OverviewAccount and sign-inYour profileDraft your summary from your CVAI assistant (Sandy)Managing shiftsBooking requestsMessaging a workplaceBooking schedulesAvailability calendarCalendar syncCancellation protectionLocum directoryWorkplaces and organisationsInvoicingWorkplace signed linksAuto-chasersShift pay-checkMedicare direct billingAgency vs direct billingAgency and PAYG trackingTripled bulk-billing incentiveThomas and Naaz: payroll taxTax planningExpenses and cents-per-kmEarnings forecastBAS readinessSuper guaranteePSI diagnosticXero integrationAdvanced reportingAHPRA registration and CPDState credentialsDocument storeCompliance passportRural incentives and MMMNDIS price guideBilling and subscriptionComplimentary and trial accessReferralsNotification preferencesNotification inboxSupport ticketsREST APIData export and privacyLocum tax calculatorATO cents-per-km calculatorBAS estimatorSuper contribution plannerPSI self-assessmentMMM rural lookupAgency super checkAHPRA renewal reminderFree invoice templateLocum GP rates AustraliaLocum pharmacist rates AustraliaAgency nurse rates AustraliaLocum paramedic rates AustraliaLocum physio rates AustraliaBecome a locum GPBecome a locum pharmacistBecome an agency nurseBecome a locum paramedicBecome a locum physiotherapist
Help centre

Data export and privacy

Your records are yours. Download everything Sessional holds as CSV or JSON, exercise your rights under the Privacy Act, and see how we protect your sensitive details.

Export everything as JSON

You can download a complete, machine-readable copy of everything we hold about you at any time. Go to your Profile > Account tab and select Export my data. Sessional builds a single JSON file covering every record tied to your account:

  • Account details (name, email, decrypted phone number) and your profile
  • Profession, AHPRA registration, business structure, super fund and billing details
  • Every shift and booking request, with the workplace on each
  • Every invoice with its line items, payment status and chase history
  • Every expense, including kilometres logged for cents-per-km claims
  • Tax planner settings, subscription history and promo redemptions
  • Document metadata, availability, referrals, support tickets and disputes
  • Your in-app inbox, two-way messages, and an audit log of account actions

This satisfies your right to access your personal information under the Privacy Act 1988, specifically Australian Privacy Principle 12. The export is rate-limited to a handful of downloads per hour, and each one is recorded in your audit log.

Per-dataset CSV exports

For accounting and spreadsheet work you usually want a single table rather than the full JSON bundle. Each dashboard area offers a CSV download of just that dataset, formatted for Excel, Google Sheets, Xero or your BAS agent:

  • Shifts: date, workplace, start and end times (Australia/Sydney), rate, status
  • Invoices: invoice number, workplace, issued and due dates, total, status, payment reference
  • Expenses: date, category, description, amount, kilometres, receipt reference, notes
  • Earnings: a financial-year summary you can hand to your accountant

Dates render in Australian format and amounts are in Australian dollars. CSV cells are also guarded against spreadsheet formula injection, so a value that begins with a special character cannot run as a formula when the file is opened. If you would rather pull this data into your own tools programmatically, the REST API exposes the same shifts, invoices and expenses as JSON.

Your privacy rights

Under the Privacy Act 1988 and the Australian Privacy Principles, you can:

  • Access: download everything we hold via self-service export, no request needed
  • Correct: fix anything inaccurate directly in your profile settings (APP 13)
  • Port: receive your data in a machine-readable format (JSON)
  • Delete: ask us to close and erase your account
  • Withdraw consent: opt out of marketing email via the one-click unsubscribe link or your notification preferences

If you are unhappy with how we handle your personal information, you can complain to us first and then, if it is not resolved, to the Office of the Australian Information Commissioner (OAIC). For deletion or any privacy query, email [email protected]. Our full privacy policy sets out who we share data with, including our sub-processors.

Retention and the ATO five-year rule

  • When you delete your account, your data is removed after a short grace period in case you change your mind
  • Invoices, shifts, expenses, super records and uploaded documents are deleted with the account
  • Receipts and documents are permanently removed from storage
  • A minimal audit log is retained for a period after closure for security and fraud purposes

Important

The ATO requires you to keep most business and tax records for at least five years from when you prepared or obtained them, or from when the transaction was completed, whichever is later. Deleting your Sessional account does not satisfy that obligation, so export your invoices, expenses and earnings to CSV before you close your account, and keep the files somewhere safe.

How we protect your data

Healthcare locums hand us some of their most sensitive details, so security is not an afterthought. Sessional protects your data with:

  • AES-256-GCM field encryption for your most sensitive identifiers: ABN, AHPRA registration number, bank BSB and account, billing address, and phone number. These are encrypted at rest, so a database dump alone reveals nothing.
  • TLS on every connection (HTTPS everywhere)
  • Passwords hashed with a per-user salt, never stored in the clear
  • HTTP-only session cookies that JavaScript cannot read, plus CSRF protection on every change you make
  • Card details handled entirely by Stripe: we never see or store your card number
  • Uploaded files validated by their actual contents, not a guessable file type, and rate limiting on public endpoints

Read the full privacy policy and cookie policy for the complete picture.

Frequently asked questions

In what format can I export my data?
Two ways. A single JSON file from your profile Account tab covers everything we hold. Per-dataset CSV files for shifts, invoices, expenses and earnings are available from the dashboard for spreadsheets and accounting software.
Is my ABN encrypted?
Yes. Your ABN, AHPRA registration number, bank BSB and account, billing address and phone number are encrypted at rest with AES-256-GCM. They are decrypted only when shown back to you, such as in your own data export. Sessional does not collect or store your Tax File Number at all.
What are my rights under the Privacy Act?
Under the Privacy Act 1988 and the Australian Privacy Principles you can access, correct and port your data, ask for it to be deleted, and withdraw consent to marketing. The self-service export covers access and portability. If a concern is unresolved, you can complain to the OAIC.
Should I export before deleting my account?
Yes. Account deletion removes your records after a short grace period, but the ATO still expects you to keep tax records for at least five years. Download your invoices, expenses and earnings to CSV first and store them safely.
Who do you share my data with?
Only the sub-processors needed to run the service, such as our payment and email providers, listed in our privacy policy. We do not sell your data, and we do not let AI-training crawlers index your private dashboard.

Related guides

REST APIProfile settingsInvoicingExpenses and mileageBilling and subscriptions

Your data, on your terms

Export to CSV or JSON whenever you like, with bank-grade encryption on your most sensitive details. Start free and keep full control of your records.

Start freeRead the privacy policy