Effective date: 21 May 2026 Last updated: 21 May 2026 Operator: Luke Ferguson, trading as Mealward (sole trader), ABN 17 977 307 913, of 2 Northumberland Court, Carrum Downs VIC 3201, Australia ("Mealward", "we", "us", "our"). Contact: privacy@mealward.com
1. About this Policy
Mealward provides software-as-a-service used by Australian residential aged-care providers to plan and record meal services for residents. This Privacy Policy explains how we collect, use, hold, disclose, and protect Personal Information.
This Policy is written to comply with:
- The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
- State-based health-records legislation where applicable (NSW Health Records and Information Privacy Act 2002, Victorian Health Records Act 2001, ACT Health Records (Privacy and Access) Act 1997); and
- The Aged Care Act 2024 (commenced 2025) ("NACA") and the Strengthened Aged Care Quality Standards.
This Policy applies to:
- Visitors to mealward.com and its sub-pages (the "Website");
- Customer organisations that license the Mealward platform (the "Platform");
- Authorised users of the Platform employed or engaged by a customer organisation (the "Users"); and
- Residents of customer aged-care facilities whose meal-related data is recorded in the Platform (the "Residents").
2. Our role in handling Personal Information
When a customer organisation uses the Platform, the customer is the APP entity (data controller) that decides what Personal Information is collected and for what purpose. Mealward acts as a data processor, processing Personal Information on the customer's documented instructions under our Data Processing Agreement (see /legal/dpa).
When you visit the Website or contact us directly, we are the APP entity for the limited Personal Information we collect about you in that context.
3. Personal Information we collect
3.1 From Resident records (processed on behalf of customer organisations)
When a customer uses the Platform to manage meal services, we process the following types of Resident Personal Information on behalf of the customer:
- Name, date of birth, room/bed identifier;
- Dietary requirements, allergies, intolerances, dislikes, religious or cultural food preferences;
- IDDSI texture and fluid level;
- Clinical context relevant to meals (e.g. percutaneous endoscopic gastrostomy status, supplement orders), where the customer has chosen to record it;
- Meal selections made on the Resident's behalf, served-or-not status, and consumption notes;
- Higher Everyday Living (HEDL) extras consumed and reconciled to the Resident's account.
We process this information solely to provide the Platform to the customer. We do not use Resident Personal Information for our own marketing, analytics, or product development.
3.2 From Users (carers, kitchen staff, managers, administrators)
- Name and work email address;
- Role within the customer organisation;
- Authentication credentials (password hash, MFA configuration);
- Audit metadata: IP address, user-agent string, session timestamps, actions taken in the Platform.
User audit metadata is retained for 7 years to support the customer's NACA Standard 8 evidence obligations.
3.3 From Website visitors and prospective customers
- Inbound contact details you provide (name, email, phone, organisation) when you email us, fill in a contact form, or schedule a call;
- Aggregate, non-identifying analytics data (page-level visit counts and referrer source). We do not use third-party advertising or behavioural-tracking cookies on the Website.
3.4 Sensitive information
Some information we process on behalf of customers is "sensitive information" under the Privacy Act (e.g. health information, religious or cultural food preferences). We handle sensitive information consistently with APP 3 and APP 6, processing it only for the purposes the customer organisation has instructed us to under our Data Processing Agreement.
4. How we collect Personal Information
- Directly from Users when they sign in to the Platform, configure their account, or interact with the Platform;
- From customer organisations through bulk imports (resident lists, menu data, dietary information) and through ongoing data entry by Users;
- Automatically through the Platform as part of normal operation (audit logs, error reports, performance metrics);
- From you when you contact us via the Website or by email; and
- From third parties only where the customer organisation has instructed us to integrate with a third-party system on their behalf (see Section 7).
We do not knowingly collect Personal Information about Residents or Users without the underlying authority of the customer organisation that engaged us.
5. How we use Personal Information
We use Personal Information to:
- Provide the Platform to customers and their Users;
- Authenticate Users and protect account security;
- Maintain audit logs that customers rely on for NACA Standard 8 evidence;
- Diagnose and fix software issues;
- Communicate with Users about Platform changes, security advisories, and service interruptions;
- Comply with our legal obligations (including Notifiable Data Breaches reporting under Part IIIC of the Privacy Act); and
- Respond to enquiries you send us through the Website.
We do not:
- Sell Personal Information;
- Use Resident Personal Information to train AI/ML models;
- Use Resident or User Personal Information for advertising or behavioural targeting; or
- Disclose Personal Information to entities outside Australia except as described in Section 6.
6. Disclosure of Personal Information
We disclose Personal Information only as follows:
- To the customer organisation that engaged us, on their instructions, in the course of providing the Platform;
- To sub-processors listed in Section 7, under data-processing terms equivalent to our own;
- As required by Australian law, including in response to a valid subpoena, search warrant, or other lawful request from an Australian regulator or court; and
- In connection with a corporate transaction (e.g. sale of the business), under confidentiality obligations and only after the recipient agrees to honour the protections in this Policy.
We never disclose Personal Information for marketing purposes.
7. Sub-processors and offshore disclosures
We use a small number of sub-processors to deliver the Platform. The current list is published at /trust.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Primary database, authentication, storage | Sydney, Australia (AWS ap-southeast-2) |
| Vercel | Application hosting and CDN | Global edge; AU edge for AU-origin traffic |
| Cloudflare | DNS, WAF, DDoS protection | Global edge; AU points of presence |
| Sentry | Error monitoring (anonymised, PII scrubbed) | United States |
| Upstash | Rate-limit Redis cache (ephemeral, 1-hour TTL, IPs and user IDs only) | Sydney, Australia |
| Google Workspace | Internal corporate email (not customer data) | United States |
Resident Personal Information is stored only in Australia. Specifically, the primary database (Supabase) is in Sydney, ap-southeast-2.
Some operational metadata (anonymised stack traces in Sentry, internal corporate email in Google Workspace) is processed in the United States. We have taken reasonable steps to ensure these recipients do not breach the Australian Privacy Principles in respect of that information, including written contractual data-protection terms.
We give customers 30 days notice before adding or replacing a sub-processor. Customers can object in writing; if we cannot reach a resolution, either party may terminate the relevant Order Form.
8. Data security
We use a defence-in-depth approach:
- In transit: TLS 1.2+ enforced everywhere; HSTS enforced on the application domain.
- At rest: AES-256 encryption via Supabase-managed keys.
- Access controls: Postgres row-level security enforces per-organisation isolation; multi-factor authentication is mandatory for any account with administrative access; access is reviewed quarterly.
- Monitoring: Sentry for error and security observability; Cloudflare WAF and DDoS protection; rate-limiting via Upstash; audit logs retained for 7 years.
- Backups: Nightly automated backups, 90-day retention, restore-tested quarterly.
- Personnel: All persons with access to production are bound by confidentiality obligations and background-checked. Production access requires a documented business reason and is logged.
Our full security posture, including the Information Security Policy and Incident Response Runbook, is summarised on the /trust page.
9. Data breach notification
If we become aware of a data breach involving Personal Information that is likely to result in serious harm, we will notify the affected customer organisation within 24 hours of discovery and assist them with their obligations under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act).
In appropriate cases we will also notify the Office of the Australian Information Commissioner and affected individuals directly.
Our Incident Response Runbook is published on the /trust page.
10. Retention
- Resident and operational data: retained for the duration of the customer's subscription. On termination, data is exported to the customer (where requested) and then permanently deleted within 90 days, subject to any legal hold.
- Audit logs: retained for 7 years to support customer NACA Standard 8 evidence obligations.
- Backups: rotated on a 90-day cycle; data deleted from primary storage may persist in backup tape for up to 90 days before scheduled overwrite.
- Inbound enquiries to mealward.com: retained for 24 months unless deletion is requested earlier.
- Marketing list (Mealward newsletter, if subscribed): retained until you unsubscribe.
11. Your rights
If you are a Resident, your rights are exercised through the customer organisation that operates the facility you live in. We will assist that customer in responding to your request promptly. You can also contact us directly at privacy@mealward.com and we will route your enquiry to the appropriate customer.
For your own Personal Information (e.g. as a User of the Platform or a Website visitor), you have the right to:
- Request access to the Personal Information we hold about you;
- Request correction of any inaccurate or out-of-date Personal Information;
- Request deletion (subject to our retention obligations under Section 10);
- Withdraw consent (where we rely on consent as the lawful basis for processing); and
- Lodge a complaint (see Section 12).
To exercise any of these rights, email privacy@mealward.com. We respond within 30 days. There is no fee for reasonable requests.
12. Complaints
If you believe we have breached this Policy or the Australian Privacy Principles:
- Email privacy@mealward.com with the subject line "Privacy complaint". We aim to acknowledge within 5 business days and respond substantively within 30 days.
- If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au or by phone on 1300 363 992.
13. Cookies and tracking technologies
The Website uses only the minimum cookies necessary to operate (session cookies for authenticated areas, CSRF protection cookies). We do not use behavioural advertising cookies, pixel trackers, or third-party analytics that track individuals across sites. Aggregate, anonymised page-view counts are collected via a privacy-respecting first-party analytics setup; you can opt out by enabling Do Not Track in your browser, which we honour.
14. Children
The Platform is not directed at children. We do not knowingly process Personal Information about people under 18 in the Resident records, except where the customer organisation operates a facility that legitimately serves residents under 18 (rare in residential aged care). Where a customer informs us that a Resident is under 18, we apply the same APP-aligned protections, and rely on the customer's assurance that appropriate consent has been obtained from a parent or legal guardian.
15. Changes to this Policy
We may amend this Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated to active customers by email at least 30 days before they take effect, and posted on this page.
16. Contact
| Topic | Contact |
|---|---|
| General privacy enquiries | privacy@mealward.com |
| Data subject access requests | privacy@mealward.com |
| Data breach notification | security@mealward.com |
| Legal correspondence | legal@mealward.com |
| Postal address | 2 Northumberland Court, Carrum Downs VIC 3201, Australia |
This Privacy Policy was prepared with reference to OAIC guidance on Australian Privacy Principles compliance and is reviewed at least annually.
docs/legal/PRIVACY-POLICY.md in our public repo.Question about this document?Related documents
Public-facing policy
Website Terms of Use
The terms governing use of mealward.com and its public marketing surfaces.
Read
Customer agreement
Master Services Agreement
Customer-facing contractual terms for the Mealward platform after the 30-day pilot.
Read
Customer agreement
Data Processing Agreement
Our role as data processor acting on behalf of your organisation, including sub-processors and breach notification.
Read