Minikai Pty Ltd (ABN 32 674 548 577) (referred to in this Privacy Policy as Minikai, we, our or us) is committed to protecting the privacy of individuals whose Personal Information we handle. We provide a secure software-as-a-service (SaaS) platform to aged care and disability providers in Australia, New Zealand, and the United Kingdom.
This Privacy Policy sets out how we collect, use, disclose, and protect Personal Information in accordance with the Privacy Act 1988 (Cth) (Australian Privacy Act) and the Australian Privacy Principles (APPs), the Privacy Act 2020 (NZ) (NZ Privacy Act) and the Information Privacy Principles (IPPs), and for customers established in the United Kingdom, the UK General Data Protection Regulation and the Data Protection Act 2018.
By using Minikai's services or providing Personal Information to us, you acknowledge and agree to the terms of this Privacy Policy.
Introduction
Minikai provides a secure cloud-based platform (the Platform) that enables Customers (care providers) to record, manage, and share information about the Care Recipients they support. In doing so, we handle Personal Information and Sensitive Information of both Customers and Care Recipients. We are committed to managing that information responsibly, in line with applicable privacy laws and the consent given by individuals and their Authorised Representatives.
Definitions
Capitalised terms and expressions used in this Privacy Policy but not otherwise defined have the meanings given to them in this section, unless the context requires otherwise.
- APPs means the Australian Privacy Principles set out in the Australian Privacy Act, as amended from time to time.
- Australian Privacy Act means the Privacy Act 1988 (Cth), as amended from time to time.
- Automated Decision-Making (ADM) means the use of a computer program to make, or to do something substantially and directly related to making, a decision about an individual, where Personal Information is used in the program's operation.
- Authorised Representative means a parent, guardian, enduring or medical power of attorney, or another person who is legally authorised to provide consent on behalf of a Care Recipient.
- Care Recipient means any individual whose Personal Information is collected, stored, or otherwise managed on the Platform by a Customer, including (without limitation) individuals receiving care, services, or other forms of support from that Customer.
- Customer means any organisation, entity, or individual that registers for, subscribes to, purchases, or otherwise uses Minikai's services, whether directly or through an authorised representative. This includes, without limitation, aged care providers, disability service providers, and similar users of our services.
- IPPs means the Information Privacy Principles set out in the NZ Privacy Act, as amended from time to time.
- NZ Privacy Act means the Privacy Act 2020 (NZ), as amended from time to time.
- Personal Information has the meaning given in the Australian Privacy Act and the NZ Privacy Act. In this Privacy Policy, it generally refers to information or an opinion about an individual who is identified, or reasonably identifiable. This may include, without limitation, contact details, account information, health information, disability information, and care needs. For the avoidance of doubt, Personal Information includes Sensitive Information.
- Platform means Minikai's SaaS solution, including its software, systems, applications, websites, mobile applications, integrations, and any related technologies, updates, enhancements, or services made available by Minikai from time to time.
- SaaS means software-as-a-service, being a software licensing and delivery model in which software is provided on a subscription basis and hosted by Minikai or its service providers.
- Sensitive Information means a category of Personal Information that is given additional legal protection under the Australian Privacy Act and the NZ Privacy Act. It includes, without limitation, health information, disability information, care needs, and any other information considered sensitive under applicable privacy laws (such as racial or ethnic origin, religious beliefs, sexual orientation, or criminal history).
Our Role: When We Are Responsible for Your Information
Minikai handles personal information in two different capacities, and who is responsible depends on why it is being handled.
When the Customer is responsible (we act on their behalf). When we handle care records and other information a Customer manages through the Platform, the Customer decides how that information is used and we handle it on their documented instructions. This also includes reports we prepare for a Customer about how the Platform is used within their account, so they can understand and improve how it is used. In UK and EU terms, the Customer is the data controller and Minikai is the data processor. If your information is managed on the Platform by a Customer, or you use the Platform through a Customer, and you wish to exercise your rights over that information, please contact the relevant Customer, and we will assist them in responding.
When Minikai is responsible (we act for our own purposes). When we handle information for our own purposes, we decide how it is used and we are responsible for it. This includes our business contacts and prospects, our marketing, visitors to our website, and the analytics we use to run, secure, and improve our own products and services. In UK and EU terms, Minikai is the data controller, and you can contact us directly to exercise your rights.
Some information about how the Platform is used serves both purposes: we use it to improve our own products (where we are responsible), and we present it to your organisation as reports on how the Platform is used (where your organisation is responsible). Your choices about these technologies are described in the Cookies and Similar Technologies section.
What Information We Collect
The Platform may be used by Customers to collect, store, and share the following types of Personal Information and Sensitive Information about Care Recipients:
- Identifying details: name, date of birth, gender, address, contact details, ethnicity, sexual orientation, cultural background, language preferences, next of kin, and emergency contacts.
- Health and medical information: diagnoses, medical history, medications, allergies, test results, clinical notes, treatment plans, referrals, imaging and laboratory reports.
- Care and support needs: disability information, aged care assessments, daily living assistance, support plans, behavioural support records, incident reports, and progress notes.
- Personal and social information: family details, relationships, living arrangements, employment or education history, lifestyle preferences, communication preferences, religious or spiritual beliefs (where relevant to care).
- Legal and administrative information: Medicare/NHI number, health insurance details, guardianship or power of attorney documents, advance care directives, consent records, funding and service agreements.
- Financial information: billing details, payment records, government subsidies or funding (for example, NDIS, My Aged Care, ACC in New Zealand).
- Multimedia records: photographs, audio or video recordings for identification, care planning, or clinical purposes.
- Technology and usage data: information about how Care Recipients or their representatives interact with the Platform (for example, log-in activity, device details, and communications exchanged).
- Other information: any other information, documentation, or materials reasonably required by care providers to deliver, coordinate, or manage care.
Minikai collects and handles this information on behalf of Customers and Care Recipients as part of hosting the Platform. We recognise that Care Recipient data may consist of Sensitive Information, and we treat it with strict confidentiality and robust security measures. It will only be collected where relevant to the provision of care, required by law, or where appropriate consent has been provided.
How We Collect Information
We collect Personal Information and Sensitive Information in several ways:
- Directly from Customers: When a Customer signs up for our services or uses the Platform, they may provide us with Customer and Care Recipient information (for example, by entering data into the Platform or contacting us for support).
- From Care Recipients or their Authorised Representatives: In some cases, a Care Recipient or their Authorised Representative may provide information directly (for example, by completing a form linked to the Platform or supplying documents to their Care Provider). In these cases, we collect that information on behalf of the relevant Customer.
- Automatically through use of the Platform: When Customers use the Platform, we may automatically collect certain technical data (such as usage logs, device information, and IP addresses) to maintain performance, support functionality, and enhance security, and to understand how the Platform is used. We describe how we use usage information, and the choices available to you, in the Cookies and Similar Technologies section.
- From third-party integrations: If Customers connect other software, applications, or systems with the Platform, we handle the integrated information in accordance with this Privacy Policy and applicable privacy laws.
- Change of Care Provider: Where a Care Recipient changes from one Customer to another (for example, moving to a new care provider or being referred to another service), their existing Personal Information and Sensitive Information stored in the Platform may be made available to, or transferred to, the new Customer. Such transfers will only occur where permitted under applicable privacy laws and subject to the necessary consent arrangements.
We handle Personal Information and Sensitive Information only where permitted by applicable privacy laws. This may include where the handling is necessary for providing our services to Customers, required by law, based on consent, or otherwise authorised under the Australian Privacy Act or the NZ Privacy Act.
Unsolicited Information
If we receive Personal Information or Sensitive Information that we did not request and that is not reasonably necessary for our services or the services provided by Customers, we will securely delete or de-identify it, provided it is lawful and reasonable for us to do so.
Anonymity and Pseudonymity
Where practicable, individuals have the option of not identifying themselves, or of using a pseudonym when dealing with us (for example, when making a general enquiry). However, due to the nature of our services, we will usually need certain Personal Information (such as names and contact details) to provide effective support or access to the Platform.
Cookies and Similar Technologies
We use cookies and similar technologies (such as local storage) to operate, secure, and improve our website and the Platform. These store or read small amounts of information on your device.
- Strictly necessary: essential for the website and Platform to function, including keeping you securely signed in and remembering your privacy choices. The site and Platform cannot work properly without these.
- Analytics: help us understand how our website and the Platform are used, for example which pages are visited and where errors occur, so we can improve our products and services.
- Marketing: help us measure our marketing and understand how people find us.
- Functional: enable optional, non-essential features that improve your experience, such as our in-app support chat.
We do not store Sensitive Information or health data in cookies.
Your choices. You can manage or block cookies through your browser settings, though some features may not work if strictly necessary cookies are blocked. We respect recognised browser privacy signals such as Global Privacy Control. Where we ask for your consent (see United Kingdom below), you can set and change your choices through our cookie banner and preference controls.
United Kingdom. For UK visitors, these technologies are governed by the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR. Strictly necessary storage is exempt from consent. Aggregate analytics on our public website rely on the PECR statistical exception, with legitimate interests (UK GDPR Article 6(1)(f)) as the basis for any personal data involved. Individual-level analytics within the Platform, functional technologies such as our support chat, and marketing technologies rely on your consent (Article 6(1)(a)). If you decline functional cookies, features such as live chat will not load until you enable them, and you can still contact us by email.
Disclosure of Information
Minikai does not sell Personal Information or Sensitive Information to anyone. We only disclose such information outside of Minikai in limited circumstances, including:
- Other Health and Care Providers: We may disclose Personal Information and Sensitive Information to other health and care providers directly involved in a Care Recipient's care, including doctors, specialists, hospitals, allied health professionals, aged care providers, and disability service providers. This may also include potential providers, where disclosure is reasonably necessary to determine their ability to provide appropriate care.
- Emergency Situations: We may disclose Personal Information and Sensitive Information to emergency services or other relevant organisations where reasonably necessary to protect the life, health, or safety of a Care Recipient or others.
- Regulators, Government Agencies, and Funding Authorities: We may disclose Personal Information and Sensitive Information where required by law or regulation, including to regulators, law enforcement, or government agencies. This may include disclosures for compliance with aged care, disability, or public health reporting obligations, or to funding authorities such as NDIS, My Aged Care, or ACC for claims and subsidy purposes.
- Minikai Staff: Our staff may access Personal Information and Sensitive Information where required to operate, maintain, and support the secure functioning of the Platform (for example, system troubleshooting or technical support). Access is strictly limited to authorised personnel, subject to confidentiality obligations, and monitored through internal controls.
- Service Providers (Sub-processors): We may engage trusted third parties to support our business operations (for example, cloud hosting providers, analytics tools, and customer support systems). These providers may handle Personal Information on our behalf, but only for our purposes and under our instructions. They are bound by confidentiality obligations and must comply with privacy standards equivalent to ours. See the Data Residency and Retention section for details of how we manage overseas transfers.
- Change of Care Provider: Where a Care Recipient moves from one Customer to another, their existing Personal Information (including Sensitive Information) stored in the Platform may be made available to the new Customer. Such transfers will only occur where permitted under applicable privacy laws and in accordance with the Care Recipient's valid consent form or equivalent authorisation.
- Business Transactions: If Minikai is involved in a business transaction such as a merger, acquisition, or sale of part or all of our company, Personal Information (including Sensitive Information) may be transferred to the relevant parties as part of that process. In such cases, we will ensure that any recipients of the information are required to protect it in line with this Privacy Policy and applicable law.
How We Use Information
We use the Personal Information and Sensitive Information we collect to operate, maintain, and improve our services, to support the delivery of care, to communicate with Customers, Care Recipients and their Authorised Representatives (where appropriate), and to meet our legal and regulatory obligations. Key purposes include:
- Providing and improving services: To set up and manage Customer accounts, authenticate users, deliver the core features of the Platform, and ensure its security. We also analyse how the Platform is used to improve it and develop new features, as described in the Cookies and Similar Technologies section.
- Supporting care delivery: To record, monitor, and update Care Recipients' care, and to share information with other health and care providers (including potential providers) where necessary to coordinate care, manage referrals or handovers, or confirm their ability to deliver services.
- Communications and support: To communicate with Customers, and where appropriate with Care Recipients or their Authorised Representatives, regarding service updates and to provide support (such as responding to enquiries, resolving technical issues, or assisting with consent or access requests).
- Funding and administration: To support funding, billing, subsidy, and reimbursement processes, including NDIS, My Aged Care, ACC, and private health insurance.
- Quality and training: To conduct audits, quality assurance, service improvement, and safety monitoring activities, and to train and support care provider staff (using de-identified information where possible).
- Compliance and protection: To comply with legal obligations (for example, health record-keeping requirements, aged care and disability reporting), and to enforce contractual terms. We may also use information to detect, investigate, and prevent fraud, misuse of the Platform, or other unlawful activity.
- Automated Decision-Making Support: The Platform uses computer programs to analyse Personal Information and Sensitive Information of the kinds described in "What Information We Collect" and to generate outputs that care provider staff review when making decisions about Care Recipients. These include decisions about care delivery and care planning, compliance and incident reporting, and the preparation of assessments and supporting documentation used in funding processes under aged care and disability frameworks, which may significantly affect Care Recipients. The Platform does not make any decisions about Care Recipients solely by the operation of a computer program.
- Marketing communications: We may use the contact details of Customers, prospective customers, and other business contacts to send updates about our products and services and other marketing communications. We send these where we have consent or another basis permitted by law; every message identifies Minikai and offers a simple, free way to unsubscribe; and you can opt out at any time. We handle marketing communications in line with the Spam Act 2003 (Cth), the Unsolicited Electronic Messages Act 2007 (NZ), and, for the United Kingdom, the Privacy and Electronic Communications Regulations. We do not use Care Recipient Personal Information, or any Sensitive Information, for marketing.
- Case studies and testimonials: With the individual's express permission, we may feature a Customer's name, role, organisation, logo, and quotes, and where separately agreed photographs or video, in our marketing, such as case studies and testimonials. We tell people what we will publish and where before we publish it, we record their permission, and they may withdraw it at any time by contacting privacy@minikai.com, after which we stop using the content and remove it from the channels we control as soon as practicable. We do not feature identifiable Care Recipients without their separate, explicit consent.
Data Security
We implement a range of security measures to protect Personal Information from misuse, loss, unauthorised access, modification, or disclosure. These measures include encryption of data (both in transit and at rest), strict internal access controls, and regular security testing of our systems.
While no method of electronic storage or transmission is completely secure, we continually update our safeguards to align with industry best practices. Customers remain responsible for ensuring they have obtained the necessary consent or authorisation before uploading Personal Information or Sensitive Information into the Platform.
Data Residency and Retention
Customer Data (content and processing layer): Minikai stores and processes Customer Data (care plans, conversations, files, reports, and all other records created or managed through the Platform) in the Data Region selected by the Customer on their Order Form. Available Data Regions are Australia and the United Kingdom. Customer Data does not leave the selected Data Region except as required by law or as expressly authorised by the Customer.
Account information (control layer): The infrastructure that provides authentication, identity management, and platform analytics operates globally. This includes the names and email addresses of platform users (Authorised Users), which are processed by our control layer providers. These providers may operate outside the selected Data Region, and are required to handle this information under binding agreements that impose privacy and security obligations equivalent to those required by applicable privacy laws. A current list of our sub-processors and the countries in which they operate is available at trust.minikai.com/subprocessors.
Cross-border accountability: Minikai remains accountable for the handling of Personal Information by our control layer providers, consistent with the Australian Privacy Principles and the NZ Privacy Act. We take reasonable steps, including through written contractual terms, to ensure that any overseas recipient handles Personal Information in a manner consistent with applicable privacy laws. Where required by applicable law, we will provide individuals with information about overseas disclosures and their available remedies.
Data Retention: We retain Customer Personal Information for as long as the Customer's subscription remains active, or as otherwise directed by the Customer, unless a longer retention period is required by law.
We retain Care Recipient Personal Information and Sensitive Information for as long as the Care Recipient continues to receive treatment, care, or support from a Customer using the Platform, unless a longer retention period is required by law. When a Care Recipient is no longer supported by a Customer using the Platform, their Personal Information will be deleted, de-identified, or returned to the Customer, subject to any legal obligations to retain records. Residual copies of data may remain in backup systems for a limited period for security and disaster recovery purposes, after which they are securely overwritten.
All sub-processors engaged by Minikai are bound by written agreements requiring compliance with privacy and security obligations equivalent to those set out in this Policy.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services or legal obligations. If we make a significant change, we will notify Customers (for example, by email or via a notice in the Platform). The "Last updated" date at the top of this page shows when it was most recently revised. We encourage you to check back periodically to review updates.
Contact, Your Rights and Complaints
You have certain rights regarding your Personal Information under privacy laws, including the Australian Privacy Act and the NZ Privacy Act. These rights include:
- Access: You can request a copy of the Personal Information we hold about you, unless legal exceptions apply.
- Correction: You can ask us to correct or update any Personal Information you believe is inaccurate, out of date, or incomplete.
- Object to processing: You may object to specific uses of your Personal Information, such as direct marketing, and we will respect such requests wherever possible.
- Withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time, and we will stop the processing (where feasible).
- Data portability: You may request a copy of the Personal Information you have provided to us in a structured, commonly used, machine-readable format, where this is technically feasible.
How you exercise these rights depends on who is responsible for your information (see Our Role). Where Minikai handles your information on a Customer's behalf, such as care records or how you use the Platform, please contact the relevant Customer (your care provider or employer), who is responsible for it, and we will support them in responding. Where Minikai is responsible for your information, such as our website, our marketing, and our own analytics, you can contact us directly using the details below.
If you have any questions, wish to exercise your rights, or would like to make a complaint, please contact our Privacy Officer at privacy@minikai.com. We typically respond within 30 days.
If you are not satisfied with our response, you may escalate your concern to the Office of the Australian Information Commissioner (OAIC) in Australia or the Office of the Privacy Commissioner in New Zealand. We will cooperate fully with the relevant authority to resolve your concerns.