Privacy policy
NCAT Tracker handles material from real tribunal cases. We take that seriously. This page is the plain-English account of what we collect, why we collect it, and what your rights are under the Australian Privacy Principles.
Last updated 28 May 2026.
Who we are
NCAT Tracker is an Australian online service that helps NSW self-represented parties prepare and run their case at the NSW Civil and Administrative Tribunal. This privacy policy explains what personal information we handle, why we handle it, and how we keep it safe.
We are bound by the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs). If you have a question about your information, email privacy@ncattracker.com.au. We aim to respond within 14 days.
In this policy, "we", "us" and "our" mean NCAT Tracker. "You" means the account holder.
What we collect, and why
We try to collect the minimum personal information needed to run the service. The categories below cover what we hold.
Account information
Your name, email address, and a hashed password. If you pay, your billing email and a Stripe customer reference. We do not store full card numbers; Stripe holds those.
Case information
Everything you put into a case workspace: the dispute type, party names and contact details, dates, dollar amounts, your written notes, uploaded documents and photos, and any orders you ask the Tribunal to make.
Emails you forward to us
When you forward or CC an email to your case's unique inbound address, we receive and store the full message, its headers, and its attachments. We store the raw .eml file so the email is preserved exactly for use as evidence.
The other side's personal information
When you CC us on an email, that email may include the personal information of the other party to your dispute — an agent, a landlord, a builder, a dealer, or someone else. We hold that information as part of your case file because it is reasonably necessary to help you prepare for the Tribunal proceeding you are a party to.
Our lawful basis for holding that information is twofold: it is reasonably necessary for the function of the service you have asked us to perform (APP 3.2), and it is information collected and used in connection with the conduct of legal proceedings you are a party to, which is a permitted general situation under section 16A of the Privacy Act (APP 6).
Technical information
Basic server logs: IP address, user agent, timestamps of requests. We use these to keep the service running and to investigate abuse. We do not run third-party analytics or advertising trackers.
How we collect it
We collect information directly from you when you sign up, fill in the triage, create a case, upload a file, or pay. We collect emails and attachments when you forward or CC them to your case's unique address.
We sometimes receive information about other people from you (for example, the agent's name when you add a party). Where this is unsolicited — for example, a stranger emails your case address — we assess whether we could lawfully have collected it ourselves. If not, we destroy or de-identify it as soon as practicable.
This page is how we notify people about our collection practices (APP 5). If you forward an email from someone else to us, we ask you to consider whether they would expect that.
How we use and disclose your information
We use your information to operate the service for you: to show your case data back to you, generate your application form, build your evidence bundle, calculate deadlines, send transactional emails (sign-in links, deadline reminders, receipts), and provide support.
We do not sell your information. We do not share it with advertisers. We do not build an advertising profile from it. We do not use your case content to train AI models, ours or anyone else's.
We will disclose your information only:
- to the sub-processors listed below, to the extent needed to run the service;
- when you ask us to (for example, sharing a bundle with a support worker you choose);
- where we are required to by Australian law (for example, a court order or a regulator).
If we ever receive a law-enforcement or court request, we will tell you about it unless we are legally prohibited from doing so.
Direct marketing
We send transactional emails about your account and your case (reminders, receipts, security alerts). These are not marketing and you cannot opt out of them while you have an active account.
We do not send marketing emails by default. If we ever introduce a newsletter or product update list, it will be opt-in only, and every message will include a one-click unsubscribe link (APP 7).
Where your information is stored
We run the service on a small set of trusted vendors (sub-processors). Where a sub-processor stores data outside Australia, we flag it below. We take reasonable steps to ensure our sub-processors handle your information consistently with the APPs (APP 8).
| Sub-processor | What they handle | Region |
|---|---|---|
| Supabase | Primary database, file storage, and authentication. | Sydney, Australia (ap-southeast-2) |
| Postmark | Inbound email processing for case addresses, and outbound transactional email. | United States (cross-border) |
| Vercel | Web application hosting and request routing. Cases and files are not stored on Vercel. | United States / global edge (cross-border) |
| Stripe | Payment processing and billing records. | Australia and United States (cross-border) |
Your case content (database rows, uploaded files, raw .eml files) lives in Sydney. The cross-border sub-processors above mainly see metadata (email routing headers, billing email addresses, request IP addresses), but Postmark does see the content of inbound emails as it parses them before they land in our Sydney database.
We will update this list when our infrastructure changes. If you want notice of changes, email privacy@ncattracker.com.au.
How we protect it
We take reasonable steps to protect your information from misuse, interference, loss, and unauthorised access (APP 11):
- All traffic between your browser and our servers is encrypted in transit using TLS.
- Database rows and uploaded files are encrypted at rest by our infrastructure providers.
- Every row that belongs to a case is protected by row-level security in the database — only the account that owns the case can read or change it. We test these rules.
- Passwords are hashed using the algorithms built into Supabase Auth. We never see your plaintext password.
- Access to production systems is limited to a small number of people who need it, with multi-factor authentication required.
No online service is perfectly secure. If a data breach ever affects your information and is likely to cause serious harm, we will notify you and the Office of the Australian Information Commissioner as required by the Notifiable Data Breaches scheme.
We do not hold certifications such as ISO 27001 or SOC 2. Several of our sub-processors do — see their trust pages for details.
Keeping your information accurate
You can update most of your information yourself in Settings → Profile. If something is wrong that you cannot fix yourself, email us and we will correct it. We do not modify the content of emails you have forwarded to us, because their integrity matters for evidence — but we will redact or remove an email at your request (APP 10 and APP 13).
Access, export, and correction
You have a right to access the personal information we hold about you and to ask us to correct it (APP 12 and APP 13).
You can export everything in your account — case data, attachments, and the raw .eml files for forwarded emails — from Settings → Data & export. The export is provided as a ZIP file containing JSON and the original attachments.
If you need access to anything not covered by the in-app export, email privacy@ncattracker.com.au and we will respond within 30 days. We will only charge a fee where doing so is permitted and where the request is unusually large; we will tell you the fee before starting.
How long we keep it
We keep your case data while your account is active. If you delete your account, we keep a minimal copy of your case data for 12 months for accounting and legal-hold purposes (for example, in case a dispute is later raised about your bundle), then we purge it.
Raw .eml files are an exception — for as long as a case is open we keep them in their original form to preserve evidentiary integrity. They are deleted together with the rest of the case at the end of the retention period.
You can ask us to delete your account at any time from Settings → Data & export. Billing records that we are required to keep under Australian tax law are retained for seven years.
Cookies
We use a small number of functional cookies to keep you signed in and to process payments. We do not run analytics or advertising cookies. See our cookies policy for the full list.
Children
NCAT Tracker is for adults. The service is not directed at people under 18, and we do not knowingly collect information from anyone under 18. If you believe a child has created an account, email us and we will close it.
Changes to this policy
If we make material changes to this policy — for example, adding a new sub-processor or changing how case data is used — we will email you before the change takes effect and update the "last updated" date at the top of this page. Minor changes (clarifying wording, fixing typos) will be made without notice.
Complaints
If you think we have mishandled your personal information, please email privacy@ncattracker.com.au first. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.
If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC). The OAIC's contact details and complaint form are at oaic.gov.au/privacy/privacy-complaints.
NCAT Tracker is not a law firm. This page is general information about how we operate the service. For advice on your specific circumstances, contact a lawyer, LawAccess NSW on 1300 888 529, or your local Community Legal Centre.