1. Introduction

This statement applies only to personal information collected through the Financial Assistance Application Form at grants.beyondlimitscf.org.au (Grant Portal). It sits beside, and does not replace, our broader website Privacy Policy that is available at beyondlimitscf.org.au/privacy-policy.

2. Information we collect and why

Identity and contact details

We ask for the names, addresses, dates of birth, and contact details of the child and their carers. We need these details to identify the application, to keep in touch, and to confirm eligibility for a grant.

Sensitive health and disability information

The form requests medical diagnoses, therapy reports, and letters from health professionals. We use this information to understand the child’s needs and to decide whether a grant is appropriate. We handle this information under the Privacy Act 1988 (Cth) and the Health Records and Information Privacy Act 2002 (NSW).

Financial information

Questions about Centrelink payments and NDIS funding help us ensure that our funds go to families who need them most.

Uploaded documents

You will be asked to upload copies of NDIS correspondence, diagnosis letters, and other supporting files. The files are held in encrypted storage inside Australia and are never used for marketing.

Usage and metadata

When you upload a file we record its name, size, type, and the time it was received. This helps us track the application and meet audit duties.

3. Legal basis for collection

We collect and use your information only when we have a lawful reason. These reasons include your consent, our charitable purpose of providing financial aid, our need to meet audit and reporting duties, and our legitimate interest in contacting you about the outcome of your application.

We do not keep personal information for longer than is necessary for the purposes set out in this statement or as required by law.

4. How we protect your information

In transit

All data that you send through the form travels over an encrypted connection (TLS).

Storage

Files go straight from your browser to protected storage in the Amazon Web Services Sydney region. They are encrypted automatically and cannot be accessed by the public.

Access control

Only authorised Beyond Limits staff and approved advisors can see your application. Every access is logged and multi-factor authentication is required.

Retention and deletion

We keep personal information only for as long as needed to assess and administer your application and any resulting grant, and to meet audit, reporting and legal obligations. The retention period starts when your application is finalised.

Core application records are kept for up to five years. Supporting health documents that are no longer required for assessment or audit are deleted or de-identified sooner. If a grant is paid, financial records related to the payment may be kept for up to seven years to meet accounting and audit requirements.

If you start but do not submit an application, any draft and uploaded files are deleted after 90 days of inactivity.

When information is no longer needed for any purpose permitted by the Australian Privacy Principles, we destroy or de-identify it, subject to legal requirements.

Back-ups

Encrypted back-ups are created each night and stored in a second Australian location for disaster recovery.

When data is deleted from live systems, copies in back-ups are removed as those back-ups cycle, usually within 90 days.

5. Where data is stored

All application data stays within Australia (AWS Sydney or Melbourne). We do not move your personal information overseas unless you ask us to do so or an Australian law obliges us.

6. Who may see the information

• Beyond Limits assessment panel, to review the grant request.

• External medical advisors, but only the parts of the file that they must confirm.

• Australian based service providers who host or secure our systems. They store the data in encrypted form and cannot use it for any other purpose.

• Government regulators or auditors, if the law requires.

We do not sell or rent your personal data to anyone.

7. Your rights

You have the right to ask for a copy of the information we hold about you, to correct wrong details, to withdraw any consent that is not essential to the grant, and to complain if you believe your privacy has been breached.You may also request deletion of your information where we are not legally required to keep it. To use these rights please email contact@beyondlimitscf.org.au.

8. Data breach response

We follow the Notifiable Data Breaches scheme of the Office of the Australian Information Commissioner. If an incident is likely to cause serious harm we will let you know promptly and we will also inform the regulator.

9. Contact

Privacy Officer

Beyond Limits Children’s Foundation

Email: contact@beyondlimitscf.org.au

Mail: Suite C, 39 John Street, 12 Broughton Street, Camden NSW 2570

Phone: +61 (02) 4600 2882

This notice may change from time to time. Significant changes will be posted on the Grant Portal and, where possible, sent to applicants by email.