Privacy policy
Your data, handled carefully.
Plain-English answers to what we collect, why, and how it's kept. Compliant with the Australian Privacy Act 1988 and the 13 Australian Privacy Principles.
Last updated 16 May 2026
Who runs PracticaCPD
PracticaCPD is a service of DRAW Group Pty Ltd (ABN 40 630 049 599, ACN 630 049 599), an Australian company providing a Continuing Professional Development (CPD) platform for AHPRA-registered Australian health practitioners. Modules are designed by Australian RACGP-Fellow general practitioners, with specialist reviewer input on individual modules. In this policy, “we”, “us”, and “PracticaCPD” mean DRAW Group Pty Ltd trading as PracticaCPD.
For privacy questions, email support@practicacpd.com.au.
What we collect
Account details you give us directly: full name, post-nominals, email, profession, AHPRA registration number, optional CPD home member numbers (RACGP, ACRRM), and optional practice details (practice name, city, state, phone, profile photo).
CPD activity you log on the platform: titles, dates, hours, category (EA / RP / MO), provider, descriptions, compliance tags, and uploaded evidence files (PDFs, images).
Module engagement: which modules you start and complete, your quiz answers, audit submissions, and reflection answers.
Billing data: if you subscribe to Pro, Stripe stores your card details — we never see or store the card number. We store the Stripe customer ID and subscription status only.
Technical data: IP address, browser type, and error reports captured automatically when you use PracticaCPD. Used to diagnose bugs and prevent abuse.
What we deliberately don't collect: PracticaCPD never sees patient identifiers. Audit templates download as docx files that you complete offline in your own EMR — that data never leaves your machine.
How we use it
Only for the purposes you'd expect: running your account, tracking your CPD hours against the framework you've chosen, generating Statement of Completion PDFs, processing subscription payments, sending magic-link sign-in emails, and contacting you about your account when necessary.
We do not use your data for advertising, do not sell it, and do not share it with third parties for their own marketing.
Where data is stored
Your account, activity log, reflections, and uploaded evidence sit in the Sydney AWS region (ap-southeast-2). Limited operational data may transit through global CDN edges (Netlify) and processing servers (Stripe, Resend, Sentry) located outside Australia, including the United States and the European Union.
Under Australian Privacy Principle 8, we take reasonable steps to ensure overseas recipients handle your information consistently with the APPs. Stripe is PCI-DSS certified; Supabase, Netlify, Resend, and Sentry operate under SOC 2 or equivalent frameworks.
How long we keep it
We keep your account data for as long as your account is active. If you delete your account, we delete your profile, activity log, reflections, and evidence files within 30 days. Stripe retains transaction records independently for seven years for tax and chargeback compliance — that data is governed by Stripe's privacy policy.
A full per-data-type retention schedule — including audit logs, sign-in logs, push tokens, simulation transcripts, and backups — is published at /trust/retention.
Your rights
Under the Privacy Act you have the right to:
- Access the personal information we hold about you — most of it is visible to you inside the app on /account and /activities.
- Correct anything inaccurate via your account settings, or by emailing us.
- Delete your account and associated data — email support@practicacpd.com.au from your registered address.
- Export your CPD log as CSV from /activities at any time.
- Complain to the Office of the Australian Information Commissioner (oaic.gov.au) if you believe we have mishandled your data.
Security
Every row in our database is scoped to your user account using Supabase Row Level Security — other practitioners literally can't read your data even if they tried. Connections are encrypted in transit (HTTPS / TLS 1.2+). Passwords aren't stored; we use passwordless one-time-code sign-in. Two-factor authentication is available from Security settings.
No system is perfectly secure. Our public commitment under the Notifiable Data Breaches scheme — how we detect, contain, and disclose incidents — is published at /trust/breach-response.
Mobile application
The PracticaCPD mobile app is a thin native shell around the same web experience. When you sign in on the app, you authenticate natively using a 6-digit code we email you; the resulting session is then handed to the in-app browser so you see your real account data.
Stored on your device: your Supabase session (in encrypted local storage on iOS), and a preference flag indicating whether you've enabled biometric unlock. We do not store your CPD content on the device; it's fetched live each session.
Push notifications: if you grant permission, the app registers an Expo push token in our database. The token is an opaque identifier we use to route alerts (e.g. AHPRA renewal reminders). You can revoke push permission at any time in iOS Settings; signing out also deletes the token from our database.
Biometric unlock: Face ID / Touch ID runs entirely on-device using the standard iOS APIs. Your biometric data never leaves your phone — only a success/fail signal is returned to the app.
AI assistant
PracticaCPD includes an optional AI Reflection Assistant that helps you draft CPD reflections from a brief, de-identified case summary you type yourself. The text you provide is sent to Claude (Anthropic), accessed via AWS Bedrock in the Sydney (ap-southeast-2) region. The inference runs entirely on Australian infrastructure; your case text does not leave the country.
AWS Bedrock does not retain prompts or responses for model training, and we don't log your case text on our own servers either. Token counts are recorded for billing reconciliation; the prompt body is not. You review and edit every draft before it's saved as a CPD activity — the AI's output is a starting point, never an automatic record.
Please don't paste patient identifiers (names, MRNs, dates of birth, specific dates of consultation) into the assistant. A short paragraph describing the case, your reasoning, and what you noticed is what the assistant is designed for.
Patient feedback surveys
Practitioners can run anonymous patient feedback campaigns for self-conducted multi-source feedback. If you have been invited to complete a survey:
Your responses are anonymous. We do not record your IP address, store cookies, or capture any identifier that could link a response back to you. The practitioner sees only aggregate scores once at least five responses are received, and open-text comments are shuffled so submission timing cannot identify you.
If you arrived via an emailed invitation, the practitioner provided your email address to us solely to deliver that invitation. We do not retain the address after sending; it's not stored against your response, which is anonymous regardless.
Participation is entirely optional and has no effect on your care.
Children
PracticaCPD is for AHPRA-registered health practitioners and is not intended for anyone under 18. We do not knowingly collect personal information from children.
2024–2025 Privacy Act amendments
The Privacy and Other Legislation Amendment Act 2024 introduced several changes that affect how PracticaCPD operates. We have aligned to each of them proactively:
- Statutory tort for serious invasions of privacy. We treat any data-handling decision through a privacy-by-design lens; our audit log records sensitive admin actions to demonstrate accountability under APP 1.2.
- Transparency about automated decisions. No PracticaCPD decision that materially affects you is fully automated. AI assistant output is a draft you review and edit; CPD progress calculations are deterministic and visible to you on the dashboard.
- OAIC infringement-notice powers. We have updated our internal escalation playbook to respond to OAIC inquiries within statutory deadlines.
- Children's online privacy code (draft). PracticaCPD is not directed at children, and we verify professional registration at sign-up. If the children's privacy code is finalised, we will review and update this policy accordingly.
Changes to this policy
If we make material changes, we'll update the “last updated” date at the top and notify active users by email. Minor wording or formatting changes happen quietly.
Contact
Questions about this policy, or about how we've handled your data: support@practicacpd.com.au.
