Privacy Policy
Last updated: 9 April 2026
1. About this Policy
HAVEN is an aged care and disability support marketplace operated by Inevara Pty Ltd (ABN [TBD — confirm with Inevara Pty Ltd before public launch]), a company incorporated in Australia (“Inevara”, “we”, “us”, or “our”). HAVEN is one of the SINGULARITY family of marketplace platforms operated by Inevara.
This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use the HAVEN platform, accessible at app.withhaven.io and associated applications (collectively, the “Platform”).
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”). Given the sensitive nature of aged care and disability information, we treat all health and care-related data as sensitive information requiring a higher standard of protection.
By creating an account or using the Platform you acknowledge you have read this Policy. If you do not agree, please do not use the Platform.
2. Information We Collect
2.1 Account information
When you register for a HAVEN account, we collect:
- Full name and display name
- Email address
- Password (stored as a salted cryptographic hash — never in plain text)
- Mobile phone number (optional, used for booking notifications)
2.2 Care recipient and care needs information
To enable our AI-powered matching service, we collect information about the person requiring care, including:
- Care recipient name, age, and relationship to the account holder
- Type of care required (home care, NDIS, nursing, dementia care, respite)
- Funding pathway (NDIS, Home Care Package, DVA, private, hybrid)
- Medical conditions, care notes, and care requirements
- Preferred service areas and budget range
- Care urgency and timeline
Health and care information is treated as sensitive information under the Privacy Act 1988 and is handled with heightened protection. We collect this information only to the extent necessary to facilitate appropriate care matching.
2.3 Provider profile information
If you register as a care worker or organisation, we also collect:
- Business or trading name, ABN or ACN (where applicable)
- Professional credentials, registrations, and licence details (e.g. AHPRA, NDIS Worker Screening)
- Service types, funding types accepted, and service areas
- Police check and Working with Vulnerable People clearance status
- Insurance details
- Bank account details for payment disbursement (held by our payment processor)
2.4 Booking and transaction records
For every booking made through the Platform, we record:
- Date, time, service type, and duration
- Consumer and provider identifiers
- Booking status history
- Payment metadata (amount, currency, transaction reference — not full card numbers)
- Care notes and session records where provided
2.5 Device and analytics data
We automatically collect technical information including IP address, browser type, device identifiers (anonymised), pages visited, and session identifiers stored in secure HTTP-only cookies. We use this data for security monitoring, fraud detection, and aggregate analytics. We do not sell this data.
3. How We Use Your Information
We use personal information only for the following purposes:
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and managing your account | Contract |
| Processing bookings and payments | Contract |
| AI-powered care matching | Contract / Consent |
| Sending booking confirmations and reminders | Contract |
| Platform safety and fraud detection | Legitimate interests / Legal obligation |
| Optional marketing emails (opt-out at any time) | Consent |
| Analytics and product improvement (aggregate data) | Legitimate interests |
| Complying with legal obligations | Legal obligation |
| Dispute resolution and safety investigations | Legitimate interests / Legal obligation |
4. When We Share Your Information
We do not sell your personal information. We disclose it only in the following circumstances:
4.1 With care workers upon booking
When you confirm a booking, we share relevant care recipient information, contact details, and care notes with the provider. Providers are not permitted to use this information outside the context of delivering services through the Platform.
4.2 Payment processors
Payments are processed by third-party payment service providers. We do not store full card numbers. Processors operate under PCI-DSS obligations.
4.3 Infrastructure and hosting
We host the Platform on Amazon Web Services infrastructure in Australia (Sydney region, ap-southeast-2). Data processing agreements are in place.
4.4 Legal and regulatory requirements
We may disclose personal information if required by law, court order, or regulatory direction, or where necessary to prevent harm or investigate suspected illegal activity.
5. Sensitive Information
Health and care-related information (including medical conditions, disability information, care needs, and funding pathway information) constitutes sensitive information under the Privacy Act 1988. We:
- Collect sensitive information only to the extent necessary for care matching
- Apply heightened security controls to sensitive information
- Do not use sensitive information for marketing purposes
- Share sensitive information only with the care worker you select and only for the purpose of delivering care
- Obtain your consent before collecting sensitive information beyond what is strictly necessary
6. How Long We Keep Your Information
- Account and profile data: retained for the life of your account plus 24 months after closure (to support dispute resolution and comply with tax obligations).
- Booking and transaction records: retained for 7 years from the date of the transaction, as required by Australian taxation law.
- Care recipient and health information: retained for the duration of active bookings and for up to 7 years thereafter to comply with applicable health records legislation.
- Device and analytics logs: retained for 13 months in identifiable form, then aggregated and de-identified.
7. How We Protect Your Information
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption at rest for sensitive fields
- Passwords stored using cryptographic hashing
- Role-based access controls
- Multi-factor authentication required for administrative access
- Regular security assessments
- Data stored in AWS ap-southeast-2 (Sydney) — Australian soil
If you believe your account has been compromised, please contact us immediately at [email protected].
8. Your Rights and Choices
- Access: Request a copy of personal information we hold about you. We will respond within 30 days.
- Correction: Ask us to correct inaccurate or incomplete information.
- Deletion: Request deletion of your account and associated personal information, subject to retention obligations.
- Withdrawal of consent: Withdraw consent for marketing or optional data processing at any time.
- Complaint to a regulator: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
9. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or wish to make a complaint, please contact our Privacy Officer:
Inevara Pty Ltd — Privacy Officer
HAVEN Privacy Enquiries
Email: [email protected]
Australia
10. Changes to this Policy
We may update this Privacy Policy from time to time. When we make a material change, we will notify you by email at least 14 days before the changes take effect. Continued use of the Platform after a change takes effect constitutes acceptance of the updated Policy.
© 2026 Inevara Pty Ltd. All rights reserved.