1. Who this policy applies to
This Privacy Policy explains how Lamassu Care handles personal information when you use the Lamassu Care mobile app, the web platform at app.lamassucare.com.au, this website, and related account, attendance, timesheet, activity log, document, and organisation features.
Lamassu Care is operated by Pegasus Solutions Pty Ltd (ABN 79 665 783 773).
Lamassu Care is designed for Australian users and organisations, including NDIS and Aged Care provider workflows. Depending on the context, records may refer to participants, clients, workers, subcontractors, organisation staff, or authorised representatives.
2. Information we collect and process
- Account identity details such as name, email address, phone number, username, and sign-in details.
- Role and organisation details such as organisation name, account type, permissions, employment or subcontractor status, and feature access settings.
- Attendance data, including clock in and clock out records and related attendance verification metadata.
- Timesheet data and associated work records.
- Signature delivery and audit metadata, such as signature request status, delivery channel, masked destination details, link access events, timestamps, browser or network metadata, and signing submission events.
- Activity log data and service-note style records.
- Participant or client information entered into the platform.
- NDIS numbers where they are entered into the platform.
- Uploaded or linked documents and related metadata.
- Passkey authentication data and other authentication events, but not raw biometric identifiers.
- Device-stored temporary draft, session, and sync data used to support platform functionality.
- Technical and usage data such as device, browser, app, network, diagnostic, and security event information needed to operate, secure, and improve the service.
3. How we use information
- To create, maintain, secure, and administer user and organisation accounts.
- To provide attendance, timesheet, activity log, document, and operational workflow features.
- To send and track operational signature requests, including secure participant or client signature links for timesheet workflows.
- To support NDIS and Aged Care provider workflows, including participant and client record handling.
- To authenticate users and to support passkeys, sign-in persistence, password recovery, first-time login, and temporary credential delivery workflows where applicable.
- To enable offline use, draft saving, syncing, auditability, fraud prevention, and service security.
- To communicate service, support, billing, security, and account-related updates.
4. Authentication and passkeys
Users may sign in using passwords and, where supported, passkeys. Passkeys may rely on device-level authentication such as Face ID, Touch ID, fingerprint, device PIN, or equivalent platform authentication. Lamassu Care does not collect or store raw biometric identifiers. Authentication is based on cryptographic credentials and platform authentication responses.
5. Attendance verification and location
Location may be requested during attendance verification. If location is provided, it may be used to verify clock in and clock out events against attendance rules such as geofence checks.
If location is unavailable or permission is denied, the attendance action may still proceed but may be flagged for review. Location is used at the time of attendance verification and is not retained by Lamassu Care as an ongoing location history.
6. Local storage, offline use, and session persistence
The mobile app and web platform may store certain data locally on your device to support sign-in persistence, remembered sessions, and offline workflows. This can include session cookies, device session data, and draft activity log data.
Offline drafts may remain on the device until they are synced or removed. Saved drafts may automatically sync when connectivity returns.
7. Visibility within organisation accounts
For organisation accounts, information may be accessible to authorised office staff, admins, directors, HR managers, support coordinators, employers, or other authorised personnel within that same organisation where relevant to platform operations.
Lamassu Care provides the platform, but organisation-level users may review records created by workers or subcontractors in that organisation. This can include attendance records, timesheets, activity logs, and documents where access permissions allow.
8. Disclosure to service providers and others
We may disclose personal information to hosting, infrastructure, authentication, analytics, communications, support, security, and payment service providers where reasonably required to deliver and protect Lamassu Care. We may also disclose information where required by law, to respond to lawful requests, or to protect the rights, safety, and integrity of the service, users, and affected organisations.
We may use communications providers to send operational emails or messages, such as account access, password recovery, support, and signature request communications.
We do not sell personal information.
9. Retention and deletion
We retain records for as long as reasonably necessary to provide Lamassu Care and operate the relevant account type. For provider and organisation accounts, records are generally retained while the account remains active and subscribed, and may be deleted promptly or within a reasonable period after account closure, termination, or non-payment.
Users may request deletion of their personal information. For business and organisation accounts, deletion may depend on the status of the organisation account and the authority of the organisation over records in that account. Where a specific product flow or account type has its own retention timing, including any individual account retention period presented at sign-up or in-product, that more specific retention timing will apply to that account or data set.
10. Security and international processing
We use reasonable technical and organisational safeguards to protect personal information, but no system can be guaranteed completely secure. Information may be processed in Australia and in other countries used by our service providers and infrastructure partners.
11. Australian privacy rights
We aim to handle personal information consistently with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Subject to applicable law, you may request access to or correction of your personal information, or contact us about a privacy concern.
For privacy enquiries, please use the contact form on the Contact page.
12. Changes to this policy
We may update this Privacy Policy from time to time. Changes are effective when published on this page with a revised effective date.