Trust & compliance

How we handle your data.

PracticaCPD is built around the Australian Privacy Principles. Sensitive data stays in Australia. Sub-processors are named. Retention is documented. Breach commitments are written down. No surprises.

Last reviewed 16 May 2026

Privacy Policy

Plain-English statement of what we collect, why, who sees it, and how to exercise your rights under the Australian Privacy Principles.

Sub-processors

Every third-party service that touches your data — what they do, where they host, and the contractual safeguards we have with them.

Data retention

How long each type of data stays in our systems, what triggers deletion, and what gets kept beyond account closure (and why).

Breach response

Our public commitment under the Notifiable Data Breaches scheme: how we detect incidents, when we notify, and what you can expect from us.

Security disclosure

Found a vulnerability? Read our safe-harbour responsible-disclosure policy and how to reach us.

Cookies

Every cookie we set, its purpose, its lifetime, and how to revoke analytics consent at any time.

Australian regulatory posture

Privacy Act 1988 (Cth) + the 13 Australian Privacy Principles — full applicability, health information treated as sensitive under APP 3.
Notifiable Data Breaches scheme — documented response plan; OAIC + user notification within statutory timelines if serious harm is likely.
Data sovereignty — primary database, authentication, file storage, and AI inference all hosted in AWS Sydney (ap-southeast-2).
State health privacy laws (NSW HRIP, VIC HRA) — we handle practitioner data consistently with these where they apply.
Spam Act 2003 (Cth) — every email we send is operational; marketing communications require an opt-in and carry one-click unsubscribe.