contact: privacy@dentalshift.io (we acknowledge within 5 business days and respond within 30 days).
  • If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner: oaic.gov.au, 1300 363 992.
  • Legal entity: VERTEQ PTY LTD
  • ABN: 27 657 435 615
  • Trading as: Dental Shift
  • Registered office: 9/204 Alice St, Brisbane QLD 4000