Privacy policy
How Resonant Studios handles your personal information when you visit our website, book a discovery call, or work with us as an NDIS participant or support coordinator.
Working draft. This privacy policy is a working draft prepared for an unregistered NDIS provider operating in Victoria, Australia. We'll have a privacy lawyer review it before treating it as final. If anything in here looks wrong for your situation, tell us at info@resonantstudios.com.au.
1. About us
Resonant Studios is a sole trader business owned and operated by Tony Rako (ABN 17 544 307 578), trading as Resonant Studios. We deliver NDIS-aligned music production sessions for self-managed and plan-managed participants from 3 Harris Street, Yarraville VIC 3013. We are an unregistered NDIS provider.
In this policy, "we", "us" and "our" refer to Resonant Studios. "You" refers to anyone whose personal information we hold — typically participants, their family members or support workers, support coordinators, and plan managers.
2. The law we follow
This policy is written to comply with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). As a small business operating in the NDIS space we voluntarily comply with the APPs even where the small business exemption might otherwise apply, because the sensitive nature of disability-related information makes the APP framework the right standard.
3. What we collect
We collect only what we need to deliver sessions, process payments, and meet our NDIS record-keeping obligations.
3.1 Information you give us directly
- Your name (and the participant's name, if you're booking on someone else's behalf)
- Email address
- Phone number
- NDIS plan type (self-managed or plan-managed) and, where relevant, your plan manager's contact details
- Goals, interests, accessibility needs, and anything else you choose to share when booking a discovery call or during sessions
- Payment details where we invoice you directly (handled via your nominated plan manager or self-managed payment method — we do not store card numbers)
3.2 Sensitive information
Some of the information you share with us is "sensitive information" under the Privacy Act — for example, information about your disability, health, or support needs. We only collect sensitive information that's necessary to deliver sessions safely and to comply with NDIS requirements. We treat all sensitive information with extra care under APP 3.
3.3 Information collected automatically when you visit the website
- Standard server logs from our website host — your IP address, browser type, the pages you visit, the date and time. We use these only for security and performance monitoring.
- Local browser storage of your accessibility preferences (theme, reading mode, motion, contrast). This is stored on your device under the key
rs-a11yand never sent to our servers.
We do not currently use analytics cookies, advertising cookies, social tracking pixels, or behavioural retargeting. If we add Google Analytics or similar in future, we'll update this policy and seek your consent where required.
4. How we use your information
We use your information only for purposes that fit one of the lawful bases below.
- To deliver the service: respond to your enquiry, run your discovery call, book your sessions, work with your support coordinator or plan manager, send session reminders, and produce and release your finished song.
- To invoice and get paid: issue NDIS-compliant invoices, send them to your plan manager (if plan-managed) or to you (if self-managed), and keep records of payments received.
- To meet our legal obligations: keep records that the NDIS Quality and Safeguards Commission, the ATO, or other regulators may require us to keep.
- To improve the service: reflect on what worked well and what didn't, on an anonymised basis where possible.
We do not use your information for unsolicited marketing. If we ever want to send you a periodic update (for example, "Tony's newsletter"), we'll ask you to opt in first, and you'll be able to opt out in every message.
5. Who we share it with
We don't sell your personal information to anyone, ever. We share only with the people and organisations below, only when needed for one of the purposes above.
- Your plan manager (if you're plan-managed) — for invoicing and payment.
- Your support coordinator — only with your consent, and only the information you've agreed we can share.
- Our forms and calendar provider — when you fill out a booking, contact, or referral form, your responses are stored on our behalf by a third-party service. The provider processes data under our instructions and only for the purposes set out in this policy.
- Our website hosting provider — server logs and any data flowing through the website pass through their infrastructure.
- Music distribution services — when we release your finished song to streaming services under your name, we share the metadata needed for distribution (artist name, song title, release date). We do this with your written consent at the time of release.
- The ATO and other regulators — if required by law (for example, tax records, NDIS Commission audits).
6. Information stored overseas
Some of the third-party services we use store data outside Australia, including hosting, forms and calendar, code repository, and music distribution providers. These are typically based in the United States or use cloud infrastructure that may include US data centres. We take reasonable steps to ensure overseas providers handle your information consistently with the APPs, but you should be aware that overseas privacy regimes may differ from Australian law. If you'd like the names of specific service providers we use, contact us via the details at the bottom of this page and we'll provide them.
7. How long we keep it
We keep your information only for as long as we need it for the purposes above, plus any periods required by law.
- Active participant records — for the duration of your sessions plus 7 years (NDIS, ATO, and general business record-keeping standard).
- Discovery-call enquiries that don't lead to sessions — up to 12 months, then deleted.
- Website server logs — typically 30 days at our hosting provider.
- Marketing opt-in lists (if any) — until you unsubscribe.
8. How we keep it safe
We take reasonable steps to protect your information from misuse, loss, unauthorised access, modification, or disclosure:
- Cloud services protected by access controls and providers' own security standards (our hosting, forms platform, and code repository all maintain SOC 2 or equivalent).
- Local devices used by Tony are password-protected with full-disk encryption.
- Email and form data is transmitted over HTTPS.
- Paper records (if any) are stored securely at the studio.
If we ever suspect a data breach that may cause serious harm, we'll notify you and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme.
9. Your rights
Under the APPs you have the right to:
- Ask what we hold about you. We'll respond within 30 days.
- Correct anything that's wrong. Just email us with the correction.
- Ask us to delete information we no longer need (subject to NDIS and tax record-keeping requirements).
- Withdraw your consent at any time. This won't affect anything we've already done with your information lawfully.
- Complain if you think we've mishandled your information (see section 11 below).
To exercise any of these rights, email info@resonantstudios.com.au with the words "Privacy request" in the subject line.
10. Children and young people
NDIS participants we work with are typically aged 15 and over. For participants under 18, we need consent from a parent, guardian, or other authorised representative before collecting personal information beyond what's needed for an initial discovery call. We don't knowingly collect information from children under 13 through the website.
11. Complaints and feedback
If you're unhappy with how we've handled your information — or anything else about our service — please tell us first:
- Email: info@resonantstudios.com.au
- Phone: 0480 893 303
- Post: Resonant Studios, 3 Harris Street, Yarraville VIC 3013
We'll acknowledge your complaint within 5 business days and respond substantively within 30 days.
If you're not satisfied with how we resolve it, you can take it to:
- The Office of the Australian Information Commissioner (OAIC) — oaic.gov.au — for privacy complaints.
- The NDIS Quality and Safeguards Commission — ndiscommission.gov.au — for complaints about NDIS-funded services.
12. Changes to this policy
We may update this policy from time to time. If we make a material change, we'll update the "Effective" date at the top and, where reasonable, let you know directly. The current version always lives at resonantstudios.com.au/privacy.
13. Contact us
Resonant Studios
Tony Rako, sole trader · ABN 17 544 307 578
Resonant Studios, 3 Harris Street, Yarraville VIC 3013
Email: info@resonantstudios.com.au
Phone: 0480 893 303
See also: Website terms of use · Accessibility statement
