Privacy Policy
Last updated: 4 May 2026
About this policy
Making Waves Foundation ("MWF", "we", "us") operates Helm — the internal platform you are using now — to coordinate sailing programs for young people with disability across Australia. This policy explains what personal information Helm collects, why, and what choices you have. It is written to align with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
What information we collect
What we collect depends on your role.
Volunteers
- Identity and contact details: name, preferred name, email, phone, postal address, date of birth, gender.
- Emergency contact: a name and phone number you nominate.
- Sailing accreditation history (Crew Level 1 → Skipper) and induction progress.
- First-aid certificate expiry, radio licence indication, shirt size, on-water vs off-water role.
- Working with Children check details (state, number, expiry, document image where required).
- Membership payment history processed via Stripe (payment confirmation only — Helm never stores card numbers).
- Session attendance and activity (rosters, attendance ticks, incident reports you submit, comments and photos you upload).
- Sign-in metadata (last login time, IP address briefly held for security and abuse detection).
Program participants and their families
- Participant: name, date of birth, photo-consent flag, any access notes the booking organiser supplies.
- Parent or guardian: name, contact details, sign-off on consent forms.
- For the Wright of Passage youth program: cohort assignment, attendance, milestones reached.
Booking organisations
- Organisation name, ABN where applicable, primary contact details.
- Booking history and any feedback the organising teacher submits after a session.
How we use it
- Running programs: rostering crew, managing bookings, recording attendance, scheduling sessions, communicating with volunteers and organisers about upcoming sails.
- Safety: verifying Working with Children checks remain current, recording safety briefings, capturing incident reports.
- Membership and payments: issuing receipts, tracking annual membership status.
- Charitable reporting: aggregate (de-identified) statistics for ACNC reporting and grant submissions.
- Service improvement: diagnosing errors via Sentry, monitoring application health.
We do not sell your information. We do not use it for advertising. We do not share it with third parties beyond the service providers listed below.
Who we share it with
Helm relies on a small set of trusted service providers, each contractually bound to handle data only on our instructions:
- Amazon Web Services (Sydney, ap-southeast-2): hosts the application and its database. All Helm data lives in Australia.
- Amazon Simple Email Service (Sydney): delivers transactional emails (roster confirmations, password resets, broadcast notices).
- Stripe (Australia / United States): processes membership and donation payments. Stripe holds your payment card details — Helm never sees them.
- Sentry (United States / European Union): captures application errors so we can fix bugs. Sentry receives the URL you were on, your user ID, and a stack trace; it does not receive form data we mark as sensitive.
- Adobe Lightroom (United States): if photo-upload-to-Lightroom is enabled in your environment, photos and metadata are pushed to MWF's central Lightroom Cloud catalog. Volunteers do not need an Adobe account.
- Laravel Forge: deployment automation; does not access application data in normal operation.
Children's information
Helm holds personal information about young people enrolled in our programs, including the Wright of Passage youth program. We treat this information with particular care:
- A parent or guardian must consent at the point of booking.
- The photo consent flag set on a participant's record is honoured throughout the platform — printed nametags display a clearly visible "no photos" indicator and the social-media team is briefed accordingly.
- Participants and their families may withdraw at any time and request deletion of their records (see "Your rights" below).
- We retain only the minimum information needed to run the program and report on outcomes.
How long we keep it
- Volunteer accounts: retained while you are an active volunteer and for seven years after your last engagement, to meet our duty-of-care, governance, and ACNC reporting obligations.
- Participant records: retained for seven years after the last program activity, then de-identified.
- Incident reports: retained for seven years from the date of the incident.
- Payment records: retained for seven years (Australian tax-record requirements).
- Sign-in logs: retained for 90 days.
- Error reports (Sentry): retained for 30 days.
Your rights
You may at any time:
- Ask what information we hold about you, and request a copy.
- Ask us to correct anything that is wrong.
- Ask us to delete your information, where we are not obliged by law to retain it.
- Withdraw consent for photo use.
- Make a complaint about how we have handled your information.
To exercise any of these rights, email info@makingwaves.au. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner at oaic.gov.au.
Cookies and tracking
Helm sets a single session cookie required to keep you signed in. It sets no advertising or analytics cookies. We do not embed third-party trackers. Sentry's optional session-replay feature is disabled by default; if it is enabled in future, this policy will be updated and a notice shown on next login.
Changes to this policy
When we change this policy substantively we update the version date at the top of the page. Where the change affects how we collect or use information, we will prompt you to re-acknowledge it on next sign-in. The current version is 2026-05-04.
Contact
Privacy questions: info@makingwaves.au
General support: info@makingwaves.au
Making Waves Foundation, ABN 82 714 459 575