First month freeClaim it →
openway
Get started

Privacy

Privacy policy

Last updated: 13 May 2026.

This policy explains, in plain English, how OpenWay handles personal information. If anything here is unclear, email us at [email protected] and we will get back to you.

Who we are

OpenWay is an Australian-owned marketplace that helps NDIS participants, families and support coordinators find suitable disability service providers. We do not deliver supports ourselves and we are not part of the NDIS, NDIA or NDIS Commission.

In this policy "OpenWay", "we", "our" or "us" refers to OpenWay. "You" means anyone using myopenway.com.au, whether as a participant, a person supporting a participant, a support coordinator, a provider, or simply a visitor.

What information we collect

Account information: your email, name, role (participant / provider / coordinator / admin), and the answers you give during onboarding. For providers this includes business details (ABN, address, services, registration status). For coordinators this includes organisation name. For participants this includes preferences such as plan type, location, supports needed, language and access needs.

Communications: enquiries, replies and notes sent through OpenWay between participants, coordinators and providers. We store these so the conversation history is available to both sides.

Reviews: ratings and written feedback participants submit about providers, plus the moderator decisions and notes attached to each one.

Usage data: standard server logs (IP address, browser, referring page) used to keep the service running and to detect abuse. We do not sell this data and we do not use it for cross-site advertising.

How we use your information

Matching: we use a participant's plan type, location, language and support categories to surface suitable providers. NDIA-managed participants only see NDIS-registered providers, applied as a hard filter at the query level (not by ranking).

Privacy snapshots: when a coordinator sends an enquiry on behalf of a participant, the privacy level (anonymous / initials / first name) is snapshotted at the moment of sending. Changing the case privacy level later does not retroactively change what the provider already saw.

Sending transactional email: sign-in links, enquiry notifications, reply notifications, review moderation outcomes. We use Resend as our transactional email provider.

Audit and safety: every admin moderation action and every provider state change is recorded in an append-only audit log we can refer back to if there is a dispute or safety concern.

What we share, and what we do not

Participant identifiers are never shared with providers without consent. At INITIALS privacy a provider sees only the participant's initials; at ANONYMOUS only a reference like "Participant 1234". A participant's full name is shared with a provider only when the participant (or the coordinator with the participant's written consent) chooses NAME-level privacy on a specific case.

A provider's account email is never visible to participants or coordinators. All messaging is mediated by OpenWay so providers can reply without exposing their inbox.

We do not sell personal information to third parties. We use Resend (email), Cloudflare (DNS + bot protection), and our hosting provider (server + database) as sub-processors strictly to run the service.

Reviews and public content

Reviews are public on the reviewed provider's profile once approved by a moderator. The reviewer's name is shown as a first name only - never their full identity. Reviews are append-only: we never silently edit a participant's words. A reviewer may ask us to remove their own review at any time by emailing us; the provider cannot demand a review be edited.

Search-result and provider-profile pages are public and indexed by search engines unless we explicitly noindex a thin-content variant.

Your rights

You can ask us at any time to access the personal information we hold about you, correct it, or delete your account. Deletion is a soft-delete: we retain the audit trail of any moderation actions and conversation history with other parties as required to operate the marketplace safely.

If you believe we have mishandled your information, you can complain to the Office of the Australian Information Commissioner at oaic.gov.au. We will work with the OAIC to resolve the issue.

Cookies and similar technologies

We use three categories of cookies. Essential cookies keep you signed in, remember your preferences, and record your consent choice itself - the site does not work without them and they cannot be switched off. Analytics cookies collect aggregated, anonymised usage data so we can fix slow pages and confusing flows. Marketing cookies help us measure the reach of OpenWay campaigns. We do not sell your data and we do not run cross-site behavioural advertising.

Australian visitors see a consent banner on first arrival. You can choose "Accept all", "Essential only", or pick categories one at a time through "Manage". Your choice is stored in a single first-party cookie for 12 months. You can change your mind any time using the button below.

Security

We use industry-standard transport security (HTTPS) site-wide and a strong Content Security Policy. Database access is restricted to the application and to authorised admins. We log every admin action to an append-only audit table that cannot be modified after the fact.

No system is perfectly secure. If you discover a security issue, please email us so we can address it promptly.

Changes to this policy

We will update this policy as the service evolves. The "last updated" date below reflects the most recent change. Material changes are flagged on this page; if you have an account we will email you when we make a change that affects how we handle your information.

Contact us

Privacy questions: [email protected]. Postal mail can also be sent to the registered business address on the About page once the company is formally incorporated.

See also: Terms of service, Trust & Safety.