Data Handling
This page explains in plain terms exactly what data SDA Match collects, how it is stored, who can see it, and how long we keep it. We have designed our data practices around the sensitivity of NDIS disability-related information.
1. Data we collect from participants
| Data field | Purpose | Visible to others? |
|---|---|---|
| Email address | Account access and match notifications | No — internal only |
| Password | Account security | No — hashed, never stored in plain text |
| SDA design category | Compatibility matching | Yes — shown anonymously |
| Funded bedroom configuration | Compatibility matching | Yes — shown anonymously |
| Location preferences | Proximity matching | Yes — shown anonymously (suburb/region level) |
| Lifestyle preferences | Compatibility matching | Yes — shown anonymously |
| Support needs (e.g. OOA, ceiling hoist) | Compatibility matching | Yes — shown anonymously as tags |
| Support provider name & email | Facilitating introductions | No — only used for SC-mediated contact |
| Profile active/inactive status | Controls visibility in matching | Indirectly — inactive profiles are hidden from matches |
2. Data we collect from SDA home owners
| Data field | Purpose | Visible to others? |
|---|---|---|
| Email address | Account access and notifications | No — internal only |
| Password | Account security | No — hashed |
| Property address | Location matching | Yes — shown to matched participants via SC |
| SDA design category | Compatibility matching | Yes — shown to participants |
| Property features (e.g. ceiling hoist, accessible bathroom) | Compatibility matching | Yes — shown to participants |
| Availability status | Surfacing active listings | Yes — shown to participants |
| Additional properties | Showing all owned SDA homes | Yes — shown to matched participants |
3. What we do not collect
- NDIS plan numbers or funding amounts
- Medical diagnoses or clinical records
- Government-issued identity documents
- Financial account details
- Real name or photo (not required to register)
- Device fingerprinting or cross-site tracking data
4. How data is stored
All data is stored in a WordPress database hosted on servers located in Australia. Passwords are hashed using bcrypt and are never stored in plain text. Database access is restricted to authorised administrators only.
All connections to the platform use HTTPS (TLS encryption). We do not transmit personal data via unencrypted channels.
5. Anonymisation
Participant profiles shown to other users are anonymised. Real names are replaced with system-generated participant numbers. Initials shown in profile cards are derived from a one-way hash of the user ID and cannot be reversed to reveal the user's real name. Your email address and your support provider's details are never exposed to other users.
6. Third-party services
We use a small number of third-party services to operate the platform:
- Web hosting provider — stores the database and serves the platform. Located in Australia. Bound by data processing agreements.
- Transactional email service — used to send match notifications and account emails. Only your email address is shared, not profile data.
We do not use Google Analytics, Facebook Pixel, or any behavioural advertising technology.
7. Data retention
We retain your data for as long as your account is active. If you delete your account, all personal data associated with your profile will be permanently removed within 30 days. Anonymised aggregate statistics (e.g. total participant counts by state) may be retained indefinitely as they cannot identify any individual.
8. Expression of interest data
When a connection request is submitted between participants or between a home owner and a participant, a record is stored internally for the purpose of tracking the introduction. This record includes the participant numbers involved and a timestamp. It is not shared externally and is deleted when an account is closed.
9. Admin access
SDA Match administrators can view registered profiles for the purpose of approving listings, moderating content and responding to support requests. Administrators are bound by confidentiality obligations and are subject to access controls.
10. Your rights
You may request a copy of your data, ask us to correct it, or request deletion at any time by contacting privacy@sdamatch.com.au. We will respond within 10 business days.
11. NDIS data principles
We recognise that disability-related information is sensitive. Our data practices are designed to be consistent with the NDIS Privacy Principles and the NDIS Act 2013, including minimising the collection of disability information and ensuring it is used only for the purpose for which it was collected.