Threshold is built around consent. This page is honest about two things: what is true today while Threshold is a concept, and what the production system will be required to commit to before a single real client record is created.
Last updated 27 April 2026 · Threshold Rehab · Melbourne, Victoria
1. What we collect right now
While the site is a concept, the only information collected is what is necessary to make the demo work and keep it operating safely.
Role session cookie
A short-lived signed cookie that records which role you are exploring (court, caseworker, rehab, family, or service partner). It does not contain your name, email, or any health information.
Standard server logs
IP address, user agent, requested path, response status, and timestamps. These are kept by our hosting provider (Vercel) and used only to diagnose errors and abuse.
Anything you type into demo forms
Treated as sample data. We ask that you do not enter real client information. Submitted text may be cleared during routine resets.
Contact you initiate
If you email contact@threshold.rehab, we hold that email and any reply thread so we can respond.
2. Cookies
Threshold uses one essential cookie: an HMAC-signed role session. It is set when you select a role on the home page and cleared when you sign out. There is no advertising, analytics, fingerprinting, or third-party tracking on this site.
3. What the production system will commit to
Before Threshold holds any real client record, the following commitments are non-negotiable. They are tracked in our internal compliance register and must be independently verified before launch.
Consent at the centre
Every disclosure of a client record is bound to a recorded consent scope, with a grantee, a timestamp, and an immutable revocation history. Health Records Act 2001 (Vic) HPP 2; Privacy Act 1988 (Cth) APP 3.3.
Audit logging
Every read of a client record is logged with viewer identity, role, and timestamp. Logs are tamper-evident and retained for at least seven years. APP 1.2; HPP 4.
Lawful disclosure pathways
Disclosures without client consent are limited to those expressly permitted by law (e.g. Mental Health and Wellbeing Act 2022 (Vic) Part 7.4 / s730), are flagged in the record, and are reported to the client unless prohibited.
IRAP-assessed onshore hosting
Personal and health information will be held in an IRAP-assessed Australian environment. VPDSS 2.0 Standard 10; WoVG Cloud Policy.
Verified identity
Real production access will require a verified Digital ID (myID or VIC Gov Entra) — never the cookie-based role stub used in the demo. Digital ID Act 2024 (Cth).
Privacy Impact Assessment
A PIA will be lodged with the Office of the Victorian Information Commissioner (OVIC) before any production rollout, and re-lodged on material change.
Inter-agency authority
Pooling court, corrections, clinical, and family information requires a written legal authority and an executed MOU between participating agencies. Sentencing Act 1991 (Vic) Part 3A; Corrections Act 1986 (Vic).
4. Your rights
If a future production version of Threshold holds your personal or health information, you will have the following rights at a minimum:
Access
Request a copy of the information held about you. Privacy Act 1988 (Cth) APP 12; Health Records Act 2001 (Vic) HPP 6.
Correction
Ask us to correct information that is inaccurate, out of date, incomplete, or misleading. APP 13; HPP 7.
Withdraw consent
Revoke a consent scope you previously granted. Revocation is immediate; downstream services lose access on the next request.
Complain
Lodge a complaint with us first (contact@threshold.rehab). If unresolved, escalate to the Office of the Australian Information Commissioner (OAIC) for Privacy Act matters, or to OVIC for Vic Health Records Act matters.
5. Contact
For privacy questions, data requests, or concerns about the demo: