Privacy policy.
Summary. Handover stores your data in Australia (Sydney), encrypts sensitive fields at rest with AWS KMS, never sells or rents your data, requests read-only access to your calendar, and complies with both the Australian Privacy Principles and the Google API Services User Data Policy including the Limited Use requirements.
1. Who we are
Handover is a product of Alexandara Digital Studio Pty Ltd, a digital product studio based in Brisbane, Queensland, Australia. When this policy says "we", "us", or "our", it means Alexandara and the Handover product specifically.
Contact: handover@alexandara.com.au
2. What we collect
We collect only what is necessary to provide the service:
- Account details — email address, first name, password (hashed with bcrypt; never stored in plain text).
- Participant context — first names, support tags, goals, and contextual notes you enter about the people you support. We never store surnames, NDIS numbers, addresses, or photos.
- Voice transcripts — the raw text captured by your browser's speech recognition during voice recording. Transcripts are saved alongside the generated note as part of the same record. They persist as long as the note does. You can delete any note (and its transcript) at any time from the Notes tab.
- Shift notes — the structured notes (SOAP, DAP, or Narrative format) generated from your transcripts. Notes and their transcripts are retained until you delete them. You can export and delete your data at any time.
- Calendar data — when you connect Google Calendar, Outlook, or an iCal feed, we read your calendar events to import shift times. Calendar data is processed in-memory during sync, normalised to our shift schema, and only the resulting shift records (start time, end time, duration, event title) are persisted. The original calendar event payload is not stored.
- Usage metadata — timestamps, device type, and feature usage for debugging and service improvement. No IP addresses are stored long-term.
3. How we use your data
- AI rewrite — your transcript text is sent to our AI provider's API to generate the structured note. The AI provider processes the text and returns the result. They do not train on your data, do not retain it beyond a maximum of 30 days (for abuse monitoring), and are SOC 2 Type II certified. We redact identifiable participant information before sending transcripts to the AI provider where possible.
- Calendar sync — we read events from your connected calendar to create pending shift entries. We use read-only access. We never modify, create, or delete events in your calendar.
- Email — we send transactional emails (sign-in, password reset, trial reminders) via our email provider. We do not send marketing emails.
- Payment — subscription billing is handled by Stripe. We do not store your card number, CVV, or full card details. Stripe handles PCI compliance.
4. Where your data lives
All primary data is hosted in Australia:
- Database — Supabase, hosted on AWS ap-southeast-2 (Sydney).
- Encryption keys — AWS Key Management Service, ap-southeast-2 (Sydney).
- Application hosting — Vercel (edge network, with data processing routed to the nearest region).
Sensitive fields (calendar tokens, API credentials, encrypted note content where applicable) are encrypted at rest using AES-256-GCM with envelope encryption. All data in transit uses TLS 1.2 or higher.
5. Third parties
We share data with third parties only to operate the service:
- AI provider (Anthropic Claude, with OpenAI as fallback) — processes transcript text to generate notes. US-based servers. No training on your data. 30-day maximum retention for abuse monitoring, then deleted.
- Supabase — database hosting and authentication. Australian region (ap-southeast-2).
- AWS — encryption key management. Australian region.
- Stripe — payment processing. PCI Level 1 certified.
- Resend — transactional email delivery.
- Google / Microsoft — calendar OAuth providers. We request read-only calendar access. These providers see that you authorised Handover but do not receive your notes, transcripts, or participant data. See section 6 for full disclosure regarding Google user data.
We do not sell, rent, or share your data with advertisers, data brokers, credit-reference agencies, or anyone else for purposes outside operating Handover.
6. Google user data — Limited Use compliance
Limited Use disclosure. Handover's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect your Google Calendar to Handover, we access a narrow, specific subset of your Google account. This section explains exactly what we access, what we do with it, and what we do not do with it.
What Google data we access
We request a single read-only OAuth scope:
This grants Handover permission to read the events and calendar lists in your Google account. We cannot create, modify, or delete any events. We do not request access to your Gmail, Drive, Contacts, Photos, or any other Google service.
Why we access it
The sole purpose of this access is to display your upcoming and recent shifts inside Handover, so you can tap a shift and write its handover note without retyping the date, time, participant name, or duration. This is the user-facing feature you signed up for.
How we use Google user data
- Event start time, end time, summary (title), and calendar source are read from your Google Calendar each time a sync is performed.
- These fields are normalised to our internal shift schema and persisted as shift records in our Australian database.
- The raw Google Calendar event payload is not stored in full. We do not retain attendee lists, recurrence rules, conference links, attachments, or any other Google event metadata beyond what is necessary to display a shift row.
- Your Google OAuth refresh token is stored encrypted (AES-256-GCM with AWS KMS envelope encryption) so we can sync your calendar in the background when you have new shifts.
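The allow-list projection described above, as an added illustration only (it is not Handover's code): the input field names (id, summary, start.dateTime, end.dateTime, attendees, recurrence, conferenceData, attachments) are those of the Google Calendar API v3 event resource; the shift schema, the function names and the sample event are assumed for the example.

```javascript
// Added example (not Handover's code): allow-list projection of a Google Calendar
// event into the minimal shift record the policy describes. Input field names are
// those of the Calendar API v3 event resource; the shift schema, function names
// and the sample event below are assumptions for illustration.

const SHIFT_FIELDS = ["eventId", "calendarId", "title", "startsAt", "endsAt", "durationMinutes"];

function toShiftRecord(event, calendarId) {
  // Copy explicitly named fields only. Anything not named here (attendees,
  // recurrence rules, conference links, attachments, description, ...) never
  // reaches the returned object, so it cannot be persisted by accident.
  const start = event.start && event.start.dateTime;
  const end = event.end && event.end.dateTime;
  if (!start || !end) return null; // all-day events carry start.date only and are skipped
  const startsAt = new Date(start);
  const endsAt = new Date(end);
  if (Number.isNaN(startsAt.getTime()) || Number.isNaN(endsAt.getTime()) || endsAt <= startsAt) {
    return null; // malformed or zero-length event
  }
  return {
    eventId: String(event.id),
    calendarId: String(calendarId),
    title: typeof event.summary === "string" ? event.summary.slice(0, 200) : "",
    startsAt: startsAt.toISOString(),
    endsAt: endsAt.toISOString(),
    durationMinutes: Math.round((endsAt - startsAt) / 60000),
  };
}

// Guard to run before persisting: refuses a record carrying any field outside the schema.
function hasOnlyShiftFields(record) {
  return Object.keys(record).every((k) => SHIFT_FIELDS.includes(k));
}

// Constructed sample: a typical event carrying metadata the policy says is never stored.
const SAMPLE_EVENT = {
  id: "abc123",
  summary: "Morning shift - Jamie",
  start: { dateTime: "2025-03-03T07:00:00+10:00" },
  end: { dateTime: "2025-03-03T15:00:00+10:00" },
  attendees: [{ email: "coordinator@example.org" }],
  recurrence: ["RRULE:FREQ=WEEKLY;BYDAY=MO"],
  conferenceData: { entryPoints: [{ uri: "https://meet.example/xyz" }] },
  attachments: [{ fileUrl: "https://drive.example/roster.pdf" }],
};

function syncSample() {
  const record = toShiftRecord(SAMPLE_EVENT, "primary");
  if (record && !hasOnlyShiftFields(record)) throw new Error("schema leak");
  return record;
}
```

The point of the allow-list (as opposed to deleting known-sensitive keys from the raw payload) is that a new field Google adds to the event resource is dropped by default rather than stored by default.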
How we do not use Google user data
In line with the Google API Services User Data Policy Limited Use requirements:
- We do not use Google user data for advertising.
- We do not sell, rent, or licence Google user data to any third party.
- We do not use Google user data to train, fine-tune, or improve generalised or non-personalised AI/ML models.
- We do not allow humans to read your Google user data, except: (a) with your explicit consent for a specific support request you have raised, (b) where strictly necessary for security investigations or to comply with applicable law, or (c) when the data has been aggregated and anonymised such that it cannot be linked to an individual user.
- We do not transfer Google user data outside the operational scope described above.
How we store Google user data
- Shift records derived from Google Calendar events are stored in our Australian database (Supabase, AWS Sydney).
- Google OAuth refresh tokens are encrypted at rest with AES-256-GCM using keys managed in AWS KMS Sydney. The KMS keys never leave the hardware security module.
- All transfers of Google data between Google's servers, Handover, and your browser use TLS 1.2 or higher.
- Row-level security on the database ensures only the authenticated user can read their own Google-derived data.
How to revoke access
You can revoke Handover's access to your Google account at any time. There are two equivalent paths:
- From inside Handover — go to Settings → Calendars → tap the Google connection → Disconnect. The refresh token is immediately deleted from our database, and we stop syncing your calendar.
- From inside Google — go to your Google Account → Security → Third-party apps with account access, find Handover, and click Remove access.
Either action immediately stops future calendar sync. Shift records already imported into Handover remain in your account until you delete them (Notes tab → delete, or Settings → Delete account for everything at once).
7. Data retention
- Shift notes and transcripts — retained until you delete them. Notes and their associated transcripts are stored as a single record. You can delete individual notes at any time from the Notes tab, or export and delete all data from Settings.
- Calendar tokens — stored encrypted while your connection is active. Deleted immediately when you disconnect or delete your account.
- Account data — retained while your account is active. On deletion: 7-day soft-delete window (in case you change your mind), then permanently purged.
- Audit logs — retained for compliance and security review. Do not contain note content or transcript text.
8. Your rights
Under the Australian Privacy Principles and applicable law, you can:
- Access your data at any time via Settings → Export everything (returns notes, transcripts, participant context, and incidents as JSON, CSV, and PDF).
- Correct any information by editing your profile or participant records.
- Delete your account and all associated data via Settings → Delete account. Soft-delete applies for 7 days, then permanent deletion.
- Disconnect any calendar connection at any time. Tokens are immediately deleted.
- Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have mishandled your data. Phone 1300 363 992 or visit oaic.gov.au.
9. Security
- AES-256-GCM field-level encryption for sensitive data (calendar tokens, API keys).
- Envelope encryption with AWS KMS (master keys never leave the hardware security module).
- TOTP-based multi-factor authentication available for all accounts.
- Append-only audit log for all security-relevant actions.
- TLS 1.2 or higher for all data in transit.
- Row-level security on the database — users can only access their own data, enforced at the database layer.
- Service-role keys are never shipped to the browser and are scoped to specific API routes.
10. Children
Handover is a professional tool for adult support workers. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, contact us and we will delete it.
11. Changes
We may update this policy as the product evolves. Material changes will be communicated via the app's notification system and by email. The "last updated" date and version number at the top of this page reflect the most recent revision.
12. Contact
For any privacy-related questions or requests:
Email: handover@alexandara.com.au
Postal: Alexandara Digital Studio Pty Ltd, Brisbane QLD, Australia.
Regulator: Office of the Australian Information Commissioner · 1300 363 992