Complete CPD - Privacy Policy

Last updated: 7 April 2026

Effective date: 7 April 2026

This privacy policy explains how Complete CPD ("we", "us", "our") collects, uses, stores, and discloses your personal information when you use our website and platform (together, the "Service"). We are committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This policy applies to all users of the Service, including visitors to our website, free tier users, and paid subscribers.

If you have questions about this policy, contact us at privacy@completecpd.com.au.

1. Who we are

Complete CPD is an Australian platform that helps regulated professionals manage their Continuing Professional Development. We provide tools for CPD tracking, planning, discovery, and audit preparation.

Our contact details are:

• Entity name: Complete CPD
• ABN: 93 302 944 735
• Location: Queensland, Australia
• Email: privacy@completecpd.com.au
• Website: completecpd.com.au

2. What personal information we collect

We collect the following categories of personal information:

Account information. When you create an account, we collect your name, email address, and profession. During onboarding, we also collect your registration type and CPD year preferences, which help us configure the platform to your regulatory framework.

CPD records. When you use the platform, you create CPD activity logs, reflections, learning plans, evidence uploads, and other professional development records. This information is created by you and stored within your account.

Payment information. If you subscribe to a paid plan, our payment processor (Stripe) collects your payment details. We do not store your credit card number or full payment details on our servers. We receive and store your Stripe customer ID and subscription status.

Usage information. We collect information about how you interact with the Service, including pages visited, features used, and actions taken within the platform. This helps us understand how the Service is used and improve it.

Device and technical information. When you access the Service, we automatically collect technical information such as your IP address, browser type, operating system, and device type. This information is used for security, troubleshooting, and analytics purposes.

Communications. If you contact us for support or send us feedback, we collect the content of those communications along with your contact details.

Workplace information. If you join a workplace on the platform, we collect your association with that workplace. Your workplace administrator may be able to see limited information about your CPD completion status. This is explained clearly before you join a workplace, and you choose whether to participate.

3. How we collect your information

We collect personal information in the following ways:

• Directly from you, when you create an account, complete onboarding, log CPD activities, upload evidence, write reflections, or contact us.
• From your device, when technical and usage information is collected automatically as you use the Service.
• From third parties, specifically from Stripe when processing subscription payments.

We do not collect personal information from data brokers, social media platforms, or any other third-party sources.

4. Unsolicited information

If we receive personal information that we did not request and we determine that we could not have collected it under the APPs, we will destroy or de-identify that information as soon as practicable, provided it is lawful and reasonable to do so. For example, if someone sends us another person's CPD records or professional details without authorisation, we will delete that information and notify the sender where possible.

5. Why we collect your information and how we use it

We collect and use your personal information for the following purposes:

To provide the Service. We use your account information and CPD records to deliver the core platform features, including CPD tracking, planning, discovery, compliance monitoring, and audit preparation.

To manage your account. We use your email address and account details to authenticate you, manage your subscription, and communicate with you about your account.

To process payments. We use payment-related information (via Stripe) to manage your subscription, process payments, and handle billing enquiries.

To improve the Service. We use aggregated and de-identified usage data to understand how the platform is used, identify issues, and improve features. We do not use your individual CPD records for this purpose.

To communicate with you. We use your email address to send you account-related notifications such as subscription confirmations, payment receipts, CPD reminders, and important platform updates. You can manage your notification preferences in your account settings.

To ensure security. We use technical information and access logs to detect and prevent unauthorised access, fraud, and other security threats.

To comply with the law. We may use or disclose your information where required by Australian law, a court order, or a regulatory authority.

6. What we do not do with your information

We want to be clear about what we will never do:

• We do not sell your personal information. Not to advertisers, data brokers, or anyone else.
• We do not use your CPD records for advertising. Your professional development records will never be used to profile you for third-party advertising purposes.
• We do not share your CPD records with your employer without your consent. If you join a workplace on the platform, you will see exactly what information is visible to your workplace administrator before you opt in.
• We do not share your CPD records with regulators. We will not disclose your individual CPD records to the Pharmacy Board of Australia, AHPRA, or any other regulatory body unless required by law.
• We do not use dark patterns. We aim to be transparent about our data practices and will not use deceptive design to collect consent or make it difficult to manage your information.

7. Disclosure of your information

We may disclose your personal information to the following third parties:

Stripe (payment processing). Stripe processes subscription payments on our behalf. When you subscribe to a paid plan, your payment details are handled directly by Stripe. Stripe's privacy policy governs their handling of your payment information. Stripe is based in the United States and processes data in accordance with their data processing agreement.

Supabase (infrastructure). Our platform is built on Supabase, which provides database, authentication, and file storage services. Your data is stored in Supabase's Australian data centre (Sydney, ap-southeast-2 region). Supabase is operated by Supabase Inc., based in the United States. While the data is stored in Australia, Supabase staff may access infrastructure for support and maintenance purposes from outside Australia.

Resend (email delivery). We use Resend to send transactional emails such as account confirmations, password resets, and notifications. Resend receives your email address and the content of the email being sent. Resend is based in the United States.

Vercel (hosting). Our website and application are hosted on Vercel. Vercel may process technical data such as IP addresses and request logs. Vercel is based in the United States and operates a global content delivery network.

We require all third-party service providers to handle your personal information in a manner consistent with this privacy policy and applicable Australian privacy laws. Where personal information is transferred overseas, we take reasonable steps to ensure it receives protections comparable to those required under the APPs.

We do not disclose your personal information to any other third parties for their own marketing or commercial purposes.

8. Overseas disclosure

Some of our service providers are based outside Australia, as described in section 7. Specifically, data may be processed in the United States by Stripe, Resend, and Vercel. Your CPD data and account information are stored in Australia (Supabase's Sydney region), though Supabase's parent company is based in the United States.

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the overseas recipient handles your information consistently with the APPs, as required by APP 8. This is achieved through our contractual arrangements with these providers.

9. Government-related identifiers

We do not collect government-related identifiers such as AHPRA registration numbers as a standard part of account creation or platform use. If you choose to include a registration number in your CPD records, reflections, or evidence files, that information is stored within your account and protected by the same security measures described in this policy.

We will not use or disclose government-related identifiers as our own identifiers, and we will only use or disclose them where required or authorised by Australian law, or where reasonably necessary to verify your identity for the purposes of the Service, in accordance with APP 9.

10. Cookies and tracking

We use cookies and similar technologies for the following purposes:

Essential cookies. These are necessary for the Service to function. They include authentication cookies that keep you logged in and session cookies that maintain your preferences while you use the platform.

Analytics cookies. We use Plausible Analytics for privacy-respecting page-level analytics. Plausible does not use cookies and does not collect personal information.

We do not use advertising cookies or tracking pixels. We do not share cookie data with advertisers.

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the Service.

11. Data security

We take the security of your personal information seriously. We implement a range of technical and organisational measures to protect your data, including:

• All data is transmitted using HTTPS encryption.
• User data is protected by Row Level Security (RLS) policies, which ensure you can only access your own records.
• Evidence files and sensitive documents are stored in private storage buckets, accessible only via time-limited signed URLs.
• Authentication is managed through Supabase Auth with secure session handling.
• Administrative access to the database and infrastructure is restricted and logged.

While we take reasonable steps to protect your personal information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining and improving our security practices.

If we become aware of a data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. Upon becoming aware of a suspected eligible data breach, we will complete a reasonable and expeditious assessment within 30 days to determine whether the breach is likely to result in serious harm. If the assessment confirms a notifiable breach, we will notify the OAIC and affected individuals as soon as practicable.

12. Data quality

We take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, up to date, complete, and relevant, as required by APP 10. You can review and update your account information at any time through the platform. If you believe any information we hold about you is inaccurate or incomplete, you can correct it directly in your account settings or contact us for assistance. We encourage you to keep your account details and CPD records current to ensure the Service works correctly for you.

13. How long we keep your information

We retain your personal information for as long as your account is active and for a reasonable period after you close your account.

Active accounts. Your CPD records, reflections, evidence, and account information are retained for as long as your account remains open.

Closed accounts. After you close your account, we retain your data for a period that aligns with regulatory retention requirements. For pharmacists, the Pharmacy Board of Australia requires CPD records to be retained for at least three years. After the applicable retention period, your data will be permanently deleted or de-identified.

Anonymised data. We may retain anonymised, aggregated data (which cannot be used to identify you) indefinitely for the purpose of improving the Service.

Backup copies. Backup copies of data may persist in our systems for a limited period after deletion, consistent with our backup retention schedule.

14. Your rights

Under the Australian Privacy Principles, you have the following rights:

Access. You can request access to the personal information we hold about you. You can view and download most of your information directly through the platform. For information not available through the platform, contact us and we will respond within 30 days.

Correction. You can request correction of any personal information that is inaccurate, incomplete, out of date, or misleading. You can update most of your information directly through your account settings.

Data export. You can export your CPD records from the platform at any time. We believe your data belongs to you, and we will not make it difficult for you to take it with you.

Account deletion. You can request deletion of your account and associated data by contacting us. We will process deletion requests promptly, subject to any legal retention obligations.

Complaints. If you believe we have breached the APPs or handled your personal information inappropriately, you can contact us to make a complaint. We will investigate and respond within 30 days. If you are not satisfied with our response, you can lodge a complaint with the OAIC:

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au

15. Anonymity and pseudonymity

You may interact with our website (for example, browsing public content) without identifying yourself. However, to use the core features of the Service, you need to create an account with your name and email address. This is necessary because CPD records are professional documents linked to your registration, and the platform needs to configure your regulatory framework correctly.

16. Children's privacy

The Service is designed for registered professionals and is not intended for use by children under 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will take steps to delete it.

17. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, the law, or our Service. If we make material changes, we will notify you by email or through a prominent notice on the platform before the changes take effect.

We encourage you to review this policy periodically. The "last updated" date at the top of this page indicates when this policy was most recently revised.

18. Contact us

If you have questions, concerns, or complaints about this privacy policy or how we handle your personal information, please contact us:

• Email: privacy@completecpd.com.au
• Website: completecpd.com.au/privacy

We aim to respond to all enquiries within 30 days.