Privacy Policy
Last updated: 26 February 2026
1. Introduction
LEVELUP Tech ("we", "us", "our") operates iSupplose, a calendar synchronisation and practice management tool for allied health and NDIS service providers. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.
We are committed to protecting the privacy and confidentiality of your data, particularly given the sensitive nature of healthcare practice management.
2. Information We Collect
Account information
- Name and email address (from your Microsoft 365 account)
- Azure Active Directory tenant identifier
- Organisation name
Practice configuration
- Splose API key (encrypted at rest)
- Splose practice web URL
- Practitioner names and email addresses
- Sync preferences and configuration settings
- Azure OpenAI API keys (encrypted at rest)
Sync metadata
- Appointment identifiers and sync status mappings between Splose and Microsoft 365
- Client identifiers, first names, and last names (cached for display purposes only)
- Sync run logs (timestamps, success/failure counts)
Information we do NOT store
- Full client health records or clinical notes
- Appointment content or detailed descriptions beyond what is needed for sync
- Billing or payment card information for your clients
3. How We Use Your Information
| Purpose | Data used |
|---|---|
| Calendar synchronisation | Splose API key, practitioner mappings, appointment IDs |
| Client dashboard | Client names and IDs, appointment and invoice data (queried live from Splose) |
| AI practice assistant | Your questions and live Splose data (not stored after the conversation) |
| Task automation | Form completion and invoice status data from Splose |
| Account management | Email address, tenant ID, admin permissions |
4. Third-Party Services
iSupplose integrates with the following third-party services. Your data may be transmitted to these services as part of normal operation:
- Microsoft 365 / Azure Active Directory: Authentication, calendar read/write, user directory lookups. Governed by the Microsoft Privacy Statement.
- Splose: Practice management data access via API. Governed by the Splose Privacy Policy.
- Azure OpenAI: AI assistant queries are processed by Azure OpenAI. Your data is not used to train OpenAI models when using Azure OpenAI. Governed by the Azure OpenAI Data Privacy policy.
- Azure Cosmos DB: Database hosting for sync metadata and configuration. Data is stored in the Australia East region.
- Azure Key Vault: Encryption key management for API keys and sensitive configuration.
5. Data Security
- All data is encrypted in transit using TLS 1.2+.
- Sensitive fields (API keys, configuration secrets) are encrypted at rest using AES-256-GCM with per-tenant encryption keys stored in Azure Key Vault.
- Each tenant's data is isolated in a separate database.
- Access to admin functions requires authenticated Microsoft 365 sessions with admin-level permissions.
- Session cookies are HttpOnly and Secure.
6. Data Retention
- Account and configuration data: Retained while your account is active. Deleted upon account termination after a reasonable grace period.
- Sync logs: Retained for up to 90 days for troubleshooting purposes.
- Webhook logs: Automatically purged after 7 days.
- Client cache data: Contains only client IDs and names. Refreshed during sync cycles and deleted upon account termination.
- AI assistant conversations: Not persisted after the session ends.
7. Data Location
All data is stored and processed in Australia East (Sydney) Azure data centres. Data does not leave Australia unless required by a third-party integration you have configured (e.g. Microsoft 365 in a different region).
8. Your Rights
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate information in your account.
- Delete your account and associated data by contacting us.
- Export your configuration data upon request.
- Withdraw consent by revoking the Microsoft 365 admin consent for our application in your Azure AD tenant.
9. NDIS and Allied Health Context
We understand that our users work with sensitive client information in the NDIS and allied health space. Our Service is designed to minimise data exposure:
- We only cache the minimum client data needed for sync (IDs and names).
- Clinical notes, health records, and detailed client information remain in Splose and are never stored by iSupplose.
- AI assistant queries access Splose data live and do not persist results.
- We do not share, sell, or provide client data to any third party beyond what is necessary for the Service to function.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or how we handle your data, please contact us at:
Email: service@leveluptech.com.au