CityReach ← Back to home
Privacy Notice

Your information is held with care.

This is the plain-language version of PR-01 — Privacy and Confidential Records Policy, the Foundation's adopted privacy policy. It explains what we collect, how we use it, how we keep it safe, and how to ask us anything about your information.

City Reach Foundation Ltd is an Australian charity. We handle your information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

In thirty seconds
  • ·We only collect what we need — usually a name, email, and what you've told us is going on.
  • ·We don't sell or share your information. If we refer you to a partner agency, we ask you first.
  • ·You can ask to see, correct, or delete your information at any time. Email hello@cityreach.org.au.
  • ·Children's information gets extra care. Where possible, we collect from a parent or guardian.
  • ·If we ever have a data breach that might cause serious harm, we'll tell you and the regulator.
On this page
1. What we collect & why 2. How we use & share it 3. How we protect it 4. If you used the Get Help form 5. Donations & donor records 6. Children's information 7. Where your data is stored 8. How long we keep records 9. Your rights — access & correction 10. Complaints 11. Data breaches 12. Contact us

1. What we collect & why

We collect personal information through a small number of channels. Each one collects only what's needed for the work it supports:

  • Get Help form — name, email, phone (optional), suburb (optional), the kind of help you're looking for, and what's going on. Used to respond, refer if appropriate, and keep a follow-up record.
  • Volunteer registration — name, contact details, availability, areas of interest, and the declarations our volunteer screening procedure requires.
  • Partner enquiry — organisation name, contact details, and what you'd like to talk about.
  • Donations via Stripe — name, email, donation amount and date. Stripe holds payment-card data; we don't see or store it.
  • In-person intake (where the Foundation operates a physical hub) — identification details, the support you're seeking, any referral history, and information relevant to safety.

2. How we use & share it

We use your information only for the purpose you gave it to us, or for a closely related purpose you'd reasonably expect. We share information only with people who need it for an authorised purpose:

  • Foundation staff and volunteers doing their roles
  • Partner agencies, when you've agreed to a referral
  • Regulators, where the law requires
  • Police or child safety authorities, where mandatory reporting or safety requires it
  • Insurers and funders, where lawful and necessary
  • Service providers (like Stripe for donations) who are bound by their own privacy obligations

We don't use information from the Get Help form for marketing. If you've supported us as a donor or supporter, we may send updates about our work and how to keep helping — you can unsubscribe at any time.

3. How we protect it

We take reasonable steps to keep information safe from loss, misuse and unauthorised access. That includes access controls on Foundation systems, password protection and (where practical) two-factor authentication, secure handling of paper records, written agreements with contractors who handle Foundation data, and regular review of our security practice — especially after any incident.

Sensitive information — including health information shared through the Get Help form, intake processes and safeguarding records — is held with extra security and tighter access controls.

4. If you used the Get Help form

This is the most common reason people read a privacy notice on our site. Here's what happens to a Get Help submission:

  • Your submission lands with the Foundation directly — no third party sees it first.
  • It's logged into a private spreadsheet that only the Foundation's four Directors can access.
  • A Director or designated responder follows up with you by email or phone within the timeframes set in our Safeguarding Policy — faster for crisis categories, within two business days for everything else.
  • If a partner agency would be the better fit, we'll talk to you about a referral before passing on any details.
  • Your submission is kept while the case is open, and for seven years after closure as required by law — then permanently deleted.

The auto-acknowledgement you may receive after submitting is an automated receipt. It is not a full response, and a real person will follow up.

5. Donations & donor records

If you've donated, we hold your name, email, and the amount and date of your gift. We use that to acknowledge the donation, issue receipts, and (once we are endorsed as a Deductible Gift Recipient) issue ATO-compliant tax receipts. You can opt out of future communications at any time.

During the Foundation's founding season, some donations and registration costs intended for the Foundation are received and held by World Changers Church Gold Coast (WCCGC) in their "Making a Difference" holding account, while we open the Foundation's own bank account (week beginning 4 May 2026). Donor information for those gifts is currently held by WCCGC under their privacy framework. Once our bank account opens, this arrangement ends and donor records transfer to the Foundation under this Privacy Notice.

6. Children's information

We handle children's information with extra care. Where we collect information about a child — through Care4Kids, family support, or guest intake involving family members — we collect from a parent or guardian where possible, and we hold the information only as long as it's needed for the relevant Foundation activity.

7. Where your data is stored

Some of the services we use — like Stripe (donations) and Google (forms and email infrastructure) — may store data on servers outside Australia. We choose providers who handle personal information in a way consistent with the Australian Privacy Principles, and we tell you about cross-border storage where it's reasonably practical to do so.

8. How long we keep records

We keep personal information only as long as we need it for the purpose it was collected, or as required by law. Default retention periods:

  • Get Help submissions and intake records — seven years from last contact, then secure deletion.
  • Donor and supporter records — seven years from last donation or contact, in line with ATO requirements.
  • Volunteer screening records — for the duration of the volunteer engagement plus seven years from the end.
  • Employment records — seven years from end of employment, in line with Fair Work obligations.
  • Safeguarding incident records — held in line with our Safeguarding Policy and applicable legal requirements; longer retention may apply where a child or vulnerable person is involved.
  • Financial records — seven years from the end of the relevant financial year, in line with Australian taxation law.

At the end of a retention period, information is securely deleted or destroyed — or de-identified, where ongoing analysis or evaluation is needed.

9. Your rights — access & correction

You can ask to see the personal information we hold about you, and you can ask us to correct anything that is wrong, incomplete or out of date. Email hello@cityreach.org.au. We'll respond within a reasonable time (generally within 30 days), and we don't charge for access requests.

In limited circumstances allowed by the Privacy Act, we may need to refuse a request — for example, where giving you access would seriously threaten someone's life, health or safety. If we refuse, we'll explain in writing why.

10. Complaints

If you think we've handled your information in a way that breaches this Notice or the Australian Privacy Principles, please tell us. Email hello@cityreach.org.au — the message will reach our Privacy Officer.

If you're not satisfied with our response, you can take the complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by phone on 1300 363 992.

11. Data breaches

If we become aware of a suspected data breach, our Privacy Officer assesses within 30 days whether it's likely to cause serious harm. If it is, we notify the Office of the Australian Information Commissioner and the people affected, as soon as practicable. The Board is briefed on any eligible data breach without delay.

12. Contact us

For any privacy question, access request, correction request or complaint, email our Privacy Officer at hello@cityreach.org.au.

The full Privacy and Confidential Records Policy (PR-01) — including operational detail not summarised here — is available on request.

Document detail
Source policy:
PR-01 — Privacy and Confidential Records Policy
Adopted by Board:
27 April 2026
Owner:
Managing Director / Privacy Officer
Next review:
27 April 2027
Entity:
City Reach Foundation Ltd · ACN 696 804 681 · ABN 70 696 804 681