Privacy Policy

Last updated: February 2026

1. About This Policy

Xyston Pty Ltd (ABN 84 641 527 433) ("Xyston", "we", "us", "our") is committed to protecting the privacy of personal information we collect, hold, use, and disclose. This policy outlines how we handle personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

As an NDIS registered provider (Provider No. 4050127478), we also comply with privacy and information management requirements set by the NDIS Quality and Safeguards Commission.

2. What Information We Collect

We may collect the following types of personal information:

  • Identity information: Full name, date of birth, address, phone number, email address
  • NDIS-related information: NDIS number, plan details, funding categories, support needs
  • Health and disability information: Medical reports, diagnoses, allied health assessments, behaviour support plans (sensitive information under APP 3)
  • Referral information: Details submitted via our online referral form including participant information, referrer details, and support needs
  • Contact form submissions: Name, email, phone number, and message content
  • Guardian/representative details: Where a participant has a legal guardian or nominated representative

3. How We Collect Information

We collect personal information:

  • Directly from you or your authorised representative via our referral form, phone calls, emails, or meetings
  • From third parties with your consent, including other NDIS providers, health professionals, the NDIA, and Local Area Coordinators
  • Through our website when you submit a referral or contact form

We will only collect sensitive information (health, disability, cultural background) with your express consent or where required or authorised by law.

4. Purpose of Collection

We collect and use personal information to:

  • Assess your suitability for our NDIS Support Coordination services
  • Provide and manage your support coordination
  • Coordinate with your NDIS service providers and allied health professionals
  • Prepare NDIS plan review reports and submit information to the NDIA
  • Meet our obligations under the NDIS Act 2013 and NDIS Practice Standards
  • Respond to your enquiries and referrals
  • Comply with legal obligations including reporting requirements

5. How We Store and Protect Information

Personal information is stored securely using industry-standard measures including:

  • Cloud-hosted databases with encryption at rest and in transit (Supabase, hosted in Sydney, Australia)
  • Role-based access controls limiting staff access to information relevant to their role
  • Audit logging of all data access and modifications
  • Regular review of security practices

We retain personal information for a minimum of 7 years after the end of our service relationship, in accordance with NDIS record-keeping requirements.

6. Disclosure of Information

We may disclose your personal information to:

  • The National Disability Insurance Agency (NDIA) as required for plan management and reporting
  • Other NDIS service providers involved in your support network, with your consent
  • The NDIS Quality and Safeguards Commission as required by law (e.g., reportable incidents)
  • Health professionals involved in your care, with your consent
  • Government agencies where required or authorised by law

We do not sell, rent, or trade personal information to third parties for marketing purposes.

7. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access: Request access to the personal information we hold about you (APP 12)
  • Correction: Request correction of any inaccurate, incomplete, or out-of-date information (APP 13)
  • Withdraw consent: Withdraw your consent to the collection or use of your information at any time, noting this may affect our ability to provide services
  • Complain: Make a complaint about how we handle your personal information

To make an access or correction request, contact us using the details below. We will respond within 30 days.

8. Cookies and Website Analytics

Our website does not use tracking cookies or third-party analytics services. We do not collect personal information through your use of our website unless you voluntarily submit it via our referral or contact forms.

9. Complaints

If you believe we have breached your privacy or mishandled your personal information, you can:

  1. Contact us directly (details below) to discuss your concern
  2. Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or call 1300 363 992
  3. Contact the NDIS Quality and Safeguards Commission at www.ndiscommission.gov.au or call 1800 035 544

10. Contact Us

For privacy-related enquiries, access requests, or complaints:

11. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with the updated date. We encourage you to review this policy periodically.