CENTRIM LIFE - PRIVACY POLICY

Entity: Centrim Life Pty Ltd with ABN: 44 669 185 184 and Registered Office: 35B, 240 Plenty Road, Bundoora, VIC 3083

1. INTRODUCTION

Centrim Life Pty Ltd ("Centrim Life", "we", "our", "us") provides software‑as‑a‑service (SaaS) solutions to aged care, retirement living and healthcare organizations. This Privacy Policy explains how we collect, use, disclose, store, and protect Personal Information in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. WHAT PERSONAL INFORMATION WE COLLECT

We collect the following categories of information:

  • Identifiers: names, titles, gender, dates of birth, addresses, phone numbers, email addresses.
  • Resident Information: room/unit data, preferences, dietary requirements, allergies, IDDSI textures.
  • Sensitive Information: health data, food intake, incident reports, care‑related notes, feedback & complaints.
  • Staff Information: roles, permissions, rostering‑related data.
  • Visitor Data: entry/exit logs, identity verification, purpose of visit.
  • Technical Data: IP addresses, device identifiers, audit logs, activity history, error logs.
  • Payment Data: payment tokens processed via Stripe (we do not store full card details).

3. HOW WE COLLECT INFORMATION

We collect Personal Information directly through forms, platform interactions, support communications, mobile apps, AI‑assisted workflows, integrations (e.g., PCS, Nourish), uploaded files, photographs, 360‑degree inspection images, and automated logging systems.

4. PURPOSES OF USE

We use Personal Information to:

  • Operate Centrim Life modules including Dining, Maintenance, Housekeeping, CRM, Visitor Management, Lifestyle, Feedback & Compliance, Incidents and Concierge.
  • Support aged‑care operations, workflows, reporting and compliance.
  • Facilitate AI‑enabled documentation, dining notes, and search where authorized.
  • Provide secure access, authentication, and audit trails.
  • Process payments for concierge services.
  • Improve, maintain and secure the platform.

We do NOT use Personal Information for advertising, resale, or behavioural profiling.

5. DISCLOSURE OF PERSONAL INFORMATION

We may disclose information to:

  • The organization that controls the data (Controller).
  • Authorized staff and user roles.
  • Sub‑processors including: AWS (Australia), Stripe, Postmark, MessageMedia/Burst SMS, Gleap and Mixpanel (optional pseudonymized analytics), Ecaret Solutions (secure VPN restricted access only; no data export).
  • Government bodies or regulators where required by law.

6. CROSS-BORDER DISCLOSURES

Centrim Life stores data exclusively in Australia. Overseas developer access may occur solely through encrypted VPN sessions with no copying, exporting, or offshoring of Personal Information. This approach satisfies APP 8 requirements for cross‑border disclosure.

7. DATA SECURITY

We implement ISO 27001‑aligned controls including encryption (at rest and in transit), MFA, Azure AD SSO, RBAC, secure coding practices, firewalls, automated monitoring, penetration testing, encrypted backups, DR protocols (RTO 1 hour, RPO 4 hours) and strict access controls.

8. DATA RETENTION

We retain Personal Information while the client maintains an active subscription. Upon termination, live data is deleted within 30 days, and backup data is purged within 30–60 days. A certificate of destruction is available upon request.

9. NOTIFIABLE DATA BREACHES SCHEME

If we become aware of an eligible data breach, we will notify the Controller within 24 hours and assist with assessment, remediation, OAIC notifications, and affected individual communications as required.

10. ACCESS AND CORRECTION RIGHTS

Individuals may request access to or correction of their Personal Information. Requests must be directed to the relevant customer organization acting as the Controller. We will assist Controllers in fulfilling such requests.

11. ANONYMIZED DATA AND ANALYTICS

We may produce aggregated or anonymized data for reporting, benchmarking, or platform improvement. This data contains no Personal Information and cannot identify individuals.

12. COOKIES AND TRACKING TECHNOLOGIES

We use cookies for authentication, session management, security, and performance. We do not use cookies for advertising or behavioural tracking.

13. CHANGES TO POLICY

We may update this Privacy Policy to reflect legislation, platform enhancements, or operational changes. The current version will be published on our website.

14. CONTACT DETAILS

Privacy Officer

Centrim Life Pty Ltd

Email: privacy@centrimlife.com.au

Address: 35B, 240 Plenty Road, Bundoora, VIC 3083


CENTRIM LIFE - DATA GOVERNANCE FRAMEWORK

Entity: Centrim Life Pty Ltd
ABN: 44 669 185 184
Registered Office: 35B, 240 Plenty Road, Bundoora, VIC 3083

1. PURPOSE AND GOVERNANCE OBJECTIVE

This Data Governance Framework defines how Centrim Life Pty Ltd ("Centrim Life") governs, manages, secures, and ensures the lawful handling of data across its software-as-a-service (SaaS) platforms used within:

  • Aged care services
  • Retirement living operations
  • Healthcare-connected environments
  • Community and support services

The framework ensures:

  • Compliance with the Privacy Act 1988 (Cth)
  • Compliance with the Australian Privacy Principles (APPs)
  • Alignment with ISO/IEC 27001:2022 Information Security Management standards
  • Protection of sensitive health and care-related information
  • Full accountability across the entire data lifecycle

This framework applies to all Centrim Life systems, applications, mobile platforms, integrations, AI tools, and support operations.

2. DATA OWNERSHIP AND ACCOUNTABILITY MODEL

Centrim Life operates under a strict Controller–Processor structure:

  • Customer (Controller): Owns and controls all Personal Information entered into the platform.
  • Centrim Life (Processor): Processes information only on the documented instructions of the Controller.

Centrim Life:

  • Does not sell data
  • Does not use client data for advertising
  • Does not monetise or profile individuals
  • Does not repurpose data for unrelated activities

All data remains the legal property of the customer.

3. DATA CLASSIFICATION FRAMEWORK

All information processed within Centrim Life is classified under a formal four-tier model:

Classification Level Description
Public Marketing content, publicly available material
Internal Internal operational logs and system metadata
Confidential Staff records, operational reports, visitor systems
Restricted (Sensitive) Resident data, health information, dietary data, incidents, complaints, clinical or risk-related data

Restricted data receives the highest level of technical, procedural, and access protection.

4. DATA LIFECYCLE GOVERNANCE

4.1 Lawful Collection

Data is collected only where:

  • Necessary for delivery of contracted services
  • Required for clinical, operational, safety, or compliance purposes
  • Lawfully authorised by the customer

Data minimisation is enforced by design.

4.2 Secure Storage

All production data is:

  • Stored within Australian-based data centres
  • Encrypted using strong industry-standard cryptography
  • Segregated by individual customer tenancy
  • Protected from unauthorised physical and logical access
4.3 Lawful Use

Data is used exclusively for:

  • Dining, nutrition, and intake workflows
  • Maintenance, housekeeping, and compliance operations
  • Incident, complaint and risk management
  • Visitor management and site safety
  • CRM, enquiries and resident engagement
  • Concierge and service booking
  • Reporting, auditing and regulatory compliance
  • Platform security, stability and support

No behavioural profiling, advertising use, or commercial exploitation occurs.

4.4 Controlled Disclosure

Information is disclosed only to:

  • Authorised users of the customer organisation
  • Contractually bound service providers strictly required to operate the system
  • Regulators and authorities where legally required

All disclosures are:

  • Logged
  • Access controlled
  • Subject to contractual confidentiality obligations
4.5 Retention Governance

Data retention is governed by:

  • Active contractual service periods
  • Statutory record-keeping obligations
  • Clinical and compliance retention requirements

Upon lawful termination:

  • Production data is removed within 30 days
  • Secure backup data is purged within 30–60 days
  • A Certificate of Secure Data Destruction is available upon request
4.6 Secure Destruction

Data destruction is performed using:

  • Cryptographic overwrite methods
  • Logical eradication procedures
  • Verified deletion controls

Destruction is documented and auditable.

5. IDENTITY, ACCESS AND PRIVILEGE GOVERNANCE

Centrim Life enforces a strict least-privilege access model, including:

  • Role-Based Access Control (RBAC)
  • Multi-Factor Authentication (MFA)
  • Single Sign-On (SSO) where supported
  • Device and session management
  • Password complexity enforcement
  • Time-based access restrictions where required

All access to Restricted data is:

  • Logged
  • Timestamped
  • User-attributed
  • Monitored for anomalous behaviour

6. SUB-PROCESSOR AND VENDOR GOVERNANCE

Centrim Life engages specialist infrastructure, communications, payment and support service providers to deliver its platform.

All such providers are governed by:

  • Formal vendor risk assessments
  • Contractual confidentiality and security obligations
  • Privacy Act–equivalent data protection standards
  • Mandatory breach notification clauses
  • Annual security and compliance review processes

Centrim Life remains fully accountable to customers for all data processing activities.

7. CROSS-BORDER DATA GOVERNANCE (APP 8 COMPLIANCE)

  • No production customer data is stored outside Australia
  • Where limited offshore technical access is required:
    • Access is secured via encrypted channels
    • Export, replication and permanent storage are technically restricted
    • Activity is logged and monitored
    • Legal safeguards enforce Australian privacy equivalence

8. AI, AUTOMATION AND ADVANCED PROCESSING GOVERNANCE

AI and automation tools integrated into Centrim Life operate under strict governance:

  • AI acts only on explicit user-initiated instructions
  • AI models do not train on live client production data
  • All AI-generated outputs remain:
    • Encrypted
    • Tenant-isolated
    • Subject to standard access controls
  • Voice and AI-generated notes are governed as Restricted data

No Personal Information is transferred to public AI training systems.

9. INFORMATION SECURITY GOVERNANCE (ISO-ALIGNED)

Centrim Life implements an ISO-aligned Information Security Management System (ISMS) including:

  • Encryption at rest and in transit
  • Secure software development lifecycle (SSDLC)
  • Firewalls and intrusion detection
  • Continuous logging and security monitoring
  • Vulnerability management and penetration testing
  • Backup equity and disaster recovery testing
  • Change management and access reviews
  • Incident response and escalation playbooks

10. DATA BREACH AND CYBER INCIDENT GOVERNANCE

In the event of a security incident or eligible data breach:

  1. Immediate detection and containment
  2. Impact assessment and forensic analysis
  3. Notification to customers within 24 hours
  4. Regulatory reporting under the Notifiable Data Breaches Scheme where required
  5. Remediation and preventative control enhancement

11. DATA INTEGRITY, QUALITY AND AUDITABILITY

Centrim Life enforces:

  • Validation rules across all forms and workflows
  • Referential integrity across related datasets
  • Immutable audit logs for:
    • Clinical and dining notes
    • Incidents and complaints
    • Maintenance activities
    • Compliance actions

This ensures:

  • Evidence-grade audit trails
  • Non-repudiation
  • Regulatory defensibility

12. REGULATORY AND SECTOR COMPLIANCE COVERAGE

This governance framework supports compliance with:

  • Privacy Act 1988 (Cth)
  • Australian Privacy Principles (APPs)
  • Notifiable Data Breaches Scheme
  • Australian Aged Care Quality Standards (including 2025 reforms)
  • Clinical safety and risk governance expectations
  • Cyber insurance underwriting requirements
  • Enterprise ICT security due diligence

13. ACCOUNTABILITY, OVERSIGHT AND REVIEW

Centrim Life maintains:

  • Appointed Privacy & Data Governance Officer
  • Formal data governance ownership
  • Annual oversight and policy review cycles
  • Documented access control governance
  • Vendor security assurance reviews
  • Board-level escalation pathways for incidents

14. CONTINUOUS IMPROVEMENT AND MATURITY

Centrim Life continuously improves its data governance through:

  • Regulatory monitoring
  • Threat intelligence
  • Platform upgrades
  • Security testing and audits
  • Client feedback and risk assessments

Governance maturity is reviewed annually.

15. DATA GOVERNANCE CONTACT

Privacy & Data Governance Officer

Centrim Life Pty Ltd

35B, 240 Plenty Road, Bundoora, VIC 3083

Email: privacy@centrimlife.com.au


CENTRIM LIFE - DATA PROCESSING AGREEMENT (AUSTRALIA)

This Data Processing Agreement ("DPA") forms part of the SaaS Services Agreement between:

Controller: The Customer as identified in the Services Agreement ("Controller")
Processor: Centrim Life Pty Ltd with ABN: 44 669 185 184 and Registered Office: 35B, 240 Plenty Road, Bundoora, VIC 3083 ("Processor")

1. DEFINITIONS

  • 'Privacy Act' means the Privacy Act 1988 (Cth)
  • 'APPs' means the Australian Privacy Principles
  • 'Personal Information' has the meaning given in section 6 of the Privacy Act
  • 'Sensitive Information' includes health, dietary, incident, and care-related information
  • 'Processing' includes collecting, storing, using, disclosing, deleting, or otherwise handling Personal Information
  • 'Services' means the Centrim Life SaaS platform and its activated modules
  • 'Data Breach' means an eligible data breach under the Notifiable Data Breaches Scheme.

2. PURPOSE OF PROCESSING

The Processor shall Process Personal Information solely for the purpose of providing the Services to the Controller, including platform hosting, maintenance, support, system analytics, security monitoring, and approved integrations. The Processor shall not use Personal Information for marketing, profiling, resale, or unrelated purposes.

3. CATEGORIES OF DATA AND DATA SUBJECTS

Data Subjects include residents, staff, contractors, family members, visitors, and authorized representatives.

Personal Information includes names, contact details, identifiers, dietary requirements, health and incident data, service and workflow records, visitor logs, authentication data, and audit trails.

4. PROCESSOR OBLIGATIONS

The Processor must:

  1. Process Personal Information only in accordance with the Controller's lawful documented instructions
  2. Ensure all personnel with access to Personal Information are bound by confidentiality obligations
  3. Implement appropriate technical and organizational security measures including encryption, access control, multi-factor authentication, firewalls, and monitoring
  4. Assist the Controller to comply with data subject access and correction requests
  5. Maintain audit logs and access controls
  6. Immediately notify the Controller of any unauthorized access or security incident.

5. SUB-PROCESSORS

Approved Sub-Processors include:

  • AWS (Australia) – hosting & infrastructure
  • Stripe – payments
  • Postmark – transactional email
  • Message Media/Burst SMS – SMS
  • Gleap – support ticketing
  • Mixpanel (optional) – analytics (pseudonymized)
  • Ecaret Solutions – restricted VPN development and support access only.

The Processor shall ensure that all Sub-Processors are contractually bound to equivalent privacy and security obligations.

6. CROSS-BORDER DISCLOSURE

The Processor shall not disclose Personal Information to recipients outside Australia without the prior written authorization of the Controller and only where APP 8 compliance is ensured through contractual safeguards.

7. DATA BREACH NOTIFICATION

The Processor shall notify the Controller within 24 hours of becoming aware of any Data Breach and provide all reasonable assistance required under the Notifiable Data Breaches Scheme.

8. DATA RETENTION AND DESTRUCTION

Upon termination of the Services, all Personal Information shall be securely deleted or returned to the Controller within 30 to 60 days, subject to backup retention policies.

9. AUDIT RIGHTS

The Controller may conduct reasonable audits on written notice to verify compliance with this DPA, subject to confidentiality and non-disruption requirements.

10. LIABILITY

All liability relating to data protection obligations is governed by the limitation of liability clause in the SaaS Services Agreement. This DPA does not expand the Processor's commercial liability.

11. GOVERNING LAW

This Agreement is governed by the laws of Victoria, Australia.

CENTRIM LIFE END USER LICENCE AGREEMENT

1. Important Notice

This End User Licence Agreement governs access to and use of the Centrim Life platform, including the Centrim Life web application, mobile applications, resident and family applications, reporting tools, integrations, APIs, and any related services made available by Centrim Life Pty Ltd.

By accessing or using Centrim Life, the User agrees to comply with this EULA.

If the User is accessing or using Centrim Life on behalf of an organisation, aged care provider, retirement living operator, healthcare provider, contractor, employee, resident, family member, representative, attorney, guardian, or other authorised entity, the User confirms that they are authorised to do so.

This EULA operates together with any applicable Master Services Agreement, Order Form, Data Processing Agreement, Privacy Policy, Support Policy, Acceptable Use Policy, Service Level Agreement, Statement of Work, and any other written agreement between Centrim Life Pty Ltd and the relevant Customer.

If there is an inconsistency between this EULA and a signed Master Services Agreement or Order Form, the signed Master Services Agreement or Order Form will prevail to the extent of the inconsistency.

2. Definitions

In this EULA:

  • "Centrim Life", "we", "us", or "our" means Centrim Life Pty Ltd ABN 44 669 185 184, located at 35b/240 Plenty Road, Bundoora VIC 3083, Australia, and where applicable its related bodies corporate, officers, employees, contractors, authorised representatives, and authorised service providers.
  • "Customer" means the organisation that has entered into an agreement with Centrim Life Pty Ltd to access or use the Platform.
  • "User" means any person who accesses or uses the Platform, including staff, contractors, administrators, managers, residents, prospective residents, family members, representatives, financial attorneys, enduring guardians, suppliers, visitors, or other authorised persons.
  • "Authorised User" means a User who has been authorised by the Customer or Centrim Life to access the Platform.
  • "Platform" means the Centrim Life software platform, including modules for maintenance, assets, dining, kitchen operations, lifestyle, activities, communications, feedback, quality, concierge, visitor management, CRM, reporting, integrations, mobile applications, resident and family applications, and related digital services.
  • "Services" means the hosting, support, maintenance, implementation, configuration, integration, training, data migration, professional services, and related services provided by Centrim Life.
  • "Customer Data" means all data, information, records, documents, images, files, comments, resident information, family information, staff information, operational data, clinical-related data, allergy information, care-related information, maintenance data, visitor data, feedback, complaints, reports, and other content uploaded to, entered into, generated through, or processed by the Platform on behalf of the Customer.
  • "Personal Information" has the meaning given under the Privacy Act 1988 (Cth).
  • "Sensitive Information" includes health information and other sensitive information as defined under the Privacy Act 1988 (Cth).
  • "Third Party Systems" means external software, applications, platforms, APIs, databases, identity providers, payment providers, clinical systems, communication systems, or other third-party services integrated or connected with Centrim Life.
  • "Subscription Term" means the period during which the Customer is authorised to access the Platform.

3. Licence Grant

Subject to this EULA, the applicable Customer agreement, payment of all applicable fees, and compliance with all relevant policies, Centrim Life grants the User a limited, non-exclusive, non-transferable, revocable licence to access and use the Platform for the Customer's authorised business purposes.

The licence is limited to:

  1. the modules purchased or enabled for the Customer;
  2. the authorised facilities, sites, homes, retirement villages, business units, or entities;
  3. the User's approved role, permissions, and access level; and
  4. the Subscription Term.

No ownership rights are transferred to the User or Customer.

4. Authorised Use

The Platform may only be used for lawful and authorised purposes, including aged care, retirement living, healthcare-adjacent operations, maintenance management, dining operations, kitchen operations, resident services, family communications, lifestyle activities, visitor management, concierge services, customer relationship management, quality management, reporting, and related operational functions.

Users must:

  1. use the Platform only for the purpose for which access was granted;
  2. comply with all applicable laws, regulations, standards, workplace obligations, and Customer policies;
  3. ensure information entered into the Platform is accurate, complete, timely, and not misleading;
  4. use reasonable care when handling resident, family, staff, clinical, allergy, dietary, financial, and operational information;
  5. comply with all role-based access controls and approval workflows;
  6. keep login credentials confidential;
  7. immediately notify the Customer or Centrim Life of any suspected unauthorised access, security issue, privacy incident, or data incident; and
  8. use the Platform in a manner consistent with aged care, retirement living, privacy, food safety, workplace safety, and resident care obligations.

5. Prohibited Use

Users must not:

  1. access or attempt to access data, modules, records, facilities, or accounts for which they are not authorised;
  2. share login credentials or allow another person to use their account;
  3. bypass, disable, interfere with, or circumvent authentication, MFA, audit logging, permissions, security controls, or access restrictions;
  4. upload malicious code, viruses, ransomware, spyware, or harmful content;
  5. use the Platform to harass, abuse, defame, threaten, mislead, discriminate, or unlawfully monitor any person;
  6. scrape, copy, extract, bulk download, reverse engineer, decompile, disassemble, or attempt to derive the source code of the Platform, except to the extent permitted by law;
  7. use the Platform to build, support, or improve a competing product;
  8. overload, disrupt, attack, or interfere with the Platform or its infrastructure;
  9. upload content that infringes intellectual property, privacy, confidentiality, or legal rights of any person;
  10. alter, falsify, hide, or delete records in a way that breaches law, clinical governance, audit, compliance, aged care, workplace, or organisational obligations;
  11. use another User's account;
  12. attempt to access production databases, infrastructure, source code, logs, or administrative systems without written authorisation;
  13. use the Platform for unlawful surveillance, unauthorised tracking, or unauthorised profiling; or
  14. use the Platform in any way that may expose Centrim Life, the Customer, residents, families, staff, or third parties to legal, regulatory, security, privacy, reputational, or operational risk.

6. Customer Responsibilities

The Customer is responsible for:

  1. determining which Users are authorised to access the Platform;
  2. assigning appropriate roles, permissions, access levels, and approval rights;
  3. ensuring Users are trained and competent to use the Platform;
  4. ensuring data entered into the Platform is accurate, complete, current, and appropriate;
  5. maintaining appropriate clinical, operational, care, dining, medication, allergy, incident, complaint, maintenance, visitor, financial, and governance processes outside the Platform;
  6. obtaining all required consents and authorisations from residents, prospective residents, families, representatives, attorneys, contractors, and other individuals;
  7. determining whether data should be entered, displayed, shared, exported, archived, corrected, or retained;
  8. reviewing reports, alerts, dashboards, workflows, and outputs before relying on them;
  9. maintaining appropriate policies for aged care, privacy, cybersecurity, records management, complaints, food safety, resident care, and workplace safety;
  10. ensuring use of the Platform aligns with applicable aged care standards, accreditation requirements, and regulatory obligations; and
  11. ensuring any Third Party System connected to the Platform is properly authorised, configured, maintained, and monitored.

7. User Accounts and Security

Each User must have a unique account unless otherwise approved in writing by Centrim Life.

Users must:

  1. keep passwords confidential;
  2. use strong passwords;
  3. enable and comply with MFA where required;
  4. log out of shared or public devices;
  5. not leave the Platform open on unattended devices;
  6. immediately report lost devices, compromised credentials, or suspicious activity; and
  7. comply with any Customer or Centrim Life security instructions.

Centrim Life may suspend, restrict, or disable access where it reasonably suspects unauthorised use, compromised credentials, security risk, breach of this EULA, misuse, or legal/regulatory risk.

8. Role-Based Access and Audit Logs

The Platform may include role-based access controls, user permissions, approval workflows, audit logs, timestamps, user activity records, login records, data modification records, and other security or governance features.

Users acknowledge that:

  1. their use of the Platform may be logged and monitored for security, audit, support, compliance, and operational purposes;
  2. audit logs may identify the User, time, action taken, record accessed, changes made, device information, and IP-related information;
  3. audit logs may be made available to the Customer, regulators, auditors, investigators, insurers, or legal advisers where reasonably required; and
  4. Users must not attempt to alter, conceal, delete, or interfere with audit records.

9. Resident, Family, Staff and Health-Related Information

The Platform may process information relating to residents, prospective residents, family members, representatives, financial attorneys, enduring guardians, staff, contractors, suppliers, visitors, and other persons.

Depending on the modules used, this information may include:

  1. names, contact details, facility details, room details, and account details;
  2. resident preferences, lifestyle interests, activity attendance, communications, concierge requests, and family engagement information;
  3. dietary requirements, food allergies, intolerances, texture requirements, IDDSI information, menu choices, supplements, meal delivery records, and kitchen notes;
  4. maintenance requests, incidents, hazards, assets, inspections, and work orders;
  5. visitor records and communication records;
  6. feedback, complaints, compliments, surveys, quality improvement records, and incident-related information;
  7. limited clinical, care, or health-related information where integrated or entered by the Customer; and
  8. financial, authority-related, billing-related, or representative information where family, resident, or attorney access is enabled.

Users must handle all such information with care, confidentiality, and in accordance with applicable privacy, aged care, health records, workplace, and organisational obligations.

10. Not a Clinical Decision-Making System

Unless expressly agreed in writing, Centrim Life is an operational, workflow, communication, reporting, and administration platform.

It is not a replacement for clinical judgement, medical advice, nursing assessment, medication management, allied health review, dietitian review, emergency response, or resident care decision-making.

Users acknowledge that:

  1. Centrim Life does not diagnose, treat, prescribe, or provide medical advice;
  2. any clinical, care, allergy, dietary, medication, risk, incident, or resident-related information must be reviewed by appropriately qualified personnel;
  3. the Customer remains responsible for care delivery, clinical governance, regulatory compliance, and resident outcomes;
  4. alerts, reports, dashboards, notes, or automated outputs must not be solely relied upon without professional review; and
  5. Centrim Life is not responsible for decisions made by Users, staff, clinicians, providers, families, or representatives based on incomplete, inaccurate, outdated, or misinterpreted information entered by the Customer or retrieved from Third Party Systems.

11. Dining, Allergy and Food Information

Where the Platform is used for dining, kitchen operations, meal ordering, recipe management, menu planning, resident dietary profiles, allergies, intolerances, texture-modified diets, IDDSI information, or food safety workflows:

  1. the Customer is responsible for maintaining accurate resident dietary and allergy information;
  2. the Customer is responsible for verifying information received from clinical systems or entered manually;
  3. the Customer is responsible for determining whether a blank allergy field means "no allergy recorded", "no known food allergy", "not assessed", or another status;
  4. kitchen staff must follow the Customer's food safety, allergen management, IDDSI, clinical nutrition, and resident care procedures;
  5. meal dockets, labels, reports, dashboards, and production sheets must be checked before service;
  6. absence of an allergy record does not necessarily mean the resident has no allergy unless the Customer has verified that status; and
  7. Centrim Life is not responsible for adverse events arising from inaccurate, incomplete, missing, outdated, or incorrectly entered resident information.

12. Integrations and Third Party Systems

The Platform may integrate with Third Party Systems, including clinical software, identity providers, payment gateways, communication platforms, reporting systems, authentication systems, and other APIs.

Users acknowledge that:

  1. Third Party Systems are not controlled by Centrim Life;
  2. data received from Third Party Systems depends on the availability, accuracy, permissions, mapping, configuration, and technical performance of those systems;
  3. Centrim Life is not responsible for errors, delays, outages, omissions, mapping issues, API changes, data quality issues, or failures caused by Third Party Systems;
  4. the Customer is responsible for ensuring it has the legal right to connect Third Party Systems and transfer data;
  5. the Customer must validate integration outputs before operational or clinical reliance; and
  6. Centrim Life may suspend or modify integrations where required for security, compliance, vendor changes, API limitations, or system stability.

13. Privacy and Personal Information

Centrim Life will handle Personal Information in accordance with its Privacy Policy, applicable privacy laws, contractual obligations, and the Australian Privacy Principles where applicable.

The Customer acknowledges that, depending on the context, it may be the primary collector or controller of Personal Information and Centrim Life may act as a service provider, processor, or data handler on behalf of the Customer.

The Customer is responsible for:

  1. providing all required privacy notices to individuals;
  2. obtaining required consents;
  3. determining the lawful basis for collection, use, disclosure, storage, and retention;
  4. ensuring Personal Information uploaded to the Platform is necessary and appropriate;
  5. responding to resident, family, staff, or representative requests unless otherwise agreed; and
  6. ensuring its own compliance with privacy, health records, aged care, workplace, and data protection obligations.

Centrim Life will take reasonable steps to protect Personal Information from misuse, interference, loss, unauthorised access, modification, and disclosure.

14. Health Information and Sensitive Information

The Customer acknowledges that health information and other sensitive information may be processed through the Platform where such information is entered by the Customer, generated through the Customer's use of the Platform, or received from Third Party Systems.

Centrim Life will handle such information in accordance with applicable privacy obligations and the relevant Customer agreement.

The Customer is responsible for ensuring that sensitive information is only entered, stored, used, disclosed, and shared where lawful, necessary, authorised, and appropriate.

Users must not enter unnecessary sensitive information into the Platform.

15. Data Breach Notification

Centrim Life will maintain reasonable procedures for identifying, assessing, managing, and responding to suspected data incidents.

Where Centrim Life becomes aware of a suspected or actual data breach affecting Customer Data, Centrim Life will notify the Customer without undue delay and provide available information reasonably required for the Customer to assess and respond to the incident.

Where the Notifiable Data Breaches scheme applies, eligible data breaches involving personal information that are likely to result in serious harm may require notification to affected individuals and the OAIC.

Unless otherwise agreed in writing, the Customer remains responsible for determining whether notifications to individuals, regulators, residents, employees, insurers, or other parties are required, except where Centrim Life is legally required to notify directly.

16. Sub-Processors and Hosting Providers

Centrim Life may use trusted third-party providers to host, support, secure, monitor, deliver, analyse, or improve the Platform.

These may include infrastructure providers, email providers, SMS providers, monitoring tools, error tracking tools, analytics tools, authentication services, customer support tools, payment providers, and other operational service providers.

Centrim Life will take reasonable steps to ensure that sub-processors used for Customer Data are subject to appropriate confidentiality, privacy, security, and data protection obligations.

Centrim Life may maintain a sub-processor register or trust centre identifying key service providers.

The Customer acknowledges that sub-processors may change from time to time due to operational, technical, security, or commercial requirements.

17. Overseas Access and Offshore Support

Centrim Life may use employees, contractors, support personnel, or service providers located outside Australia.

Where offshore access is required, Centrim Life will apply reasonable safeguards, which may include:

  1. role-based access controls;
  2. least-privilege access;
  3. access only for legitimate support, maintenance, troubleshooting, security, development, or service delivery purposes;
  4. logging and auditability;
  5. confidentiality obligations;
  6. secure authentication;
  7. data minimisation;
  8. contractual controls; and
  9. restrictions on use of production data for development or testing unless authorised or appropriately controlled.

18. Support and Administrative Access

Centrim Life personnel may access Customer environments or Customer Data only where reasonably required for:

  1. implementation;
  2. support;
  3. troubleshooting;
  4. defect investigation;
  5. maintenance;
  6. security monitoring;
  7. performance improvement;
  8. data migration;
  9. integration support;
  10. compliance or audit support; or
  11. other legitimate service delivery purposes.

Where practicable, such access will be authorised, role-based, limited to the relevant purpose, and logged.

Centrim Life personnel must not use Customer Data for personal purposes or unrelated business purposes.

19. Customer Data Ownership

As between the Customer and Centrim Life, the Customer retains ownership of Customer Data.

Centrim Life does not claim ownership of Customer Data.

The Customer grants Centrim Life a limited licence to host, process, transmit, store, back up, display, modify, analyse, and use Customer Data solely as necessary to provide, secure, support, maintain, improve, and comply with obligations relating to the Platform and Services.

20. De-Identified and Aggregated Data

Centrim Life may use de-identified, anonymised, statistical, or aggregated data for:

  1. platform improvement;
  2. product analytics;
  3. benchmarking;
  4. security monitoring;
  5. performance improvement;
  6. operational insights;
  7. research and development;
  8. reporting; and
  9. commercial analysis.

Centrim Life will not use such data in a way that reasonably identifies an individual resident, family member, staff member, Customer, or facility unless permitted by law or agreement.

21. Data Accuracy

The Customer and Users are responsible for the accuracy, quality, completeness, legality, reliability, and appropriateness of Customer Data.

Centrim Life is not responsible for:

  1. incorrect information entered by Users;
  2. incomplete resident, family, staff, allergy, dietary, clinical, maintenance, visitor, financial, or operational records;
  3. outdated data from Third Party Systems;
  4. incorrect configuration by the Customer;
  5. inappropriate role assignment;
  6. failure to review reports, alerts, or workflows; or
  7. operational decisions made based on inaccurate or incomplete information.

22. Backups, Retention and Availability

Centrim Life will use reasonable commercial efforts to maintain backups, disaster recovery procedures, monitoring, and platform availability in accordance with its applicable policies or service agreement.

The Customer acknowledges that no system can be guaranteed to be continuously available, error-free, secure, or uninterrupted.

Access may be temporarily unavailable due to:

  1. planned maintenance;
  2. emergency maintenance;
  3. security incidents;
  4. third-party outages;
  5. internet or telecommunications failures;
  6. infrastructure failure;
  7. force majeure events;
  8. integration outages; or
  9. circumstances outside Centrim Life's reasonable control.

23. Mobile Applications

Where Users access Centrim Life through mobile applications, including staff apps, maintenance apps, reporting apps, family apps, resident apps, or visitor apps:

  1. Users are responsible for keeping devices secure;
  2. Users must install updates when made available;
  3. Users must not use jailbroken, rooted, compromised, or insecure devices where prohibited by the Customer or Centrim Life;
  4. offline functionality, where available, may be limited and subject to later synchronisation;
  5. data entered offline may not be available to other Users until successfully synced;
  6. Users must verify that offline data has synced successfully;
  7. Centrim Life is not responsible for loss or delay caused by device failure, local storage issues, network unavailability, operating system restrictions, or User error; and
  8. Users must immediately report lost or stolen devices that may contain or access Customer Data.

24. AI, Automation and Assisted Features

Where Centrim Life provides AI-enabled, automation, recommendation, summarisation, menu-building, note-assistance, reporting, workflow, or decision-support features:

  1. outputs are assistive only;
  2. outputs must be reviewed by appropriately authorised Users before reliance;
  3. AI-generated content may be incomplete, inaccurate, unsuitable, or require human correction;
  4. the Customer remains responsible for approving menus, recipes, resident allergy checks, dietary suitability, reports, communications, care-related workflows, complaints, incidents, and operational decisions;
  5. Centrim Life does not warrant that AI outputs will be error-free or compliant with all Customer-specific policies; and
  6. Users must not enter unnecessary sensitive information into AI-enabled features unless authorised and appropriate.

25. Intellectual Property

All intellectual property rights in the Platform, Services, software, source code, object code, database structure, design, workflows, user interface, modules, documentation, templates, reports, branding, logos, know-how, algorithms, configurations, and related materials are owned by or licensed to Centrim Life.

Users and Customers must not:

  1. copy, reproduce, modify, adapt, translate, distribute, sell, rent, lease, sublicense, or commercially exploit the Platform;
  2. reverse engineer, decompile, disassemble, or attempt to discover source code;
  3. remove proprietary notices;
  4. create derivative works from the Platform;
  5. use Centrim Life intellectual property outside the permitted scope; or
  6. register or claim ownership of confusingly similar names, marks, domains, products, or software.

26. Feedback and Suggestions

If a User or Customer provides feedback, suggestions, ideas, enhancement requests, workflows, designs, comments, or recommendations regarding the Platform, Centrim Life may use them without restriction or obligation to compensate the User or Customer.

No intellectual property rights in the Platform are transferred by providing feedback.

27. Confidentiality

Users must keep confidential all non-public information accessed through the Platform, including:

  1. resident information;
  2. family information;
  3. staff information;
  4. clinical, dietary, allergy, financial, operational, and maintenance information;
  5. Customer business information;
  6. Centrim Life technical, commercial, pricing, security, roadmap, and product information; and
  7. any information that would reasonably be considered confidential.

Users must not disclose confidential information except as authorised by the Customer, required for legitimate duties, permitted by law, or approved in writing.

28. Payment and Commercial Terms

Payment obligations are governed by the applicable Order Form, Master Services Agreement, invoice, or written commercial arrangement between Centrim Life and the Customer.

Individual Users are not responsible for subscription fees unless separately agreed in writing.

Centrim Life may suspend access for non-payment by the Customer, subject to the applicable agreement and any required notice period.

29. Suspension and Termination of User Access

Centrim Life or the Customer may suspend, restrict, or terminate a User's access where:

  1. the User is no longer authorised;
  2. the User breaches this EULA;
  3. the User's employment, engagement, authority, or relationship with the Customer ends;
  4. there is suspected unauthorised access;
  5. there is a security, privacy, regulatory, legal, or operational risk;
  6. the Customer requests suspension;
  7. required by law, regulator, court order, or government authority; or
  8. the relevant Customer agreement expires or terminates.

Termination of User access does not affect obligations relating to confidentiality, privacy, intellectual property, liability, audit logs, records, or misuse.

30. Data Export and Return on Termination

Unless otherwise agreed in the Customer's signed agreement, Centrim Life will provide reasonable access to Customer Data following termination for a limited period to allow export or transition.

The format, timing, cost, scope, and method of export will be governed by the applicable Customer agreement, Order Form, DPA, or written arrangement.

Where Centrim Life agrees to provide data export, the Customer acknowledges that:

  1. exports may be provided in a standard machine-readable format such as CSV, JSON, database extract, or another agreed format;
  2. raw data may require interpretation, mapping, or transformation by the Customer;
  3. attachments, files, images, logs, audit trails, and system metadata may be subject to separate export processes;
  4. data from Third Party Systems may need to be obtained directly from those systems; and
  5. data migration services are separate professional services unless included in the relevant agreement.

31. Warranties

To the extent permitted by law, Centrim Life provides the Platform on an "as is" and "as available" basis.

Centrim Life does not warrant that:

  1. the Platform will be uninterrupted, error-free, or free from vulnerabilities;
  2. all defects will be corrected;
  3. the Platform will meet every Customer-specific requirement;
  4. the Platform will replace professional judgement, clinical governance, care planning, food safety procedures, legal advice, financial advice, or operational review;
  5. third-party integrations will always remain available or accurate;
  6. reports, alerts, AI outputs, dashboards, or recommendations will be complete or error-free; or
  7. the Platform will ensure compliance with every law, accreditation standard, aged care obligation, workplace requirement, or Customer policy.

Nothing in this EULA excludes, restricts, or modifies any guarantee, warranty, right, or remedy that cannot lawfully be excluded under the Australian Consumer Law or any other applicable law.

32. Liability

To the maximum extent permitted by law, Centrim Life is not liable for loss caused by:

  1. User error;
  2. inaccurate, incomplete, outdated, or missing Customer Data;
  3. Customer configuration decisions;
  4. inappropriate User permissions;
  5. failure by the Customer to train Users;
  6. failure to verify clinical, dietary, allergy, resident, financial, or operational information;
  7. Third Party System failures;
  8. internet, telecommunications, device, or infrastructure failures outside Centrim Life's reasonable control;
  9. unauthorised use caused by compromised User credentials where Centrim Life was not at fault;
  10. resident care decisions made by the Customer or its personnel; or
  11. use of the Platform outside the permitted scope.

To the maximum extent permitted by law, Centrim Life is not liable for indirect, consequential, special, punitive, or exemplary loss, including loss of profit, revenue, goodwill, opportunity, contracts, or anticipated savings.

Where liability cannot be excluded, Centrim Life's liability is limited to the maximum extent permitted by law.

Any contractual liability cap will be as set out in the applicable Master Services Agreement or Order Form.

33. Indemnity

The Customer and, where applicable, the User, indemnifies Centrim Life against losses, claims, damages, liabilities, costs, and expenses arising from:

  1. misuse of the Platform;
  2. breach of this EULA;
  3. unauthorised access caused by the User or Customer;
  4. inaccurate, unlawful, or inappropriate Customer Data;
  5. breach of privacy, confidentiality, employment, health, aged care, consumer, or other laws by the Customer or User;
  6. reliance on Platform outputs without appropriate review;
  7. failure to obtain required consents or authorisations;
  8. third-party claims arising from Customer Data; or
  9. use of the Platform outside the permitted scope.

This indemnity is reduced to the extent the loss is caused by Centrim Life's fraud, wilful misconduct, negligence, or breach of law.

34. Unfair Contract Terms

This EULA is intended to be read and applied reasonably and proportionately.

Nothing in this EULA is intended to unfairly limit rights that cannot be excluded under applicable law, including Australian Consumer Law protections for consumers and small businesses.

If any term is found to be unfair, void, unlawful, or unenforceable, that term will be severed or read down to the extent necessary, and the remaining terms will continue to apply.

35. Updates to the Platform

Centrim Life may update, modify, enhance, remove, suspend, replace, or change features, modules, user interfaces, workflows, integrations, security controls, reports, mobile functionality, APIs, or documentation from time to time.

Where a material change materially reduces core functionality purchased by the Customer, Centrim Life will use reasonable efforts to provide notice, unless the change is required urgently for security, legal, technical, third-party, or operational reasons.

36. Updates to this EULA

Centrim Life may update this EULA from time to time.

Updated terms may be notified by email, in-app notice, publication on the website, or other reasonable method.

Continued use of the Platform after the effective date of updated terms constitutes acceptance of the updated EULA.

Where required by law or contract, Centrim Life will obtain consent or provide notice before material changes take effect.

37. App Store Terms

Where a mobile application is downloaded from the Apple App Store, Google Play Store, Microsoft Store, or another app marketplace, the User must also comply with the applicable store terms.

The app marketplace provider is not responsible for the Platform, Customer Data, support, claims, maintenance, privacy practices, or legal compliance of Centrim Life unless required by applicable store terms or law.

38. Force Majeure

Centrim Life is not liable for delay or failure to perform caused by events beyond its reasonable control, including natural disasters, fire, flood, pandemic, epidemic, war, terrorism, civil unrest, labour disruption, government action, power failure, internet outage, telecommunications failure, cloud provider outage, cyberattack, denial-of-service attack, third-party system failure, or emergency maintenance.

39. Governing Law and Jurisdiction

This EULA is governed by the laws of Victoria, Australia.

The parties submit to the non-exclusive jurisdiction of the courts of Victoria and the Commonwealth courts of Australia.

40. Contact

Questions about this EULA may be directed to:

Centrim Life Pty Ltd
ABN 44 669 185 184
35b/240 Plenty Road
Bundoora VIC 3083
Australia
Email: legal@centrimlife.com.au