1. About Us
Baldwin Advocacy & Claims (BAC) is an Australian veteran DVA advocacy service operated by Kai Baldwin. We assist Australian veterans and their families with Department of Veterans' Affairs (DVA) claims on a fixed-fee basis. We operate remotely Australia-wide.
Business name: Baldwin Advocacy & Claims (BAC)
Website: baldwinclaims.com.au
Email: admin@baldwinclaims.com.au
Location: Australia-wide (remote service)
This Privacy Policy applies to all personal information collected by BAC through our website, client portal, email, phone, and any other communication channels. It has been prepared in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2. What We Collect
Depending on the services you engage us for, we may collect the following categories of personal information:
Personal identification information
- Full name
- Email address
- Phone number(s)
- Residential address
- Date of birth
Health and medical information
- Medical reports and clinical notes
- Diagnostic imaging (MRI, X-ray, CT scans)
- Specialist and consultant reports
- General practitioner (GP) reports and referrals
- Mental health assessments and reports
- Information about injuries, conditions, and treatments
Australian Defence Force (ADF) service information
- Service history and dates of service
- Service number(s)
- Discharge papers and certificates
- Unit history and deployment records
- Rank and trade information
DVA claim information
- DVA file numbers
- Correspondence between you and DVA
- Claim forms and supporting documents
- Decision letters and determination documents
- Statements of Principles (SOPs) and related factors
Financial information
- Invoicing details (name, address, email for billing)
- Payment records and transaction history
We do not collect or store credit card numbers. All payments are processed securely through Zoho Invoice and Stripe, which handle payment card data independently under their own PCI-DSS compliant systems. BAC never has access to your full card details.
Communication records
- Messages exchanged between you and BAC through the client portal
- Email correspondence
- Notes from phone calls and consultations
Appointment and booking information
- Consultation dates and times
- Meeting notes and outcomes
3. How We Collect Your Information
We collect personal information in the following ways:
- Directly from you — when you contact us via our website, email, phone, or client portal; when you submit documents; when you complete intake forms; and when you book consultations.
- From third parties with your consent — from your medical practitioners, specialists, or other health professionals when you authorise us to obtain reports on your behalf; from DVA when you authorise us to correspond on your behalf; and from other advocates or legal representatives involved in your claim.
- From publicly available sources — only where relevant and lawful, such as publicly available ADF information or published Statements of Principles.
We will only collect personal information by lawful and fair means. Where it is reasonable and practicable to do so, we will collect information directly from you. If we receive unsolicited personal information that we did not request and could not have lawfully collected, we will destroy or de-identify that information as soon as practicable, unless it is contained in a Commonwealth record.
4. Why We Collect Your Information
We collect, hold, use, and disclose your personal information for the following purposes:
- To provide DVA claims advocacy services to you, including preparing, lodging, and managing your DVA claims
- To communicate with you about your claim, including providing updates, requesting information, and responding to your queries
- To correspond with DVA, medical practitioners, and other relevant parties on your behalf and with your consent
- To prepare submissions, statements, and supporting documentation for your claim
- To issue invoices and manage payment for our services
- To schedule and manage appointments and consultations
- To maintain accurate records of services provided to you
- To comply with our legal and regulatory obligations
- To improve our services and client experience
We will not use or disclose your personal information for a purpose other than the purpose for which it was collected (the primary purpose), unless:
- You have consented to the use or disclosure for another purpose
- You would reasonably expect us to use or disclose the information for a related secondary purpose (or, in the case of sensitive information, a directly related secondary purpose)
- It is required or authorised by or under an Australian law or a court/tribunal order
- A permitted general situation or permitted health situation exists under the Privacy Act
5. Sensitive Information
Much of the information we collect is classified as sensitive information under section 6 of the Privacy Act 1988. This includes:
- Health information — your medical records, reports, scans, diagnoses, treatment information, and any information about your physical or mental health
- Information about military service — where it relates to your membership of professional or trade associations, or reveals other sensitive attributes
We understand the deeply personal nature of this information. Under APP 3, we will only collect sensitive information where:
- You consent to the collection, and the collection is reasonably necessary for our functions (providing DVA advocacy services to you)
- The collection is required or authorised by law
We obtain your consent to collect sensitive information during the client onboarding process. You may withdraw your consent at any time by contacting us, though this may affect our ability to provide services to you.
Your health information is treated with the highest level of care. It is only accessed by authorised BAC personnel directly involved in your claim, and is never shared with anyone without your explicit consent unless required by law.
6. Disclosure of Your Information
We may disclose your personal information to the following parties, only as necessary to provide our services and only with your consent (unless otherwise required by law):
- Department of Veterans' Affairs (DVA) — to lodge, manage, and progress your claims on your behalf, under your written authority
- Medical practitioners and specialists — to request reports, clarifications, or additional medical evidence relevant to your claim, with your consent
- Veterans' Review Board (VRB) or Administrative Review Tribunal (ART) — in connection with reviews or appeals of DVA decisions, with your consent and instruction
- Payment processors (Stripe) — limited billing information necessary to process payments. Stripe operates under its own privacy policy and PCI-DSS compliance
- Zoho Corporation — as our platform provider for client portal, invoicing, and document management. Zoho processes data on our behalf as a data processor under a binding agreement
- Professional advisors — our own legal or accounting advisors, where necessary and subject to their professional confidentiality obligations
- Law enforcement or regulatory bodies — only where required by Australian law, a court order, or to prevent a serious threat to life, health, or safety
We will never sell, rent, or trade your personal information to third parties for their marketing purposes.
7. Storage & Security
We take the security of your personal information seriously and have implemented robust technical and organisational measures to protect it against misuse, interference, loss, unauthorised access, modification, and disclosure.
Where your data is stored
All client data is stored in Zoho's Australian data centre located in Sydney, Australia. Your data remains within Australian jurisdiction.
Technical safeguards
- Encryption at rest: All stored data is encrypted using AES-256 encryption, the same standard used by banks and government agencies
- Encryption in transit: All data transmitted between your device and our systems is protected with TLS 1.2 or higher encryption
- Platform certifications: Zoho holds ISO 27001 (information security management) and SOC 2 Type II (security, availability, and confidentiality) certifications
- Access control: The BAC client portal is invitation-only. You can only access the portal if BAC has explicitly invited you and provisioned your account
- Two-factor authentication (2FA): Two-factor authentication is enabled on all portal accounts, adding an extra layer of security beyond your password
- Session timeout: Portal sessions automatically time out after 30 minutes of inactivity, reducing the risk of unauthorised access from unattended devices
- Audit logging: All access to client data is logged for accountability and security monitoring purposes
Organisational safeguards
- Access to client information is restricted to authorised BAC personnel only
- Staff are trained on privacy obligations and the handling of sensitive information
- We regularly review and update our security practices
While we take all reasonable steps to protect your information, no method of electronic storage or transmission is completely secure. If you become aware of any security issues, please contact us immediately at admin@baldwinclaims.com.au.
8. Data Retention
We retain your personal information for a minimum of 7 years from the date of our last interaction or the completion of your claim, whichever is later. This retention period is maintained to:
- Comply with Australian legal and regulatory requirements
- Support any future claims, reviews, or appeals you may wish to lodge (DVA claims can be reopened or reviewed years after initial determination)
- Fulfil our professional record-keeping obligations
- Respond to any potential disputes or complaints
After the retention period, your personal information will be securely destroyed or de-identified in accordance with APP 11, unless we are required by law to retain it for a longer period.
You may request earlier deletion of your data, subject to Section 10 of this policy.
9. Access & Correction
Under Australian Privacy Principles 12 and 13, you have the right to:
Access your information (APP 12)
You can request access to the personal information we hold about you at any time. We will respond to your request within 30 days. There is no charge for making a request, although we may charge a reasonable fee for providing access if your request requires significant effort to compile (we will advise you of any costs beforehand).
We may refuse access in limited circumstances permitted by law, such as where providing access would:
- Pose a serious threat to the life, health, or safety of any individual
- Unreasonably impact the privacy of other individuals
- Be unlawful or in breach of a legal obligation
- Prejudice enforcement activities or legal proceedings
If we refuse access, we will provide you with a written explanation of our reasons.
Correct your information (APP 13)
You can request that we correct any personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will respond to correction requests within 30 days. If we correct information that we have previously disclosed to a third party, we will take reasonable steps to notify that third party of the correction (unless it is impractical or unlawful to do so).
If we refuse to correct your information, we will provide written reasons and advise you of your right to request that a statement of the correction sought be associated with your information.
To make an access or correction request, please contact us at admin@baldwinclaims.com.au.
10. Data Export & Deletion
Data export
You may request a complete export of all personal information we hold about you. We will provide this in a commonly used electronic format (such as PDF or CSV) within 30 days of your request. The export will include all documents, correspondence, and records associated with your file.
Data deletion
You may request that we delete your personal information from our systems. When we receive a deletion request, we will:
- Confirm the scope of deletion with you
- Advise you of any legal obligations that may require us to retain certain information (for example, financial records required under tax law)
- Securely destroy or permanently de-identify the information within 30 days, subject to any legal retention requirements
- Confirm deletion in writing once completed
Important: Deletion of your information is irreversible. If you later wish to re-engage BAC for further claims or appeals, you will need to provide all documentation again. We strongly recommend requesting a data export before requesting deletion.
To request a data export or deletion, email admin@baldwinclaims.com.au with the subject line "Data Export Request" or "Data Deletion Request".
12. Overseas Disclosure
In accordance with Australian Privacy Principle 8, we are required to inform you if your personal information may be disclosed to overseas recipients.
BAC primarily stores and processes all client data within Australia, in Zoho's Sydney-based data centre. However, certain service providers we use may have infrastructure or personnel located overseas:
- Zoho Corporation — headquartered in India with global operations. While your data is stored on Australian servers, Zoho's support and infrastructure teams may have limited access to data for platform maintenance purposes. Zoho operates under binding contractual obligations to protect your data in accordance with Australian privacy standards
- Stripe — headquartered in the United States. Stripe processes payment information (not stored by BAC) and operates under its own privacy policy and PCI-DSS compliance
Before disclosing personal information to any overseas recipient, we take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information, or that an exception under APP 8 applies.
13. Data Breaches
BAC complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.
An eligible data breach occurs when personal information we hold is subject to unauthorised access, disclosure, or loss, and it is likely to result in serious harm to affected individuals.
Our response to data breaches
If we become aware of a suspected or actual data breach, we will:
- Contain the breach immediately and take steps to minimise any resulting harm
- Assess the breach to determine whether it is likely to result in serious harm to any individual whose information is involved
- Notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable if the breach is assessed as an eligible data breach
- Review our security measures and make improvements to prevent similar incidents
Our notification to affected individuals will include:
- A description of the breach
- The type of information involved
- Steps we have taken in response
- Steps you can take to protect yourself
- How to contact us for further information
- How to make a complaint to the OAIC
14. Direct Marketing
In accordance with Australian Privacy Principle 7, BAC does not use your personal information for direct marketing purposes without your consent.
If you have opted in to receive updates or communications from BAC (such as newsletters or service updates), you may opt out at any time by:
- Clicking the unsubscribe link in any marketing email
- Emailing us at admin@baldwinclaims.com.au with the subject "Unsubscribe"
We will action your opt-out request within 5 business days. Opting out of marketing communications will not affect service-related communications necessary for managing your claim.
15. Complaints
If you believe we have breached your privacy or handled your personal information inappropriately, you have the right to make a complaint.
Step 1: Contact BAC
In the first instance, please raise your concern directly with us. You can lodge a complaint by emailing admin@baldwinclaims.com.au with the subject line "Privacy Complaint". Please include:
- Your name and contact details
- A description of the privacy issue or breach
- What outcome you are seeking
We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days. We will work with you to resolve the matter fairly and promptly.
Step 2: Contact the OAIC
If you are not satisfied with our response, or if you would prefer to lodge your complaint directly with the regulator, you can contact the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Post: GPO Box 5288, Sydney NSW 2001
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational reasons.
When we make changes:
- The "Last updated" date at the top of this page will be revised
- For material changes that affect how we handle your information, we will notify you directly via email or through the client portal
- The current version of this policy will always be available on our website
We encourage you to review this policy periodically. Your continued use of our services after changes are published constitutes acceptance of the updated policy.
17. Contact Us
If you have any questions about this Privacy Policy, how we handle your personal information, or if you wish to make a request or complaint, please contact us:
Baldwin Advocacy & Claims
Privacy Officer: Kai Baldwin
Email: admin@baldwinclaims.com.au
Website: baldwinclaims.com.au
We aim to respond to all privacy-related enquiries within 5 business days.