Collection Notice

Who we are

Phoenix Health Co (ABN 28 685 097 044), Sydney NSW 2000 (“Phoenix Health”, “we”, “us”) is a health service provider. We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and by the Health Records and Information Privacy Act 2002 (NSW) and the Health Privacy Principles (HPPs).

What we collect and why

We collect and use your personal and health information to:

• Create and manage your account and provide our health optimisation services.
• Facilitate appointments, health screenings, referrals and communication about your care.
• Process billing and payments. Where you take a paid service such as a gym membership, payments are processed by our payment processor, Stripe. We also process Medicare and private health insurance claims where applicable.
• Assist our practitioners using artificial intelligence to extract health metrics from your de-identified documents. All personal information is removed before AI processing, AI output is reviewed by a clinician before it is saved, and no data is used to train AI models.
• Comply with our legal, clinical-governance and record-keeping obligations.
• Respond to in-app support requests you submit via Help & Support (message content, optional screenshots, and ticket metadata are stored so we can assist you and maintain an audit trail).

Help & Support channel

When you use Help & Support we collect your message, optional image attachments, subject, and category. This information is stored in our secure database (Neon Postgres, Australia) and attachment images in Vercel Blob (United States). Staff with authorised access can view your thread to respond. We email a PHI-minimised alert to our support inbox (contact@phoenixhealthco.com.au) — the email contains ticket metadata only, not your message body. Support messages may be retained for up to 7 years from last activity under the NSW Health Records and Information Privacy Act 2002 (until age 25 for minors). On account deletion, message bodies are scrubbed and attachment blobs deleted; ticket metadata is retained per our retention policy.

Sensitive (health) information and consent

Health information is sensitive information. We collect it with your consent and only where it is reasonably necessary to provide your health services (APP 3.3 / HPP 3). Government identifiers (such as your Medicare, DVA or private health insurance numbers) are collected and used only for billing, claims and referrals, and are never adopted as our own identifier (APP 9 / HPP 12).

If you do not provide your information

If you choose not to provide certain information, we may be unable to provide some or all of our health services, or the quality of those services may be affected.

Who we disclose it to (including overseas)

We may disclose your information to:

• Healthcare providers involved in your care (with your consent or as directly related to your care).
• Government and regulatory bodies where required or authorised by law.
• Our technology service providers. Some are located overseas: we disclose payment/billing data to Stripe (United States), and technical/usage data to Cloudflare (United States) and Vercel (United States edge network). Our database (Neon), rate-limiting (Upstash) and AI/email processing (Microsoft Azure) are hosted in Australia.

Before disclosing personal information overseas we take reasonable steps to ensure the recipient handles it consistently with the APPs (APP 8 / HPP 14). We do not sell your personal or health information.

Access, correction and complaints

You may request access to, or correction of, the information we hold about you, and you may make a privacy complaint. To do so, contact our Privacy Officer at privacy@phoenixhealthco.com.au. If you are not satisfied with our response you may contact:

• NSW Information and Privacy Commission (IPC): ipc.nsw.gov.au
• Office of the Australian Information Commissioner (OAIC): oaic.gov.au/privacy/privacy-complaints

Full details are set out in our Privacy Policy.